Improved upload flow, fixed vulnerability in search.

2023-02-16 20:40:03 +01:00 · 2023-02-16 20:40:03 +01:00 · eb02563714
parent abde8bb815
commit eb02563714
12 changed files with 197 additions and 76 deletions
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java
@ -1,5 +1,6 @@
 package nl.andrewlalis.gymboard_api.config;

+import nl.andrewlalis.gymboard_api.domains.api.dto.ApiValidationException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@ -33,6 +34,9 @@ public class ErrorResponseHandler {
 			}
 		}
 		responseContent.put("message", message);
+		if (e instanceof ApiValidationException validationException) {
+			responseContent.put("validation_messages", validationException.getValidationResponse().getMessages());
+		}
 		return ResponseEntity.status(e.getStatusCode()).body(responseContent);
 	}
 }
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java
@ -55,8 +55,6 @@ public class SecurityConfig {
 				).permitAll()
 				.requestMatchers(// Allow the following POST endpoints to be public.
 						HttpMethod.POST,
-						"/gyms/*/submissions",
-						"/gyms/*/submissions/upload",
 						"/auth/token",
 						"/auth/register",
 						"/auth/activate",
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java
@ -1,5 +1,8 @@
 package nl.andrewlalis.gymboard_api.config;

+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
+import nl.andrewlalis.gymboard_api.util.ULID;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@ -11,4 +14,17 @@ public class WebComponents {
 	public PasswordEncoder passwordEncoder() {
 		return new BCryptPasswordEncoder(10);
 	}
+
+	@Bean
+	public ULID ulid() {
+		return new ULID();
+	}
+
+	@Value("${app.cdn-origin}")
+	private String cdnOrigin;
+
+	@Bean
+	public CdnClient cdnClient() {
+		return new CdnClient(cdnOrigin);
+	}
 }
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java
@ -1,13 +0,0 @@
-package nl.andrewlalis.gymboard_api.config;
-
-import nl.andrewlalis.gymboard_api.util.ULID;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class WebConfig {
-	@Bean
-	public ULID ulid() {
-		return new ULID();
-	}
-}
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java
@ -0,0 +1,17 @@
+package nl.andrewlalis.gymboard_api.domains.api.dto;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class ApiValidationException extends ResponseStatusException {
+	private final ValidationResponse validationResponse;
+
+	public ApiValidationException(ValidationResponse validationResponse) {
+		super(HttpStatus.BAD_REQUEST, "Validation failed.");
+		this.validationResponse = validationResponse;
+	}
+
+	public ValidationResponse getValidationResponse() {
+		return validationResponse;
+	}
+}
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java
@ -0,0 +1,22 @@
+package nl.andrewlalis.gymboard_api.domains.api.dto;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ValidationResponse {
+	private boolean valid = true;
+	private List<String> messages = new ArrayList<>();
+
+	public void addMessage(String message) {
+		this.messages.add(message);
+		this.valid = false;
+	}
+
+	public boolean isValid() {
+		return valid;
+	}
+
+	public List<String> getMessages() {
+		return messages;
+	}
+}
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java
@ -3,13 +3,13 @@ package nl.andrewlalis.gymboard_api.domains.api.service.submission;
 import nl.andrewlalis.gymboard_api.domains.api.dao.GymRepository;
 import nl.andrewlalis.gymboard_api.domains.api.dao.ExerciseRepository;
 import nl.andrewlalis.gymboard_api.domains.api.dao.submission.SubmissionRepository;
-import nl.andrewlalis.gymboard_api.domains.api.dto.CompoundGymId;
-import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionPayload;
-import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionResponse;
+import nl.andrewlalis.gymboard_api.domains.api.dto.*;
 import nl.andrewlalis.gymboard_api.domains.api.model.Gym;
 import nl.andrewlalis.gymboard_api.domains.api.model.WeightUnit;
 import nl.andrewlalis.gymboard_api.domains.api.model.Exercise;
 import nl.andrewlalis.gymboard_api.domains.api.model.submission.Submission;
+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.UploadsClient;
 import nl.andrewlalis.gymboard_api.domains.auth.dao.UserRepository;
 import nl.andrewlalis.gymboard_api.domains.auth.model.User;
 import nl.andrewlalis.gymboard_api.util.ULID;
@ -36,16 +36,18 @@ public class ExerciseSubmissionService {
 	private final ExerciseRepository exerciseRepository;
 	private final SubmissionRepository submissionRepository;
 	private final ULID ulid;
+	private final CdnClient cdnClient;

 	public ExerciseSubmissionService(GymRepository gymRepository,
 									 UserRepository userRepository, ExerciseRepository exerciseRepository,
 									 SubmissionRepository submissionRepository,
-									 ULID ulid) {
+									 ULID ulid, CdnClient cdnClient) {
 		this.gymRepository = gymRepository;
 		this.userRepository = userRepository;
 		this.exerciseRepository = exerciseRepository;
 		this.submissionRepository = submissionRepository;
 		this.ulid = ulid;
+		this.cdnClient = cdnClient;
 	}

