bizydraft 0.1.30__py3-none-any.whl → 0.2.0__py3-none-any.whl

bizydraft/block_nodes.py

@@ -0,0 +1,35 @@
+import os
+
+from loguru import logger
+
+BIZYDRAFT_BLACKLIST_NODES = os.getenv(
+    "BIZYDRAFT_BLACKLIST_NODES", "blacklist_nodes.json"
+)
+logger.info(f"Using blacklist nodes file: {BIZYDRAFT_BLACKLIST_NODES=}")
+
+if os.path.exists(BIZYDRAFT_BLACKLIST_NODES):
+    import json
+
+    with open(BIZYDRAFT_BLACKLIST_NODES, "r") as f:
+        BLACKLIST_NODE_CLASS = json.load(f)
+else:
+    logger.error(f"Blacklisted nodes file {BIZYDRAFT_BLACKLIST_NODES} does not exist.")
+    BLACKLIST_NODE_CLASS = []
+
+
+def remove_blacklisted_nodes():
+    try:
+        import nodes
+    except ImportError:
+        logger.error(
+            "Failed to import NODE_CLASS_MAPPINGS, ensure PYTHONPATH is set correctly. (export PYTHONPATH=$PYTHONPATH:/path/to/ComfyUI)"
+        )
+        return
+
+    for node_name in BLACKLIST_NODE_CLASS:
+        if node_name in nodes.NODE_CLASS_MAPPINGS:
+            del nodes.NODE_CLASS_MAPPINGS[node_name]
+            logger.info(f"Removed blacklisted node: {node_name}")
+        else:
+            pass
+            # logger.warning(f"Node {node_name} not found in NODE_CLASS_MAPPINGS")

bizydraft/env.py

@@ -0,0 +1,11 @@
+import os
+
+from loguru import logger
+
+BIZYDRAFT_DOMAIN = os.getenv("BIZYDRAFT_DOMAIN", "https://api.bizyair.cn")
+BIZYDRAFT_SERVER = f"{BIZYDRAFT_DOMAIN}/x/v1"
+
+logger.info(f"{BIZYDRAFT_DOMAIN=} {BIZYDRAFT_SERVER=}")
+
+BIZYAIR_API_KEY = os.getenv("BIZYAIR_API_KEY")
+logger.info(f"{BIZYAIR_API_KEY=}")

bizydraft/hijack_nodes.py

@@ -1,6 +1,9 @@
+import re
+
 from loguru import logger
 
 try:
+    from comfy_extras.nodes_video import LoadVideo
     from nodes import NODE_CLASS_MAPPINGS, LoadImage
 except ImportError:
     logger.error(
@@ -9,6 +12,21 @@ except ImportError:
     exit(1)
 
 
+class BizyDraftLoadVideo(LoadVideo):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {"file": (["choose your file"], {"video_upload": True})},
+        }
+
+    @classmethod
+    def VALIDATE_INPUTS(s, *args, **kwargs):
+        return True
+
+
 class BizyDraftLoadImage(LoadImage):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -16,17 +34,59 @@ class BizyDraftLoadImage(LoadImage):
     @classmethod
     def INPUT_TYPES(s):
         return {
-            "required": {"image": ([], {"image_upload": True})},
+            "required": {"image": (["choose your file"], {"image_upload": True})},
         }
 
     @classmethod
-    def VALIDATE_INPUTS(s, image, *args, **kwargs):
+    def VALIDATE_INPUTS(s, *args, **kwargs):
         return True
 
