pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 13:31:12 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
60c749c715a16c1f076e9fb7078a13fb9abbd1ae
thrilltrack-explorer/supabase/functions/upload-image/index.ts
gpt-engineer-app[bot] bf3da6414a Centralize CORS configuration 
Consolidate CORS handling by introducing a shared supabase/functions/_shared/cors.ts and migrate edge functions to import from it. Remove inline cors.ts usage across functions, standardize headers (including traceparent and x-request-id), and prepare for environment-aware origins.
2025-11-10 21:28:46 +00:00

685 lines
22 KiB
TypeScript
Raw Blame History

import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
import { getAllowedOrigin, getCorsHeaders } from '../_shared/cors.ts'
import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts'
import { rateLimiters, withRateLimit } from '../_shared/rateLimiter.ts'
import { formatEdgeError } from '../_shared/errorFormatter.ts'
// Helper to create authenticated Supabase client
const createAuthenticatedSupabaseClient = (authHeader: string) => {
const supabaseUrl = Deno.env.get('SUPABASE_URL')
const supabaseAnonKey = Deno.env.get('SUPABASE_ANON_KEY')
if (!supabaseUrl || !supabaseAnonKey) {
throw new Error('Missing Supabase environment variables')
}
return createClient(supabaseUrl, supabaseAnonKey, {
global: { headers: { Authorization: authHeader } }
})
}
/**
* Report ban evasion attempts to system alerts
*/
async function reportBanEvasionToAlerts(
supabaseClient: any,
userId: string,
action: string,
requestId: string
): Promise<void> {
try {
await supabaseClient.rpc('create_system_alert', {
p_alert_type: 'ban_attempt',
p_severity: 'high',
p_message: `Banned user attempted image upload: ${action}`,
p_metadata: {
user_id: userId,
action,
request_id: requestId,
timestamp: new Date().toISOString()
}
});
} catch (error) {
// Non-blocking - log but don't fail the response
edgeLogger.warn('Failed to report ban evasion', {
error: formatEdgeError(error),
requestId
});
}
}
// Apply strict rate limiting (5 requests/minute) to prevent abuse
const uploadRateLimiter = rateLimiters.strict;
serve(withRateLimit(async (req) => {
const tracking = startRequest();
const requestOrigin = req.headers.get('origin');
const allowedOrigin = getAllowedOrigin(requestOrigin);
// Check if this is a CORS request with a disallowed origin
if (requestOrigin && !allowedOrigin) {
edgeLogger.warn('CORS request rejected', { action: 'cors_validation', origin: requestOrigin, requestId: tracking.requestId });
return new Response(
JSON.stringify({
error: 'Origin not allowed',
message: 'The origin of this request is not allowed to access this resource'
}),
{
status: 403,
headers: { 'Content-Type': 'application/json' }
}
);
}
// Define CORS headers at function scope so they're available in catch block
const corsHeaders = getCorsHeaders(allowedOrigin);
// Handle CORS preflight requests
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders })
}
try {
const CLOUDFLARE_ACCOUNT_ID = Deno.env.get('CLOUDFLARE_ACCOUNT_ID')
const CLOUDFLARE_IMAGES_API_TOKEN = Deno.env.get('CLOUDFLARE_IMAGES_API_TOKEN')
if (!CLOUDFLARE_ACCOUNT_ID || !CLOUDFLARE_IMAGES_API_TOKEN) {
throw new Error('Missing Cloudflare credentials')
}
if (req.method === 'DELETE') {
// Require authentication for DELETE operations
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response(
JSON.stringify({
error: 'Authentication required',
message: 'Authentication required for delete operations'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Verify JWT token
const supabase = createAuthenticatedSupabaseClient(authHeader)
const { data: { user }, error: authError } = await supabase.auth.getUser()
if (authError || !user) {
edgeLogger.error('Auth verification failed', { action: 'delete_auth', error: authError?.message })
return new Response(
JSON.stringify({
error: 'Invalid authentication',
message: 'Authentication token is invalid or expired'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Check if user is banned
const { data: profile, error: profileError } = await supabase
.from('profiles')
.select('banned')
.eq('user_id', user.id)
.single()
if (profileError || !profile) {
edgeLogger.error('Failed to fetch user profile', { action: 'delete_profile_check', userId: user.id })
return new Response(
JSON.stringify({
error: 'User profile not found',
message: 'Unable to verify user profile'
}),
{
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
if (profile.banned) {
// Report ban evasion attempt (non-blocking)
await reportBanEvasionToAlerts(supabase, user.id, 'image_delete', tracking.requestId);
const duration = endRequest(tracking);
edgeLogger.warn('Banned user blocked from image deletion', {
userId: user.id,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Account suspended',
message: 'Account suspended. Contact support for assistance.',
requestId: tracking.requestId
}),
{
status: 403,
headers: {
...corsHeaders,
'Content-Type': 'application/json',
'X-Request-ID': tracking.requestId
}
}
)
}
// Delete image from Cloudflare
edgeLogger.info('Deleting image', { action: 'delete_image', requestId: tracking.requestId });
let requestBody;
try {
requestBody = await req.json();
} catch (error: unknown) {
const errorMessage = formatEdgeError(error);
edgeLogger.error('Invalid JSON in delete request', {
error: errorMessage,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid JSON',
