till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:41:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/apps/api/src/modules/website/submit.ts
Till JS 4fc9d6c59c feat(wardrobe): module foundation — garments + outfits space-scoped data layer (M1) 
M1 of docs/plans/wardrobe-module.md — pure data layer + backend plumbing,
zero UI (that's M2). A user can now hold a digital wardrobe per space:
brand merch, club Trikots, family Kleiderschrank, team Kostüme, practice
Dresscode, and personal closet all live as separate pools under the same
Dexie tables, space-scoped like tags/scenes/agents after Phase 2c.

Data model — two tables, no join:

- wardrobeGarments (Dexie v41): single clothing items / accessories.
  Indexed on `category` + `createdAt` + `isArchived`. Encrypted:
  name/brand/color/size/material/tags/notes. Plaintext: category,
  mediaIds, counters, timestamps — all indexed or structural.
  `mediaIds[0]` is the primary photo used for try-on; additional
  ids are alternate views (back, detail) for M7.

- wardrobeOutfits (Dexie v41): named compositions referencing
  garment ids. Encrypted: name/description/tags. Plaintext:
  garmentIds (FK array), occasion (closed enum — useful for
  undecrypted filtering), season, booleans, lastTryOn snapshot.

- picture.images gains `wardrobeOutfitId?: string | null` as a
  plaintext back-reference. Try-on results land in the Picture
  gallery like any other generation; the outfit detail view
  queries them via this id rather than maintaining a third table.

Space scope:

- `wardrobe` added to all five explicit allowlists in shared-types/
  spaces.ts (personal is wildcard, no edit needed). Each space type
  gets a one-line comment explaining the real-world use case.
- App registry: `wardrobe` entry in shared-branding/mana-apps.ts
  with a rose→fuchsia gradient icon (T-shirt on hanger silhouette),
  color #e11d48, tier 'beta', status 'beta'.
- Module registry: wardrobeModuleConfig imported + appended to
  MODULE_CONFIGS so SYNC_APP_MAP picks it up automatically.

Backend:

- MAX_REFERENCE_IMAGES bumped 4 → 8 in picture/generate-with-
  reference (plus the client-side default in ReferenceImagePicker).
  Justified with a comment: face + body + top + bottom + shoes +
  outerwear + 2 accessories = 8. Cost doesn't scale with ref count
  (OpenAI bills per output), so the bump is a pure capability
  expansion with no credit-side risk.
- New POST /api/v1/wardrobe/garments/upload wraps uploadImageToMedia
  with app='wardrobe'. Registered under /api/v1/wardrobe in index.ts.
  Pattern 1:1 with the profile/me-images/upload endpoint; tier-gating
  falls out of wardrobe NOT being in RESOURCE_MODULES (tier='guest'
  works — consistent with picture's plain CRUD).

Stores emit domain events (WardrobeGarmentAdded, WardrobeOutfitCreated,
WardrobeOutfitTryOn, etc.) so later mana-ai missions can observe
activity without polling.

No UI in this commit. M2 (Garments-Grundlayer) wires the route + grid
+ upload-zone; M3 the Outfit composer; M4 the Try-On integration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 18:27:37 +02:00

