Conversation
update CVE Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
Updated Node.js and npm engine requirements and upgraded nodemailer types. Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
* Add avatar upload with size limit and streaming Implemented streaming upload for avatar with size limit. Signed-off-by: Damien <mouette03@yahoo.fr> * Update settings.ts Signed-off-by: Damien <mouette03@yahoo.fr> * Improve error handling for avatar upload Handle specific error cases for avatar upload. Signed-off-by: Damien <mouette03@yahoo.fr> * Improve error handling for logo upload Enhance error handling for logo upload by checking response status and code. Signed-off-by: Damien <mouette03@yahoo.fr> * Improve file upload size validation and error handling Refactor file upload handling to check size limits during write process and handle errors more gracefully. Signed-off-by: Damien <mouette03@yahoo.fr> --------- Signed-off-by: Damien <mouette03@yahoo.fr>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughLes handlers d'upload backend passent du buffering en mémoire au streaming vers disque avec limites (avatar 3 MB, logo 2 MB, uploads selon token), gestion du backpressure et nettoyage des fichiers partiels; le frontend détecte 413/ Changes
Sequence Diagram(s)sequenceDiagram
participant Client as Client (navigateur)
participant Frontend as Frontend (React)
participant Server as API (Fastify)
participant FS as Filesystem
participant DB as Database (Prisma)
Client->>Frontend: sélectionne fichier et POST /upload
Frontend->>Server: POST multipart/form-data
Server->>FS: crée WriteStream vers fichier temporaire
Server-->>Server: lit chunks et appelle write(chunk)
alt write() retourne false (backpressure)
Server->>Server: attend événement "drain"
end
Server->>Server: accumulateur de taille vérifié après chaque chunk
alt taille cumulée > maxBytes
Server->>FS: destroy stream et supprime fichier partiel
Server->>Frontend: HTTP 413 { code: "FILE_TOO_LARGE" }
else succès
Server->>DB: mise à jour (avatarUrl / appSettings / metadata)
Server->>Frontend: HTTP 200 (success)
end
Frontend->>Client: affiche toast (success ou imageTooLarge)
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@backend/src/routes/auth.ts`:
- Around line 127-146: The write stream (ws) is ended with ws.end() but not
awaited, so prisma.user.update may set avatarUrl before the file is flushed;
change the logic around ws.end() in backend/src/routes/auth.ts to await the
stream completion by attaching 'finish'/'error' listeners (the same pattern used
in uploadRequests.ts) and only proceed to call prisma.user.update(...) after the
promise resolves successfully; ensure you still destroy/remove the file on error
and propagate the error so late stream errors are caught.
In `@backend/src/routes/settings.ts`:
- Around line 207-227: The stream write in settings.ts uses ws.end() but does
not wait for the stream to finish, so the subsequent upsert may record logoUrl
before the file is fully written and late stream errors won't be caught; change
the logic after ws.end() to await a Promise that resolves on ws.once('finish')
and rejects on ws.once('error') (mirroring the safe pattern in
backend/src/routes/uploadRequests.ts lines ~145-149), ensuring you still destroy
and remove the file on error and only proceed to the upsert after the finish
event completes.
In `@backend/src/routes/uploadRequests.ts`:
- Around line 133-139: When a part exceeds maxBytes inside the for-await loop
(in uploadRequests.ts, the loop reading part.file and the variables size,
maxBytes, writeStream, savedFiles), ensure you clean up all already-written
files before returning 413: destroy/close the current writeStream, iterate
savedFiles and remove each path (use fs.remove and catch errors), and optionally
remove the request directory (UPLOAD_DIR/received/<request.id>) before sending
reply.code(413). Also ensure savedFiles is updated only after a successful write
so cleanup covers only actual files on disk.