message: 'Request body must be valid JSON'
}),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
const { imageId } = requestBody;
if (!imageId || typeof imageId !== 'string' || imageId.trim() === '') {
return new Response(
JSON.stringify({
error: 'Invalid imageId',
message: 'imageId is required and must be a non-empty string'
}),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Validate imageId format - Cloudflare accepts UUIDs and alphanumeric IDs
// Allow: alphanumeric, hyphens, underscores (common ID formats)
// Reject: special characters that could cause injection or path traversal
const validImageIdPattern = /^[a-zA-Z0-9_-]{1,100}$/;
if (!validImageIdPattern.test(imageId)) {
return new Response(
JSON.stringify({
error: 'Invalid imageId format',
message: 'imageId must be alphanumeric with optional hyphens/underscores (max 100 chars)'
}),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
let deleteResponse;
try {
deleteResponse = await fetch(
`https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/images/v1/${imageId}`,
{
method: 'DELETE',
headers: {
'Authorization': `Bearer ${CLOUDFLARE_IMAGES_API_TOKEN}`,
},
}
)
} catch (fetchError) {
edgeLogger.error('Network error deleting image', {
error: String(fetchError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Network error',
message: 'Unable to reach Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
let deleteResult;
try {
deleteResult = await deleteResponse.json()
} catch (parseError) {
edgeLogger.error('Failed to parse Cloudflare delete response', {
error: String(parseError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid response',
message: 'Unable to parse response from Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
if (!deleteResponse.ok) {
edgeLogger.error('Cloudflare delete error', {
result: deleteResult,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Failed to delete image',
message: deleteResult.errors?.[0]?.message || deleteResult.error || 'Unknown error occurred',
details: deleteResult.errors || deleteResult.error
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
const duration = endRequest(tracking);
edgeLogger.info('Image deleted successfully', { action: 'delete_image', requestId: tracking.requestId, duration });
return new Response(
JSON.stringify({ success: true, deleted: true, requestId: tracking.requestId }),
{
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
}
if (req.method === 'POST') {
// Require authentication for POST operations
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response(
JSON.stringify({
error: 'Authentication required',
message: 'Authentication required for upload operations'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Verify JWT token
const supabase = createAuthenticatedSupabaseClient(authHeader)
const { data: { user }, error: authError } = await supabase.auth.getUser()
if (authError || !user) {
edgeLogger.error('Auth verification failed for POST', {
error: authError?.message,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid authentication',
message: 'Authentication token is invalid or expired'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Check if user is banned
const { data: profile, error: profileError } = await supabase
.from('profiles')
.select('banned')
.eq('user_id', user.id)
.single()
if (profileError || !profile) {
edgeLogger.error('Failed to fetch user profile for POST', {
error: profileError?.message,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'User profile not found',
message: 'Unable to verify user profile'
}),
{
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
if (profile.banned) {
// Report ban evasion attempt (non-blocking)
await reportBanEvasionToAlerts(supabase, user.id, 'image_upload', tracking.requestId);
const duration = endRequest(tracking);
edgeLogger.warn('Banned user blocked from image upload', {
userId: user.id,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Account suspended',
message: 'Account suspended. Contact support for assistance.',
requestId: tracking.requestId
}),
{
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
}
// Request a direct upload URL from Cloudflare
edgeLogger.info('Requesting upload URL', { action: 'request_upload_url', requestId: tracking.requestId });
let requestBody;
try {
requestBody = await req.json();
} catch (error: unknown) {
requestBody = {};
}
// Validate request body structure
if (requestBody && typeof requestBody !== 'object') {
return new Response(
JSON.stringify({
error: 'Invalid request body',
message: 'Request body must be a valid JSON object'
}),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
const { metadata = {}, variant = 'public', requireSignedURLs = false } = requestBody;
// Create FormData for the request (Cloudflare API requires multipart/form-data)
const formData = new FormData()
formData.append('requireSignedURLs', requireSignedURLs.toString())
// Add metadata to the request if provided
if (metadata && Object.keys(metadata).length > 0) {
formData.append('metadata', JSON.stringify(metadata))
}
let directUploadResponse;
try {
directUploadResponse = await fetch(
`https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/images/v2/direct_upload`,
{
method: 'POST',
headers: {
'Authorization': `Bearer ${CLOUDFLARE_IMAGES_API_TOKEN}`,
},
body: formData,
}
)
} catch (fetchError) {
edgeLogger.error('Network error getting upload URL', {
