ilia/mirror_match
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mirror_match/app/api/photos/upload/route.ts
ilia df865dca41
All checks were successful
CI / skip-ci-check (push) Successful in 1m25s
Details
CI / lint-and-type-check (push) Successful in 1m50s
Details
CI / test (push) Successful in 1m54s
Details
CI / build (push) Successful in 1m54s
Details
CI / secret-scanning (push) Successful in 1m26s
Details
CI / dependency-scan (push) Successful in 1m31s
Details
CI / sast-scan (push) Successful in 2m34s
Details
CI / workflow-summary (push) Successful in 1m23s
Details
This MR fixes critical authentication issues that prevented login on localhost and improves the developer experience with consolidated rebuild scripts and a working help modal keyboard shortcut. (#5) 
# Fix authentication issues and improve developer experience

## Summary

This MR fixes critical authentication issues that prevented login on localhost and improves the developer experience with consolidated rebuild scripts and a working help modal keyboard shortcut.

## Problems Fixed

### 1. Authentication Issues
- **UntrustedHost Error**: NextAuth v5 was rejecting localhost requests with "UntrustedHost: Host must be trusted" error
- **Cookie Prefix Errors**: Cookies were being set with `__Host-` and `__Secure-` prefixes on HTTP (localhost), causing browser rejection
- **MissingCSRF Error**: CSRF token cookies were not being set correctly due to cookie configuration issues

### 2. Help Modal Keyboard Shortcut
- **Shift+? not working**: The help modal keyboard shortcut was not detecting the question mark key correctly

### 3. Developer Experience
- **Multiple rebuild scripts**: Had several overlapping rebuild scripts that were confusing
- **Unused code**: Removed unused `useSecureCookies` variable and misleading comments

## Changes Made

### Authentication Fixes (`lib/auth.ts`)
- Set `trustHost: true` to fix UntrustedHost error (required for NextAuth v5)
- Added explicit cookie configuration for HTTP (localhost) to prevent prefix errors:
  - Cookies use `secure: false` for HTTP
  - Cookie names without prefixes for HTTP
  - Let Auth.js defaults handle HTTPS (with prefixes and Secure flag)
- Removed unused `useSecureCookies` variable
- Simplified debug logging

### Help Modal Fix (`components/HelpModal.tsx`)
- Fixed keyboard shortcut detection to properly handle Shift+? (Shift+/)
- Updated help text to show correct shortcut (Shift+? instead of Ctrl+?)

### Developer Scripts
- **Consolidated rebuild scripts**: Merged `CLEAN_REBUILD.sh`, `FIX_AND_RESTART.sh`, and `start-server.sh` into single `rebuild.sh`
- **Added REBUILD.md**: Documentation for rebuild process
- Removed redundant script files

### Code Cleanup
- Removed unused `useSecureCookies` variable from `lib/auth.ts`
- Removed misleading comment from `app/api/auth/[...nextauth]/route.ts`
- Cleaned up verbose debug logging

## Technical Details

### Cookie Configuration
The fix works by explicitly configuring cookies for HTTP environments:
- **HTTP (localhost)**: Cookies without prefixes, `secure: false`
- **HTTPS (production)**: Let Auth.js defaults handle (prefixes + Secure flag)

This prevents NextAuth v5 from auto-detecting HTTPS from proxy headers and incorrectly adding cookie prefixes.

### Keyboard Shortcut
The question mark key requires Shift+/ on most keyboards. The fix now properly detects:
- `event.shiftKey && event.key === "/"`
- `event.key === "?"` (fallback)
- `event.code === "Slash" && event.shiftKey` (additional fallback)

## Testing

-  Login works on localhost (http://localhost:3000)
-  No cookie prefix errors in browser console
-  No UntrustedHost errors in server logs
-  Help modal opens/closes with Shift+?
-  Rebuild script works in both dev and prod modes

## Files Changed

### Modified
- `lib/auth.ts` - Authentication configuration fixes
- `components/HelpModal.tsx` - Keyboard shortcut fix
- `app/api/auth/[...nextauth]/route.ts` - Removed misleading comment

### Added
- `rebuild.sh` - Consolidated rebuild script
- `REBUILD.md` - Rebuild documentation

## Migration Notes

No database migrations or environment variable changes required. The fix works with existing configuration.

## Related Issues

Fixes authentication issues preventing local development and testing.

