234 lines
8.6 KiB
JavaScript
234 lines
8.6 KiB
JavaScript
import cfg from "./inc/config.mjs";
|
|
import path from "path";
|
|
import { promises as fs } from "fs";
|
|
import db from "./inc/sql.mjs";
|
|
import lib from "./inc/lib.mjs";
|
|
import { parseMultipart, collectBody } from "./inc/multipart.mjs";
|
|
import { execFile as _execFile } from "child_process";
|
|
import { promisify } from "util";
|
|
|
|
const execFile = promisify(_execFile);
|
|
|
|
// Multi-part parsing logic removed, using shared imports
|
|
|
|
// Helper for JSON response
|
|
const sendJson = (res, data, code = 200) => {
|
|
res.writeHead(code, { 'Content-Type': 'application/json' });
|
|
res.end(JSON.stringify(data));
|
|
};
|
|
|
|
// Generate UUID using the same method as video uploads
|
|
const genuuid = async () => {
|
|
return (await db`select gen_random_uuid() as uuid`)[0].uuid.substring(0, 8);
|
|
};
|
|
|
|
export const handleAvatarUpload = async (req, res) => {
|
|
console.log('[AVATAR HANDLER] Upload started');
|
|
|
|
// Manual Session Lookup
|
|
let user = [];
|
|
if (req.cookies && req.cookies.session) {
|
|
user = await db`
|
|
select "user".id, "user".login, "user".user, "user".admin, "user_sessions".id as sess_id, "user_sessions".csrf_token, "user_options".*
|
|
from "user_sessions"
|
|
left join "user" on "user".id = "user_sessions".user_id
|
|
left join "user_options" on "user_options".user_id = "user_sessions".user_id
|
|
where "user_sessions".session = ${lib.sha256(req.cookies.session)}
|
|
limit 1
|
|
`;
|
|
}
|
|
|
|
if (user.length === 0) {
|
|
console.log('[AVATAR HANDLER] Unauthorized - No valid session found');
|
|
return sendJson(res, { success: false, msg: 'Unauthorized' }, 401);
|
|
}
|
|
|
|
req.session = user[0];
|
|
console.log('[AVATAR HANDLER] Authorized:', req.session.user);
|
|
|
|
// CSRF validation — must happen after session lookup since flummpress middlewares run in parallel
|
|
if (req.session.csrf_token) {
|
|
const csrfToken = req.headers['x-csrf-token'];
|
|
if (!csrfToken || csrfToken !== req.session.csrf_token) {
|
|
console.warn(`[CSRF] Blocked avatar upload for user ${req.session.user}. Invalid token.`);
|
|
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
|
}
|
|
}
|
|
|
|
try {
|
|
const contentType = req.headers['content-type'] || '';
|
|
const boundaryMatch = contentType.match(/boundary=(.+)$/);
|
|
|
|
if (!boundaryMatch) {
|
|
console.log('[AVATAR HANDLER] No boundary');
|
|
return sendJson(res, { success: false, msg: 'Invalid content type' }, 400);
|
|
}
|
|
|
|
console.log('[AVATAR HANDLER] Collecting body...');
|
|
const body = await collectBody(req);
|
|
console.log('[AVATAR HANDLER] Body collected, size:', body.length);
|
|
|
|
const parts = parseMultipart(body, boundaryMatch[1]);
|
|
const file = parts.file;
|
|
|
|
if (!file || !file.data) {
|
|
return sendJson(res, { success: false, msg: 'No file provided' }, 400);
|
|
}
|
|
|
|
// Validate file size (5MB max)
|
|
const maxSize = 5 * 1024 * 1024;
|
|
if (file.data.length > maxSize) {
|
|
return sendJson(res, {
|
|
success: false,
|
|
msg: `File too large. Maximum size is 5MB, got ${(file.data.length / 1024 / 1024).toFixed(2)}MB`
|
|
}, 400);
|
|
}
|
|
|
|
// Allowed MIME types
|
|
const allowedMimes = [
|
|
'image/gif',
|
|
'image/jpeg',
|
|
'image/jpg',
|
|
'image/png',
|
|
'image/webp'
|
|
];
|
|
|
|
// Validate MIME type from content-type header
|
|
let mime = file.contentType.toLowerCase();
|
|
if (!allowedMimes.includes(mime)) {
|
|
return sendJson(res, {
|
|
success: false,
|
|
msg: `Invalid file type. Allowed: gif, jpg, jpeg, png, webp. Got: ${mime}`
|
|
}, 400);
|
|
}
|
|
|
|
// Save to tmp and verify with file magic
|
|
const uuid = await genuuid();
|
|
const tmpPath = path.join(cfg.paths.tmp, `avatar_${uuid}_tmp`);
|
|
const finalFilename = `${uuid}.webp`;
|
|
const finalPath = path.join(cfg.paths.a, finalFilename);
|
|
|
|
await fs.mkdir(cfg.paths.tmp, { recursive: true });
|
|
await fs.mkdir(cfg.paths.a, { recursive: true });
|
|
|
|
await fs.writeFile(tmpPath, file.data);
|
|
|
|
// Verify MIME with file magic
|
|
