kestrelos/server/api/me/avatar.put.js

import { writeFile, unlink } from 'node:fs/promises'
import { join } from 'node:path'
import { readMultipartFormData } from 'h3'
import { getDb, getAvatarsDir } from '../../utils/db.js'
import { requireAuth } from '../../utils/authHelpers.js'

const MAX_SIZE = 2 * 1024 * 1024
const ALLOWED_TYPES = Object.freeze(['image/jpeg', 'image/png'])
const EXT_BY_MIME = Object.freeze({ 'image/jpeg': 'jpg', 'image/png': 'png' })

/**
 * Validate image content using magic bytes to prevent MIME type spoofing.
 * @param {Buffer} buffer - File data buffer
 * @returns {string|null} Detected MIME type or null if invalid
 */
function validateImageContent(buffer) {
  if (!buffer || buffer.length < 8) return null
  // JPEG: FF D8 FF
  if (buffer[0] === 0xFF && buffer[1] === 0xD8 && buffer[2] === 0xFF) {
    return 'image/jpeg'
  }
  // PNG: 89 50 4E 47 0D 0A 1A 0A
  if (buffer[0] === 0x89 && buffer[1] === 0x50 && buffer[2] === 0x4E && buffer[3] === 0x47) {
    return 'image/png'
  }
  return null
}

export default defineEventHandler(async (event) => {
  const user = requireAuth(event)
  const form = await readMultipartFormData(event)
  const file = form?.find(f => f.name === 'avatar' && f.data)
  if (!file || !file.filename) throw createError({ statusCode: 400, message: 'Missing avatar file' })
  if (file.data.length > MAX_SIZE) throw createError({ statusCode: 400, message: 'File too large' })
  const mime = file.type ?? ''
  if (!ALLOWED_TYPES.includes(mime)) throw createError({ statusCode: 400, message: 'Invalid type; use JPEG or PNG' })

  // Validate file content matches declared MIME type
  const actualMime = validateImageContent(file.data)
  if (!actualMime || actualMime !== mime) {
    throw createError({ statusCode: 400, message: 'File content does not match declared type' })
  }

  const ext = EXT_BY_MIME[actualMime] ?? 'jpg'
  const filename = `${user.id}.${ext}`
  const dir = getAvatarsDir()
  const path = join(dir, filename)
  await writeFile(path, file.data)
  const { run } = await getDb()
  const previous = user.avatar_path
  await run('UPDATE users SET avatar_path = ? WHERE id = ?', [filename, user.id])
  if (previous && previous !== filename) {
    const oldPath = join(dir, previous)
    await unlink(oldPath).catch(() => {})
  }
  return { ok: true }
})