winebox 0.1.3__py3-none-any.whl → 0.1.5__py3-none-any.whl

winebox/services/image_storage.py

@@ -4,42 +4,171 @@ import uuid
 from pathlib import Path
 
 import aiofiles
-from fastapi import UploadFile
+from fastapi import HTTPException, UploadFile, status
 
 from winebox.config import settings
 
+# Allowed MIME types for image uploads
+ALLOWED_MIME_TYPES = {
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/webp",
+}
+
+# File extension to MIME type mapping
+EXTENSION_MIME_MAP = {
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".png": "image/png",
+    ".gif": "image/gif",
+    ".webp": "image/webp",
+}
+
+# Magic byte signatures for image formats
+# Each entry is (magic_bytes, offset, detected_extension)
+IMAGE_MAGIC_SIGNATURES = [
+    # JPEG: starts with FF D8 FF
+    (b"\xff\xd8\xff", 0, ".jpg"),
+    # PNG: starts with 89 50 4E 47 0D 0A 1A 0A
+    (b"\x89PNG\r\n\x1a\n", 0, ".png"),
+    # GIF87a and GIF89a
+    (b"GIF87a", 0, ".gif"),
+    (b"GIF89a", 0, ".gif"),
+    # WebP: starts with RIFF....WEBP
+    (b"RIFF", 0, ".webp"),  # Additional check for WEBP at offset 8
+]
+
+
+def detect_image_type(content: bytes) -> str | None:
+    """Detect image type from file content using magic bytes.
+
+    Args:
+        content: The file content bytes.
+
+    Returns:
+        The detected extension (e.g., ".jpg") or None if not a valid image.
+    """
+    if len(content) < 12:
+        return None
+
+    for magic, offset, ext in IMAGE_MAGIC_SIGNATURES:
+        if content[offset:offset + len(magic)] == magic:
+            # Special case for WebP: verify WEBP signature at offset 8
+            if ext == ".webp":
+                if content[8:12] != b"WEBP":
+                    continue
+            return ext
+
+    return None
+
+
+class FileSizeExceededError(Exception):
+    """Raised when uploaded file exceeds size limit."""
+
+    pass
+
+
+class InvalidFileTypeError(Exception):
+    """Raised when uploaded file has invalid type."""
+
+    pass
+
+
+class InvalidMagicBytesError(Exception):
+    """Raised when file content doesn't match a valid image format."""
+
+    pass
+
 
 class ImageStorageService:
     """Service for storing and managing wine label images."""
 
-    def __init__(self, storage_path: Path | None = None) -> None:
+    def __init__(
+        self,
+        storage_path: Path | None = None,
+        max_size_bytes: int | None = None,
+    ) -> None:
         """Initialize the image storage service.
 
         Args:
             storage_path: Path to store images. Defaults to config setting.
+            max_size_bytes: Maximum file size in bytes. Defaults to config setting.
         """
         self.storage_path = storage_path or settings.image_storage_path
         self.storage_path.mkdir(parents=True, exist_ok=True)
+        self.max_size_bytes = max_size_bytes or settings.max_upload_size_bytes
+
+    def _validate_extension(self, filename: str | None) -> str:
+        """Validate and return the file extension.
+
+        Args:
+            filename: The original filename.
+
+        Returns:
+            Valid extension (e.g., ".jpg").
+
+        Raises:
+            InvalidFileTypeError: If extension is not allowed.
+        """
+        if not filename:
+            return ".jpg"
+
+        ext = Path(filename).suffix.lower()
+        if ext not in EXTENSION_MIME_MAP:
+            raise InvalidFileTypeError(
+                f"Invalid file type. Allowed types: {', '.join(EXTENSION_MIME_MAP.keys())}"
+            )
+        return ext
 
     async def save_image(self, upload_file: UploadFile) -> str:
-        """Save an uploaded image file.
+        """Save an uploaded image file with size, type, and content validation.
 
