Improved upload flow, fixed vulnerability in search.

This commit is contained in:
Andrew Lalis 2023-02-16 20:40:03 +01:00
parent abde8bb815
commit eb02563714
12 changed files with 197 additions and 76 deletions

View File

@ -1,5 +1,6 @@
package nl.andrewlalis.gymboard_api.config;
import nl.andrewlalis.gymboard_api.domains.api.dto.ApiValidationException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
@ -33,6 +34,9 @@ public class ErrorResponseHandler {
}
}
responseContent.put("message", message);
if (e instanceof ApiValidationException validationException) {
responseContent.put("validation_messages", validationException.getValidationResponse().getMessages());
}
return ResponseEntity.status(e.getStatusCode()).body(responseContent);
}
}

View File

@ -55,8 +55,6 @@ public class SecurityConfig {
).permitAll()
.requestMatchers(// Allow the following POST endpoints to be public.
HttpMethod.POST,
"/gyms/*/submissions",
"/gyms/*/submissions/upload",
"/auth/token",
"/auth/register",
"/auth/activate",

View File

@ -1,5 +1,8 @@
package nl.andrewlalis.gymboard_api.config;
import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
import nl.andrewlalis.gymboard_api.util.ULID;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@ -11,4 +14,17 @@ public class WebComponents {
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(10);
}
@Bean
public ULID ulid() {
return new ULID();
}
@Value("${app.cdn-origin}")
private String cdnOrigin;
@Bean
public CdnClient cdnClient() {
return new CdnClient(cdnOrigin);
}
}

View File

@ -1,13 +0,0 @@
package nl.andrewlalis.gymboard_api.config;
import nl.andrewlalis.gymboard_api.util.ULID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class WebConfig {
@Bean
public ULID ulid() {
return new ULID();
}
}

View File

@ -0,0 +1,17 @@
package nl.andrewlalis.gymboard_api.domains.api.dto;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ResponseStatusException;
public class ApiValidationException extends ResponseStatusException {
private final ValidationResponse validationResponse;
public ApiValidationException(ValidationResponse validationResponse) {
super(HttpStatus.BAD_REQUEST, "Validation failed.");
this.validationResponse = validationResponse;
}
public ValidationResponse getValidationResponse() {
return validationResponse;
}
}

View File

@ -0,0 +1,22 @@
package nl.andrewlalis.gymboard_api.domains.api.dto;
import java.util.ArrayList;
import java.util.List;
public class ValidationResponse {
private boolean valid = true;
private List<String> messages = new ArrayList<>();
public void addMessage(String message) {
this.messages.add(message);
this.valid = false;
}
public boolean isValid() {
return valid;
}
public List<String> getMessages() {
return messages;
}
}

