admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security & robustness hardening pass

Browse Source 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
This commit is contained in:
Leon Serfaty
2026-06-20 20:59:03 -04:00
parent cd1d6a1a28
commit 51c541ad22
21 changed files with 489 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/assets/[...key]/route.ts
+8 -5
View File
@@ -1,3 +1,4 @@
import { Readable } from "node:stream";
import { NextRequest } from "next/server";
import { getServerSession } from "@/lib/auth/guards";
import { prisma } from "@/lib/db";
@@ -42,20 +43,22 @@ export async function GET(
const isAdmin = session.user.role === "admin";
if (!isOwner && !isAdmin) return new Response("Forbidden", { status: 403 });
const exists = await storage().exists(key);
if (!exists) return new Response("Not found", { status: 404 });
// Stream off disk instead of buffering the whole file into memory.
const total = await storage().size(key);
if (total === null) return new Response("Not found", { status: 404 });
const data = await storage().get(key);
const ext = key.split(".").pop()?.toLowerCase() ?? "";
const contentType = CONTENT_TYPES[ext] ?? "application/octet-stream";
const download = req.nextUrl.searchParams.get("download");
const filename = key.split("/").pop() ?? "asset";
return new Response(data as BodyInit, {
const node = storage().createReadStream!(key);
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
headers: {
"Content-Type": contentType,
"Content-Length": String(data.byteLength),
"Content-Length": String(total),
"Cache-Control": "private, max-age=3600",
...(download
? { "Content-Disposition": `attachment; filename="${filename}"` }
app/api/public/episodes/[shareId]/audio/route.ts
+29 -8
View File
@@ -1,20 +1,39 @@
import { Readable } from "node:stream";
import { NextRequest } from "next/server";
import { prisma } from "@/lib/db";
import { rateLimit, LIMITS } from "@/lib/ratelimit";
import { storage } from "@/lib/storage";
export const dynamic = "force-dynamic";
/** Best-effort client IP for anonymous rate limiting. */
function clientKey(req: NextRequest): string {
const fwd = req.headers.get("x-forwarded-for");
if (fwd) return fwd.split(",")[0].trim();
return req.headers.get("x-real-ip") ?? "anon";
}
/**
* Stream an episode's MP3 to anonymous visitors, authorized purely by a valid,
* still-enabled public `shareId` (NOT a session). Returns 404 when the share is
* disabled or the audio is missing so we never disclose private episode state.
*
* Supports HTTP Range requests so the audio element can seek/scrub.
* Supports HTTP Range requests so the audio element can seek/scrub. The file is
* streamed off disk (never buffered whole) to avoid memory-amplification DoS.
*/
export async function GET(
req: NextRequest,
{ params }: { params: Promise<{ shareId: string }> }
) {
// Rate-limit by client IP (never by shareId alone).
const rl = await rateLimit("public-audio", clientKey(req), LIMITS.publicMedia);
if (!rl.ok) {
return new Response("Too many requests", {
status: 429,
headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
});
}
const { shareId } = await params;
const episode = await prisma.episode.findUnique({
@@ -24,10 +43,9 @@ export async function GET(
const key = episode?.audioAsset?.storageKey;
if (!key) return new Response("Not found", { status: 404 });
if (!(await storage().exists(key))) return new Response("Not found", { status: 404 });
const total = await storage().size(key);
if (total === null) return new Response("Not found", { status: 404 });
const data = await storage().get(key);
const total = data.byteLength;
const contentType = "audio/mpeg";
const range = req.headers.get("range");
@@ -37,12 +55,13 @@ export async function GET(
const start = Number(match[1]);
const end = match[2] ? Math.min(Number(match[2]), total - 1) : total - 1;
if (start <= end && start < total) {
const chunk = data.subarray(start, end + 1);
return new Response(chunk as BodyInit, {
const node = storage().createReadStream!(key, { start, end });
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
status: 206,
headers: {
"Content-Type": contentType,
"Content-Length": String(chunk.byteLength),
"Content-Length": String(end - start + 1),
"Content-Range": `bytes ${start}-${end}/${total}`,
"Accept-Ranges": "bytes",
"Cache-Control": "public, max-age=3600",
@@ -52,7 +71,9 @@ export async function GET(
}
}
return new Response(data as BodyInit, {
const node = storage().createReadStream!(key);
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
headers: {
"Content-Type": contentType,
"Content-Length": String(total),
app/api/public/episodes/[shareId]/cover/route.ts
+28 -6
View File
@@ -1,5 +1,7 @@
import { Readable } from "node:stream";
import { NextRequest } from "next/server";
import { prisma } from "@/lib/db";
import { rateLimit, LIMITS } from "@/lib/ratelimit";
import { storage } from "@/lib/storage";
export const dynamic = "force-dynamic";
@@ -11,15 +13,32 @@ const CONTENT_TYPES: Record<string, string> = {
webp: "image/webp",
};
/** Best-effort client IP for anonymous rate limiting. */
function clientKey(req: NextRequest): string {
const fwd = req.headers.get("x-forwarded-for");
if (fwd) return fwd.split(",")[0].trim();
return req.headers.get("x-real-ip") ?? "anon";
}
/**
* Serve an episode's cover art to anonymous visitors, authorized by a valid,
* still-enabled public `shareId`. Used as a fallback when the storage provider
* doesn't expose a directly-fetchable public URL for cover art.
* doesn't expose a directly-fetchable public URL for cover art. The file is
* streamed off disk rather than buffered whole to avoid memory-amplification DoS.
*/
export async function GET(
_req: NextRequest,
req: NextRequest,
{ params }: { params: Promise<{ shareId: string }> }
) {
// Rate-limit by client IP (never by shareId alone).
const rl = await rateLimit("public-cover", clientKey(req), LIMITS.publicMedia);
if (!rl.ok) {
return new Response("Too many requests", {
status: 429,
headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
});
}
const { shareId } = await params;
const episode = await prisma.episode.findUnique({
@@ -28,14 +47,17 @@ export async function GET(
});
const key = episode?.coverArt?.storageKey;
if (!key) return new Response("Not found", { status: 404 });
if (!(await storage().exists(key))) return new Response("Not found", { status: 404 });
const data = await storage().get(key);
const total = await storage().size(key);
if (total === null) return new Response("Not found", { status: 404 });
const ext = key.split(".").pop()?.toLowerCase() ?? "png";
return new Response(data as BodyInit, {
const node = storage().createReadStream!(key);
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
headers: {
"Content-Type": CONTENT_TYPES[ext] ?? "image/png",
"Content-Length": String(data.byteLength),
"Content-Length": String(total),
"Cache-Control": "public, max-age=3600",
},
});