         Args:
             upload_file: The uploaded file from FastAPI.
 
         Returns:
             The filename of the saved image.
-        """
-        # Generate unique filename
-        ext = Path(upload_file.filename or "image.jpg").suffix.lower()
-        if ext not in [".jpg", ".jpeg", ".png", ".gif", ".webp"]:
-            ext = ".jpg"
 
+        Raises:
+            HTTPException: If file exceeds size limit, has invalid type, or
+                          content doesn't match a valid image format.
+        """
+        # Validate extension first
+        try:
+            declared_ext = self._validate_extension(upload_file.filename)
+        except InvalidFileTypeError as e:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=str(e),
+            )
+
+        # Read content with size limit check
+        content = await upload_file.read()
+        if len(content) > self.max_size_bytes:
+            max_mb = self.max_size_bytes / (1024 * 1024)
+            raise HTTPException(
+                status_code=status.HTTP_413_CONTENT_TOO_LARGE,
+                detail=f"File size exceeds maximum allowed size of {max_mb:.1f} MB",
+            )
+
+        # Validate magic bytes - ensure file content matches a valid image format
+        detected_ext = detect_image_type(content)
+        if detected_ext is None:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid file content. File does not appear to be a valid image.",
+            )
+
+        # Use the detected extension (more reliable than declared extension)
+        # This prevents attacks where malicious files are renamed to .jpg/.png
+        ext = detected_ext
+
+        # Generate unique filename with detected extension
         filename = f"{uuid.uuid4()}{ext}"
         file_path = self.storage_path / filename
 
         # Save file
-        content = await upload_file.read()
         async with aiofiles.open(file_path, "wb") as f:
             await f.write(content)
 

winebox/services/vision.py

@@ -37,30 +37,47 @@ class ClaudeVisionService:
 
     def __init__(self) -> None:
         """Initialize the Claude Vision service."""
-        self._client = None
+        self._default_client = None
+
+    def _get_system_api_key(self) -> str | None:
+        """Get the system-wide API key from settings or environment."""
+        return settings.anthropic_api_key or os.getenv("ANTHROPIC_API_KEY")
+
+    def _get_client(self, user_api_key: str | None = None):
+        """Get an Anthropic client, using user key if provided, else system key."""
+        try:
+            import anthropic
+
+            # Use user's API key if provided, otherwise use system key
+            api_key = user_api_key or self._get_system_api_key()
+            if not api_key:
+                raise ValueError("No Anthropic API key configured")
+
+            # If using system key, cache the client
+            if not user_api_key:
+                if self._default_client is None:
+                    self._default_client = anthropic.Anthropic(api_key=api_key)
+                return self._default_client
+
+            # Create a new client for user-specific key
+            return anthropic.Anthropic(api_key=api_key)
+        except ImportError:
+            logger.error("anthropic package is not installed")
+            raise
 
     @property
     def client(self):
-        """Lazy-load the Anthropic client."""
-        if self._client is None:
-            try:
-                import anthropic
-
-                # Check for API key in settings or environment
-                api_key = settings.anthropic_api_key or os.getenv("ANTHROPIC_API_KEY")
-                if not api_key:
-                    raise ValueError("No Anthropic API key configured")
-
-                self._client = anthropic.Anthropic(api_key=api_key)
-            except ImportError:
-                logger.error("anthropic package is not installed")
-                raise
-        return self._client
-
-    def is_available(self) -> bool:
-        """Check if Claude Vision is available."""
+        """Lazy-load the default Anthropic client (for backward compatibility)."""
+        return self._get_client()
+
+    def is_available(self, user_api_key: str | None = None) -> bool:
+        """Check if Claude Vision is available.
+
+        Args:
+            user_api_key: Optional user-specific API key to check.
+        """
         try:
-            api_key = settings.anthropic_api_key or os.getenv("ANTHROPIC_API_KEY")
+            api_key = user_api_key or self._get_system_api_key()
             return bool(api_key) and settings.use_claude_vision
         except Exception:
             return False
@@ -68,13 +85,15 @@ class ClaudeVisionService:
     async def analyze_label(
         self,
         image_data: bytes,
-        media_type: str = "image/jpeg"
+        media_type: str = "image/jpeg",
+        user_api_key: str | None = None,
     ) -> dict[str, Any]:
         """Analyze a wine label image using Claude Vision.
 
