taskover-mcp 1.1.0 → 1.2.0

package/image-upload-service.js

@@ -0,0 +1,398 @@
+"use strict";
+
+const crypto = require("crypto");
+const { PutObjectCommand } = require("@aws-sdk/client-s3");
+const { validateAndProcess } = require("./image-processor");
+const store = require("./data-store");
+
+// Strict image types: needs_review is treated as rejected (no quarantine, no R2 upload)
+const STRICT_TYPES = new Set(["avatar", "project_image", "banner", "public_page_image"]);
+
+// ---------------------------------------------------------------------------
+// State
+// ---------------------------------------------------------------------------
+let _moderator = null;
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Generate a ULID-ish key: timestamp base36 + random suffix. */
+function _generateKey(prefix, userId) {
+  const id = Date.now().toString(36) + Math.random().toString(36).substr(2, 8);
+  return `images/${prefix}/${userId}/${id}.webp`;
+}
+
+/** Upload a buffer to R2 (Cloudflare / S3-compatible). */
+async function _uploadToR2(r2Client, bucket, key, buffer) {
+  await r2Client.send(new PutObjectCommand({
+    Bucket: bucket,
+    Key: key,
+    Body: buffer,
+    ContentType: "image/webp",
+  }));
+}
+
+/**
+ * Decode a data URL into a raw Buffer.
+ *
+ * Accepts:  data:image/png;base64,iVBOR...
+ * Returns:  { buffer, declaredMime }
+ * Throws:   on invalid format
+ */
+function _decodeDataUrl(dataUrl) {
+  if (typeof dataUrl !== "string" || !dataUrl.startsWith("data:")) {
+    return null;
+  }
+  const commaIdx = dataUrl.indexOf(",");
+  if (commaIdx === -1) return null;
+
+  // Extract declared MIME from the header portion
+  const header = dataUrl.slice(0, commaIdx); // e.g. "data:image/png;base64"
+  const mimeMatch = header.match(/^data:([^;,]+)/);
+  const declaredMime = mimeMatch ? mimeMatch[1] : null;
+
+  const base64 = dataUrl.slice(commaIdx + 1);
+  if (!base64) return null;
+
+  const buffer = Buffer.from(base64, "base64");
+  if (buffer.length === 0) return null;
+
+  return { buffer, declaredMime };
+}
+
+/**
+ * Check whether the user is currently blocked from uploading.
+ *
+ * Lockout ladder (fail-closed):
+ *   1. Persisted lock — admin lock, or auto-lock written after previous rejection
+ *      - "indefinite" → blocked permanently
+ *      - "auto_1h:<ISO>" / "auto_24h:<ISO>" → blocked until timestamp
+ *      - plain ISO timestamp → admin-set expiry
+ *   2. Fallback count-based derivation (covers race / missing persist)
+ *      - >= 20 rejections in 30 days → indefinite
+ *      - >= 10 rejections in 24 h   → 24-hour cooldown
+ *      - >= 5  rejections in 24 h   → 1-hour cooldown (from last rejection)
+ *
+ * @returns {{ locked: boolean, reason?: string }}
+ */
+function _checkAbuseLockout(userId) {
+  // --- 1. Persisted lock (admin or auto) ---
+  const lockVal = store.getUserUploadLock(userId);
+  if (lockVal) {
+    if (lockVal === "indefinite") {
+      return { locked: true, reason: "lock_indefinite" };
+    }
+    // auto_1h:<ISO> or auto_24h:<ISO>
+    const autoMatch = lockVal.match(/^auto_\w+:(.+)$/);
+    if (autoMatch) {
+      const expiresAt = new Date(autoMatch[1]);
+      if (!isNaN(expiresAt.getTime()) && expiresAt.getTime() > Date.now()) {
+        return { locked: true, reason: "lock_active:" + lockVal };
+      }
+      // Expired auto-lock — clear and continue
+      store.clearUserUploadLock(userId);
+    } else {
+      // Plain ISO timestamp (admin-set expiry)
+      const expiresAt = new Date(lockVal);
+      if (!isNaN(expiresAt.getTime()) && expiresAt.getTime() > Date.now()) {
+        return { locked: true, reason: "admin_lock_until:" + lockVal };
+      }
+      // Expired admin lock — clear
+      store.clearUserUploadLock(userId);
+    }
+  }
+
+  // --- 2. Count-based fallback (covers window where lock wasn't persisted) ---
+  const count30d = store.getUserRejectionCount(userId, 720); // 30 days
+  if (count30d >= 20) {
+    return { locked: true, reason: "auto_lock_indefinite:30d_rejections=" + count30d };
+  }
+
+  const count24h = store.getUserRejectionCount(userId, 24);
+  if (count24h >= 10) {
+    return { locked: true, reason: "auto_lock_24h:24h_rejections=" + count24h };
+  }
+
+  if (count24h >= 5) {
+    const count1h = store.getUserRejectionCount(userId, 1);
+    if (count1h > 0) {
+      return { locked: true, reason: "auto_lock_1h:24h_rejections=" + count24h };
+    }
+  }
+
+  return { locked: false };
+}
+
+/**
+ * After a rejection, check thresholds and persist an auto-lock if warranted.
