ilia
df865dca41
All checks were successful
CI / skip-ci-check (push) Successful in 1m25s
CI / lint-and-type-check (push) Successful in 1m50s
CI / test (push) Successful in 1m54s
CI / build (push) Successful in 1m54s
CI / secret-scanning (push) Successful in 1m26s
CI / dependency-scan (push) Successful in 1m31s
CI / sast-scan (push) Successful in 2m34s
CI / workflow-summary (push) Successful in 1m23s
# Fix authentication issues and improve developer experience ## Summary This MR fixes critical authentication issues that prevented login on localhost and improves the developer experience with consolidated rebuild scripts and a working help modal keyboard shortcut. ## Problems Fixed ### 1. Authentication Issues - **UntrustedHost Error**: NextAuth v5 was rejecting localhost requests with "UntrustedHost: Host must be trusted" error - **Cookie Prefix Errors**: Cookies were being set with `__Host-` and `__Secure-` prefixes on HTTP (localhost), causing browser rejection - **MissingCSRF Error**: CSRF token cookies were not being set correctly due to cookie configuration issues ### 2. Help Modal Keyboard Shortcut - **Shift+? not working**: The help modal keyboard shortcut was not detecting the question mark key correctly ### 3. Developer Experience - **Multiple rebuild scripts**: Had several overlapping rebuild scripts that were confusing - **Unused code**: Removed unused `useSecureCookies` variable and misleading comments ## Changes Made ### Authentication Fixes (`lib/auth.ts`) - Set `trustHost: true` to fix UntrustedHost error (required for NextAuth v5) - Added explicit cookie configuration for HTTP (localhost) to prevent prefix errors: - Cookies use `secure: false` for HTTP - Cookie names without prefixes for HTTP - Let Auth.js defaults handle HTTPS (with prefixes and Secure flag) - Removed unused `useSecureCookies` variable - Simplified debug logging ### Help Modal Fix (`components/HelpModal.tsx`) - Fixed keyboard shortcut detection to properly handle Shift+? (Shift+/) - Updated help text to show correct shortcut (Shift+? instead of Ctrl+?) ### Developer Scripts - **Consolidated rebuild scripts**: Merged `CLEAN_REBUILD.sh`, `FIX_AND_RESTART.sh`, and `start-server.sh` into single `rebuild.sh` - **Added REBUILD.md**: Documentation for rebuild process - Removed redundant script files ### Code Cleanup - Removed unused `useSecureCookies` variable from `lib/auth.ts` - Removed misleading comment from `app/api/auth/[...nextauth]/route.ts` - Cleaned up verbose debug logging ## Technical Details ### Cookie Configuration The fix works by explicitly configuring cookies for HTTP environments: - **HTTP (localhost)**: Cookies without prefixes, `secure: false` - **HTTPS (production)**: Let Auth.js defaults handle (prefixes + Secure flag) This prevents NextAuth v5 from auto-detecting HTTPS from proxy headers and incorrectly adding cookie prefixes. ### Keyboard Shortcut The question mark key requires Shift+/ on most keyboards. The fix now properly detects: - `event.shiftKey && event.key === "/"` - `event.key === "?"` (fallback) - `event.code === "Slash" && event.shiftKey` (additional fallback) ## Testing - ✅ Login works on localhost (http://localhost:3000) - ✅ No cookie prefix errors in browser console - ✅ No UntrustedHost errors in server logs - ✅ Help modal opens/closes with Shift+? - ✅ Rebuild script works in both dev and prod modes ## Files Changed ### Modified - `lib/auth.ts` - Authentication configuration fixes - `components/HelpModal.tsx` - Keyboard shortcut fix - `app/api/auth/[...nextauth]/route.ts` - Removed misleading comment ### Added - `rebuild.sh` - Consolidated rebuild script - `REBUILD.md` - Rebuild documentation ## Migration Notes No database migrations or environment variable changes required. The fix works with existing configuration. ## Related Issues Fixes authentication issues preventing local development and testing. Reviewed-on: #5
259 lines
8.0 KiB
TypeScript
259 lines
8.0 KiB
TypeScript
/**
|
|
* Multiple Photo Upload Endpoint
|
|
*
|
|
* POST /api/photos/upload-multiple
|
|
*
|
|
* Uploads multiple photos in a single request. Supports both file uploads and URL-based uploads.