 	@Transactional(readOnly = true)
@ -64,16 +66,22 @@ public class ExerciseSubmissionService {
 	 */
 	@Transactional
 	public SubmissionResponse createSubmission(CompoundGymId id, String userId, SubmissionPayload payload) {
-		User user = userRepository.findById(userId)
-				.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
 		Gym gym = gymRepository.findByCompoundId(id)
 				.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+		User user = userRepository.findById(userId)
+				.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
+		if (!user.isActivated()) throw new ResponseStatusException(HttpStatus.FORBIDDEN);
 		Exercise exercise = exerciseRepository.findById(payload.exerciseShortName())
 				.orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid exercise."));

-		// TODO: Validate the submission data.
+		var validationResponse = validateSubmissionData(gym, user, exercise, payload);
+		if (!validationResponse.isValid()) {
+			throw new ApiValidationException(validationResponse);
+		}

 		// Create the submission.
+		LocalDateTime performedAt = payload.performedAt();
+		if (performedAt == null) performedAt = LocalDateTime.now();
 		BigDecimal rawWeight = BigDecimal.valueOf(payload.weight());
 		WeightUnit weightUnit = WeightUnit.parse(payload.weightUnit());
 		BigDecimal metricWeight = BigDecimal.valueOf(payload.weight());
@ -81,17 +89,47 @@ public class ExerciseSubmissionService {
 			metricWeight = WeightUnit.toKilograms(rawWeight);
 		}
 		Submission submission = submissionRepository.saveAndFlush(new Submission(
-				ulid.nextULID(),
-				gym,
-				exercise,
-				user,
-				LocalDateTime.now(),
+				ulid.nextULID(), gym, exercise, user,
+				performedAt,
 				payload.videoFileId(),
-				rawWeight,
-				weightUnit,
-				metricWeight,
-				payload.reps()
+				rawWeight, weightUnit, metricWeight, payload.reps()
 		));
 		return new SubmissionResponse(submission);
 	}
+
+	private ValidationResponse validateSubmissionData(Gym gym, User user, Exercise exercise, SubmissionPayload data) {
+		ValidationResponse response = new ValidationResponse();
+		LocalDateTime cutoff = LocalDateTime.now().minusDays(3);
+		if (data.performedAt() != null && data.performedAt().isAfter(LocalDateTime.now())) {
+			response.addMessage("Cannot submit an exercise from the future.");
+		}
+		if (data.performedAt() != null && data.performedAt().isBefore(cutoff)) {
+			response.addMessage("Cannot submit an exercise too far in the past.");
+		}
+		if (data.reps() < 1 || data.reps() > 500) {
+			response.addMessage("Invalid rep count.");
+		}
+		BigDecimal rawWeight = BigDecimal.valueOf(data.weight());
+		WeightUnit weightUnit = WeightUnit.parse(data.weightUnit());
+		BigDecimal metricWeight = WeightUnit.toKilograms(rawWeight, weightUnit);
+
+		if (metricWeight.compareTo(BigDecimal.ZERO) <= 0 || metricWeight.compareTo(BigDecimal.valueOf(1000.0)) > 0) {
+			response.addMessage("Invalid weight.");
+		}
+
+		try {
+			UploadsClient.FileMetadataResponse metadata = cdnClient.uploads.getFileMetadata(data.videoFileId());
+			if (metadata == null) {
+				response.addMessage("Missing video file.");
+			} else if (!metadata.availableForDownload()) {
+				response.addMessage("File not yet available for download.");
+			} else if (!"video/mp4".equals(metadata.mimeType())) {
+				response.addMessage("Invalid video file format.");
+			}
+		} catch (Exception e) {
+			log.error("Error fetching file metadata.", e);
+			throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Error fetching uploaded video file metadata.");
+		}
+		return response;
+	}
 }
--- a/gymboard-app/src/api/main/submission.ts
+++ b/gymboard-app/src/api/main/submission.ts
@ -4,12 +4,12 @@ import { api } from 'src/api/main/index';
 import { getGymCompoundId, GymRoutable } from 'src/router/gym-routing';
 import { DateTime } from 'luxon';
 import {User} from 'src/api/main/auth';
+import {AuthStoreType} from 'stores/auth-store';