View File

@ -3,13 +3,13 @@ package nl.andrewlalis.gymboard_api.domains.api.service.submission;
import nl.andrewlalis.gymboard_api.domains.api.dao.GymRepository;
import nl.andrewlalis.gymboard_api.domains.api.dao.ExerciseRepository;
import nl.andrewlalis.gymboard_api.domains.api.dao.submission.SubmissionRepository;
import nl.andrewlalis.gymboard_api.domains.api.dto.CompoundGymId;
import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionPayload;
import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionResponse;
import nl.andrewlalis.gymboard_api.domains.api.dto.*;
import nl.andrewlalis.gymboard_api.domains.api.model.Gym;
import nl.andrewlalis.gymboard_api.domains.api.model.WeightUnit;
import nl.andrewlalis.gymboard_api.domains.api.model.Exercise;
import nl.andrewlalis.gymboard_api.domains.api.model.submission.Submission;
import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.UploadsClient;
import nl.andrewlalis.gymboard_api.domains.auth.dao.UserRepository;
import nl.andrewlalis.gymboard_api.domains.auth.model.User;
import nl.andrewlalis.gymboard_api.util.ULID;
@ -36,16 +36,18 @@ public class ExerciseSubmissionService {
private final ExerciseRepository exerciseRepository;
private final SubmissionRepository submissionRepository;
private final ULID ulid;
private final CdnClient cdnClient;
public ExerciseSubmissionService(GymRepository gymRepository,
UserRepository userRepository, ExerciseRepository exerciseRepository,
SubmissionRepository submissionRepository,
ULID ulid) {
ULID ulid, CdnClient cdnClient) {
this.gymRepository = gymRepository;
this.userRepository = userRepository;
this.exerciseRepository = exerciseRepository;
this.submissionRepository = submissionRepository;
this.ulid = ulid;
this.cdnClient = cdnClient;
}
@Transactional(readOnly = true)
@ -64,16 +66,22 @@ public class ExerciseSubmissionService {
*/
@Transactional
public SubmissionResponse createSubmission(CompoundGymId id, String userId, SubmissionPayload payload) {
User user = userRepository.findById(userId)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
Gym gym = gymRepository.findByCompoundId(id)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
User user = userRepository.findById(userId)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
if (!user.isActivated()) throw new ResponseStatusException(HttpStatus.FORBIDDEN);
Exercise exercise = exerciseRepository.findById(payload.exerciseShortName())
.orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid exercise."));
// TODO: Validate the submission data.
var validationResponse = validateSubmissionData(gym, user, exercise, payload);
if (!validationResponse.isValid()) {
throw new ApiValidationException(validationResponse);
}
// Create the submission.
LocalDateTime performedAt = payload.performedAt();
if (performedAt == null) performedAt = LocalDateTime.now();
BigDecimal rawWeight = BigDecimal.valueOf(payload.weight());
WeightUnit weightUnit = WeightUnit.parse(payload.weightUnit());
BigDecimal metricWeight = BigDecimal.valueOf(payload.weight());
@ -81,17 +89,47 @@ public class ExerciseSubmissionService {
metricWeight = WeightUnit.toKilograms(rawWeight);
}
Submission submission = submissionRepository.saveAndFlush(new Submission(
ulid.nextULID(),
gym,
exercise,
user,
LocalDateTime.now(),
ulid.nextULID(), gym, exercise, user,
performedAt,
payload.videoFileId(),
rawWeight,
weightUnit,
metricWeight,
payload.reps()
rawWeight, weightUnit, metricWeight, payload.reps()
));
return new SubmissionResponse(submission);
}
private ValidationResponse validateSubmissionData(Gym gym, User user, Exercise exercise, SubmissionPayload data) {
ValidationResponse response = new ValidationResponse();
LocalDateTime cutoff = LocalDateTime.now().minusDays(3);
if (data.performedAt() != null && data.performedAt().isAfter(LocalDateTime.now())) {
response.addMessage("Cannot submit an exercise from the future.");
}
if (data.performedAt() != null && data.performedAt().isBefore(cutoff)) {
response.addMessage("Cannot submit an exercise too far in the past.");
}
if (data.reps() < 1 || data.reps() > 500) {
response.addMessage("Invalid rep count.");
}
BigDecimal rawWeight = BigDecimal.valueOf(data.weight());
WeightUnit weightUnit = WeightUnit.parse(data.weightUnit());
BigDecimal metricWeight = WeightUnit.toKilograms(rawWeight, weightUnit);
if (metricWeight.compareTo(BigDecimal.ZERO) <= 0 || metricWeight.compareTo(BigDecimal.valueOf(1000.0)) > 0) {
response.addMessage("Invalid weight.");
}
try {
UploadsClient.FileMetadataResponse metadata = cdnClient.uploads.getFileMetadata(data.videoFileId());
if (metadata == null) {
response.addMessage("Missing video file.");
} else if (!metadata.availableForDownload()) {
response.addMessage("File not yet available for download.");
} else if (!"video/mp4".equals(metadata.mimeType())) {
response.addMessage("Invalid video file format.");
}
} catch (Exception e) {
log.error("Error fetching file metadata.", e);
throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Error fetching uploaded video file metadata.");
}
return response;
}
}

