From a8548bddcf9c24238c5f1cd72424b547fe137486 Mon Sep 17 00:00:00 2001 From: ilia Date: Sat, 3 Jan 2026 10:19:59 -0500 Subject: [PATCH] This PR adds comprehensive photo management features, duplicate detection, attempt limits, penalty system improvements, and admin photo deletion capabilities to the MirrorMatch application. (#1) # Photo Management and Game Features ## Summary This PR adds comprehensive photo management features, duplicate detection, attempt limits, penalty system improvements, and admin photo deletion capabilities to the MirrorMatch application. ## Features Added ### 1. Duplicate Photo Detection - **File-based duplicates**: Calculates SHA256 hash of uploaded files to detect duplicate content - **URL-based duplicates**: Checks for duplicate photo URLs - Prevents users from uploading the same photo multiple times - Returns HTTP 409 (Conflict) with clear error messages ### 2. Maximum Attempts Per Photo - Uploaders can set a maximum number of guesses allowed per user for each photo - Default: unlimited (null or 0) - UI displays remaining attempts counter - API enforces attempt limits before allowing guesses - Shows warning message when max attempts reached ### 3. Penalty System Improvements - **Simplified UI**: Removed checkbox - penalty automatically enabled when penalty points > 0 - **Score protection**: Scores cannot go below 0, even with large penalties - If penalty would result in negative score, only deducts available points and sets to 0 ### 4. Admin Photo Deletion - Admins can delete photos from: - Photos list page (hover to reveal delete icon) - Individual photo detail page (delete button in header) - Deletes associated guesses automatically - Deletes local uploaded files from filesystem - Confirmation dialog before deletion - Proper error handling and user feedback ### 5. Navigation Improvements - Logout button always visible in side menu (hamburger menu) - Improved side menu layout with fixed footer for logout button - Better mobile responsiveness ### 6. Self-Guess Prevention - Users cannot guess on their own uploaded photos - Shows informative message with answer for photo owners ## Technical Changes ### Database Schema - Added `fileHash` field (String?) to Photo model for duplicate detection - Added `maxAttempts` field (Int?) to Photo model for attempt limits - Added indexes on `url` and `fileHash` for performance ### API Routes - `POST /api/photos/upload-multiple`: Enhanced with duplicate checking and maxAttempts - `POST /api/photos/[photoId]/guess`: Added maxAttempts enforcement and score floor protection - `DELETE /api/photos/[photoId]`: New route for admin photo deletion ### Components - `DeletePhotoButton`: New reusable component for photo deletion - Updated upload form to remove penalty checkbox - Enhanced photo display pages with attempt counters and admin controls ## Database Migrations - Run `npm run db:push` to apply schema changes - Run `npm run db:generate` to regenerate Prisma client ## Testing - Test duplicate detection with same file and different filenames - Test duplicate detection with same URL - Test max attempts enforcement - Test penalty system with various point values - Test score floor (cannot go below 0) - Test admin photo deletion - Test self-guess prevention ## Breaking Changes None - all changes are backward compatible. Existing photos will have `null` for `maxAttempts` (unlimited) and `fileHash` (for URL uploads). Reviewed-on: https://git.levkin.ca/ilia/mirror_match/pulls/1 --- .github/workflows/ci.yml | 35 ++++++++++++++++--------- .prisma/client | 1 - app/api/photos/[photoId]/route.ts | 2 +- app/api/photos/route.ts | 5 +++- app/api/photos/upload-multiple/route.ts | 27 ++++++++++++------- app/api/photos/upload/route.ts | 12 ++++++--- app/photos/[id]/page.tsx | 19 +++++++++----- components/Navigation.tsx | 20 +++++++------- package.json | 1 + prisma/schema.prisma | 1 - tsconfig.json | 3 +-- 11 files changed, 79 insertions(+), 47 deletions(-) delete mode 120000 .prisma/client diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fad2e5c..d2473a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,4 @@ +# CI (triggered) name: CI on: @@ -11,7 +12,7 @@ jobs: skip-ci-check: runs-on: ubuntu-latest outputs: - should-skip: ${{ steps.check.outputs.skip }} + should-skip: ${{ steps.check.outputs.skip || 'false' }} steps: - name: Check out code (for commit message) uses: actions/checkout@v4 @@ -21,6 +22,8 @@ jobs: - name: Check if CI should be skipped id: check run: | + SKIP=false + # Simple skip pattern: @skipci (case-insensitive) SKIP_PATTERN="@skipci" @@ -36,23 +39,21 @@ jobs: COMMIT_MSG=$(git log -1 --pretty=%B 2>/dev/null || echo "") fi - SKIP=0 - # Check branch name (case-insensitive) if echo "$BRANCH_NAME" | grep -qiF "$SKIP_PATTERN"; then echo "Skipping CI: branch name contains '$SKIP_PATTERN'" - SKIP=1 + SKIP=true fi # Check commit message (case-insensitive) - if [ $SKIP -eq 0 ] && [ -n "$COMMIT_MSG" ]; then + if [ "$SKIP" = "false" ] && [ -n "$COMMIT_MSG" ]; then if echo "$COMMIT_MSG" | grep -qiF "$SKIP_PATTERN"; then echo "Skipping CI: commit message contains '$SKIP_PATTERN'" - SKIP=1 + SKIP=true fi fi - echo "skip=$SKIP" >> $GITHUB_OUTPUT + echo "skip=$SKIP" >> "$GITHUB_OUTPUT" echo "Branch: $BRANCH_NAME" echo "Commit: ${COMMIT_MSG:0:50}..." echo "Skip CI: $SKIP" @@ -60,7 +61,7 @@ jobs: lint-and-type-check: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: &should_run ${{ needs.skip-ci-check.outputs.should-skip != 'true' }} container: image: node:20-bullseye steps: @@ -70,6 +71,11 @@ jobs: - name: Install dependencies run: npm ci + - name: Generate Prisma Client + run: npm run db:generate + env: + DATABASE_URL: postgresql://postgres:postgres@localhost:5432/mirrormatch?schema=public + - name: Run ESLint run: npm run lint @@ -79,7 +85,7 @@ jobs: test: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run container: image: node:20-bullseye services: @@ -127,7 +133,7 @@ jobs: build: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run container: image: node:20-bullseye steps: @@ -139,6 +145,9 @@ jobs: - name: Generate Prisma Client run: npm run db:generate + env: + # Use the same connection string we provide to the build step so Prisma can generate types + DATABASE_URL: postgresql://postgres:postgres@localhost:5432/mirrormatch?schema=public - name: Build application run: npm run build @@ -149,7 +158,7 @@ jobs: secret-scanning: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: zricethezav/gitleaks:latest @@ -169,7 +178,7 @@ jobs: dependency-scan: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: aquasec/trivy:latest @@ -203,7 +212,7 @@ jobs: sast-scan: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: ubuntu:22.04 diff --git a/.prisma/client b/.prisma/client deleted file mode 120000 index b9f4aca..0000000 --- a/.prisma/client +++ /dev/null @@ -1 +0,0 @@ -../node_modules/.prisma/client \ No newline at end of file diff --git a/app/api/photos/[photoId]/route.ts b/app/api/photos/[photoId]/route.ts index 855ded5..efac356 100644 --- a/app/api/photos/[photoId]/route.ts +++ b/app/api/photos/[photoId]/route.ts @@ -47,7 +47,7 @@ export async function DELETE( try { await unlink(filepath) } catch (error) { - console.error(`Failed to delete file ${filepath}:`, error) + console.error("Failed to delete file:", filepath, error) // Continue with database deletion even if file deletion fails } } diff --git a/app/api/photos/route.ts b/app/api/photos/route.ts index 4ed5205..e89474b 100644 --- a/app/api/photos/route.ts +++ b/app/api/photos/route.ts @@ -46,6 +46,7 @@ export async function POST(req: NextRequest) { answerName: answerName.trim(), points: pointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -72,7 +73,9 @@ export async function POST(req: NextRequest) { Promise.all( allUsers.map((user: { id: string; email: string; name: string }) => sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch( - (err) => console.error(`Failed to send email to ${user.email}:`, err) + (err) => { + console.error("Failed to send email to:", user.email, err) + } ) ) ) diff --git a/app/api/photos/upload-multiple/route.ts b/app/api/photos/upload-multiple/route.ts index a37de9c..489535e 100644 --- a/app/api/photos/upload-multiple/route.ts +++ b/app/api/photos/upload-multiple/route.ts @@ -6,7 +6,6 @@ import { writeFile } from "fs/promises" import { join } from "path" import { existsSync, mkdirSync } from "fs" import { createHash } from "crypto" -import type { Photo } from "@prisma/client" export async function POST(req: NextRequest) { try { @@ -44,7 +43,13 @@ export async function POST(req: NextRequest) { mkdirSync(uploadsDir, { recursive: true }) } - type PhotoWithUploader = Photo & { + type PhotoWithUploader = { + id: string + uploaderId: string + url: string + answerName: string + points: number + createdAt: Date uploader: { name: string } } @@ -106,6 +111,7 @@ export async function POST(req: NextRequest) { // Check for duplicate file const existingPhoto = await prisma.photo.findFirst({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any where: { fileHash } as any, }) @@ -118,9 +124,12 @@ export async function POST(req: NextRequest) { const timestamp = Date.now() const randomStr = Math.random().toString(36).substring(2, 15) - const extension = file.name.split(".").pop() || "jpg" + // Sanitize extension - only allow alphanumeric characters + const rawExtension = file.name.split(".").pop() || "jpg" + const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg" const filename = `${timestamp}-${i}-${randomStr}.