vibe coded v1

api/routes/avatars.ts

@@ -0,0 +1,110 @@
+import { Router } from "@oak/oak";
+import { authMiddleware } from "../middleware/auth.ts";
+import { getUserById, updateUserAvatar } from "../services/user-service.ts";
+import { updateClientAvatar } from "../services/ws-service.ts";
+import { APIErrorCode, APIException } from "../model/interfaces.ts";
+
+const AVATARS_DIR = "api/uploads/avatars";
+const MAX_AVATAR_SIZE = 5 * 1024 * 1024; // 5 MB
+const ALLOWED_AVATAR_MIMES = new Set([
+  "image/jpeg",
+  "image/png",
+  "image/gif",
+  "image/webp",
+]);
+
+// Magic bytes for image validation
+const MAGIC: Array<{ mime: string; bytes: number[]; offset?: number }> = [
+  { mime: "image/jpeg", bytes: [0xFF, 0xD8, 0xFF] },
+  { mime: "image/png", bytes: [0x89, 0x50, 0x4E, 0x47] },
+  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
+  { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], offset: 0 }, // RIFF
+];
+
+function checkMagicBytes(data: Uint8Array, mime: string): boolean {
+  if (mime === "image/webp") {
+    // RIFF....WEBP
+    return data[0] === 0x52 && data[1] === 0x49 && data[2] === 0x46 &&
+      data[3] === 0x46 && data[8] === 0x57 && data[9] === 0x45 &&
+      data[10] === 0x42 && data[11] === 0x50;
+  }
+  const entry = MAGIC.find((m) => m.mime === mime);
+  if (!entry) return false;
+  return entry.bytes.every((b, i) => data[i] === b);
+}
+
+const router = new Router();
+
+router.post("/api/avatars/me", authMiddleware, async (ctx) => {
+  const authPayload = ctx.state.user;
+  const contentType = ctx.request.headers.get("content-type") ?? "";
+  if (!contentType.includes("multipart/form-data")) {
+    throw new APIException(APIErrorCode.BAD_REQUEST, 400, "Expected multipart/form-data");
+  }
+
+  const body = await ctx.request.body.formData();
+  const file = body.get("file");
+
+  if (!(file instanceof File)) {
+    throw new APIException(APIErrorCode.BAD_REQUEST, 400, "Missing file field");
+  }
+
+  if (!ALLOWED_AVATAR_MIMES.has(file.type)) {
+    throw new APIException(
+      APIErrorCode.BAD_REQUEST,
+      400,
+      "Only JPEG, PNG, GIF, WebP images are allowed",
+    );
+  }
+
+  if (file.size > MAX_AVATAR_SIZE) {
+    throw new APIException(APIErrorCode.BAD_REQUEST, 400, "File too large (max 5 MB)");
+  }
+
+  const data = new Uint8Array(await file.arrayBuffer());
+
+  if (!checkMagicBytes(data, file.type)) {
+    throw new APIException(APIErrorCode.BAD_REQUEST, 400, "File content does not match declared type");
+  }
+
+  await Deno.mkdir(AVATARS_DIR, { recursive: true });
+  await Deno.writeFile(`${AVATARS_DIR}/${authPayload.userId}`, data);
+  updateUserAvatar(authPayload.userId, file.type);
+  updateClientAvatar(authPayload.userId, file.type);
+
+  const user = getUserById(authPayload.userId);
+  ctx.response.status = 200;
+  ctx.response.body = { success: true, data: user };
+});
+
+router.get("/api/avatars/:userId", async (ctx) => {
+  const { userId } = ctx.params;
+
+  let user;
+  try {
+    user = getUserById(userId);
+  } catch {
+    ctx.response.status = 404;
+    return;
+  }
+
+  if (!user.avatarMime) {
+    ctx.response.status = 404;
+    return;
+  }
+
+  let data: Uint8Array;
+  try {
+    data = await Deno.readFile(`${AVATARS_DIR}/${userId}`);
+  } catch {
+    ctx.response.status = 404;
+    return;
+  }
+
+  ctx.response.headers.set("Content-Type", user.avatarMime);
+  ctx.response.headers.set("Content-Disposition", "inline");
+  ctx.response.headers.set("Cache-Control", "public, max-age=3600");
+  ctx.response.body = data;
+});
+
+export default router;