         Args:
             image_data: Raw image data as bytes.
             media_type: MIME type of the image (image/jpeg, image/png, etc.)
+            user_api_key: Optional user-specific API key.
 
         Returns:
             Dictionary with parsed wine information.
@@ -83,8 +102,11 @@ class ClaudeVisionService:
             # Encode image to base64
             image_base64 = base64.standard_b64encode(image_data).decode("utf-8")
 
+            # Get client (uses user key if provided, else system key)
+            client = self._get_client(user_api_key)
+
             # Call Claude API with vision
-            message = self.client.messages.create(
+            message = client.messages.create(
                 model="claude-sonnet-4-20250514",
                 max_tokens=1024,
                 messages=[
@@ -146,6 +168,7 @@ class ClaudeVisionService:
         back_image_data: bytes | None = None,
         front_media_type: str = "image/jpeg",
         back_media_type: str = "image/jpeg",
+        user_api_key: str | None = None,
     ) -> dict[str, Any]:
         """Analyze front and back wine label images.
 
@@ -154,11 +177,15 @@ class ClaudeVisionService:
             back_image_data: Optional back label image data.
             front_media_type: MIME type of front image.
             back_media_type: MIME type of back image.
+            user_api_key: Optional user-specific API key.
 
         Returns:
             Combined analysis results.
         """
         try:
+            # Get client (uses user key if provided, else system key)
+            client = self._get_client(user_api_key)
+
             # Build message content with images
             content = [
                 {
@@ -199,7 +226,7 @@ class ClaudeVisionService:
                 ])
 
             # Call Claude API
-            message = self.client.messages.create(
+            message = client.messages.create(
                 model="claude-sonnet-4-20250514",
                 max_tokens=1024,
                 messages=[{"role": "user", "content": content}],