 
+CLASS_PATCHES = {
+    # "LoadImage": BizyDraftLoadImage,
+    # "LoadVideo": BizyDraftLoadVideo,
+}
+
+DATA_LOAD_CLASSES = [
+    "LoadImage",
+    "LoadVideo",
+    "LoadImageMask",
+    "LoadAudio",
+    "Load3D",
+]
+
+
 def hijack_nodes():
-    if "LoadImage" in NODE_CLASS_MAPPINGS:
-        del NODE_CLASS_MAPPINGS["LoadImage"]
-    NODE_CLASS_MAPPINGS["LoadImage"] = BizyDraftLoadImage
+    def _hijack_node(node_name, new_class):
+        if node_name in NODE_CLASS_MAPPINGS:
+            logger.warning(
+                f"Node {node_name} already exists, replacing with {new_class.__name__}"
+            )
+        NODE_CLASS_MAPPINGS[node_name] = new_class
+
+    # 特例情况，用手写的 class 替换
+    for node_name, new_class in CLASS_PATCHES.items():
+        _hijack_node(node_name, new_class)
+
+    # 通用情况，正则匹配后，打通用patch、替换
+    for node_name, base_class in NODE_CLASS_MAPPINGS.items():
+        regex = r"^(?!BizyAir_)\w+.*Loader.*"
+        match = re.match(regex, node_name, re.IGNORECASE)
+        if (match and (node_name not in CLASS_PATCHES)) or (
+            node_name in DATA_LOAD_CLASSES
+        ):
+            logger.debug(f"Creating patched class for {node_name}")
+            patched_class = create_patched_class(base_class)
+            NODE_CLASS_MAPPINGS[node_name] = patched_class
+
+
+def create_patched_class(base_class, validate_inputs_func=None):
+    class PatchedClass(base_class):
+        pass
+
+    if validate_inputs_func:
+        PatchedClass.VALIDATE_INPUTS = classmethod(validate_inputs_func)
+    else:
+        PatchedClass.VALIDATE_INPUTS = classmethod(lambda cls, *a, **k: True)
 
-    logger.info("[BizyDraft] Hijacked LoadImage node to BizyDraftLoadImage.")
+    return PatchedClass

bizydraft/hijack_routes.py

@@ -1,14 +1,10 @@
-import asyncio
-import math
-import mimetypes
-import os
-import uuid
-
-from aiohttp import ClientSession, ClientTimeout, web
+from aiohttp import web
 from loguru import logger
 
+from bizydraft.oss_utils import upload_image
+from bizydraft.patch_handlers import post_prompt, view_image
+
 try:
-    import execution
     from server import PromptServer
 
     comfy_server = PromptServer.instance
@@ -19,181 +15,88 @@ except ImportError:
     exit(1)
 
