diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fad2e5c..d2473a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,4 @@ +# CI (triggered) name: CI on: @@ -11,7 +12,7 @@ jobs: skip-ci-check: runs-on: ubuntu-latest outputs: - should-skip: ${{ steps.check.outputs.skip }} + should-skip: ${{ steps.check.outputs.skip || 'false' }} steps: - name: Check out code (for commit message) uses: actions/checkout@v4 @@ -21,6 +22,8 @@ jobs: - name: Check if CI should be skipped id: check run: | + SKIP=false + # Simple skip pattern: @skipci (case-insensitive) SKIP_PATTERN="@skipci" @@ -36,23 +39,21 @@ jobs: COMMIT_MSG=$(git log -1 --pretty=%B 2>/dev/null || echo "") fi - SKIP=0 - # Check branch name (case-insensitive) if echo "$BRANCH_NAME" | grep -qiF "$SKIP_PATTERN"; then echo "Skipping CI: branch name contains '$SKIP_PATTERN'" - SKIP=1 + SKIP=true fi # Check commit message (case-insensitive) - if [ $SKIP -eq 0 ] && [ -n "$COMMIT_MSG" ]; then + if [ "$SKIP" = "false" ] && [ -n "$COMMIT_MSG" ]; then if echo "$COMMIT_MSG" | grep -qiF "$SKIP_PATTERN"; then echo "Skipping CI: commit message contains '$SKIP_PATTERN'" - SKIP=1 + SKIP=true fi fi - echo "skip=$SKIP" >> $GITHUB_OUTPUT + echo "skip=$SKIP" >> "$GITHUB_OUTPUT" echo "Branch: $BRANCH_NAME" echo "Commit: ${COMMIT_MSG:0:50}..." echo "Skip CI: $SKIP" @@ -60,7 +61,7 @@ jobs: lint-and-type-check: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: &should_run ${{ needs.skip-ci-check.outputs.should-skip != 'true' }} container: image: node:20-bullseye steps: @@ -70,6 +71,11 @@ jobs: - name: Install dependencies run: npm ci + - name: Generate Prisma Client + run: npm run db:generate + env: + DATABASE_URL: postgresql://postgres:postgres@localhost:5432/mirrormatch?schema=public + - name: Run ESLint run: npm run lint @@ -79,7 +85,7 @@ jobs: test: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run container: image: node:20-bullseye services: @@ -127,7 +133,7 @@ jobs: build: needs: skip-ci-check runs-on: ubuntu-latest - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run container: image: node:20-bullseye steps: @@ -139,6 +145,9 @@ jobs: - name: Generate Prisma Client run: npm run db:generate + env: + # Use the same connection string we provide to the build step so Prisma can generate types + DATABASE_URL: postgresql://postgres:postgres@localhost:5432/mirrormatch?schema=public - name: Build application run: npm run build @@ -149,7 +158,7 @@ jobs: secret-scanning: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: zricethezav/gitleaks:latest @@ -169,7 +178,7 @@ jobs: dependency-scan: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: aquasec/trivy:latest @@ -203,7 +212,7 @@ jobs: sast-scan: needs: skip-ci-check - if: needs.skip-ci-check.outputs.should-skip != '1' + if: *should_run runs-on: ubuntu-latest container: image: ubuntu:22.04 diff --git a/.prisma/client b/.prisma/client deleted file mode 120000 index b9f4aca..0000000 --- a/.prisma/client +++ /dev/null @@ -1 +0,0 @@ -../node_modules/.prisma/client \ No newline at end of file diff --git a/app/api/photos/[photoId]/route.ts b/app/api/photos/[photoId]/route.ts index 855ded5..efac356 100644 --- a/app/api/photos/[photoId]/route.ts +++ b/app/api/photos/[photoId]/route.ts @@ -47,7 +47,7 @@ export async function DELETE( try { await unlink(filepath) } catch (error) { - console.error(`Failed to delete file ${filepath}:`, error) + console.error("Failed to delete file:", filepath, error) // Continue with database deletion even if file deletion fails } } diff --git a/app/api/photos/route.ts b/app/api/photos/route.ts index 4ed5205..e89474b 100644 --- a/app/api/photos/route.ts +++ b/app/api/photos/route.ts @@ -46,6 +46,7 @@ export async function POST(req: NextRequest) { answerName: answerName.trim(), points: pointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -72,7 +73,9 @@ export async function POST(req: NextRequest) { Promise.all( allUsers.map((user: { id: string; email: string; name: string }) => sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch( - (err) => console.error(`Failed to send email to ${user.email}:`, err) + (err) => { + console.error("Failed to send email to:", user.email, err) + } ) ) ) diff --git a/app/api/photos/upload-multiple/route.ts b/app/api/photos/upload-multiple/route.ts index a37de9c..489535e 100644 --- a/app/api/photos/upload-multiple/route.ts +++ b/app/api/photos/upload-multiple/route.ts @@ -6,7 +6,6 @@ import { writeFile } from "fs/promises" import { join } from "path" import { existsSync, mkdirSync } from "fs" import { createHash } from "crypto" -import type { Photo } from "@prisma/client" export async function POST(req: NextRequest) { try { @@ -44,7 +43,13 @@ export async function POST(req: NextRequest) { mkdirSync(uploadsDir, { recursive: true }) } - type PhotoWithUploader = Photo & { + type PhotoWithUploader = { + id: string + uploaderId: string + url: string + answerName: string + points: number + createdAt: Date uploader: { name: string } } @@ -106,6 +111,7 @@ export async function POST(req: NextRequest) { // Check for duplicate file const existingPhoto = await prisma.photo.findFirst({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any where: { fileHash } as any, }) @@ -118,9 +124,12 @@ export async function POST(req: NextRequest) { const timestamp = Date.now() const randomStr = Math.random().toString(36).substring(2, 15) - const extension = file.name.split(".").pop() || "jpg" + // Sanitize extension - only allow alphanumeric characters + const rawExtension = file.name.split(".").pop() || "jpg" + const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg" const filename = `${timestamp}-${i}-${randomStr}.