error: String(fetchError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Network error',
message: 'Unable to reach Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
let directUploadResult;
try {
directUploadResult = await directUploadResponse.json()
} catch (parseError) {
edgeLogger.error('Failed to parse Cloudflare upload response', {
error: String(parseError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid response',
message: 'Unable to parse response from Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
if (!directUploadResponse.ok) {
edgeLogger.error('Cloudflare direct upload error', {
result: directUploadResult,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Failed to get upload URL',
message: directUploadResult.errors?.[0]?.message || directUploadResult.error || 'Unable to create upload URL',
details: directUploadResult.errors || directUploadResult.error
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Return the upload URL and image ID to the client
const duration = endRequest(tracking);
edgeLogger.info('Upload URL created', { action: 'upload_url_success', requestId: tracking.requestId, duration });
return new Response(
JSON.stringify({
success: true,
uploadURL: directUploadResult.result.uploadURL,
id: directUploadResult.result.id,
requestId: tracking.requestId
}),
{
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
}
if (req.method === 'GET') {
// Require authentication for GET operations
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response(
JSON.stringify({
error: 'Authentication required',
message: 'Authentication required for image status operations'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Verify JWT token
const supabase = createAuthenticatedSupabaseClient(authHeader)
const { data: { user }, error: authError } = await supabase.auth.getUser()
if (authError || !user) {
edgeLogger.error('Auth verification failed for GET', {
error: authError?.message,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid authentication',
message: 'Authentication token is invalid or expired'
}),
{
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Check image status endpoint
const url = new URL(req.url)
const imageId = url.searchParams.get('id')
if (!imageId || imageId.trim() === '') {
return new Response(
JSON.stringify({
error: 'Missing id parameter',
message: 'id query parameter is required and must be non-empty'
}),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
let imageResponse;
try {
imageResponse = await fetch(
`https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/images/v1/${imageId}`,
{
headers: {
'Authorization': `Bearer ${CLOUDFLARE_IMAGES_API_TOKEN}`,
},
}
)
} catch (fetchError) {
edgeLogger.error('Network error fetching image status', {
error: String(fetchError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Network error',
message: 'Unable to reach Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
let imageResult;
try {
imageResult = await imageResponse.json()
} catch (parseError) {
edgeLogger.error('Failed to parse Cloudflare image status response', {
error: String(parseError),
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Invalid response',
message: 'Unable to parse response from Cloudflare Images API'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
if (!imageResponse.ok) {
edgeLogger.error('Cloudflare image status error', {
result: imageResult,
requestId: tracking.requestId
});
return new Response(
JSON.stringify({
error: 'Failed to get image status',
message: imageResult.errors?.[0]?.message || imageResult.error || 'Unable to retrieve image information',
details: imageResult.errors || imageResult.error
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
)
}
// Return the image details with convenient URLs
const result = imageResult.result
const duration = endRequest(tracking);
// Construct CDN URLs for display
const baseUrl = `https://cdn.thrillwiki.com/images/${result.id}`
edgeLogger.info('Image status retrieved', { action: 'get_image_status', requestId: tracking.requestId, duration });
return new Response(
JSON.stringify({
success: true,
id: result.id,
uploaded: result.uploaded,
variants: result.variants,
draft: result.draft,
// Provide convenient URLs using proper Cloudflare Images format
urls: result.uploaded ? {
public: `${baseUrl}/public`,
thumbnail: `${baseUrl}/thumbnail`,
medium: `${baseUrl}/medium`,
large: `${baseUrl}/large`,
avatar: `${baseUrl}/avatar`,
} : null,
requestId: tracking.requestId
}),
{
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
}
const duration = endRequest(tracking);
return new Response(
JSON.stringify({
error: 'Method not allowed',
message: 'HTTP method not supported for this endpoint',
requestId: tracking.requestId
}),
{
status: 405,
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
} catch (error: unknown) {
const duration = endRequest(tracking);
const errorMessage = error instanceof Error ? error.message : 'An unexpected error occurred';
edgeLogger.error('Upload function error', { action: 'upload_error', requestId: tracking.requestId, duration, error: errorMessage });
return new Response(
JSON.stringify({
error: 'Internal server error',
message: errorMessage,
requestId: tracking.requestId
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json', 'X-Request-ID': tracking.requestId }
}
)
}
}, uploadRateLimiter, getCorsHeaders(allowedOrigin)));
Reference in New Issue View Git Blame Copy Permalink