 
-BIZYDRAFT_MAX_FILE_SIZE = int(
-    os.getenv("BIZYDRAFT_MAX_FILE_SIZE", 100 * 1024 * 1024)
-)  # 100MB
-BIZYDRAFT_REQUEST_TIMEOUT = int(
-    os.getenv("BIZYDRAFT_REQUEST_TIMEOUT", 20 * 60)
-)  # 20分钟
-BIZYDRAFT_CHUNK_SIZE = int(os.getenv("BIZYDRAFT_CHUNK_SIZE", 1024 * 16))  # 16KB
-
-
-async def view_image(request, old_handler):
-    logger.debug(f"Received request for /view with query: {request.rel_url.query}")
-    if "filename" not in request.rel_url.query:
-        logger.warning("'filename' not provided in query string, returning 404")
-        return web.Response(status=404, text="'filename' not provided in query string")
-
-    filename = request.rel_url.query["filename"]
-    subfolder = request.rel_url.query.get("subfolder", "")
-
-    if not filename.startswith(("http://", "https://")) and not subfolder.startswith(
-        ("http://", "https://")
-    ):
-        logger.warning(f"Invalid filename format: {filename}, only URLs are supported")
-        return web.Response(
-            status=400, text="Invalid filename format(only url supported)"
-        )
-
-    try:
-        filename = (
-            f"{subfolder}/{filename}"
-            if not filename.startswith(("http://", "https://"))
-            else filename
-        )  # preview 3d request: https://host:port/api/view?filename=filename.glb&type=output&subfolder=https://bizyair-dev.oss-cn-shanghai.aliyuncs.com/outputs&rand=0.5763957215362988
-
-        content_type, _ = mimetypes.guess_type(filename)
-        if content_type and any(x in content_type for x in ("image", "video")):
-            return web.HTTPFound(filename)
-
-        timeout = ClientTimeout(total=BIZYDRAFT_REQUEST_TIMEOUT)
-        async with ClientSession(timeout=timeout) as session:
-            async with session.get(filename) as resp:
-                resp.raise_for_status()
-                content_length = int(resp.headers.get("Content-Length", 0))
-                if content_length > BIZYDRAFT_MAX_FILE_SIZE:
-                    logger.warning(
-                        f"File size {human_readable_size(content_length)} exceeds limit {human_readable_size(BIZYDRAFT_MAX_FILE_SIZE)}"
-                    )
-                    return web.Response(
-                        status=413,
-                        text=f"File size exceeds limit ({human_readable_size(BIZYDRAFT_MAX_FILE_SIZE)})",
-                    )
-
-                headers = {
-                    "Content-Disposition": f'attachment; filename="{uuid.uuid4()}"',
-                    "Content-Type": "application/octet-stream",
-                }
-
-                proxy_response = web.StreamResponse(headers=headers)
-                await proxy_response.prepare(request)
-
-                total_bytes = 0
-                async for chunk in resp.content.iter_chunked(BIZYDRAFT_CHUNK_SIZE):
-                    total_bytes += len(chunk)
-                    if total_bytes > BIZYDRAFT_MAX_FILE_SIZE:
-                        await proxy_response.write(b"")
-                        return web.Response(
-                            status=413,
-                            text=f"File size exceeds limit during streaming ({human_readable_size(BIZYDRAFT_MAX_FILE_SIZE)})",
-                        )
-                    await proxy_response.write(chunk)
-
-                return proxy_response
-
-    except asyncio.TimeoutError:
-        return web.Response(
-            status=504,
-            text=f"Request timed out (max {BIZYDRAFT_REQUEST_TIMEOUT//60} minutes)",
-        )
-    except Exception as e:
-        return web.Response(
-            status=502, text=f"Failed to fetch remote resource: {str(e)}"
-        )
-
-
-def human_readable_size(size_bytes):
-    if size_bytes == 0:
-        return "0B"
-    size_name = ("B", "KB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB")
-    i = int(math.floor(math.log(size_bytes, 1024)))
-    p = math.pow(1024, i)
-    s = round(size_bytes / p, 2)
-    return f"{s} {size_name[i]}"
-
-
-async def post_prompt(request):
-    json_data = await request.json()
-    logger.debug(f"Received POST request to /prompt with data")
-    json_data = comfy_server.trigger_on_prompt(json_data)
-
-    if "prompt" in json_data:
-        prompt = json_data["prompt"]
-        valid = execution.validate_prompt(prompt)
-        if valid[0]:
-            response = {
-                "prompt_id": None,
-                "number": None,
-                "node_errors": valid[3],
-            }
-            return web.json_response(response)
-        else:
-            return web.json_response(
-                {"error": valid[1], "node_errors": valid[3]}, status=400
-            )
-    else:
-        error = {
-            "type": "no_prompt",
-            "message": "No prompt provided",
-            "details": "No prompt provided",
-            "extra_info": {},
+def hijack_routes_pre_add_routes():
+    app = comfy_server.app
+
+    async def custom_business_middleware(app, handler):
+        routes_patch = {