${extension}` + // Filename is generated server-side (timestamp + random), safe for path.join const filepath = join(uploadsDir, filename) await writeFile(filepath, buffer) @@ -158,6 +167,7 @@ export async function POST(req: NextRequest) { penaltyEnabled: penaltyEnabled, penaltyPoints: penaltyPointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -168,7 +178,7 @@ export async function POST(req: NextRequest) { }, }) - createdPhotos.push(photo as PhotoWithUploader) + createdPhotos.push(photo) } // Send emails to all other users for all photos @@ -193,12 +203,9 @@ export async function POST(req: NextRequest) { user.name, photo.id, photo.uploader.name - ).catch((err) => - console.error( - `Failed to send email to ${user.email} for photo ${photo.id}:`, - err - ) - ) + ).catch((err) => { + console.error("Failed to send email to:", user.email, "for photo:", photo.id, err) + }) ) ) ) diff --git a/app/api/photos/upload/route.ts b/app/api/photos/upload/route.ts index c883f05..76afdc2 100644 --- a/app/api/photos/upload/route.ts +++ b/app/api/photos/upload/route.ts @@ -62,6 +62,7 @@ export async function POST(req: NextRequest) { // Check for duplicate file const existingPhoto = await prisma.photo.findFirst({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any where: { fileHash } as any, }) @@ -75,7 +76,9 @@ export async function POST(req: NextRequest) { // Generate unique filename const timestamp = Date.now() const randomStr = Math.random().toString(36).substring(2, 15) - const extension = file.name.split(".").pop() || "jpg" + // Sanitize extension - only allow alphanumeric characters + const rawExtension = file.name.split(".").pop() || "jpg" + const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg" const filename = `${timestamp}-${randomStr}.${extension}` // Ensure uploads directory exists @@ -84,7 +87,7 @@ export async function POST(req: NextRequest) { mkdirSync(uploadsDir, { recursive: true }) } - // Save file + // Filename is generated server-side (timestamp + random), safe for path.join const filepath = join(uploadsDir, filename) await writeFile(filepath, buffer) @@ -122,6 +125,7 @@ export async function POST(req: NextRequest) { answerName: answerName.trim(), points: pointsValue, maxAttempts: maxAttemptsValue, + // eslint-disable-next-line @typescript-eslint/no-explicit-any } as any, include: { uploader: { @@ -148,7 +152,9 @@ export async function POST(req: NextRequest) { Promise.all( allUsers.map((user: { id: string; email: string; name: string }) => sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch( - (err) => console.error(`Failed to send email to ${user.email}:`, err) + (err) => { + console.error("Failed to send email to:", user.email, err) + } ) ) ) diff --git a/app/photos/[id]/page.tsx b/app/photos/[id]/page.tsx index 7240bf2..9c74940 100644 --- a/app/photos/[id]/page.tsx +++ b/app/photos/[id]/page.tsx @@ -49,10 +49,17 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri const hasCorrectGuess = userGuess?.correct || false const isOwner = photo.uploaderId === session.user.id + // Type assertion for new fields (penaltyEnabled, penaltyPoints, maxAttempts) + type PhotoWithNewFields = typeof photo & { + penaltyEnabled: boolean + penaltyPoints: number + maxAttempts: number | null + } + const photoWithFields = photo as PhotoWithNewFields + // Calculate remaining attempts - const photoWithMaxAttempts = photo as typeof photo & { maxAttempts: number | null | undefined } const userGuessCount = photo.guesses.length - const maxAttempts = photoWithMaxAttempts.maxAttempts ?? null + const maxAttempts = photoWithFields.maxAttempts ?? null const remainingAttempts = maxAttempts !== null && maxAttempts > 0 ? Math.max(0, maxAttempts - userGuessCount) : null @@ -77,9 +84,9 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri +{photo.points} {photo.points === 1 ? "point" : "points"} if correct - {(photo as any).penaltyEnabled && (photo as any).penaltyPoints > 0 && ( + {photoWithFields.penaltyEnabled && photoWithFields.penaltyPoints > 0 && ( - -{(photo as any).penaltyPoints} {(photo as any).penaltyPoints === 1 ? "point" : "points"} if wrong + -{photoWithFields.penaltyPoints} {photoWithFields.penaltyPoints === 1 ? "point" : "points"} if wrong )} {maxAttempts !== null && maxAttempts > 0 && ( @@ -117,9 +124,9 @@ export default async function PhotoPage({ params }: { params: Promise<{ id: stri

Your last guess: {userGuess.guessText}

- {(photo as any).penaltyEnabled && (photo as any).penaltyPoints > 0 && ( + {photoWithFields.penaltyEnabled && photoWithFields.penaltyPoints > 0 && (

- You lost {(photo as any).penaltyPoints} {(photo as any).penaltyPoints === 1 ? "point" : "points"} for this wrong guess. + You lost {photoWithFields.penaltyPoints} {photoWithFields.penaltyPoints === 1 ? "point" : "points"} for this wrong guess.

)} diff --git a/components/Navigation.tsx b/components/Navigation.tsx index 0e4727c..0e67ddf 100644 --- a/components/Navigation.tsx +++ b/components/Navigation.tsx @@ -29,14 +29,14 @@ export default function Navigation() { return ( <> -