At the moment, image manipulation can't be restricted by role or to an API key. This means that if a content item with an image is publicly accessible, then its ID is also accessible, and anyone with that ID can make unlimited resize requests to the server, a very expensive task.
The only way to prevent this is to restrict access to the content item, fetch it server-side to privately get the asset ID, do the image manipulation server-side and return the image URL.
This isn't even a more expensive task; it does not require more requests, it just requires a more complicated architecture in some cases.
An even more efficient and simple solution would be to be able to restrict what size images (or what manipulations) can be requested on a per-field basis. Or something similar to https://github.com/pauloamgomes/ImageStyles for the old version of Cockpit. Then everything could be done client-side with no need for multiple requests.
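A sketch of the per-field restriction proposed above, as an added example that is not code from Cockpit or from the ImageStyles addon: clients name a style, the server maps it to fixed dimensions, and client-supplied sizes are never read. The field names, style names, `/img/...` route shape and 24-hex asset ID format are assumptions made for illustration.

```javascript
// Added example; field names, style names, route shape and ID format are assumptions.
const STYLES = {
  // "collection.field" -> style name -> fixed resize parameters
  "posts.cover": {
    thumb: { w: 320, h: 180 },
    hero: { w: 1600, h: 900 },
  },
  "authors.avatar": { small: { w: 64, h: 64 } },
};
const ASSET_ID = /^[a-f0-9]{24}$/; // assumed asset ID format
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Map a public URL such as /img/posts.cover/hero/<assetId> to fixed resize
// parameters. Only the path is used; the query string is never consulted.
function resolveRequest(url) {
  const { pathname } = new URL(url, "http://localhost");
  const m = /^\/img\/([\w.]+)\/(\w+)\/([^/]+)$/.exec(pathname);
  if (!m) return { ok: false, status: 404 };
  const [, field, style, id] = m;
  if (!ASSET_ID.test(id)) return { ok: false, status: 400 };
  // Own-property checks so names like "__proto__" cannot match inherited keys.
  if (!own(STYLES, field) || !own(STYLES[field], style)) {
    return { ok: false, status: 400 };
  }
  return {
    ok: true,
    status: 200,
    key: `${id}:${field}:${style}`,
    params: { id, ...STYLES[field][style] },
  };
}

// Wrap a resize function (supplied by the caller) with a cache, so each
// (asset, field, style) combination triggers at most one resize job.
function makeHandler(resize) {
  const cache = new Map();
  return function handle(url) {
    const req = resolveRequest(url);
    if (!req.ok) return req;
    if (!cache.has(req.key)) cache.set(req.key, resize(req.params));
    return { ok: true, status: 200, body: cache.get(req.key) };
  };
}
```

Because the set of styles per field is finite, the number of distinct resize jobs per asset is bounded no matter how many requests arrive.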