rhythia-api 230.0.0 → 233.0.0

package/utils/getUserBySession.ts

@@ -4,7 +4,7 @@ import { supabase } from "./supabase";
 
 export async function getUserBySession(session: string): Promise<User | null> {
   const user = (await supabase.auth.getUser(session)).data.user;
-
+  console.log("session:", session);
   if (user) {
     return user;
   }

package/utils/mapLifecycleWebhook.ts

@@ -0,0 +1,277 @@
+import { supabase } from "./supabase";
+
+type MapLifecycleEvent = "qualified" | "ranked" | "vetoed";
+
+const WEBHOOK_COLORS: Record<MapLifecycleEvent, number> = {
+  qualified: 0x3498db,
+  ranked: 0x2ecc71,
+  vetoed: 0xe74c3c,
+};
+
+const WEBHOOK_TITLES: Record<MapLifecycleEvent, string> = {
+  qualified: "Map Qualified",
+  ranked: "Map Ranked",
+  vetoed: "Map Vetoed",
+};
+
+const WEBHOOK_MESSAGES: Record<MapLifecycleEvent, string> = {
+  qualified: "A fresh map just reached qualification.",
+  ranked: "This map cleared qualification and is now ranked.",
+  vetoed: "This map was vetoed and sent back for improvements.",
+};
+
+function clampText(value: string, maxLength: number) {
+  const sanitized = value.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "");
+
+  if (sanitized.length <= maxLength) {
+    return sanitized;
+  }
+
+  if (maxLength <= 3) {
+    return sanitized.slice(0, maxLength);
+  }
+
+  return `${sanitized.slice(0, maxLength - 3)}...`;
+}
+
+function getSafeHttpUrl(value: string | null | undefined) {
+  if (!value) {
+    return null;
+  }
+
+  try {
+    const parsed = new URL(value.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return null;
+    }
+    const serialized = parsed.toString();
+    if (serialized.length > 2048) {
+      return null;
+    }
+    return serialized;
+  } catch {
+    return null;
+  }
+}
+
+function formatLength(milliseconds: number | null | undefined) {
+  if (!milliseconds || milliseconds < 0) {
+    return "-";
+  }
+
+  const totalSeconds = Math.floor(milliseconds / 1000);
+  const minutes = Math.floor(totalSeconds / 60);
+  const seconds = totalSeconds % 60;
+  return `${minutes.toString().padStart(2, "0")}:${seconds
+    .toString()
+    .padStart(2, "0")}`;
+}
+
+export async function postMapLifecycleWebhook({
+  mapId,
+  event,
+  vetoReason,
+}: {
+  mapId: number;
+  event: MapLifecycleEvent;
+  vetoReason?: string;
+}) {
+  const webhookUrl = process.env.WEBHOOK_MSG_DISCORD;
+  if (!webhookUrl) {
+    return;
+  }
+
+  try {
+    const { data: beatmapPage } = await supabase
+      .from("beatmapPages")
+      .select(
+        `
+        id,
+        owner,
+        title,
+        tags,
+        status,
+        qualified,
+        qualifiedAt,
+        beatmaps (
+          title,
+          starRating,
+          length,
+          difficulty,
+          noteCount,
+          image,
+          imageLarge
+        ),
+        profiles (
+          id,
+          username,
+          avatar_url
+        )
+      `
+      )
+      .eq("id", mapId)
+      .single();
+
+    if (!beatmapPage) {
+      return;
+    }
+
+    const beatmapData = (beatmapPage as any).beatmaps;
+    const profileData = (beatmapPage as any).profiles;
+    const mapTitle =
+      beatmapData?.title || beatmapPage.title || `Beatmap Page #${mapId}`;
+    const creatorName = profileData?.username || "Unknown";
+    const creatorId = beatmapPage.owner || profileData?.id || 0;
+    const rawImage =
+      beatmapData?.imageLarge || beatmapData?.image || "https://www.rhythia.com/unkimg.png";
+    const mapImage = rawImage.includes("backfill")
+      ? "https://www.rhythia.com/unkimg.png"
+      : rawImage;
+    const safeMapImageUrl = getSafeHttpUrl(mapImage);
+    const safeAvatarUrl = getSafeHttpUrl(profileData?.avatar_url);
+
+    const fields: Array<{ name: string; value: string; inline?: boolean }> = [
+      {
+        name: "Map ID",
+        value: clampText(`${beatmapPage.id}`, 1024),
+        inline: true,
+      },
+      {
