Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across the app, API, billing, queue, and infra layers. - Runtime validation (zod) for client-supplied admin actions (role/plan/ limits), series generation index, and all pg-boss queue payloads - Auth: require email verification before sign-in; reject weak/placeholder/ short BETTER_AUTH_SECRET in production - Billing: sanitize Stripe/PayPal errors (log server-side, generic to client); race-safe subscription upsert; only count "processed" webhook events as handled; verify org membership in getEffectivePlan to block plan escalation - Series generation: reserve usage up front and refund on failure; bill the owning org, not the caller's active org - Injection defenses: HTML-escape user fields in emails, strip CR/LF from subject/recipient, validate ElevenLabs voiceId before URL interpolation - Media routes: stream off disk instead of buffering whole files; rate-limit anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00
parent cd1d6a1a28
commit 51c541ad22
21 changed files with 489 additions and 152 deletions
@@ -1,5 +1,7 @@
+import { Readable } from "node:stream";
 import { NextRequest } from "next/server";
 import { prisma } from "@/lib/db";
+import { rateLimit, LIMITS } from "@/lib/ratelimit";
 import { storage } from "@/lib/storage";

 export const dynamic = "force-dynamic";
@@ -11,15 +13,32 @@ const CONTENT_TYPES: Record<string, string> = {
  webp: "image/webp",
 };

+/** Best-effort client IP for anonymous rate limiting. */
+function clientKey(req: NextRequest): string {
+  const fwd = req.headers.get("x-forwarded-for");
+  if (fwd) return fwd.split(",")[0].trim();
+  return req.headers.get("x-real-ip") ?? "anon";
+}
+
 /**
 * Serve an episode's cover art to anonymous visitors, authorized by a valid,
 * still-enabled public `shareId`. Used as a fallback when the storage provider
- * doesn't expose a directly-fetchable public URL for cover art.
+ * doesn't expose a directly-fetchable public URL for cover art. The file is
+ * streamed off disk rather than buffered whole to avoid memory-amplification DoS.
 */
 export async function GET(
-  _req: NextRequest,
+  req: NextRequest,
  { params }: { params: Promise<{ shareId: string }> }
 ) {
+  // Rate-limit by client IP (never by shareId alone).
+  const rl = await rateLimit("public-cover", clientKey(req), LIMITS.publicMedia);
+  if (!rl.ok) {
+    return new Response("Too many requests", {
+      status: 429,
+      headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
+    });
+  }
+
  const { shareId } = await params;

  const episode = await prisma.episode.findUnique({
@@ -28,14 +47,17 @@ export async function GET(
  });
  const key = episode?.coverArt?.storageKey;
  if (!key) return new Response("Not found", { status: 404 });
-  if (!(await storage().exists(key))) return new Response("Not found", { status: 404 });

-  const data = await storage().get(key);
+  const total = await storage().size(key);
+  if (total === null) return new Response("Not found", { status: 404 });
+
  const ext = key.split(".").pop()?.toLowerCase() ?? "png";
-  return new Response(data as BodyInit, {
+  const node = storage().createReadStream!(key);
+  const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
+  return new Response(body, {
    headers: {
      "Content-Type": CONTENT_TYPES[ext] ?? "image/png",
-      "Content-Length": String(data.byteLength),
+      "Content-Length": String(total),
      "Cache-Control": "public, max-age=3600",
    },
  });