- Around line 130-136: Change maxSizeBytes to remain a BigInt (do not Number()
it); set const maxBytes = request.maxSizeBytes === null ? null :
request.maxSizeBytes and initialize let size = 0n, then inside the loop add size
+= BigInt(chunk.length) and check explicitly if (maxBytes !== null && size >
maxBytes) to enforce limits (handle 0n correctly). Also when triggering the 413
response in the part.file loop, ensure you clean up previously written files in
savedFiles (same cleanup used in the password-failure branch) before returning
so no temporary files remain orphaned.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5dad2d49-6eec-4cf2-abb8-a7d94ea9943d
📒 Files selected for processing (7)
.github/workflows/docker.ymlbackend/package.jsonbackend/src/routes/auth.tsbackend/src/routes/settings.tsbackend/src/routes/uploadRequests.tsfrontend/src/pages/ProfilePage.tsxfrontend/src/pages/SettingsPage.tsx
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Damien <mouette03@yahoo.fr>
Signed-off-by: Damien <mouette03@yahoo.fr>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
backend/src/routes/settings.ts (1)
207-231: Implémentation de streaming bien réalisée, correctif dufinishappliqué.La gestion du backpressure avec
drainet l'attente definishavant l'upsertsont correctes. Le nettoyage dans lecatchest approprié.Suggestion mineure : pendant la boucle
for await(lignes 213-221), aucun listenererrorn'est attaché àws. Si une erreur d'écriture survient (ex: disque plein), l'événement serait non géré, ce qui pourrait causer un crash ou un blocage si on attenddrain. Pour plus de robustesse :♻️ Proposition pour capturer les erreurs du write stream pendant l'itération
const ws = fs.createWriteStream(filePath) let received = 0 + let writeError: Error | null = null + ws.on('error', (err) => { writeError = err }) try { for await (const chunk of data.file) { + if (writeError) throw writeError received += chunk.length if (received > MAX_BYTES) { ws.destroy() await fs.remove(filePath).catch(() => {}) return reply.code(413).send({ code: 'FILE_TOO_LARGE', maxBytes: MAX_BYTES }) } if (!ws.write(chunk)) await new Promise<void>(r => ws.once('drain', r)) } + if (writeError) throw writeError await new Promise<void>((resolve, reject) => {Note :
fs.ensureFile(filePath)(ligne 209) est redondant carcreateWriteStreamcrée automatiquement le fichier, mais ce n'est pas problématique.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@backend/src/routes/settings.ts` around lines 207 - 231, Attach an 'error' listener to the write stream (ws) before entering the for-await loop to catch write failures (e.g., disk full) and propagate them to the existing cleanup/exception path; ensure this listener rejects/throws so the outer try/catch can remove the partial file and respond appropriately, and remove the listener when the stream finishes or errors to avoid leaks. Specifically, add a handler on ws (used in the for-await over data.file and referenced alongside MAX_BYTES and the 'drain' wait) that signals/throws on write errors, so awaiting the 'drain' or the final 'finish' cannot deadlock on an unhandled write error. Ensure the handler is cleaned up after ws.once('finish')/ws.once('error') resolution.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@backend/src/routes/settings.ts`:
- Around line 207-231: Attach an 'error' listener to the write stream (ws)
before entering the for-await loop to catch write failures (e.g., disk full) and
propagate them to the existing cleanup/exception path; ensure this listener
rejects/throws so the outer try/catch can remove the partial file and respond
appropriately, and remove the listener when the stream finishes or errors to
avoid leaks. Specifically, add a handler on ws (used in the for-await over
data.file and referenced alongside MAX_BYTES and the 'drain' wait) that
signals/throws on write errors, so awaiting the 'drain' or the final 'finish'
cannot deadlock on an unhandled write error. Ensure the handler is cleaned up
after ws.once('finish')/ws.once('error') resolution.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e8f3dafc-ff10-43eb-98bb-e246c3351860
📒 Files selected for processing (1)
backend/src/routes/settings.ts
|
Note Docstrings generation - SUCCESS |