View File

@ -4,12 +4,12 @@ import { api } from 'src/api/main/index';
import { getGymCompoundId, GymRoutable } from 'src/router/gym-routing';
import { DateTime } from 'luxon';
import {User} from 'src/api/main/auth';
import {AuthStoreType} from 'stores/auth-store';
/**
* The data that's sent when creating a submission.
*/
export interface ExerciseSubmissionPayload {
name: string;
exerciseShortName: string;
weight: number;
weightUnit: string;
@ -59,10 +59,11 @@ class SubmissionsModule {
public async createSubmission(
gym: GymRoutable,
payload: ExerciseSubmissionPayload
payload: ExerciseSubmissionPayload,
authStore: AuthStoreType
): Promise<ExerciseSubmission> {
const gymId = getGymCompoundId(gym);
const response = await api.post(`/gyms/${gymId}/submissions`, payload);
const response = await api.post(`/gyms/${gymId}/submissions`, payload, authStore.axiosConfig);
return parseSubmission(response.data);
}
}

View File

@ -31,13 +31,18 @@ export default {
recentLifts: 'Recent Lifts',
},
submitPage: {
name: 'Your Name',
loginToSubmit: 'Login or register to submit your lift',
exercise: 'Exercise',
weight: 'Weight',
reps: 'Repetitions',
date: 'Date',
upload: 'Video File to Upload',
submit: 'Submit',
submitUploading: 'Uploading video...',
submitCreatingSubmission: 'Creating submission...',
submitVideoProcessing: 'Processing...',
submitComplete: 'Submission complete!',
submitFailed: 'Submission processing failed. Please try again later.',
},
},
userPage: {

View File

@ -31,7 +31,7 @@ export default {
recentLifts: 'Recente liften',
},
submitPage: {
name: 'Jouw naam',
loginToSubmit: 'Log in of meld je aan om je lift te indienen',
exercise: 'Oefening',
weight: 'Gewicht',
reps: 'Repetities',

