uses `new URL()` and `decodeURI()` instead of `url.parse()`
also checks that the requested file is in a subdirectory of `public/` before serving the file
fixes path traversal vulnerability GHSA-5cxq-25mp-q5f2
Mojang has disabled their legacy skins API:
https://twitter.com/MojangSupport/status/964511258601865216
With their API rate limits, it's now practially impossible
for us to support usernames.
Fixes#142. The default parameter allows using:
- UUID
- URL
- MHF_Alex
- MHF_Steve
- Alex
- Steve
Contrary to UUIDs, using alex/steve doesn't redirect
and instead provides the skin from a locally stored file.
This led to a crash when a cape or skin was not stored on disk.
The function caled skins.save_image and returned that function's lwip image object instead of the expected buffer.
skins.save_image also no longer returns the image object because it's not used anywhere
human_status (response.js) defines code -2 as 'user error'. 404 is definitely a user error, so using that makes sense.
eventually we should change the whole status code thing with #120