Reviewed-on: #5
2026-01-05 19:42:46 -05:00

215 lines
6.6 KiB
TypeScript
Raw Permalink Blame History

import { NextRequest, NextResponse } from "next/server"
import { auth } from "@/lib/auth"
import { prisma } from "@/lib/prisma"
import { sendNewPhotoEmail } from "@/lib/email"
import { logActivity } from "@/lib/activity-log"
import { logger } from "@/lib/logger"
import { writeFile } from "fs/promises"
import { join } from "path"
import { existsSync, mkdirSync } from "fs"
import { createHash } from "crypto"
// Mark this route as dynamic to prevent build-time data collection
export const dynamic = "force-dynamic"
export async function POST(req: NextRequest) {
try {
const session = await auth()
if (!session) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
}
const formData = await req.formData()
const file = formData.get("file") as File | null
const answerName = formData.get("answerName") as string | null
const pointsStr = formData.get("points") as string | null
const maxAttemptsStr = (formData.get("maxAttempts") as string)?.trim() || ""
if (!answerName) {
return NextResponse.json(
{ error: "Answer name is required" },
{ status: 400 }
)
}
// Validate points (must be positive integer, default to 1)
const pointsValue = pointsStr ? Math.max(1, parseInt(pointsStr, 10)) : 1
const maxAttemptsValue = maxAttemptsStr && parseInt(maxAttemptsStr, 10) > 0
? parseInt(maxAttemptsStr, 10)
: null
let photoUrl: string
let fileHash: string | null = null
if (file) {
// Handle file upload
if (!file.type.startsWith("image/")) {
return NextResponse.json(
{ error: "File must be an image" },
{ status: 400 }
)
}
// Check file size (max 10MB)
if (file.size > 10 * 1024 * 1024) {
return NextResponse.json(
{ error: "File size must be less than 10MB" },
{ status: 400 }
)
}
const bytes = await file.arrayBuffer()
const buffer = Buffer.from(bytes)
// Calculate SHA256 hash for duplicate detection
fileHash = createHash("sha256").update(buffer).digest("hex")
// Check for duplicate file
const existingPhoto = await prisma.photo.findFirst({
// eslint-disable-next-line @typescript-eslint/no-explicit-any
where: { fileHash } as any,
})
if (existingPhoto) {
return NextResponse.json(
{ error: "This photo has already been uploaded (duplicate file detected)" },
{ status: 409 }
)
}
// Generate unique filename
const timestamp = Date.now()
const randomStr = Math.random().toString(36).substring(2, 15)
// Sanitize extension - only allow alphanumeric characters
const rawExtension = file.name.split(".").pop() || "jpg"
const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg"
const filename = `${timestamp}-${randomStr}.${extension}`
// Ensure uploads directory exists
const uploadsDir = join(process.cwd(), "public", "uploads")
if (!existsSync(uploadsDir)) {
mkdirSync(uploadsDir, { recursive: true })
// DEBUG level: directory creation is normal operation
logger.debug("Created uploads directory", { path: uploadsDir })
}
console.log(`[UPLOAD] Using uploads directory: ${uploadsDir} (exists: ${existsSync(uploadsDir)})`)
// Filename is generated server-side (timestamp + random), safe for path.join
const filepath = join(uploadsDir, filename)
await writeFile(filepath, buffer)
// Verify file was written successfully
const { access } = await import("fs/promises")
try {
await access(filepath)
// DEBUG level: file save verification is normal operation
logger.debug("File saved successfully", { filepath })
} catch (error) {
// ERROR level: file write failure is an error condition
logger.error("File write verification failed", {
filepath,
error: error instanceof Error ? error : new Error(String(error)),
})
throw new Error("Failed to save file to disk")
}
// Set URL to the uploaded file - use API route to ensure it's accessible
photoUrl = `/api/uploads/${filename}`
} else {
// Handle URL upload (fallback)
const url = formData.get("url") as string | null
if (!url) {
return NextResponse.json(
{ error: "Either file or URL is required" },
{ status: 400 }
)
}
photoUrl = url
// Check for duplicate URL
const existingPhoto = await prisma.photo.findFirst({
where: { url: photoUrl },
})
if (existingPhoto) {
return NextResponse.json(
{ error: "This photo URL has already been uploaded (duplicate URL detected)" },
{ status: 409 }
)
}
}
const photo = await prisma.photo.create({
data: {
uploaderId: session.user.id,
url: photoUrl,
fileHash,
answerName: answerName.trim(),
points: pointsValue,
maxAttempts: maxAttemptsValue,
// eslint-disable-next-line @typescript-eslint/no-explicit-any
} as any,
include: {
uploader: {
select: {
name: true,
},
},
},
})
// Send emails to all other users
const allUsers = await prisma.user.findMany({
where: {
id: { not: session.user.id },
},
select: {
id: true,
email: true,
name: true,
},
})
// Send emails asynchronously (don't wait for them)
Promise.all(
allUsers.map((user: { id: string; email: string; name: string }) =>
sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch(
(err) => {
logger.error("Failed to send email", {
email: user.email,
photoId: photo.id,
error: err instanceof Error ? err : new Error(String(err)),
})
}
)
)
)
// Log photo upload activity
logActivity(
"PHOTO_UPLOAD",
"/api/photos/upload",
"POST",
session.user,
{
photoId: photo.id,
answerName: photo.answerName,
points: photo.points,
filename: photoUrl.split("/").pop()
},
req
)
return NextResponse.json({ photo }, { status: 201 })
} catch (error) {
logger.error("Error uploading photo", {
error: error instanceof Error ? error : new Error(String(error)),
})
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
)
}
}
Reference in New Issue View Git Blame Copy Permalink