admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
328cd62766a5e9008425f0a75cb35ee4343b29c1
podcastdistributiona/app/api/assets/[...key]/route.ts
T
Leon Serfaty 51c541ad22 Security & robustness hardening pass 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00

69 lines
2.4 KiB
TypeScript
Raw Blame History

import { Readable } from "node:stream";
import { NextRequest } from "next/server";
import { getServerSession } from "@/lib/auth/guards";
import { prisma } from "@/lib/db";
import { storage } from "@/lib/storage";
export const dynamic = "force-dynamic";
const CONTENT_TYPES: Record<string, string> = {
mp3: "audio/mpeg",
png: "image/png",
jpg: "image/jpeg",
jpeg: "image/jpeg",
webp: "image/webp",
zip: "application/zip",
txt: "text/plain; charset=utf-8",
};
/**
* Serve a stored asset by key after verifying the requester owns the episode
* (or is an admin). Private MP3 downloads flow through here; public cover art is
* served directly by nginx from /media.
*/
export async function GET(
req: NextRequest,
{ params }: { params: Promise<{ key: string[] }> }
) {
const { key: segments } = await params;
const key = segments.join("/");
const session = await getServerSession();
if (!session) return new Response("Unauthorized", { status: 401 });
// Resolve the owning episode from the asset record so we can authorize.
const [audio, art] = await Promise.all([
prisma.audioAsset.findFirst({ where: { storageKey: key }, select: { episode: { select: { userId: true } } } }),
prisma.coverArt.findFirst({ where: { storageKey: key }, select: { episode: { select: { userId: true } } } }),
]);
const ownerId = audio?.episode.userId ?? art?.episode.userId;
if (!ownerId) return new Response("Not found", { status: 404 });
const isOwner = ownerId === session.user.id;
const isAdmin = session.user.role === "admin";
if (!isOwner && !isAdmin) return new Response("Forbidden", { status: 403 });
// Stream off disk instead of buffering the whole file into memory.
const total = await storage().size(key);
if (total === null) return new Response("Not found", { status: 404 });
const ext = key.split(".").pop()?.toLowerCase() ?? "";
const contentType = CONTENT_TYPES[ext] ?? "application/octet-stream";
const download = req.nextUrl.searchParams.get("download");
const filename = key.split("/").pop() ?? "asset";
const node = storage().createReadStream!(key);
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
return new Response(body, {
headers: {
"Content-Type": contentType,
"Content-Length": String(total),
"Cache-Control": "private, max-age=3600",
...(download
? { "Content-Disposition": `attachment; filename="${filename}"` }
: {}),
},
});
}
Reference in New Issue View Git Blame Copy Permalink