+        name: "Creator",
+        value: clampText(creatorName, 1024),
+        inline: true,
+      },
+      {
+        name: "Stars",
+        value: clampText(
+          beatmapData?.starRating !== null && beatmapData?.starRating !== undefined
+            ? `${Math.round(beatmapData.starRating * 100) / 100}*`
+            : "-",
+          1024
+        ),
+        inline: true,
+      },
+      {
+        name: "Length",
+        value: clampText(formatLength(beatmapData?.length), 1024),
+        inline: true,
+      },
+      {
+        name: "Notes",
+        value: clampText(
+          beatmapData?.noteCount !== null && beatmapData?.noteCount !== undefined
+            ? `${beatmapData.noteCount}`
+            : "-",
+          1024
+        ),
+        inline: true,
+      },
+      {
+        name: "Tags",
+        value: clampText(beatmapPage.tags || "-", 1024),
+        inline: false,
+      },
+    ];
+
+    if (event === "vetoed") {
+      fields.push({
+        name: "Veto Reason",
+        value: clampText(vetoReason || "No reason provided", 1024),
+        inline: false,
+      });
+    }
+
+    const embed: Record<string, any> = {
+      title: clampText(`${WEBHOOK_TITLES[event]}: ${mapTitle}`, 256),
+      url: `https://www.rhythia.com/maps/${beatmapPage.id}`,
+      description: clampText(WEBHOOK_MESSAGES[event], 4096),
+      color: WEBHOOK_COLORS[event],
+      fields: fields.map((field) => ({
+        ...field,
+        name: clampText(field.name || "-", 256),
+        value: clampText(field.value || "-", 1024),
+      })),
+      author: {
+        name: clampText(creatorName, 256),
+        url: `https://www.rhythia.com/player/${creatorId}`,
+        icon_url: safeAvatarUrl || "https://www.rhythia.com/unkimg.png",
+      },
+      footer: {
+        text: clampText(
+          `Status: ${beatmapPage.status || "-"} | ${new Date().toUTCString()}`,
+          2048
+        ),
+      },
+    };
+
+    if (safeMapImageUrl) {
+      embed.thumbnail = {
+        url: safeMapImageUrl,
+      };
+    }
+
+    const payload = {
+      content: clampText(WEBHOOK_MESSAGES[event], 2000),
+      embeds: [embed],
+    };
+
+    let response = await fetch(webhookUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(payload),
+    });
+
+    if (
+      !response.ok &&
+      response.status === 400 &&
+      (payload.embeds?.[0]?.image?.url || payload.embeds?.[0]?.thumbnail?.url)
+    ) {
+      // Most common Discord embed 400 here is a bad media URL. Retry without media.
+      const retryPayload = {
+        ...payload,
+        embeds: payload.embeds.map((embed: any) => {
+          const clone = { ...embed };
+          delete clone.image;
+          delete clone.thumbnail;
+          return clone;
+        }),
+      };
+
+      response = await fetch(webhookUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(retryPayload),
+      });
+    }
+
+    if (!response.ok) {
+      const responseBody = await response.text();
+      console.log("Discord webhook failed", {
+        event,
+        mapId,
+        status: response.status,
+        statusText: response.statusText,
+        responseBody: clampText(responseBody || "-", 4000),
+        payloadPreview: {
+          content: payload.content,
+          title: payload.embeds?.[0]?.title,
+          fields: payload.embeds?.[0]?.fields?.map((field: any) => ({
+            name: field.name,
+            value: clampText(field.value || "-", 120),
+          })),
+          imageUrl: payload.embeds?.[0]?.image?.url || null,
+          thumbnailUrl: payload.embeds?.[0]?.thumbnail?.url || null,
+          authorIconUrl: payload.embeds?.[0]?.author?.icon_url || null,
+          hasImage: Boolean(payload.embeds?.[0]?.image?.url),
+          hasThumbnail: Boolean(payload.embeds?.[0]?.thumbnail?.url),
+        },
+      });
+    }
+  } catch (error) {
+    console.log("Failed to post map lifecycle webhook", error);
+  }
+}

