letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
221ae5784e36c131db86ff0731914b62ae58a45a
pn-new-crm/src/app/api/v1/me/avatar/route.ts
Matt 221ae5784e chore(autonomous-session): consolidate uncommitted work from prior session 
Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy
2026-05-23 00:52:59 +02:00

124 lines
4.2 KiB
TypeScript
Raw Blame History

import { NextResponse } from 'next/server';
import { eq } from 'drizzle-orm';
import { withAuth } from '@/lib/api/helpers';
import { db } from '@/lib/db';
import { ports } from '@/lib/db/schema/ports';
import { userProfiles } from '@/lib/db/schema/users';
import { deleteFile, uploadFile } from '@/lib/services/files';
import { errorResponse, ValidationError } from '@/lib/errors';
import { logger } from '@/lib/logger';
const MAX_AVATAR_BYTES = 2 * 1024 * 1024;
/**
* Profile-photo upload. Accepts a multipart `file` (cropped JPEG/PNG
* from the ImageCropperDialog), persists it via the polymorphic files
* table (so an S3↔filesystem swap carries it correctly), and writes
* the file id into `user_profiles.avatar_file_id`.
*
* Files are scoped to the user's CURRENT port - the rep can't end up
* with an avatar that's only visible from one port. (Avatars render
* via the GET handler below, which presigns by id regardless of port.)
*/
export const POST = withAuth(async (req, ctx) => {
try {
const formData = await req.formData();
const fileEntry = formData.get('file');
if (!(fileEntry instanceof File)) {
throw new ValidationError('Missing `file` part');
}
if (fileEntry.size === 0) {
throw new ValidationError('Empty file');
}
if (fileEntry.size > MAX_AVATAR_BYTES) {
throw new ValidationError('Avatar exceeds 2 MB');
}
// Resolve the port slug for the storage path. Super-admins without
// an active port fall through to a synthetic 'global' bucket.
const port = ctx.portId
? await db.query.ports.findFirst({ where: eq(ports.id, ctx.portId) })
: null;
const portSlug = port?.slug ?? 'global';
const portId = ctx.portId || port?.id || '';
if (!portId) throw new ValidationError('No active port');
const buffer = Buffer.from(await fileEntry.arrayBuffer());
// Pick the storage filename's extension from the upload's MIME so
// PNG uploads aren't silently relabelled `.jpg` (which would strip
// the alpha-channel signal from the storage layer).
const mimeType = fileEntry.type || 'image/jpeg';
const ext =
mimeType === 'image/png'
? 'png'
: mimeType === 'image/webp'
? 'webp'
: mimeType === 'image/gif'
? 'gif'
: mimeType === 'image/avif'
? 'avif'
: 'jpg';
const record = await uploadFile(
portId,
portSlug,
{
buffer,
originalName: fileEntry.name || `avatar.${ext}`,
mimeType,
size: fileEntry.size,
},
{
filename: `avatar-${ctx.userId}.${ext}`,
category: 'avatar',
entityType: 'user',
entityId: ctx.userId,
},
{
userId: ctx.userId,
portId,
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
},
);
// file-lifecycle-auditor C1: capture the prior avatar id BEFORE
// overwriting so we can clean it up. Without this every "Replace
// photo" leaked one files row + one S3 blob, untethered (no
// client/yacht/company FK) and invisible to UI sweeps.
const prior = await db.query.userProfiles.findFirst({
where: eq(userProfiles.userId, ctx.userId),
columns: { avatarFileId: true },
});
const priorAvatarId = prior?.avatarFileId ?? null;
await db
.update(userProfiles)
.set({ avatarFileId: record.id, updatedAt: new Date() })
.where(eq(userProfiles.userId, ctx.userId));
if (priorAvatarId && priorAvatarId !== record.id) {
// Best-effort delete - a stale-blob failure shouldn't fail the
// new-avatar response. deleteFile handles ref-check + blob
// delete + audit so a referenced file (somehow) is safe.
try {
await deleteFile(priorAvatarId, portId, {
userId: ctx.userId,
portId,
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
});
} catch (err) {
logger.warn(
{ err, priorAvatarId, userId: ctx.userId },
'avatar replace: failed to clean up prior avatar file - orphan blob possible',
);
}
}
return NextResponse.json({ data: { avatarFileId: record.id } });
} catch (error) {
return errorResponse(error);
}
});
Reference in New Issue View Git Blame Copy Permalink