+            ("/view", "GET"): view_image,
+            ("/prompt", "POST"): post_prompt,
+            ("/upload/image", "POST"): upload_image,
+            # /api alias
+            ("/api/view", "GET"): view_image,
+            ("/api/prompt", "POST"): post_prompt,
+            ("/api/upload/image", "POST"): upload_image,
         }
-        return web.json_response({"error": error, "node_errors": {}}, status=400)
-
-
-def hijack_routes():
-    routes = comfy_server.routes
-    for idx, route in enumerate(routes._items):
-        if route.path == "/view" and route.method == "GET":
-            old_handler = route.handler
-
-            async def new_handler(request):
-                return await view_image(request, old_handler)
-
-            routes._items[idx] = web.get("/view", new_handler)
-            routes._items[idx].kwargs.clear()
-            logger.info("Hijacked /view route to handle image, video and 3D streaming")
-            break
-    for idx, route in enumerate(routes._items):
-        if route.path == "/prompt" and route.method == "POST":
-            routes._items[idx] = web.post("/prompt", post_prompt)
-            logger.info(
-                "Hijacked /prompt route to handle prompt validation but not execution"
-            )
-            break
-
-    routes = comfy_server.routes
-    white_list = [
-        # 劫持改造过的
-        "/prompt",
-        "/view",
-        # 原生的
-        "/",
-        "/ws",
-        "/extensions",
-        "/object_info",
-        "/object_info/{node_class}",
-    ]
-
-    async def null_handler(request):
-        return web.Response(
-            status=403,
-            text="Access Forbidden: You do not have permission to access this resource.",
-        )
-
-    for idx, route in enumerate(routes._items):
-        if (route.path not in white_list) and ("/bizyair" not in route.path):
-            if route.method == "GET":
-                logger.info(f"hijiack to null: {route.path}, {route.method}")
-                routes._items[idx] = web.get(route.path, null_handler)
-                routes._items[idx].kwargs.clear()
-            elif route.method == "POST":
-                logger.info(f"hijiack to null: {route.path}, {route.method}")
-                routes._items[idx] = web.post(route.path, null_handler)
-                routes._items[idx].kwargs.clear()
-            else:
-                logger.warning(
-                    f"neither GET or POST, passed: {route.path}, {route.method}"
+
+        async def middleware_handler(request):
+            if ((request.path, request.method) in routes_patch) or (
+                (
+                    "/api" + request.path,
+                    request.method,
+                )
+                in routes_patch
+            ):
+                logger.debug(
+                    f"Custom handler for {request.path} with method {request.method}"
+                )
+                new_handler = routes_patch[(request.path, request.method)]
+                return await new_handler(request)
+
+            return await handler(request)
+
+        return middleware_handler
+
+    async def access_control_middleware(app, handler):
+        base_white_list = [
+            "/prompt",
+            "/view",
+            "/upload/image",
+            "/",
+            "/ws",
+            "/extensions",
+            "/object_info",
+            "/object_info/{node_class}",
+            "/assets",
+            "/users",
+            "/settings",
+            "/i18n",
+            "/userdata",
+        ]
+
+        white_list = [
+            *base_white_list,
+            *(f"/api{path}" for path in base_white_list if path not in ("/", "/ws")),
+        ]
+
+        async def middleware_handler(request):
+            is_allowed = any(
+                request.path == path
+                or (
+                    request.path.startswith(path.replace("{node_class}", ""))
+                    and path != "/"
+                    and path != "/api/"
                 )
-        else:
-            logger.warning(f"passed directly: {route.path}, {route.method}")
+                or ".css" in request.path
+                for path in white_list
+            )
+            #  Access control check for /assets/GraphView-Y3xu9HJK.js.map: allowed
+            logger.debug(
+                f"Access control check for {request.path}: {'allowed' if is_allowed else 'blocked'}"
+            )
+            if not is_allowed and "/bizyair" not in request.path:
+                logger.info(f"Blocked access to: {request.path}")
+                return web.Response(status=403, text="Access Forbidden")
+
+            return await handler(request)
+
+        return middleware_handler
+
+    app.middlewares.extend([custom_business_middleware])
+
+    logger.info("Optimized middleware setup complete.")
+
+
+def hijack_routes_post_add_routes():
+    # do someting after all routes are set up
+    logger.info("Post-add routes hijack complete, all routes are set up.")

