letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7a7fd760812d2f547158cb21586f4aba3bfbfaef
pn-new-crm/src/lib/services/storage.ts

32 lines
1013 B
TypeScript
Raw Normal View History

Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
import { buildStoragePath } from '@/lib/minio';
import { MIME_TO_EXT } from '@/lib/constants/file-validation';
export function generateStorageKey(
portSlug: string,
entity: string,
entityId: string,
mimeType: string,
): string {
const fileId = crypto.randomUUID();
const extension = MIME_TO_EXT[mimeType] ?? 'bin';
return buildStoragePath(portSlug, entity, entityId, fileId, extension);
}
export function sanitizeFilename(name: string): string {
fix(audit-wave-11): asset hygiene + datetime correctness **asset-auditor C1+C2+H1+H3 — image normalization** Add `src/lib/services/image-normalize.ts` and wire it into `uploadFile()` so every accepted image is re-encoded via sharp before hitting storage: - Strips EXIF (GPS coords, device serial, photographer) so uploaded photos don't leak per-pixel PII to anyone with a download URL (C1). - Caps dimensions at 4096px via `resize({fit:'inside',withoutEnlargement:true})` so a 30000×30000 palette PNG can't decompression-bomb a downstream sharp decode (C2). - Re-encode drops polyglot trailers (PDF+JPEG sandwiches that beat the prefix-only magic-byte check) (H1). - Freezes animated GIFs to first frame (H3). Avatar route already funnels through uploadFile so it's covered by the single change. **asset-auditor M2 — sanitizeFilename strips RTL/zero-width** Add Unicode NFC + a strip of bidi-control (U+202A-U+202E, U+2066-U+2069) + zero-width chars (U+200B-U+200F, U+FEFF) to `sanitizeFilename`. Closes the classic Windows-icon-spoof vector (`invoice_‮fdp.exe` displaying as `invoice_exe.pdf`) plus folder-listing collision spoofs. **datetime-auditor C1 — reminder dueAt drift on every save** The `<input type="datetime-local">` round-trip in reminder-form.tsx used `iso.slice(0,16)` (load) and `new Date(value).toISOString()` (submit). The slice drops the `Z` so a UTC instant is mis-interpreted as local on load, then converted back to UTC on save — every save of an existing Warsaw reminder drifted backwards by 2h (CEST). After two saves the reminder appears at 06:00 instead of 10:00. Add `toLocalDatetimeLocal(d: Date)` helper that builds the local YYYY-MM-DDTHH:MM string from getter methods so the round-trip is TZ-safe. snooze-dialog already did this correctly; the contact-log dialog also uses the correct localIsoString pattern. **datetime-auditor C2 — BullMQ cron in UTC, not port-local** `upsertJobScheduler` defaulted `tz` to UTC. Patterns like `0 8 * * *` were intended as "8 AM Warsaw" but fired at 09:00 winter / 10:00 summer. Pass `tz: process.env.SCHEDULER_TZ ?? 'Europe/Warsaw'`. Sub-hourly / hourly patterns are TZ-invariant and stay UTC. **datetime-auditor C3 — report-scheduler never advanced next_run_at** The minutely scheduler selected `nextRunAt <= now()` and enqueued generate-report — but never bumped nextRunAt. For weekly/monthly reports this meant the job re-fired every single minute until a human zeroed the row out, flooding recipients with dupes. Now uses `cron-parser` (added as a dep) to compute the next fire from `report.schedule` and UPDATEs the row BEFORE the enqueue. Malformed cron expressions disable the row instead of re-attempting every minute. Tests 1315/1315. Migration 0058 applied via psql. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:58:58 +02:00
return (
name
.normalize('NFC')
.replace(/[/\\:]/g, '') // strip path chars
.replace(/\x00/g, '') // strip null bytes
.replace(/[\x01-\x1f\x7f]/g, '') // strip control chars
// asset-auditor M2: strip Unicode bidi-control + zero-width
// characters that enable the classic Windows-icon spoof
// (`invoice_fdp.exe` renders as `invoice_exe.pdf`) and folder-
// listing collision spoofs (U+200B/U+FEFF).
.replace(/[---]/g, '')
.trim()
.slice(0, 255)
);
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
}
Reference in New Issue Copy Permalink