${extension}` + // Filename is generated server-side (timestamp + random), safe for path.join const filepath = join(uploadsDir, filename) await writeFile(filepath, buffer) @@ -158,6 +167,7 @@ export async function POST(req: NextRequest) { penaltyEnabled: penaltyEnabled, penaltyPoints: penaltyPointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -168,7 +178,7 @@ export async function POST(req: NextRequest) { }, }) - createdPhotos.push(photo as PhotoWithUploader) + createdPhotos.push(photo) } // Send emails to all other users for all photos @@ -193,12 +203,9 @@ export async function POST(req: NextRequest) { user.name, photo.id, photo.uploader.name - ).catch((err) => - console.error( - `Failed to send email to ${user.email} for photo ${photo.id}:`, - err - ) - ) + ).catch((err) => { + console.error("Failed to send email to:", user.email, "for photo:", photo.id, err) + }) ) ) ) diff --git a/app/api/photos/upload/route.ts b/app/api/photos/upload/route.ts index c883f05..76afdc2 100644 --- a/app/api/photos/upload/route.ts +++ b/app/api/photos/upload/route.ts @@ -62,6 +62,7 @@ export async function POST(req: NextRequest) { // Check for duplicate file const existingPhoto = await prisma.photo.findFirst({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any where: { fileHash } as any, }) @@ -75,7 +76,9 @@ export async function POST(req: NextRequest) { // Generate unique filename const timestamp = Date.now() const randomStr = Math.random().toString(36).substring(2, 15) - const extension = file.name.split(".").pop() || "jpg" + // Sanitize extension - only allow alphanumeric characters + const rawExtension = file.name.split(".").pop() || "jpg" + const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg" const filename = `${timestamp}-${randomStr}.${extension}` // Ensure uploads directory exists @@ -84,7 +87,7 @@ export async function POST(req: NextRequest) { mkdirSync(uploadsDir, { recursive: true }) } - // Save file + // Filename is generated server-side (timestamp + random), safe for path.join const filepath = join(uploadsDir, filename) await writeFile(filepath, buffer) @@ -122,6 +125,7 @@ export async function POST(req: NextRequest) { answerName: answerName.trim(), points: pointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -148,7 +152,9 @@ export async function POST(req: NextRequest) { Promise.all( allUsers.map((user: { id: string; email: string; name: string }) => sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch( - (err) => console.error(`Failed to send email to ${user.email}:`, err) + (err) => { + console.error("Failed to send email to:", user.email, err) + } ) ) ) diff --git a/app/photos/[id]/page.tsx b/app/photos/[id]/page.tsx index 7240bf2..9c74940 100644 --- a/app/photos/[id]/page.tsx +++ b/app/photos/[id]/page.tsx @@ -49,10 +49,17 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri const hasCorrectGuess = userGuess?.correct || false const isOwner = photo.uploaderId === session.user.id + // Type assertion for new fields (penaltyEnabled, penaltyPoints, maxAttempts) + type PhotoWithNewFields = typeof photo & { + penaltyEnabled: boolean + penaltyPoints: number + maxAttempts: number | null + } + const photoWithFields = photo as PhotoWithNewFields + // Calculate remaining attempts - const photoWithMaxAttempts = photo as typeof photo & { maxAttempts: number | null | undefined } const userGuessCount = photo.guesses.length - const maxAttempts = photoWithMaxAttempts.maxAttempts ?? null + const maxAttempts = photoWithFields.maxAttempts ?? null const remainingAttempts = maxAttempts !== null && maxAttempts > 0 ? Math.max(0, maxAttempts - userGuessCount) : null @@ -77,9 +84,9 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri +{photo.points} {photo.points === 1 ? "point" : "points"} if correct - {(photo as any).penaltyEnabled && (photo as any).penaltyPoints > 0 && ( + {photoWithFields.penaltyEnabled && photoWithFields.penaltyPoints > 0 && ( - -{(photo as any).penaltyPoints} {(photo as any).penaltyPoints === 1 ? "point" : "points"} if wrong + -{photoWithFields.penaltyPoints} {photoWithFields.penaltyPoints === 1 ? "point" : "points"} if wrong )} {maxAttempts !== null && maxAttempts > 0 && ( @@ -117,9 +124,9 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri

Your last guess: {userGuess.guessText}

- {(photo as any).penaltyEnabled && (photo as any).penaltyPoints > 0 && ( + {photoWithFields.penaltyEnabled && photoWithFields.penaltyPoints > 0 && (

- You lost {(photo as any).penaltyPoints} {(photo as any).penaltyPoints === 1 ? "point" : "points"} for this wrong guess. + You lost {photoWithFields.penaltyPoints} {photoWithFields.penaltyPoints === 1 ? "point" : "points"} for this wrong guess.

)} diff --git a/components/Navigation.tsx b/components/Navigation.tsx index 0e4727c..0e67ddf 100644 --- a/components/Navigation.tsx +++ b/components/Navigation.tsx @@ -29,14 +29,14 @@ export default function Navigation() { return ( <> -