const { stdout: actualMime } = await execFile('file', ['--mime-type', '-b', tmpPath]);
|
|
const allowedActualMimes = [
|
|
'image/gif',
|
|
'image/jpeg',
|
|
'image/png',
|
|
'image/webp'
|
|
];
|
|
|
|
if (!allowedActualMimes.includes(actualMime.trim())) {
|
|
await fs.unlink(tmpPath).catch(() => { });
|
|
return sendJson(res, {
|
|
success: false,
|
|
msg: `Invalid file type detected: ${actualMime.trim()}`
|
|
}, 400);
|
|
}
|
|
|
|
// Get current avatar_file to delete old one
|
|
const currentAvatar = (await db`
|
|
select avatar_file from user_options where user_id = ${+req.session.id}
|
|
`)[0]?.avatar_file;
|
|
|
|
// Convert to webp using ImageMagick with coalesce for GIF handling
|
|
try {
|
|
await execFile('magick', [tmpPath, '-coalesce', '-resize', '256x256^', '-gravity', 'center', '-background', 'none', '-extent', '256x256', '-quality', '50', finalPath]);
|
|
} catch (err) {
|
|
console.error('[AVATAR HANDLER] Magick error:', err);
|
|
await fs.unlink(tmpPath).catch(() => { });
|
|
return sendJson(res, { success: false, msg: 'Failed to process image' }, 500);
|
|
}
|
|
|
|
// Clean up tmp file
|
|
await fs.unlink(tmpPath).catch(() => { });
|
|
|
|
// Delete old avatar file if exists (except default.png)
|
|
if (currentAvatar && currentAvatar !== 'default.png') {
|
|
const oldPath = path.join(cfg.paths.a, currentAvatar);
|
|
await fs.unlink(oldPath).catch(() => { });
|
|
}
|
|
|
|
// Update database — clear item-based avatar so custom file takes priority
|
|
await db`
|
|
update user_options
|
|
set avatar_file = ${finalFilename},
|
|
avatar = NULL
|
|
where user_id = ${+req.session.id}
|
|
`;
|
|
|
|
console.log('[AVATAR HANDLER] Upload complete:', finalFilename);
|
|
return sendJson(res, {
|
|
success: true,
|
|
avatar_file: finalFilename,
|
|
msg: 'Avatar uploaded successfully'
|
|
}, 200);
|
|
|
|
} catch (err) {
|
|
if (err.code === 'BODY_TOO_LARGE') {
|
|
return sendJson(res, { success: false, msg: 'File too large (5 MB max for avatars)' }, 413);
|
|
}
|
|
console.error('[AVATAR HANDLER ERROR]', err);
|
|
return sendJson(res, { success: false, msg: lib.logError(err, 'Avatar Upload failed') }, 500);
|
|
}
|
|
};
|
|
|
|
export const handleAvatarDelete = async (req, res) => {
|
|
console.log('[AVATAR HANDLER] Delete started');
|
|
|
|
// Manual Session Lookup
|
|
let user = [];
|
|
if (req.cookies && req.cookies.session) {
|
|
user = await db`
|
|
select "user".id, "user".login, "user".user, "user".admin, "user_sessions".id as sess_id, "user_sessions".csrf_token, "user_options".*
|
|
from "user_sessions"
|
|
left join "user" on "user".id = "user_sessions".user_id
|
|
left join "user_options" on "user_options".user_id = "user_sessions".user_id
|
|
where "user_sessions".session = ${lib.sha256(req.cookies.session)}
|
|
limit 1
|
|
`;
|
|
}
|
|
|
|
if (user.length === 0) {
|
|
return sendJson(res, { success: false, msg: 'Unauthorized' }, 401);
|
|
}
|
|
|
|
req.session = user[0];
|
|
|
|
// CSRF validation — must happen after session lookup since flummpress middlewares run in parallel
|
|
if (req.session.csrf_token) {
|
|
const csrfToken = req.headers['x-csrf-token'];
|
|
if (!csrfToken || csrfToken !== req.session.csrf_token) {
|
|
console.warn(`[CSRF] Blocked avatar delete for user ${req.session.user}. Invalid token.`);
|
|
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
|
}
|
|
}
|
|
|
|
try {
|
|
const currentAvatar = (await db`
|
|
select avatar_file from user_options where user_id = ${+req.session.id}
|
|
`)[0]?.avatar_file;
|
|
|
|
if (currentAvatar && currentAvatar !== 'default.png') {
|
|
const oldPath = path.join(cfg.paths.a, currentAvatar);
|
|
await fs.unlink(oldPath).catch(() => { });
|
|
}
|
|
|
|
await db`
|
|
update user_options
|
|
set avatar_file = null
|
|
where user_id = ${+req.session.id}
|
|
`;
|
|
|
|
console.log('[AVATAR HANDLER] Delete complete');
|
|
return sendJson(res, { success: true, msg: 'Custom avatar removed' }, 200);
|
|
} catch (err) {
|
|
console.error('[AVATAR DELETE ERROR]', err);
|
|
return sendJson(res, { success: false, msg: 'Failed to remove avatar' }, 500);
|
|
}
|
|
};
|