+ * Also logs a lock_user moderation action for audit trail.
+ *
+ * @param {string} userId
+ * @param {string} imageUploadId — the just-rejected upload (for audit linkage)
+ */
+function _escalateAfterRejection(userId, imageUploadId) {
+  const count30d = store.getUserRejectionCount(userId, 720);
+  const count24h = store.getUserRejectionCount(userId, 24);
+
+  let lockValue = null;
+  let lockReason = null;
+
+  if (count30d >= 20) {
+    lockValue = "indefinite";
+    lockReason = "auto_lock:30d_rejections=" + count30d;
+  } else if (count24h >= 10) {
+    const expires = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+    lockValue = "auto_24h:" + expires;
+    lockReason = "auto_lock:24h_rejections=" + count24h;
+  } else if (count24h >= 5) {
+    const expires = new Date(Date.now() + 60 * 60 * 1000).toISOString();
+    lockValue = "auto_1h:" + expires;
+    lockReason = "auto_lock:24h_rejections=" + count24h;
+  }
+
+  if (lockValue) {
+    store.setUserUploadLock(userId, lockValue);
+    store.createModerationAction({
+      imageUploadId,
+      actorUserId: "system",
+      action: "lock_user",
+      previousState: "rejected",
+      newState: lockValue,
+      note: lockReason,
+    });
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Initialize the service. Must be called once at startup.
+ * @param {{ moderator: object }} opts
+ */
+function init({ moderator }) {
+  _moderator = moderator;
+}
+
+/**
+ * Process an image upload through the full pipeline.
+ *
+ * Steps: lockout check → decode → validate → process → DB record →
+ *        moderate → (reject|quarantine|approve) → R2 upload → done.
+ *
+ * Returns a structured result — never throws for business-logic failures.
+ *
+ * @param {object} params
+ * @param {string} params.dataUrl    - base64 data URL ("data:image/...;base64,...")
+ * @param {string} params.userId
+ * @param {string|null} params.projectId
+ * @param {string} params.imageType  - 'avatar','project_image','banner','public_page_image'
+ * @param {object} params.r2Client   - S3Client instance (injected by API server)
+ * @param {string} params.r2Bucket   - bucket name
+ * @returns {Promise<{ success: boolean, imageUploadId?: string, error?: string, errorCode?: string }>}
+ */
+async function processUpload({ dataUrl, userId, projectId, imageType, r2Client, r2Bucket }) {
+  try {
+    // ── 1. Check abuse lockout ───────────────────────────────────────
+    const lockout = _checkAbuseLockout(userId);
+    if (lockout.locked) {
+      return {
+        success: false,
+        error: "Upload temporarily disabled: " + lockout.reason,
+        errorCode: "UPLOAD_LOCKED",
+      };
+    }
+
+    // ── 2. Decode base64 data URL ────────────────────────────────────
+    const decoded = _decodeDataUrl(dataUrl);
+    if (!decoded) {
+      return {
+        success: false,
+        error: "Invalid or empty data URL",
+        errorCode: "INVALID_DATA_URL",
+      };
+    }
+    const { buffer: rawBuffer, declaredMime } = decoded;
+
+    // ── 3-4. Validate magic bytes, size, format + process ────────────
+    let result;
+    try {
+      result = await validateAndProcess(rawBuffer, imageType);
+    } catch (err) {
+      // Distinguish validation from processing errors
+      const processCodes = new Set(["PROCESS_FAILED", "CORRUPT_IMAGE"]);
+      const errorCode = processCodes.has(err.code) ? "PROCESS_FAILED" : "VALIDATION_FAILED";
+      return {
+        success: false,
+        error: err.message || "Image validation failed",
+        errorCode,
+      };
+    }
+
+    const { processed, width, height, detectedMime, originalSize, processedSize } = result;
+
+    // ── 4b. Compute content hash for abuse fingerprinting ────────────
+    const contentHash = crypto.createHash("sha256").update(processed).digest("hex");
+
+    // ── 5. Create image_uploads record (state: pending) ──────────────
+    const uploadRecord = store.createImageUpload({
+      userId,
+      projectId: projectId || null,
+      imageType,
+      originalMime: declaredMime || detectedMime,
+      originalSize,
+      detectedMime,
+      processedSize,
+      width,
+      height,
+      contentHash,
+    });
+    const imageUploadId = uploadRecord.id;
+
+    // ── 6. Moderate synchronously ────────────────────────────────────
+    if (!_moderator) {
+      store.updateImageUploadState(imageUploadId, "storage_failed");
+      return {
+        success: false,
+        error: "Moderation service not initialized",
+        errorCode: "INTERNAL_ERROR",
+      };
+    }
+
+    let modResult;
+    try {