|
|
*
|
|
* This endpoint is used by the upload page for batch uploads. It processes multiple photos
|
|
* in parallel and sends email notifications for all successfully uploaded photos.
|
|
*
|
|
* Form Data:
|
|
* - photo_{index}_file: File object (optional, if using file upload)
|
|
* - photo_{index}_url: URL string (optional, if using URL upload)
|
|
* - photo_{index}_answerName: Answer name (required)
|
|
* - photo_{index}_points: Points value (optional, defaults to 1)
|
|
* - photo_{index}_penaltyEnabled: "true" or "false" (optional)
|
|
* - photo_{index}_penaltyPoints: Penalty points (optional)
|
|
* - photo_{index}_maxAttempts: Maximum attempts (optional)
|
|
* - count: Number of photos being uploaded
|
|
*
|
|
* Related endpoints:
|
|
* - POST /api/photos/upload - Single photo upload (supports both file and URL)
|
|
*/
|
|
import { NextRequest, NextResponse } from "next/server"
|
|
import { auth } from "@/lib/auth"
|
|
import { prisma } from "@/lib/prisma"
|
|
import { sendNewPhotoEmail } from "@/lib/email"
|
|
import { logger } from "@/lib/logger"
|
|
import { writeFile } from "fs/promises"
|
|
import { join } from "path"
|
|
import { existsSync, mkdirSync } from "fs"
|
|
import { createHash } from "crypto"
|
|
|
|
// Mark this route as dynamic to prevent build-time data collection
|
|
export const dynamic = "force-dynamic"
|
|
|
|
export async function POST(req: NextRequest) {
|
|
try {
|
|
const session = await auth()
|
|
|
|
if (!session) {
|
|
return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
|
|
}
|
|
|
|
// Verify the user exists in the database
|
|
const user = await prisma.user.findUnique({
|
|
where: { id: session.user.id },
|
|
select: { id: true },
|
|
})
|
|
|
|
if (!user) {
|
|
return NextResponse.json(
|
|
{ error: "User not found. Please log out and log back in." },
|
|
{ status: 401 }
|
|
)
|
|
}
|
|
|
|
const formData = await req.formData()
|
|
const count = parseInt(formData.get("count") as string, 10)
|
|
|
|
if (!count || count < 1) {
|
|
return NextResponse.json(
|
|
{ error: "Invalid photo count" },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const uploadsDir = join(process.cwd(), "public", "uploads")
|
|
if (!existsSync(uploadsDir)) {
|
|
mkdirSync(uploadsDir, { recursive: true })
|
|
}
|
|
|
|
type PhotoWithUploader = {
|
|
id: string
|
|
uploaderId: string
|
|
url: string
|
|
answerName: string
|
|
points: number
|
|
createdAt: Date
|
|
uploader: { name: string }
|
|
}
|
|
|
|
const createdPhotos: PhotoWithUploader[] = []
|
|
|
|
for (let i = 0; i < count; i++) {
|
|
const answerName = (formData.get(`photo_${i}_answerName`) as string)?.trim()
|
|
const pointsStr = (formData.get(`photo_${i}_points`) as string) || "1"
|
|
const pointsValue = Math.max(1, parseInt(pointsStr, 10))
|
|
const penaltyEnabled = formData.get(`photo_${i}_penaltyEnabled`) === "true"
|
|
const penaltyPointsStr = (formData.get(`photo_${i}_penaltyPoints`) as string) || "0"
|
|
const penaltyPointsValue = Math.max(0, parseInt(penaltyPointsStr, 10))
|
|
const maxAttemptsStr = (formData.get(`photo_${i}_maxAttempts`) as string)?.trim() || ""
|
|
const maxAttemptsValue = maxAttemptsStr && parseInt(maxAttemptsStr, 10) > 0
|
|
? parseInt(maxAttemptsStr, 10)
|
|
: null
|
|
|
|
if (!answerName) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: Answer name is required` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const file = formData.get(`photo_${i}_file`) as File | null
|
|
const url = (formData.get(`photo_${i}_url`) as string)?.trim() || null
|
|
|
|
if (!file && !url) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: File or URL is required` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
let photoUrl: string
|