 /**
 * The data that's sent when creating a submission.
 */
 export interface ExerciseSubmissionPayload {
-  name: string;
  exerciseShortName: string;
  weight: number;
  weightUnit: string;
@ -59,10 +59,11 @@ class SubmissionsModule {

  public async createSubmission(
    gym: GymRoutable,
-    payload: ExerciseSubmissionPayload
+    payload: ExerciseSubmissionPayload,
+    authStore: AuthStoreType
  ): Promise<ExerciseSubmission> {
    const gymId = getGymCompoundId(gym);
-    const response = await api.post(`/gyms/${gymId}/submissions`, payload);
+    const response = await api.post(`/gyms/${gymId}/submissions`, payload, authStore.axiosConfig);
    return parseSubmission(response.data);
  }
 }
--- a/gymboard-app/src/i18n/en-US/index.ts
+++ b/gymboard-app/src/i18n/en-US/index.ts
@ -31,13 +31,18 @@ export default {
      recentLifts: 'Recent Lifts',
    },
    submitPage: {
-      name: 'Your Name',
+      loginToSubmit: 'Login or register to submit your lift',
      exercise: 'Exercise',
      weight: 'Weight',
      reps: 'Repetitions',
      date: 'Date',
      upload: 'Video File to Upload',
      submit: 'Submit',
+      submitUploading: 'Uploading video...',
+      submitCreatingSubmission: 'Creating submission...',
+      submitVideoProcessing: 'Processing...',
+      submitComplete: 'Submission complete!',
+      submitFailed: 'Submission processing failed. Please try again later.',
    },
  },
  userPage: {
--- a/gymboard-app/src/i18n/nl-NL/index.ts
+++ b/gymboard-app/src/i18n/nl-NL/index.ts
@ -31,7 +31,7 @@ export default {
      recentLifts: 'Recente liften',
    },
    submitPage: {
-      name: 'Jouw naam',
+      loginToSubmit: 'Log in of meld je aan om je lift te indienen',
      exercise: 'Oefening',
      weight: 'Gewicht',
      reps: 'Repetities',
--- a/gymboard-app/src/pages/gym/GymSubmissionPage.vue
+++ b/gymboard-app/src/pages/gym/GymSubmissionPage.vue
@ -11,17 +11,10 @@ A high-level overview of the submission process is as follows:
 5. We wait on the submission page until the submission is done processing, then show a message and navigate to the submission page.
 -->
 <template>
-  <q-page v-if="gym">
+  <q-page v-if="gym && authStore.loggedIn">
    <!-- The below form contains the fields that will become part of the submission. -->
    <q-form @submit="onSubmitted">
      <SlimForm>
-        <div class="row">
-          <q-input
-            :label="$t('gymPage.submitPage.name')"
-            v-model="submissionModel.name"
-            class="col-12"
-          />
-        </div>
        <div class="row">
          <q-select
            :options="exerciseOptions"
@ -76,57 +69,66 @@ A high-level overview of the submission process is as follows:
        </div>
        <div class="row">
          <q-btn
-            :label="$t('gymPage.submitPage.submit')"
+            :label="submitButtonLabel"
            color="primary"
            type="submit"
            class="q-mt-md col-12"
            :disable="!submitButtonEnabled()"
          />
        </div>
-        <div class="row text-center" v-if="infoMessage">
-          <p>{{ infoMessage }}</p>
-        </div>
      </SlimForm>
    </q-form>
  </q-page>
+
+  <!-- If the user is not logged in, show a link to log in. -->
+  <q-page v-if="!authStore.loggedIn">
+    <div class="q-mt-lg text-center">
+      <router-link :to="`/login?next=${route.fullPath}`" class="text-primary">Login or register to submit your lift</router-link>
+    </div>
+  </q-page>
 </template>

 <script setup lang="ts">
-import { onMounted, ref, Ref } from 'vue';
-import { getGymFromRoute, getGymRoute } from 'src/router/gym-routing';
+import {onMounted, ref, Ref} from 'vue';
+import {getGymFromRoute} from 'src/router/gym-routing';
 import SlimForm from 'components/SlimForm.vue';
 import api from 'src/api/main';
-import { Gym } from 'src/api/main/gyms';
-import { Exercise } from 'src/api/main/exercises';
-import { useRouter } from 'vue-router';
-import { sleep } from 'src/utils';
-import { uploadVideoToCDN, VideoProcessingStatus, waitUntilVideoProcessingComplete } from 'src/api/cdn';
+import {Gym} from 'src/api/main/gyms';
+import {Exercise} from 'src/api/main/exercises';
+import {useRoute, useRouter} from 'vue-router';
+import {showApiErrorToast, sleep} from 'src/utils';
+import {uploadVideoToCDN, VideoProcessingStatus, waitUntilVideoProcessingComplete} from 'src/api/cdn';
+import {useAuthStore} from 'stores/auth-store';
+import {useI18n} from 'vue-i18n';
+import {useQuasar} from "quasar";
+
+const authStore = useAuthStore();
+const router = useRouter();
+const route = useRoute();
+const i18n = useI18n();
+const quasar = useQuasar();