+      modResult = await _moderator.moderate(processed, imageType);
+    } catch (err) {
+      // Moderation backend threw unexpectedly — fail safe to needs_review
+      console.error("[image-upload-service] Moderation threw:", err.message);
+      modResult = {
+        decision: "needs_review",
+        reason: "moderation_exception",
+        labels: [],
+        score: 0,
+        provider: "unknown",
+      };
+    }
+
+    const { decision, reason, labels, score, provider } = modResult;
+
+    // ── Strict binary decision: for strict types, needs_review → rejected ──
+    const isStrict = STRICT_TYPES.has(imageType);
+    let effectiveDecision = decision;
+    if (isStrict && effectiveDecision === "needs_review") {
+      effectiveDecision = "rejected";
+    }
+
+    // Map effective decision to DB moderation_state
+    const stateMap = {
+      approved: "approved",
+      rejected: "rejected",
+      needs_review: "needs_review",
+    };
+    const moderationState = stateMap[effectiveDecision] || "needs_review";
+
+    // Update the record with moderation outcome
+    store.updateImageUploadModeration(imageUploadId, {
+      state: moderationState,
+      reason: reason || null,
+      labels: Array.isArray(labels) ? labels.join(",") : (labels || null),
+      provider: provider || null,
+      score: score != null ? score : null,
+    });
+
+    // Log moderation action for ALL outcomes
+    const actionMap = {
+      approved: "auto_approve",
+      rejected: "auto_reject",
+      needs_review: "auto_needs_review",
+    };
+    // Log the original decision as the action, but the effective state as newState
+    store.createModerationAction({
+      imageUploadId,
+      actorUserId: "system",
+      action: actionMap[decision] || "auto_needs_review",
+      previousState: "pending",
+      newState: moderationState,
+      note: (isStrict && decision === "needs_review")
+        ? (reason || "") + " [strict_type: needs_review→rejected]"
+        : (reason || null),
+    });
+
+    // ── 6a. REJECTED (including strict needs_review→rejected) → stop, no R2 upload ──
+    if (effectiveDecision === "rejected") {
+      // Check if rejection thresholds are now crossed → persist auto-lock
+      _escalateAfterRejection(userId, imageUploadId);
+
+      return {
+        success: false,
+        imageUploadId,
+        error: "Image rejected by content moderation",
+        errorCode: "MODERATION_REJECTED",
+      };
+    }
+
+    // ── 6b. NEEDS_REVIEW → quarantine (only for non-strict types, future use) ──
+    if (!isStrict && effectiveDecision === "needs_review") {
+      const quarantineKey = _generateKey("quarantine", userId);
+      try {
+        await _uploadToR2(r2Client, r2Bucket, quarantineKey, processed);
+        store.updateImageUploadR2Key(imageUploadId, quarantineKey);
+      } catch (err) {
+        console.error("[image-upload-service] Quarantine R2 upload failed:", err.message);
+        store.updateImageUploadState(imageUploadId, "storage_failed");
+        return {
+          success: false,
+          imageUploadId,
+          error: "Failed to store image for review",
+          errorCode: "STORAGE_FAILED",
+        };
+      }
+
+      return {
+        success: false,
+        imageUploadId,
+        error: "Image is under review",
+        errorCode: "MODERATION_REVIEW",
+      };
+    }
+
+    // ── 7. APPROVED → upload to approved/ R2 prefix ──────────────────
+    const approvedKey = _generateKey("approved", userId);
+    try {
+      await _uploadToR2(r2Client, r2Bucket, approvedKey, processed);
+    } catch (err) {
+      console.error("[image-upload-service] R2 upload failed:", err.message);
+      store.updateImageUploadState(imageUploadId, "storage_failed");
+      return {
+        success: false,
+        imageUploadId,
+        error: "Image storage failed — please try again",
+        errorCode: "STORAGE_FAILED",
+      };
+    }
+
+    // ── 8. Update record with R2 key ─────────────────────────────────
+    store.updateImageUploadR2Key(imageUploadId, approvedKey);
+
+    // ── 9. Success ───────────────────────────────────────────────────
+    return {
+      success: true,
+      imageUploadId,
+    };
+  } catch (err) {
+    // Catch-all for truly unexpected errors
+    console.error("[image-upload-service] Unexpected error:", err);
+    return {
+      success: false,
+      error: "Internal error processing upload",
+      errorCode: "INTERNAL_ERROR",
+    };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+module.exports = { init, processUpload };