Add config option to set the HTTP redirect code for external icons

The default code is 307 (temporary) to make it easier to test different icon
services, but once a service has been decided on, users should ideally switch
to using permanent redirects for cacheability.

3 files changed, 28 insertions, 3 deletions

diff --git a/.env.template b/.env.template
index 7fcbbfcb..fecac220 100644
--- a/.env.template
+++ b/.env.template
@@ -135,13 +135,20 @@
 ## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
 ##
 ## `internal` refers to Vaultwarden's built-in icon fetching implementation.
-## If an external service is set, an icon request to Vaultwarden will return an HTTP 307
+## If an external service is set, an icon request to Vaultwarden will return an HTTP
 ## redirect to the corresponding icon at the external service. An external service may
 ## be useful if your Vaultwarden instance has no external network connectivity, or if
 ## you are concerned that someone may probe your instance to try to detect whether icons
 ## for certain sites have been cached.
 # ICON_SERVICE=internal
 
+## Icon redirect code
+## The HTTP status code to use for redirects to an external icon service.
+## The supported codes are 307 (temporary) and 308 (permanent).
+## Temporary redirects are useful while testing different icon services, but once a service
+## has been decided on, consider using permanent redirects for cacheability.
+# ICON_REDIRECT_CODE=307
+
 ## Disable icon downloading
 ## Set to true to disable icon downloading in the internal icon service.
 ## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
diff --git a/src/api/icons.rs b/src/api/icons.rs
index 3d1de094..4e8c753a 100644
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -71,7 +71,14 @@ fn icon_redirect(domain: &str, template: &str) -> Option<Redirect> {
     }
 
     let url = template.replace("{}", domain);
-    Some(Redirect::temporary(url))
+    match CONFIG.icon_redirect_code() {
+        308 => Some(Redirect::permanent(url)),
+        307 => Some(Redirect::temporary(url)),
+        _ => {
+            error!("Unexpected redirect code {}", CONFIG.icon_redirect_code());
+            None
+        }
+    }
 }
 
 #[get("/<domain>/icon.png")]
diff --git a/src/config.rs b/src/config.rs
index 5bbe8575..9554aee3 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -454,9 +454,14 @@ make_config! {
         /// To specify a custom icon service, set a URL template with exactly one instance of `{}`,
         /// which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
         /// `internal` refers to Vaultwarden's built-in icon fetching implementation. If an external
-        /// service is set, an icon request to Vaultwarden will return an HTTP 307 redirect to the
+        /// service is set, an icon request to Vaultwarden will return an HTTP redirect to the
         /// corresponding icon at the external service.
         icon_service:           String, false,  def,    "internal".to_string();
+        /// Icon redirect code |> The HTTP status code to use for redirects to an external icon service.
+        /// The supported codes are 307 (temporary) and 308 (permanent).
+        /// Temporary redirects are useful while testing different icon services, but once a service
+        /// has been decided on, consider using permanent redirects for cacheability.
+        icon_redirect_code:     u32,    true,   def,    307;
         /// Positive icon cache expiry |> Number of seconds to consider that an already cached icon is fresh. After this period, the icon will be redownloaded
         icon_cache_ttl:         u64,    true,   def,    2_592_000;
         /// Negative icon cache expiry |> Number of seconds before trying to download an icon that failed again.
@@ -693,6 +698,12 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         }
     }
 
+    // Check if the icon redirect code is valid
+    match cfg.icon_redirect_code {
+        307 | 308 => (),
+        _ => err!("Only HTTP 307/308 redirects are supported"),
+    }
+
     Ok(())
 }