import formidable from 'formidable'; import { promises as fs } from 'fs'; import { uploadProfileImage, updateMemberProfileImageUrl, validateImageFile } from '~/server/utils/profile-images'; // Authentication utility - we'll need to check if it exists async function requireAuth(event: any) { // Check for session-based authentication const sessionCookie = getCookie(event, 'auth-token') || getCookie(event, 'nuxt-oidc-auth-session'); if (!sessionCookie) { throw createError({ statusCode: 401, statusMessage: 'Authentication required', }); } // For now, return a basic user object - this should integrate with your existing auth system const user = event.context.user; if (!user) { throw createError({ statusCode: 401, statusMessage: 'Invalid authentication', }); } return user; } // Role-based access control function canEditMember(user: any, targetMemberId: string): boolean { // Admin can edit anyone if (user.tier === 'admin' || user.groups?.includes('admin') || user.groups?.includes('monaco-admin')) { return true; } // Board members can edit anyone if (user.tier === 'board' || user.groups?.includes('board') || user.groups?.includes('monaco-board')) { return true; } // Users can only edit their own profile // We'll need to match by email or keycloak ID since users might not know their member_id return user.email === targetMemberId || user.member_id === targetMemberId; } export default defineEventHandler(async (event) => { try { // Check authentication const user = await requireAuth(event); // Get query parameters const query = getQuery(event); const targetMemberId = query.memberId as string; if (!targetMemberId) { throw createError({ statusCode: 400, statusMessage: 'Member ID is required', }); } // Check permissions if (!canEditMember(user, targetMemberId)) { throw createError({ statusCode: 403, statusMessage: 'You can only upload images for your own profile', }); } console.log(`[profile-upload] Processing upload for member: ${targetMemberId}`); // Parse multipart form data const form = formidable({ maxFileSize: 5 * 1024 * 1024, // 5MB limit keepExtensions: true, allowEmptyFiles: false, maxFiles: 1, }); const [fields, files] = await form.parse(event.node.req); // Get the uploaded file const uploadedFile = Array.isArray(files.image) ? files.image[0] : files.image; if (!uploadedFile) { throw createError({ statusCode: 400, statusMessage: 'No image file provided', }); } console.log(`[profile-upload] File received: ${uploadedFile.originalFilename}, size: ${uploadedFile.size} bytes`); // Read file buffer const fileBuffer = await fs.readFile(uploadedFile.filepath); // Validate the image file validateImageFile(fileBuffer, uploadedFile.originalFilename || 'image.jpg'); // Upload image and generate thumbnails const imagePath = await uploadProfileImage( targetMemberId, fileBuffer, uploadedFile.originalFilename || 'profile.jpg' ); // Update database with image path await updateMemberProfileImageUrl( targetMemberId, imagePath, uploadedFile.originalFilename || 'profile.jpg' ); // Clean up temporary file try { await fs.unlink(uploadedFile.filepath); } catch (error) { console.warn('[profile-upload] Failed to clean up temp file:', error); } console.log(`[profile-upload] Successfully uploaded profile image for member: ${targetMemberId}`); return { success: true, message: 'Profile image uploaded successfully', imagePath, originalName: uploadedFile.originalFilename, size: uploadedFile.size, }; } catch (error: any) { console.error('[profile-upload] Upload failed:', error); // Provide specific error messages if (error.statusCode) { throw error; // Re-throw HTTP errors } throw createError({ statusCode: 500, statusMessage: error.message || 'Profile image upload failed', }); } });