|
let fileHash: string | null = null
|
|
|
|
if (file) {
|
|
// Handle file upload
|
|
if (!file.type.startsWith("image/")) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: File must be an image` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
if (file.size > 10 * 1024 * 1024) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: File size must be less than 10MB` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const bytes = await file.arrayBuffer()
|
|
const buffer = Buffer.from(bytes)
|
|
|
|
// Calculate SHA256 hash for duplicate detection
|
|
fileHash = createHash("sha256").update(buffer).digest("hex")
|
|
|
|
// Check for duplicate file
|
|
const existingPhoto = await prisma.photo.findFirst({
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
where: { fileHash } as any,
|
|
})
|
|
|
|
if (existingPhoto) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: This photo has already been uploaded (duplicate file detected)` },
|
|
{ status: 409 }
|
|
)
|
|
}
|
|
|
|
const timestamp = Date.now()
|
|
const randomStr = Math.random().toString(36).substring(2, 15)
|
|
// Sanitize extension - only allow alphanumeric characters
|
|
const rawExtension = file.name.split(".").pop() || "jpg"
|
|
const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg"
|
|
const filename = `${timestamp}-${i}-${randomStr}.${extension}`
|
|
|
|
// Filename is generated server-side (timestamp + random), safe for path.join
|
|
const filepath = join(uploadsDir, filename)
|
|
await writeFile(filepath, buffer)
|
|
|
|
photoUrl = `/api/uploads/${filename}`
|
|
} else if (url) {
|
|
// Handle URL upload
|
|
photoUrl = url
|
|
|
|
// Check for duplicate URL
|
|
const existingPhoto = await prisma.photo.findFirst({
|
|
where: { url: photoUrl },
|
|
})
|
|
|
|
if (existingPhoto) {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: This photo URL has already been uploaded (duplicate URL detected)` },
|
|
{ status: 409 }
|
|
)
|
|
}
|
|
} else {
|
|
return NextResponse.json(
|
|
{ error: `Photo ${i + 1}: File or URL is required` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
// Create photo record
|
|
const photo = await prisma.photo.create({
|
|
data: {
|
|
uploaderId: session.user.id,
|
|
url: photoUrl,
|
|
fileHash,
|
|
answerName,
|
|
points: pointsValue,
|
|
penaltyEnabled: penaltyEnabled,
|
|
penaltyPoints: penaltyPointsValue,
|
|
maxAttempts: maxAttemptsValue,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
} as any,
|
|
include: {
|
|
uploader: {
|
|
select: {
|
|
name: true,
|
|
},
|
|
},
|
|
},
|
|
})
|
|
|
|
createdPhotos.push(photo)
|
|
}
|
|
|
|
// Send emails to all other users for all photos
|
|
const allUsers = await prisma.user.findMany({
|
|
where: {
|
|
id: { not: session.user.id },
|
|
},
|
|
select: {
|
|
id: true,
|
|
email: true,
|
|
name: true,
|
|
},
|
|
})
|
|
|
|
// Send emails asynchronously for all photos
|
|
Promise.all(
|
|
allUsers.map((user: { id: string; email: string; name: string }) =>
|
|
Promise.all(
|
|
createdPhotos.map((photo: PhotoWithUploader) =>
|
|
sendNewPhotoEmail(
|
|
user.email,
|
|
user.name,
|
|
photo.id,
|
|
photo.uploader.name
|
|
).catch((err) => {
|
|
logger.error("Failed to send email", {
|
|
email: user.email,
|
|
photoId: photo.id,
|
|
error: err instanceof Error ? err : new Error(String(err)),
|
|
})
|
|
})
|
|
)
|
|
)
|
|
)
|
|
)
|
|
|
|
return NextResponse.json(
|
|
{ photos: createdPhotos, count: createdPhotos.length },
|
|
{ status: 201 }
|
|
)
|
|
} catch (error) {
|
|
logger.error("Error uploading photos", {
|
|
error: error instanceof Error ? error : new Error(String(error)),
|
|
})
|
|
return NextResponse.json(
|
|
{ error: "Internal server error" },
|
|
{ status: 500 }
|
|
)
|
|
}
|
|
}
|