224 lines
7.3 KiB
TypeScript
Raw Blame History

/**
* Public form-submit endpoint — UNAUTHENTICATED.
*
* Flow:
* 1. Look up the current published snapshot for this site
* 2. Walk the snapshot blob to find the block, extract its form schema
* 3. Validate incoming payload against declared fields (type + length
* + required)
* 4. Honeypot check (the block renderer adds a hidden `_trap` field —
* if present and non-empty, silently 202 without recording)
* 5. Rate-limit per IP (10 submissions / 5 minutes / site)
* 6. Insert into website.submissions with status='received'
*
* M4 first-pass: target delivery is not wired. The owner sees
* submissions in /website/[id]/submissions. Contacts / notify
* forwarding is M4.x once server-side tool handlers exist.
*
* Security: this route runs BEFORE authMiddleware so anonymous visitors
* can submit. Every bit of user-controlled input (site slug, block id,
* payload) is treated as untrusted.
*/
import { Hono } from 'hono';
import { and, eq } from 'drizzle-orm';
import { db, publishedSnapshots, submissions } from './schema';
import { websiteSubmissionsTotal } from '../../lib/metrics';
const routes = new Hono();
// Simple in-memory rate limit (per-IP, per-site, sliding window).
// Replace with Redis when the service scales horizontally (M7).
const RATE_WINDOW_MS = 5 * 60 * 1000;
const RATE_MAX = 10;
const rateLimits = new Map<string, { count: number; windowStart: number }>();
function rateLimitHit(key: string): boolean {
const now = Date.now();
const bucket = rateLimits.get(key);
if (!bucket || now - bucket.windowStart > RATE_WINDOW_MS) {
rateLimits.set(key, { count: 1, windowStart: now });
return false;
}
bucket.count += 1;
return bucket.count > RATE_MAX;
}
interface SnapshotBlob {
version: string;
pages?: Array<{
blocks?: SnapshotBlock[];
}>;
}
interface SnapshotBlock {
id: string;
type: string;
props: unknown;
children?: SnapshotBlock[];
}
interface FormBlockProps {
fields: Array<{
name: string;
label: string;
type: 'text' | 'email' | 'tel' | 'url' | 'textarea' | 'number';
required: boolean;
maxLength: number;
}>;
target: 'inbox';
}
function findFormBlock(blob: SnapshotBlob, blockId: string): SnapshotBlock | null {
const pages = blob.pages ?? [];
for (const page of pages) {
const hit = walk(page.blocks ?? [], blockId);
if (hit) return hit;
}
return null;
}
function walk(blocks: SnapshotBlock[], blockId: string): SnapshotBlock | null {
for (const block of blocks) {
if (block.id === blockId) return block;
if (block.children) {
const hit = walk(block.children, blockId);
if (hit) return hit;
}
}
return null;
}
function isFormBlock(block: SnapshotBlock): block is SnapshotBlock & { props: FormBlockProps } {
if (block.type !== 'form') return false;
const props = block.props as Partial<FormBlockProps>;
return Array.isArray(props?.fields);
}
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function validateField(
field: FormBlockProps['fields'][number],
raw: unknown
): { ok: true; value: string } | { ok: false; error: string } {
if (typeof raw !== 'string') {
return { ok: false, error: `Feld "${field.name}" muss Text sein` };
}
const trimmed = raw.trim();
if (field.required && trimmed.length === 0) {
return { ok: false, error: `Pflichtfeld "${field.label}" fehlt` };
}
if (trimmed.length > field.maxLength) {
return { ok: false, error: `Feld "${field.label}" ist zu lang` };
}
if (trimmed.length === 0) return { ok: true, value: '' };
if (field.type === 'email' && !EMAIL_RE.test(trimmed)) {
return { ok: false, error: `"${field.label}" ist keine gültige E-Mail` };
}
if (field.type === 'url') {
try {
new URL(trimmed);
} catch {
return { ok: false, error: `"${field.label}" ist keine gültige URL` };
}
}
if (field.type === 'number' && !/^-?\d+(\.\d+)?$/.test(trimmed)) {
return { ok: false, error: `"${field.label}" muss eine Zahl sein` };
}
return { ok: true, value: trimmed };
}
routes.post('/submit/:siteSlug/:blockId', async (c) => {
const { siteSlug, blockId } = c.req.param();
if (!siteSlug || !blockId) {
return c.json({ error: 'siteSlug + blockId required' }, 400);
}
// Rate-limit. `cf-connecting-ip` + `x-forwarded-for` for proxied
// deployments, fall back to a generic bucket if we can't find
// anything (better than letting the bucket be "nothing").
const ip =
c.req.header('cf-connecting-ip') ??
c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ??
'unknown';
if (rateLimitHit(`${siteSlug}:${ip}`)) {
websiteSubmissionsTotal.inc({ result: 'rate_limit' });
return c.json({ error: 'Rate limit überschritten — bitte später erneut versuchen' }, 429);
}
// Load current published snapshot to find the block schema. The
// block definition lives IN the snapshot blob, not in a separate
// table — this keeps the source of truth in one place and prevents
// a block-edit race (site gets unpublished while a form is in the
// middle of being submitted).
const snapshotRow = await db
.select({ blob: publishedSnapshots.blob, siteId: publishedSnapshots.siteId })
.from(publishedSnapshots)
.where(and(eq(publishedSnapshots.slug, siteSlug), eq(publishedSnapshots.isCurrent, true)))
.limit(1);
if (!snapshotRow[0]) {
websiteSubmissionsTotal.inc({ result: 'not_found' });
return c.json({ error: 'Website nicht gefunden oder offline' }, 404);
}
const block = findFormBlock(snapshotRow[0].blob as SnapshotBlob, blockId);
if (!block) {
websiteSubmissionsTotal.inc({ result: 'not_found' });
return c.json({ error: 'Block nicht gefunden' }, 404);
}
if (!isFormBlock(block)) {
websiteSubmissionsTotal.inc({ result: 'invalid' });
return c.json({ error: 'Block ist kein Formular' }, 400);
}
const rawBody = (await c.req.json().catch(() => null)) as Record<string, unknown> | null;
if (!rawBody || typeof rawBody !== 'object') {
websiteSubmissionsTotal.inc({ result: 'invalid' });
return c.json({ error: 'Payload fehlt oder ungültig' }, 400);
}
// Honeypot — the renderer names the trap input whatever value is in
// `_trap`. For M4 it's the public `honeypot` field bound in the
// Form renderer. We also look for a generic "_trap" key.
const trap = rawBody.honeypot ?? rawBody._trap;
if (typeof trap === 'string' && trap.trim().length > 0) {
websiteSubmissionsTotal.inc({ result: 'spam' });
// Act as success to the bot, store nothing.
return c.json({ ok: true, spam: true }, 202);
}
// Validate every declared field. Ignore unknown keys the client
// tried to sneak in.
const cleaned: Record<string, string> = {};
for (const field of block.props.fields) {
const result = validateField(field, rawBody[field.name]);
if (!result.ok) {
websiteSubmissionsTotal.inc({ result: 'invalid' });
return c.json({ error: result.error, field: field.name }, 400);
}
cleaned[field.name] = result.value;
}
const userAgent = c.req.header('user-agent') ?? null;
const [row] = await db
.insert(submissions)
.values({
siteId: snapshotRow[0].siteId,
blockId,
payload: cleaned,
targetModule: 'inbox',
targetAction: 'inbox',
status: 'received',
ip: ip === 'unknown' ? null : ip,
userAgent: userAgent && userAgent.length > 500 ? userAgent.slice(0, 500) : userAgent,
})
.returning({ id: submissions.id });
websiteSubmissionsTotal.inc({ result: 'received' });
return c.json({ ok: true, submissionId: row?.id ?? null }, 201);
});
export const websiteSubmitRoutes = routes;
Reference in a new issue View git blame Copy permalink