Docstrings generation was requested by @Mouette03. * #4 (comment) The following files were modified: * `backend/src/routes/auth.ts` * `backend/src/routes/settings.ts` * `backend/src/routes/uploadRequests.ts` * `frontend/src/pages/ProfilePage.tsx` * `frontend/src/pages/SettingsPage.tsx`
Docstrings generation was requested by @Mouette03. * #4 (comment) The following files were modified: * `backend/src/routes/auth.ts` * `backend/src/routes/settings.ts` * `backend/src/routes/uploadRequests.ts` * `frontend/src/pages/ProfilePage.tsx` * `frontend/src/pages/SettingsPage.tsx` Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Update dependencies in package.json update CVE Signed-off-by: Damien <mouette03@yahoo.fr> * Update Fastify dependencies to latest versions Signed-off-by: Damien <mouette03@yahoo.fr> * Update caching strategy for Docker builds Signed-off-by: Damien <mouette03@yahoo.fr> * Modify package.json for engine versions and types Updated Node.js and npm engine requirements and upgraded nodemailer types. Signed-off-by: Damien <mouette03@yahoo.fr> * Update Node.js engine version requirement Signed-off-by: Damien <mouette03@yahoo.fr> * Add license scanning workflow for frontend and backend Signed-off-by: Damien <mouette03@yahoo.fr> * Rename licences check .yml to license-checker.yml Signed-off-by: Damien <mouette03@yahoo.fr> * Delete .github/workflows/license-checker.yml Signed-off-by: Damien <mouette03@yahoo.fr> * Limite upload logo avatar (#3) * Add avatar upload with size limit and streaming Implemented streaming upload for avatar with size limit. Signed-off-by: Damien <mouette03@yahoo.fr> * Update settings.ts Signed-off-by: Damien <mouette03@yahoo.fr> * Improve error handling for avatar upload Handle specific error cases for avatar upload. Signed-off-by: Damien <mouette03@yahoo.fr> * Improve error handling for logo upload Enhance error handling for logo upload by checking response status and code. Signed-off-by: Damien <mouette03@yahoo.fr> * Improve file upload size validation and error handling Refactor file upload handling to check size limits during write process and handle errors more gracefully. Signed-off-by: Damien <mouette03@yahoo.fr> --------- Signed-off-by: Damien <mouette03@yahoo.fr> * Update backend/src/routes/auth.ts Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Damien <mouette03@yahoo.fr> * Update uploadRequests.ts Signed-off-by: Damien <mouette03@yahoo.fr> * Update uploadRequests.ts * Update settings.ts * 📝 Add docstrings to `cve` (#5) Docstrings generation was requested by @Mouette03. * #4 (comment) The following files were modified: * `backend/src/routes/auth.ts` * `backend/src/routes/settings.ts` * `backend/src/routes/uploadRequests.ts` * `frontend/src/pages/ProfilePage.tsx` * `frontend/src/pages/SettingsPage.tsx` Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Signed-off-by: Damien <mouette03@yahoo.fr> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
This pull request introduces several important improvements to file upload handling and dependency management in both the backend and frontend. The main focus is on adding server-side file size limits for avatar, logo, and upload request files, improving error handling for oversized uploads, and updating dependencies to their latest major versions for better compatibility and security.
Backend: File upload size limits and streaming improvements
auth.tsto prevent excessive memory usage and large file uploads.settings.ts, ensuring large files are rejected early and efficiently.maxSizeBytesduring streaming, aborting and cleaning up if the file is too large, and removed redundant post-upload size checks.Frontend: User feedback for oversized uploads
ProfilePage.tsxandSettingsPage.tsxto display specific toast messages when an uploaded image exceeds the allowed size, improving user experience. [1] [2]Backend: Dependency and environment updates
backend/package.json(includingfastify,@fastify/*, andnodemailer) and added required Node.js and npm engine versions for better reliability and compatibility. [1] [2]CI/CD: Docker build cache optimization
.github/workflows/docker.ymlto improve CI build efficiency and avoid cache collisions. [1] [2]Summary by CodeRabbit
Corrections de bogues
Améliorations
Chores