58 lines
2.2 KiB
JavaScript
58 lines
2.2 KiB
JavaScript
import { writeFile, unlink } from 'node:fs/promises'
|
|
import { join } from 'node:path'
|
|
import { readMultipartFormData } from 'h3'
|
|
import { getDb, getAvatarsDir } from '../../utils/db.js'
|
|
import { requireAuth } from '../../utils/authHelpers.js'
|
|
|
|
const MAX_SIZE = 2 * 1024 * 1024
|
|
const ALLOWED_TYPES = Object.freeze(['image/jpeg', 'image/png'])
|
|
const EXT_BY_MIME = Object.freeze({ 'image/jpeg': 'jpg', 'image/png': 'png' })
|
|
|
|
/**
|
|
* Validate image content using magic bytes to prevent MIME type spoofing.
|
|
* @param {Buffer} buffer - File data buffer
|
|
* @returns {string|null} Detected MIME type or null if invalid
|
|
*/
|
|
function validateImageContent(buffer) {
|
|
if (!buffer || buffer.length < 8) return null
|
|
// JPEG: FF D8 FF
|
|
if (buffer[0] === 0xFF && buffer[1] === 0xD8 && buffer[2] === 0xFF) {
|
|
return 'image/jpeg'
|
|
}
|
|
// PNG: 89 50 4E 47 0D 0A 1A 0A
|
|
if (buffer[0] === 0x89 && buffer[1] === 0x50 && buffer[2] === 0x4E && buffer[3] === 0x47) {
|
|
return 'image/png'
|
|
}
|
|
return null
|
|
}
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const user = requireAuth(event)
|
|
const form = await readMultipartFormData(event)
|
|
const file = form?.find(f => f.name === 'avatar' && f.data)
|
|
if (!file || !file.filename) throw createError({ statusCode: 400, message: 'Missing avatar file' })
|
|
if (file.data.length > MAX_SIZE) throw createError({ statusCode: 400, message: 'File too large' })
|
|
const mime = file.type ?? ''
|
|
if (!ALLOWED_TYPES.includes(mime)) throw createError({ statusCode: 400, message: 'Invalid type; use JPEG or PNG' })
|
|
|
|
// Validate file content matches declared MIME type
|
|
const actualMime = validateImageContent(file.data)
|
|
if (!actualMime || actualMime !== mime) {
|
|
throw createError({ statusCode: 400, message: 'File content does not match declared type' })
|
|
}
|
|
|
|
const ext = EXT_BY_MIME[actualMime] ?? 'jpg'
|
|
const filename = `${user.id}.${ext}`
|
|
const dir = getAvatarsDir()
|
|
const path = join(dir, filename)
|
|
await writeFile(path, file.data)
|
|
const { run } = await getDb()
|
|
const previous = user.avatar_path
|
|
await run('UPDATE users SET avatar_path = ? WHERE id = ?', [filename, user.id])
|
|
if (previous && previous !== filename) {
|
|
const oldPath = join(dir, previous)
|
|
await unlink(oldPath).catch(() => {})
|
|
}
|
|
return { ok: true }
|
|
})
|