package/utils/requestUtils.ts

@@ -1,88 +1,127 @@
-import { NextResponse } from "next/server";
-import { set, ZodObject } from "zod";
-import { getUserBySession } from "./getUserBySession";
-import { supabase } from "./supabase";
-
-interface Props<
-  K = (...args: any[]) => Promise<NextResponse<any>>,
-  T = ZodObject<any>,
-> {
-  request: Request;
-  schema: { input: T; output: T };
-  authorization?: Function;
-  activity: K;
-}
-
-export async function protectedApi({
-  request,
-  schema,
-  authorization,
-  activity,
-}: Props) {
-  try {
-    const toParse = await request.json();
-    const data = schema.input.parse(toParse);
-
-    const dataClone = structuredClone(data);
-    if (dataClone) {
-      if (dataClone["token"]) {
-        dataClone["token"] = "********";
-      }
-      Object.keys(dataClone).forEach((key) => {
-        console.log("KEY: ", key, dataClone[key]);
-        if (key == "data") {
-          try {
-            Object.keys(dataClone[key]).forEach((key2) => {
-              console.log("KEY2: ", key2, dataClone[key][key2]);
-            });
-          } catch (error) {}
-        }
-      });
-    }
-
-    setActivity(data);
-    if (authorization) {
-      const authorizationResponse = await authorization(data);
-      if (authorizationResponse) {
-        return authorizationResponse;
-      }
-    }
-    return await activity(data, request);
-  } catch (error) {
-    console.log(`Couldn't parse`, error.toString());
-    return NextResponse.json({ error: error.toString() }, { status: 400 });
-  }
-}
-
-export async function setActivity(data: Record<string, any>) {
-  if (data.session) {
-    const user = (await supabase.auth.getUser(data.session)).data.user;
-    if (user) {
-      await supabase.from("profileActivities").upsert({
-        uid: user.id,
-        last_activity: Date.now(),
-      });
-    }
-  }
-}
-
-export async function validUser(data) {
-  if (!data.session) {
-    return NextResponse.json(
-      {
-        error: "Session is missing",
-      },
-      { status: 501 }
-    );
-  }
-
-  const user = await getUserBySession(data.session);
-  if (!user) {
-    return NextResponse.json(
-      {
-        error: "Invalid user session",
-      },
-      { status: 400 }
-    );
-  }
-}
+import { NextResponse } from "next/server";
+import { ZodObject } from "zod";
+import { getUserBySession } from "./getUserBySession";
+import { supabase } from "./supabase";
+
+const SENSITIVE_LOG_KEYS = new Set([
+  "session",
+  "replayBytes",
+  "token",
+  "secret",
+  "passkey",
+  "passKey",
+]);
+const LONG_LOG_STRING_THRESHOLD = 256;
+
+function sanitizeForLog(
+  value: unknown,
+  key?: string
+):
+  | string
+  | number
+  | boolean
+  | null
+  | undefined
+  | Record<string, unknown>
+  | unknown[] {
+  const normalizedKey = (key || "").toLowerCase();
+  if (
+    SENSITIVE_LOG_KEYS.has(key || "") ||
+    SENSITIVE_LOG_KEYS.has(normalizedKey)
+  ) {
+    if (value === null || value === undefined) {
+      return value as null | undefined;
+    }
+    return "<Long>";
+  }
+
+  if (typeof value === "string") {
+    return value.length > LONG_LOG_STRING_THRESHOLD ? "<Long>" : value;
+  }
+
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeForLog(item));
+  }
+
+  if (value && typeof value === "object") {
+    const sanitizedObject: Record<string, unknown> = {};
+    Object.entries(value as Record<string, unknown>).forEach(
+      ([entryKey, entryValue]) => {
+        sanitizedObject[entryKey] = sanitizeForLog(entryValue, entryKey);
+      }
+    );
+    return sanitizedObject;
+  }
+
+  return value as string | number | boolean | null | undefined;
+}
+
+interface Props<
+  K = (...args: any[]) => Promise<NextResponse<any>>,
+  T = ZodObject<any>,
+> {
+  request: Request;
+  schema: { input: T; output: T };
+  authorization?: Function;
+  activity: K;
+}
+
+export async function protectedApi({
+  request,
+  schema,
+  authorization,
+  activity,
+}: Props) {
+  try {
+    const toParse = await request.json();
+    const data = schema.input.parse(toParse);
+
+    console.log("Request payload:", sanitizeForLog(data));
+
+    setActivity(data);
+    if (authorization) {
+      const authorizationResponse = await authorization(data);
+      if (authorizationResponse) {
+        return authorizationResponse;
+      }
+    }
+    return await activity(data, request);
+  } catch (error) {
+    console.log(`Couldn't parse`, error.toString());
+    return NextResponse.json({ error: error.toString() }, { status: 400 });
+  }
+}
+
+export async function setActivity(data: Record<string, any>) {
+  if (data.session) {
+    const user = (await supabase.auth.getUser(data.session)).data.user;
+    if (user) {
+      await supabase.from("profileActivities").upsert({
+        uid: user.id,
+        last_activity: Date.now(),
+      });
+    }
+  }
+}
+
+export async function validUser(data) {
+  if (!data.session) {
+    return NextResponse.json(
+      {
+        error: "Session is missing",
+      },
+      { status: 501 }
+    );
+  }
+
+  const user = await getUserBySession(data.session);
+  if (!user) {
+    console.log("Invalid user session");
+    return NextResponse.json(
+      {
+        error: "Invalid user session",
+      },
+      { status: 401 }
+    );
+  }
+}