bizydraft/oss_utils.py

@@ -0,0 +1,227 @@
+import base64
+import json
+import os
+from http.cookies import SimpleCookie
+from time import time
+from typing import Any, Dict
+
+import aiohttp
+import oss2
+from aiohttp import web
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import padding
+from loguru import logger
+from werkzeug.utils import secure_filename
+
+from bizydraft.env import BIZYAIR_API_KEY, BIZYDRAFT_SERVER
+
+private_key_pem = os.getenv(
+    "RSA_PRIVATE_KEY",
+    """-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuROqSPqhJlpv5R1wDl2sGuyA59Hf1y+VLR0w3cCyM6/WEQ4b
++TBFfM5HeCLc2YVDybc0ZJxsEqCXKpTweMlQg063ECK4961icF3xL8DRfXkwpUFJ
+CfG24tLdXwWK3CJDb4RqGSyZm2F0mE/kqMpidsoJrXy24B4iSJrk5DGRSL1dChiL
+vuvNNWPtdDHylormBxz2f8ePvvO8v/qsN+Xpxt7YirqWe5P2VavqMv66H7tItcZj
+LMIFF2kV8rYF94tk6/jL/Hb7gG7ujG2p5ikG+sNhrzn0TsWdh97S6F9kTC5D1IkM
+TXEhedXN1CQ4Z35TvIHxU1DBiax8t8mq/lF3rwIDAQABAoIBAQCvR8SaYWOF41jd
+8MdTk7uPtDVRWB9auSHbHC5PllQvR3TBqk8r7V+iF+rwCHSJPgE5ZV0lfE+ORLFm
+DrDAdEjgUwhlK71qNLdqHE50H3VIFCLSH8aAuH+wymwFtkYQvhKH5yxksyy3T9EQ
+/3lbsnEWd7o6qEa6c0+c27WzuI4UCEdQpeSG+5UYHykC/Rdfc25wXTjeK8QSUcw4
+Xlbt1O7omKAdrbSwbTValfqoUpKlAZ55nvJGqHnBWE5cvx9UHPooGWMUpq8004xb
+sU42q2mDSEkRNE+irvc1FInxJ+gDk51Qem1r4Uy4pUnzyngXBFrp2XQazE/aVZSr
+JG9fxfmBAoGBAN66SwUJg5LsRBFlPZTXzTLTzwXqm8e9ipKfe9dkuXX5Mx9mEbTd
+mjZL1pHX0+YZAQu2V6dekvABFwEOnlvm0l0TopR1yyzA7PZK5ZUF0Tb9binLobO1
+8G01Cp2jmrlarRGbwRdr9YXQ4ZKbvKUMevzYMIvPUFIkKQxHY/+x2IkRAoGBANS5
+gDHwJ/voZTqqcJpn916MwhjsQvOmlNdDzqKe5FYd/DKb1X+tDAXK/sAFMOMj5Row
+qCWu5G1T4f7DRY/BDXEU4u6YqcdokXTeZ45Z+fAZotcSit50T9gGoCTx8MMdeTUb
+y4uY6cvCnd6x5PYOoBRL9QQX/ML7LX0S1Q2xL/S/AoGAfOQ/nuJ32hIMFSkNAAKG
+eOLWan3kvnslUhSF8AD2EhYbuZaVhTLh/2JFPmCk3JjWwkeMHTjl8hjaWmhlGilz
+emfBObhXpo/EEFNtK0QozcoMVPlvggMaf1JH0p9j6l3TQFVzT/vkoBXB92DGxlIa
+QN/FURB9/KF0NwNtKnsCbdECgYARgUZUVa/koeYaosXrXtzTUf/y7xY/WJjs8e6C
+IVMm5wbG3139SK8xltfJ02OHfX+v3QspNrAjcwCo50bFIpzJjm9yNOvbtfYqSNb6
+ttrDcEifLC5zSdz8KOdqwuIOHFHKFgR081th4hz9o2P0/5UatnluIc8x+Ftw7GjN
+3KPWnwKBgQCrt3Zs5eqDvFRmuB6d1uMFhAPqjrxnvdl3xhONnIopM4A62FLW4AoI
+jpIg9K5YWK3nrROMWINH286CewjHXu2fhkhk1VPKo6Mz8bTqUoFZkI8cap/wfyqv
+BMb5TNmgx+tp12pH2VNc/kC5c+GKi8VnNYx8K6gRzpZIIDfSUR10RQ==
+-----END RSA PRIVATE KEY-----""",
+)
+
+
+class TokenExpiredError(Exception):
+    """Exception raised when the token has expired."""
+
+    pass
+
+
+def decrypt(encrypted_message):
+    try:
+        if not encrypted_message or not isinstance(encrypted_message, str):
+            raise ValueError("无效的加密消息")
+
+        private_key = serialization.load_pem_private_key(
+            private_key_pem.encode(), password=None, backend=default_backend()
+        )
+
+        encrypted_bytes = base64.b64decode(encrypted_message)
+        decrypted_bytes = private_key.decrypt(encrypted_bytes, padding.PKCS1v15())
+        decrypted_str = decrypted_bytes.decode("utf-8")
+
+        parsed_data = json.loads(decrypted_str)
+
+        now = int(time() * 1000)  # Convert to milliseconds to match JavaScript
+        if now - parsed_data["timestamp"] > parsed_data["expiresIn"]:
+            raise TokenExpiredError("Token已过期")
+
+        return parsed_data["data"]
+
+    except Exception as error:
+        logger.error(
+            "解密失败:",
+            {
+                "message": str(error),
+                "input": encrypted_message[:100] + "..." if encrypted_message else None,
+            },
+        )
+        return None
+
+
+async def get_upload_token(
+    filename: str,
+    api_key: str,
+) -> Dict[str, Any]:
+    url = f"{BIZYDRAFT_SERVER}/upload/token?file_name={filename}&file_type=inputs"
+
+    headers = {
+        "Content-Type": "application/json",
+        "Authorization": f"Bearer {api_key}",
+    }
+
+    async with aiohttp.ClientSession() as session:
+        async with session.get(url, headers=headers) as response:
+            if response.status == 200:
+                return await response.json()
+            else:
+                response.raise_for_status()
+
+
