admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
19a403b431f1fd34b680bcb9baaa5d5600b1378d
podcastdistributiona/app/api/public/episodes/[shareId]/cover/route.ts
T
Leon Serfaty 51c541ad22 Security & robustness hardening pass 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00

65 lines
2.1 KiB
TypeScript
Raw Blame History

import { Readable } from "node:stream";
import { NextRequest } from "next/server";
import { prisma } from "@/lib/db";
import { rateLimit, LIMITS } from "@/lib/ratelimit";
import { storage } from "@/lib/storage";
export const dynamic = "force-dynamic";
const CONTENT_TYPES: Record<string, string> = {
png: "image/png",
jpg: "image/jpeg",
jpeg: "image/jpeg",
webp: "image/webp",
};
/** Best-effort client IP for anonymous rate limiting. */
function clientKey(req: NextRequest): string {
const fwd = req.headers.get("x-forwarded-for");
if (fwd) return fwd.split(",")[0].trim();
return req.headers.get("x-real-ip") ?? "anon";
}
/**
* Serve an episode's cover art to anonymous visitors, authorized by a valid,
* still-enabled public `shareId`. Used as a fallback when the storage provider
* doesn't expose a directly-fetchable public URL for cover art. The file is
* streamed off disk rather than buffered whole to avoid memory-amplification DoS.
*/
export async function GET(
req: NextRequest,
{ params }: { params: Promise<{ shareId: string }> }
) {
// Rate-limit by client IP (never by shareId alone).
const rl = await rateLimit("public-cover", clientKey(req), LIMITS.publicMedia);
if (!rl.ok) {
return new Response("Too many requests", {
status: 429,
headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
});
}
const { shareId } = await params;
const episode = await prisma.episode.findUnique({
where: { shareId },
select: { coverArt: { select: { storageKey: true } } },
});
const key = episode?.coverArt?.storageKey;
if (!key) return new Response("Not found", { status: 404 });
const total = await storage().size(key);
if (total === null) return new Response("Not found", { status: 404 });
const ext = key.split(".").pop()?.toLowerCase() ?? "png";
const node = storage().createReadStream!(key);
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
headers: {
"Content-Type": CONTENT_TYPES[ext] ?? "image/png",
"Content-Length": String(total),
"Cache-Control": "public, max-age=3600",
},
});
}
Reference in New Issue View Git Blame Copy Permalink