package/api/nominateMap.ts

@@ -1,82 +0,0 @@
-import { NextResponse } from "next/server";
-import z from "zod";
-import { protectedApi, validUser } from "../utils/requestUtils";
-import { supabase } from "../utils/supabase";
-import { getUserBySession } from "../utils/getUserBySession";
-import { User } from "@supabase/supabase-js";
-
-export const Schema = {
-  input: z.strictObject({
-    session: z.string(),
-    mapId: z.number(),
-  }),
-  output: z.object({
-    error: z.string().optional(),
-  }),
-};
-
-export async function POST(request: Request) {
-  return protectedApi({
-    request,
-    schema: Schema,
-    authorization: validUser,
-    activity: handler,
-  });
-}
-
-export async function handler(data: (typeof Schema)["input"]["_type"]) {
-  const user = (await getUserBySession(data.session)) as User;
-  let { data: queryUserData, error: userError } = await supabase
-    .from("profiles")
-    .select("*")
-    .eq("uid", user.id)
-    .single();
-
-  if (!queryUserData) {
-    return NextResponse.json({ error: "Can't find user" });
-  }
-
-  const tags = (queryUserData?.badges || []) as string[];
-
-  if (!tags.includes("RCT")) {
-    return NextResponse.json({ error: "Only RCTs can nominate maps!" });
-  }
-
-  const { data: mapData, error } = await supabase
-    .from("beatmapPages")
-    .select("id,nominations,owner")
-    .eq("id", data.mapId)
-    .single();
-
-  if (!mapData) {
-    return NextResponse.json({ error: "Bad map" });
-  }
-
-  if (mapData.owner == queryUserData.id) {
-    return NextResponse.json({ error: "Can't nominate own map" });
-  }
-
-  if ((mapData.nominations as number[]).includes(queryUserData.id)) {
-    return NextResponse.json({ error: "Already nominated" });
-  }
-
-  const newNominations = [
-    ...(mapData.nominations! as number[]),
-    queryUserData.id,
-  ];
-  if (newNominations.length == 2) {
-    await supabase.from("beatmapPages").upsert({
-      id: data.mapId,
-      nominations: newNominations,
-      status: "RANKED",
-      ranked_at: Date.now(),
-    });
-  } else {
-    await supabase.from("beatmapPages").upsert({
-      id: data.mapId,
-      nominations: newNominations,
-    });
-  }
-
-  return NextResponse.json({});
-}