winebox/static/css/style.css

@@ -555,6 +555,140 @@ h3 {
     max-width: 400px;
 }
 
+.modal-content.modal-large {
+    max-width: 900px;
+}
+
+/* Checkin Confirmation Modal */
+.checkin-confirm-header {
+    text-align: center;
+    margin-bottom: 1.5rem;
+}
+
+.checkin-confirm-header h3 {
+    color: var(--primary-color);
+    margin-bottom: 0.25rem;
+}
+
+.checkin-confirm-subtitle {
+    color: var(--text-muted);
+    font-size: 0.9rem;
+}
+
+.checkin-confirm-content {
+    display: grid;
+    grid-template-columns: 200px 1fr;
+    gap: 1.5rem;
+    margin-bottom: 1.5rem;
+}
+
+.checkin-confirm-image {
+    width: 200px;
+    height: 250px;
+    border-radius: var(--radius);
+    overflow: hidden;
+    border: 1px solid var(--border-color);
+    background: var(--background-color);
+}
+
+.checkin-confirm-image img {
+    width: 100%;
+    height: 100%;
+    object-fit: cover;
+}
+
+.checkin-confirm-form .form-grid {
+    display: grid;
+    grid-template-columns: repeat(2, 1fr);
+    gap: 1rem;
+}
+
+.checkin-confirm-form .form-group {
+    margin-bottom: 0;
+}
+
+.checkin-confirm-form .form-group.full-width {
+    grid-column: 1 / -1;
+}
+
+.checkin-confirm-form label {
+    display: block;
+    font-size: 0.85rem;
+    color: var(--text-muted);
+    margin-bottom: 0.25rem;
+}
+
+.checkin-confirm-form input,
+.checkin-confirm-form textarea {
+    width: 100%;
+    padding: 0.5rem 0.75rem;
+    border: 1px solid var(--border-color);
+    border-radius: var(--radius);
+    font-size: 0.95rem;
+}
+
+.checkin-confirm-form textarea {
+    resize: vertical;
+}
+
+.checkin-confirm-ocr {
+    margin-bottom: 1.5rem;
+    border: 1px solid var(--border-color);
+    border-radius: var(--radius);
+}
+
+.checkin-confirm-ocr .collapsible-header {
+    padding: 0.75rem 1rem;
+    cursor: pointer;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    background: var(--background-color);
+    border-radius: var(--radius);
+}
+
+.checkin-confirm-ocr .collapsible-header:hover {
+    background: #f0ede8;
+}
+
+.checkin-confirm-ocr .collapsible-content {
+    padding: 1rem;
+    border-top: 1px solid var(--border-color);
+}
+
+.checkin-confirm-ocr .ocr-text-container {
+    max-height: 200px;
+    overflow-y: auto;
+}
+
+.checkin-confirm-ocr pre {
+    white-space: pre-wrap;
+    font-size: 0.85rem;
+    background: var(--background-color);
+    padding: 0.75rem;
+    border-radius: var(--radius);
+    margin-top: 0.5rem;
+}
+
+@media (max-width: 768px) {
+    .checkin-confirm-content {
+        grid-template-columns: 1fr;
+    }
+
+    .checkin-confirm-image {
+        width: 100%;
+        height: 200px;
+    }
+
+    .checkin-confirm-form .form-grid {
+        grid-template-columns: 1fr;
+    }
+
+    .modal-content.modal-large {
+        max-width: 100%;
+    }
+}
+
 .modal-close {
     position: absolute;
     top: 1rem;
@@ -1044,6 +1178,19 @@ h3 {
     font-weight: 500;
 }
 
+.user-info .username-link {
+    color: rgba(255, 255, 255, 0.9);
+    text-decoration: none;
+    padding: 0.4rem 0.75rem;
+    border-radius: var(--radius);
+    transition: all 0.2s ease;
+}
+
+.user-info .username-link:hover {
+    background: rgba(255, 255, 255, 0.15);
+    color: white;
+}
+
 .user-info .btn {
     padding: 0.4rem 0.75rem;
     font-size: 0.85rem;
@@ -1056,6 +1203,60 @@ h3 {
     background: rgba(255, 255, 255, 0.3);
 }
 
+/* Settings Page */
+.settings-section {
+    background: var(--card-background);
+    border-radius: var(--radius-lg);
+    padding: 1.5rem;
+    margin-bottom: 1.5rem;
+    box-shadow: var(--shadow);
+    border: 1px solid var(--border-color);
+}
+
+.settings-section h3 {
+    color: var(--primary-color);
+    margin-bottom: 1rem;
+    padding-bottom: 0.75rem;
+    border-bottom: 1px solid var(--border-color);
+}
+
+.settings-description {
+    color: var(--text-muted);
+    font-size: 0.9rem;
+    margin-bottom: 1rem;
+    line-height: 1.5;
+}
+
+.api-key-status {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    padding: 0.75rem 1rem;
+    background: var(--background-color);
+    border-radius: var(--radius);
+    margin-bottom: 1rem;
+}
+
+.api-key-status .status-indicator {
+    width: 10px;
+    height: 10px;
+    border-radius: 50%;
+    background: var(--text-muted);
+}
+
+.api-key-status.configured .status-indicator {
+    background: var(--success-color);
+}
+
+.api-key-status.not-configured .status-indicator {
+    background: var(--warning-color);
+}
+
+.api-key-status .status-text {
+    font-size: 0.9rem;
+    color: var(--text-color);
+}
+
 /* Hide main content when not logged in */
 body.logged-out main {
     display: none;