Add ban evasion reporting to edge function

Added ban evasion reporting to the `upload-image` edge function for both DELETE and POST operations. This ensures that all ban evasion attempts, including those via direct API calls, are logged to `system_alerts` and visible on the `/admin/error-monitoring` dashboard.

src/components/upload/UppyPhotoSubmissionUpload.tsx

@@ -21,6 +21,7 @@ import { logger } from "@/lib/logger";
 import { breadcrumb } from "@/lib/errorBreadcrumbs";
 import { checkSubmissionRateLimit, recordSubmissionAttempt } from "@/lib/submissionRateLimiter";
 import { sanitizeErrorMessage } from "@/lib/errorSanitizer";
+import { reportBanEvasionAttempt } from "@/lib/pipelineAlerts";
 
 /**
  * Photo upload pipeline configuration
@@ -140,6 +141,10 @@ export function UppyPhotoSubmissionUpload({
       );
 
       if (profile?.banned) {
+        // Report ban evasion attempt
+        reportBanEvasionAttempt(user.id, 'photo_upload').catch(() => {
+          // Non-blocking - don't fail if alert fails
+        });
         throw new Error('Account suspended. Contact support for assistance.');
       }
 

supabase/functions/upload-image/index.ts

@@ -70,6 +70,36 @@ const createAuthenticatedSupabaseClient = (authHeader: string) => {
   })
 }
 
+/**
+ * Report ban evasion attempts to system alerts
+ */
+async function reportBanEvasionToAlerts(
+  supabaseClient: any,
+  userId: string,
+  action: string,
+  requestId: string
+): Promise<void> {
+  try {
+    await supabaseClient.rpc('create_system_alert', {
+      p_alert_type: 'ban_attempt',
+      p_severity: 'high',
+      p_message: `Banned user attempted image upload: ${action}`,
+      p_metadata: {
+        user_id: userId,
+        action,
+        request_id: requestId,
+        timestamp: new Date().toISOString()
+      }
+    });
+  } catch (error) {
+    // Non-blocking - log but don't fail the response
+    edgeLogger.warn('Failed to report ban evasion', { 
+      error: error instanceof Error ? error.message : String(error),
+      requestId 
+    });
+  }
+}
+
 // Apply strict rate limiting (5 requests/minute) to prevent abuse
 const uploadRateLimiter = rateLimiters.strict;
 
@@ -164,7 +194,15 @@ serve(withRateLimit(async (req) => {
       }
 
       if (profile.banned) {
+        // Report ban evasion attempt (non-blocking)
+        await reportBanEvasionToAlerts(supabase, user.id, 'image_delete', tracking.requestId);
+        
         const duration = endRequest(tracking);
+        edgeLogger.warn('Banned user blocked from image deletion', { 
+          userId: user.id, 
+          requestId: tracking.requestId 
+        });
+        
         return new Response(
           JSON.stringify({ 
             error: 'Account suspended',
@@ -375,7 +413,15 @@ serve(withRateLimit(async (req) => {
       }
 
       if (profile.banned) {
+        // Report ban evasion attempt (non-blocking)
+        await reportBanEvasionToAlerts(supabase, user.id, 'image_upload', tracking.requestId);
+        
         const duration = endRequest(tracking);
+        edgeLogger.warn('Banned user blocked from image upload', { 
+          userId: user.id, 
+          requestId: tracking.requestId 
+        });
+        
         return new Response(
           JSON.stringify({ 
             error: 'Account suspended',

supabase/migrations/20251108004021_cf1843f9-3f73-4681-ba5d-ac8f491bafc6.sql

@@ -0,0 +1,24 @@
+-- Add rate_limit_violation to system_alerts alert_type check constraint
+-- This enables tracking of rate limit violations in the admin dashboard
+
+-- First, drop the existing check constraint
+ALTER TABLE system_alerts 
+DROP CONSTRAINT IF EXISTS system_alerts_alert_type_check;
+
+-- Recreate the constraint with the new value
+ALTER TABLE system_alerts 
+ADD CONSTRAINT system_alerts_alert_type_check CHECK (alert_type IN (
+  'orphaned_images',
+  'stale_submissions',
+  'circular_dependency',
+  'validation_error',
+  'ban_attempt',
+  'upload_timeout',
+  'high_error_rate',
+  'rate_limit_violation',
+  'temp_ref_error',
+  'submission_queue_backlog',
+  'failed_submissions',
+  'high_ban_rate',
+  'slow_approval'
+));