Leon Serfaty
51c541ad22
Cross-cutting input-validation, isolation, and DoS-resistance fixes across the app, API, billing, queue, and infra layers. - Runtime validation (zod) for client-supplied admin actions (role/plan/ limits), series generation index, and all pg-boss queue payloads - Auth: require email verification before sign-in; reject weak/placeholder/ short BETTER_AUTH_SECRET in production - Billing: sanitize Stripe/PayPal errors (log server-side, generic to client); race-safe subscription upsert; only count "processed" webhook events as handled; verify org membership in getEffectivePlan to block plan escalation - Series generation: reserve usage up front and refund on failure; bill the owning org, not the caller's active org - Injection defenses: HTML-escape user fields in emails, strip CR/LF from subject/recipient, validate ElevenLabs voiceId before URL interpolation - Media routes: stream off disk instead of buffering whole files; rate-limit anonymous public audio/cover endpoints by client IP
85 lines
2.8 KiB
TypeScript
85 lines
2.8 KiB
TypeScript
import { Readable } from "node:stream";
|
|
import { NextRequest } from "next/server";
|
|
import { prisma } from "@/lib/db";
|
|
import { rateLimit, LIMITS } from "@/lib/ratelimit";
|
|
import { storage } from "@/lib/storage";
|
|
|
|
export const dynamic = "force-dynamic";
|
|
|
|
/** Best-effort client IP for anonymous rate limiting. */
|
|
function clientKey(req: NextRequest): string {
|
|
const fwd = req.headers.get("x-forwarded-for");
|
|
if (fwd) return fwd.split(",")[0].trim();
|
|
return req.headers.get("x-real-ip") ?? "anon";
|
|
}
|
|
|
|
/**
|
|
* Stream an episode's MP3 to anonymous visitors, authorized purely by a valid,
|
|
* still-enabled public `shareId` (NOT a session). Returns 404 when the share is
|
|
* disabled or the audio is missing so we never disclose private episode state.
|
|
*
|
|
* Supports HTTP Range requests so the audio element can seek/scrub. The file is
|
|
* streamed off disk (never buffered whole) to avoid memory-amplification DoS.
|
|
*/
|
|
export async function GET(
|
|
req: NextRequest,
|
|
{ params }: { params: Promise<{ shareId: string }> }
|
|
) {
|
|
// Rate-limit by client IP (never by shareId alone).
|
|
const rl = await rateLimit("public-audio", clientKey(req), LIMITS.publicMedia);
|
|
if (!rl.ok) {
|
|
return new Response("Too many requests", {
|
|
status: 429,
|
|
headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
|
|
});
|
|
}
|
|
|
|
const { shareId } = await params;
|
|
|
|
const episode = await prisma.episode.findUnique({
|
|
where: { shareId },
|
|
select: { audioAsset: { select: { storageKey: true } } },
|
|
});
|
|
const key = episode?.audioAsset?.storageKey;
|
|
if (!key) return new Response("Not found", { status: 404 });
|
|
|
|
const total = await storage().size(key);
|
|
if (total === null) return new Response("Not found", { status: 404 });
|
|
|
|
const contentType = "audio/mpeg";
|
|
|
|
const range = req.headers.get("range");
|
|
if (range) {
|
|
const match = /bytes=(\d+)-(\d*)/.exec(range);
|
|
if (match) {
|
|
const start = Number(match[1]);
|
|
const end = match[2] ? Math.min(Number(match[2]), total - 1) : total - 1;
|
|
if (start <= end && start < total) {
|
|
const node = storage().createReadStream!(key, { start, end });
|
|
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
|
|
return new Response(body, {
|
|
status: 206,
|
|
headers: {
|
|
"Content-Type": contentType,
|
|
"Content-Length": String(end - start + 1),
|
|
"Content-Range": `bytes ${start}-${end}/${total}`,
|
|
"Accept-Ranges": "bytes",
|
|
"Cache-Control": "public, max-age=3600",
|
|
},
|
|
});
|
|
}
|
|
}
|
|
}
|
|
|
|
const node = storage().createReadStream!(key);
|
|
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
|
|
return new Response(body, {
|
|
headers: {
|
|
"Content-Type": contentType,
|
|
"Content-Length": String(total),
|
|
"Accept-Ranges": "bytes",
|
|
"Cache-Control": "public, max-age=3600",
|
|
},
|
|
});
|
|
}
|