View File

@ -11,17 +11,10 @@ A high-level overview of the submission process is as follows:
5. We wait on the submission page until the submission is done processing, then show a message and navigate to the submission page.
-->
<template>
<q-page v-if="gym">
<q-page v-if="gym && authStore.loggedIn">
<!-- The below form contains the fields that will become part of the submission. -->
<q-form @submit="onSubmitted">
<SlimForm>
<div class="row">
<q-input
:label="$t('gymPage.submitPage.name')"
v-model="submissionModel.name"
class="col-12"
/>
</div>
<div class="row">
<q-select
:options="exerciseOptions"
@ -76,57 +69,66 @@ A high-level overview of the submission process is as follows:
</div>
<div class="row">
<q-btn
:label="$t('gymPage.submitPage.submit')"
:label="submitButtonLabel"
color="primary"
type="submit"
class="q-mt-md col-12"
:disable="!submitButtonEnabled()"
/>
</div>
<div class="row text-center" v-if="infoMessage">
<p>{{ infoMessage }}</p>
</div>
</SlimForm>
</q-form>
</q-page>
<!-- If the user is not logged in, show a link to log in. -->
<q-page v-if="!authStore.loggedIn">
<div class="q-mt-lg text-center">
<router-link :to="`/login?next=${route.fullPath}`" class="text-primary">Login or register to submit your lift</router-link>
</div>
</q-page>
</template>
<script setup lang="ts">
import {onMounted, ref, Ref} from 'vue';
import { getGymFromRoute, getGymRoute } from 'src/router/gym-routing';
import {getGymFromRoute} from 'src/router/gym-routing';
import SlimForm from 'components/SlimForm.vue';
import api from 'src/api/main';
import {Gym} from 'src/api/main/gyms';
import {Exercise} from 'src/api/main/exercises';
import { useRouter } from 'vue-router';
import { sleep } from 'src/utils';
import {useRoute, useRouter} from 'vue-router';
import {showApiErrorToast, sleep} from 'src/utils';
import {uploadVideoToCDN, VideoProcessingStatus, waitUntilVideoProcessingComplete} from 'src/api/cdn';
import {useAuthStore} from 'stores/auth-store';
import {useI18n} from 'vue-i18n';
import {useQuasar} from "quasar";
const authStore = useAuthStore();
const router = useRouter();
const route = useRoute();
const i18n = useI18n();
const quasar = useQuasar();
interface Option {
value: string;
label: string;
}
const router = useRouter();
const gym: Ref<Gym | undefined> = ref<Gym>();
const exercises: Ref<Array<Exercise> | undefined> = ref<Array<Exercise>>();
const exerciseOptions: Ref<Array<Option>> = ref([]);
let submissionModel = ref({
name: '',
exerciseShortName: '',
weight: 100,
weightUnit: 'Kg',
reps: 1,
videoFileId: '',
videoFile: null,
date: new Date().toLocaleDateString('en-CA'),
});
const selectedVideoFile: Ref<File | undefined> = ref<File>();
const weightUnits = ['KG', 'LBS'];
const submitting = ref(false);
const infoMessage: Ref<string | undefined> = ref();
const submitButtonLabel = ref(i18n.t('gymPage.submitPage.submit'));
onMounted(async () => {
try {
@ -154,30 +156,59 @@ function validateForm() {
return true;
}
/**
* Runs through the entire submission process.
*/
async function onSubmitted() {
if (!selectedVideoFile.value || !gym.value) throw new Error('Invalid state.');
if (!selectedVideoFile.value || !gym.value) return;
submitting.value = true;
try {
infoMessage.value = 'Uploading video...';
// 1. Upload the video to the CDN.
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitUploading');
await sleep(1000);
submissionModel.value.videoFileId = await uploadVideoToCDN(selectedVideoFile.value);
infoMessage.value = 'Creating submission...';
// 2. Wait for the video to be processed.
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitVideoProcessing');
const processingStatus = await waitUntilVideoProcessingComplete(submissionModel.value.videoFileId);
// 3. If successful upload, create the submission.
if (processingStatus === VideoProcessingStatus.COMPLETED) {
try {
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitCreatingSubmission');
await sleep(1000);
const submission = await api.gyms.submissions.createSubmission(
gym.value,
submissionModel.value
submissionModel.value,
authStore
);
infoMessage.value = 'Submission processing...';
const finalStatus = await waitUntilVideoProcessingComplete(submission.videoFileId);
if (finalStatus === VideoProcessingStatus.COMPLETED) {
infoMessage.value = 'Submission complete!';
await sleep(1000);
await router.push(getGymRoute(gym.value));
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitComplete');
await sleep(2000);
await router.push(`/submissions/${submission.id}`);
} catch (error: any) {
if (error.response && error.response.status === 400) {
quasar.notify({
message: error.response.data.message,
type: 'warning',
position: 'top'
});
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
await sleep(3000);
} else {
infoMessage.value = 'Submission processing failed. Please try again later.';
showApiErrorToast(i18n, quasar);
}
}
// Otherwise, report the failed submission and give up.
} else {
submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
await sleep(3000);
}
} catch (error: any) {
showApiErrorToast(i18n, quasar);
} finally {
submitting.value = false;
submitButtonLabel.value = i18n.t('gymPage.submitPage.submit');
}
}
</script>

View File

@ -23,7 +23,9 @@ public class WeightedWildcardQueryBuilder {
}
public Optional<Query> build(String rawSearchQuery) {
if (rawSearchQuery == null || rawSearchQuery.isBlank()) return Optional.empty();
if (rawSearchQuery == null) return Optional.empty();
rawSearchQuery = rawSearchQuery.replaceAll("\\*", "");
if (rawSearchQuery.isBlank()) return Optional.empty();
String[] terms = rawSearchQuery.toLowerCase().split("\\s+");
for (String term : terms) {
String searchTerm = term + "*";