 interface Option {
  value: string;
  label: string;
 }

-const router = useRouter();
-
 const gym: Ref<Gym | undefined> = ref<Gym>();
 const exercises: Ref<Array<Exercise> | undefined> = ref<Array<Exercise>>();
 const exerciseOptions: Ref<Array<Option>> = ref([]);
 let submissionModel = ref({
-  name: '',
  exerciseShortName: '',
  weight: 100,
  weightUnit: 'Kg',
  reps: 1,
  videoFileId: '',
-  videoFile: null,
  date: new Date().toLocaleDateString('en-CA'),
 });
 const selectedVideoFile: Ref<File | undefined> = ref<File>();
 const weightUnits = ['KG', 'LBS'];

 const submitting = ref(false);
-const infoMessage: Ref<string | undefined> = ref();
+const submitButtonLabel = ref(i18n.t('gymPage.submitPage.submit'));

 onMounted(async () => {
  try {
@ -154,30 +156,59 @@ function validateForm() {
  return true;
 }

+/**
+ * Runs through the entire submission process.
+ */
 async function onSubmitted() {
-  if (!selectedVideoFile.value || !gym.value) throw new Error('Invalid state.');
+  if (!selectedVideoFile.value || !gym.value) return;
+
  submitting.value = true;
  try {
-    infoMessage.value = 'Uploading video...';
+    // 1. Upload the video to the CDN.
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submitUploading');
    await sleep(1000);
    submissionModel.value.videoFileId = await uploadVideoToCDN(selectedVideoFile.value);
-    infoMessage.value = 'Creating submission...';
-    await sleep(1000);
-    const submission = await api.gyms.submissions.createSubmission(
-      gym.value,
-      submissionModel.value
-    );
-    infoMessage.value = 'Submission processing...';
-    const finalStatus = await waitUntilVideoProcessingComplete(submission.videoFileId);
-    if (finalStatus === VideoProcessingStatus.COMPLETED) {
-      infoMessage.value = 'Submission complete!';
-      await sleep(1000);
-      await router.push(getGymRoute(gym.value));
+
+    // 2. Wait for the video to be processed.
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submitVideoProcessing');
+    const processingStatus = await waitUntilVideoProcessingComplete(submissionModel.value.videoFileId);
+
+    // 3. If successful upload, create the submission.
+    if (processingStatus === VideoProcessingStatus.COMPLETED) {
+      try {
+        submitButtonLabel.value = i18n.t('gymPage.submitPage.submitCreatingSubmission');
+        await sleep(1000);
+        const submission = await api.gyms.submissions.createSubmission(
+          gym.value,
+          submissionModel.value,
+          authStore
+        );
+        submitButtonLabel.value = i18n.t('gymPage.submitPage.submitComplete');
+        await sleep(2000);
+        await router.push(`/submissions/${submission.id}`);
+      } catch (error: any) {
+        if (error.response && error.response.status === 400) {
+          quasar.notify({
+            message: error.response.data.message,
+            type: 'warning',
+            position: 'top'
+          });
+          submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
+          await sleep(3000);
+        } else {
+          showApiErrorToast(i18n, quasar);
+        }
+      }
+    // Otherwise, report the failed submission and give up.
    } else {
-      infoMessage.value = 'Submission processing failed. Please try again later.';
+      submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
+      await sleep(3000);
    }
+  } catch (error: any) {
+    showApiErrorToast(i18n, quasar);
  } finally {
    submitting.value = false;
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submit');
  }
 }
 </script>
--- a/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java
+++ b/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java
@ -23,7 +23,9 @@ public class WeightedWildcardQueryBuilder {
 	}

 	public Optional<Query> build(String rawSearchQuery) {
-		if (rawSearchQuery == null || rawSearchQuery.isBlank()) return Optional.empty();
+		if (rawSearchQuery == null) return Optional.empty();
+		rawSearchQuery = rawSearchQuery.replaceAll("\\*", "");
+		if (rawSearchQuery.isBlank()) return Optional.empty();
 		String[] terms = rawSearchQuery.toLowerCase().split("\\s+");
 		for (String term : terms) {
 			String searchTerm = term + "*";