+async def upload_filefield_to_oss(file_field, token_data):
+    file_info = token_data["data"]["file"]
+    storage_info = token_data["data"]["storage"]
+
+    auth = oss2.StsAuth(
+        file_info["access_key_id"],
+        file_info["access_key_secret"],
+        file_info["security_token"],
+    )
+    bucket = oss2.Bucket(
+        auth, f"http://{storage_info['endpoint']}", storage_info["bucket"]
+    )
+
+    try:
+        result = bucket.put_object(
+            file_info["object_key"],  # OSS存储路径
+            file_field.file,  # 直接使用文件流对象
+            headers={
+                "Content-Type": file_field.content_type,  # 保留原始MIME类型
+                "Content-Disposition": f"attachment; filename={secure_filename(file_field.filename)}",
+            },
+        )
+
+        if result.status == 200:
+            return {
+                "status": result.status,
+                "url": f"https://{storage_info['bucket']}.{storage_info['endpoint']}/{file_info['object_key']}",
+            }
+        else:
+            return {
+                "status": result.status,
+                "reason": f"OSS返回状态码: {result.status}",
+            }
+
+    except Exception as e:
+        return {"status": 500, "reason": str(e)}
+
+
+async def commit_file(object_key: str, filename: str, api_key: str):
+    url = f"{BIZYDRAFT_SERVER}/input_resource/commit"
+    headers = {
+        "Content-Type": "application/json",
+        "Authorization": f"Bearer {api_key}",
+    }
+    payload = {
+        "object_key": object_key,
+        "name": filename,
+    }
+
+    async with aiohttp.ClientSession() as session:
+        async with session.post(url, headers=headers, json=payload) as response:
+            if response.status == 200:
+                return await response.json()
+            response.raise_for_status()
+
+
+async def upload_to_oss(post, api_key: str):
+    from bizydraft.oss_utils import get_upload_token
+
+    image = post.get("image")
+    overwrite = post.get("overwrite")
+    image_upload_type = post.get("type")
+    subfolder = post.get("subfolder", "")
+    logger.debug(f"{image=}, {overwrite=}, {image_upload_type=}, {subfolder=}")
+
+    if not (image and image.file):
+        return web.Response(status=400)
+
+    filename = image.filename
+    if not filename:
+        return web.Response(status=400)
+
+    oss_token = await get_upload_token(filename, api_key)
+    result = await upload_filefield_to_oss(image, oss_token)
+    if result["status"] != 200:
+        return web.Response(status=result["status"], text=result.get("reason", ""))
+    logger.debug(f"upload file: {result['url']}")
+    try:
+        object_key = oss_token["data"]["file"]["object_key"]
+        await commit_file(object_key, filename, api_key)
+        logger.debug(f"sucess: commit {filename=}")
+    except Exception as e:
+        logger.error(f"Commit file failed: {e}")
+        return web.Response(status=500, text=str(e))
+    return web.json_response(
+        {"name": result["url"], "subfolder": subfolder, "type": image_upload_type}
+    )
+
+
+def get_api_key(request):
+    if BIZYAIR_API_KEY:
+        return BIZYAIR_API_KEY
+
+    cookies = request.headers.get("Cookie")
+    if not cookies:
+        return None
+
+    try:
+        cookie = SimpleCookie()
+        cookie.load(cookies)
+
+        bizy_token = cookie.get("bizy_token").value if "bizy_token" in cookie else None
+
+        decrypted_token = decrypt(bizy_token)
+        api_key = decrypted_token if decrypted_token else None
+
+    except Exception as e:
+        logger.error(f"error happens when get_api_key from cookies: {e}")
+        return None
+
+    return api_key
+
+
+async def upload_image(request):
+    logger.debug(f"Received request to upload image: {request.path}")
+    api_key = get_api_key(request)
+    if not api_key:
+        return web.Response(status=403, text="No validated key found")
+    post = await request.post()
+    return await upload_to_oss(post, api_key)