Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
74 lines
No EOL
2 KiB
JavaScript
74 lines
No EOL
2 KiB
JavaScript
import { v2 as cloudinary } from 'cloudinary'
|
|
import { requireAuth } from '../../utils/auth.js'
|
|
|
|
// Configure Cloudinary
|
|
cloudinary.config({
|
|
cloud_name: process.env.CLOUDINARY_CLOUD_NAME,
|
|
api_key: process.env.CLOUDINARY_API_KEY,
|
|
api_secret: process.env.CLOUDINARY_API_SECRET
|
|
})
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
await requireAuth(event)
|
|
// Parse the multipart form data
|
|
const formData = await readMultipartFormData(event)
|
|
|
|
if (!formData || formData.length === 0) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'No file provided'
|
|
})
|
|
}
|
|
|
|
// Find the file in the form data
|
|
const fileData = formData.find(item => item.name === 'file')
|
|
|
|
if (!fileData) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'No file found in upload'
|
|
})
|
|
}
|
|
|
|
// Validate file type
|
|
if (!fileData.type?.startsWith('image/')) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Invalid file type. Only images are allowed.'
|
|
})
|
|
}
|
|
|
|
// Convert buffer to base64 for Cloudinary upload
|
|
const base64File = `data:${fileData.type};base64,${fileData.data.toString('base64')}`
|
|
|
|
// Upload to Cloudinary
|
|
const result = await cloudinary.uploader.upload(base64File, {
|
|
folder: 'ghost-guild/events',
|
|
transformation: [
|
|
{ quality: 'auto', fetch_format: 'auto' },
|
|
{ width: 1200, height: 630, crop: 'fill' } // Standard social media dimensions
|
|
],
|
|
allowed_formats: ['jpg', 'png', 'webp', 'gif'],
|
|
resource_type: 'image'
|
|
})
|
|
|
|
return {
|
|
success: true,
|
|
secure_url: result.secure_url,
|
|
public_id: result.public_id,
|
|
width: result.width,
|
|
height: result.height,
|
|
format: result.format,
|
|
bytes: result.bytes
|
|
}
|
|
|
|
} catch (error) {
|
|
console.error('Image upload error:', error)
|
|
|
|
throw createError({
|
|
statusCode: error.statusCode || 500,
|
|
statusMessage: error.statusMessage || 'Image upload failed'
|
|
})
|
|
}
|
|
}) |