feat: Add WebP format support for admin panel image uploads

[zzstoatzz]

Closes #59

Summary

Adds support for uploading WebP format images in the admin panel's image upload functionality.

Changes

• Updated client-side file input validation to accept image/webp
• Enhanced server-side upload_emoji function to detect and handle WebP format
• Added file type detection based on content-type header and file signatures
• Updated documentation to reflect WebP support

Benefits

• WebP provides better compression than PNG/JPEG with similar quality
• Smaller file sizes = faster loading times
• Reduces storage and bandwidth usage

Generated with Claude Code

[claude]

Code Review for PR #60: WebP Support for Admin Panel Image Uploads

Thank you for implementing WebP support! Here's my comprehensive review:

✅ Strengths

• Clean implementation of WebP format detection using both content-type headers and file signatures
• Proper fallback mechanism when content-type is unavailable
• Consistent updates across frontend (HTML) and backend (Rust)
• Documentation updated appropriately

🔍 Code Quality & Best Practices

1. File signature detection is robust - The implementation correctly checks magic bytes for PNG, GIF, and WebP formats
2. Good defensive programming - Fallback to file signature detection when content-type is missing
3. Consistent error messaging - Clear error messages for unsupported formats

⚠️ Potential Issues & Recommendations

1. Missing file size validation (src/api/status_write.rs)

   • The README mentions "max 5MB" but there's no actual size validation in the code
   • Recommendation: Add size check before processing:

   const MAX_FILE_SIZE: usize = 5 * 1024 * 1024; // 5MB
   if file_bytes.len() > MAX_FILE_SIZE {
       return Err(AppError::ValidationError("File too large. Maximum size is 5MB.".into()));
   }

2. Code duplication in format detection (src/api/status_write.rs:67-95)

   • The file signature detection logic is duplicated
   • Recommendation: Extract into a helper function:

   fn detect_image_format(bytes: &[u8]) -> Option<&'static str> {
       if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) {
           Some("png")
       } else if bytes.starts_with(&[0x47, 0x49, 0x46]) {
           Some("gif")
       } else if bytes.starts_with(b"RIFF") && bytes.len() > 12 && &bytes[8..12] == b"WEBP" {
           Some("webp")
       } else {
           None
       }
   }

3. Security: Path traversal vulnerability (src/api/status_write.rs:102)

   • The filename is used directly in the path without sanitization
   • Recommendation: Sanitize the filename to prevent directory traversal:

   let filename = name
       .filter(|s| !s.is_empty() && !s.contains('/') && !s.contains('\\') && !s.contains(".."))
       .unwrap_or_else(|| format!("emoji_{}", chrono::Utc::now().timestamp()));

🚀 Performance Considerations

1. WebP validation is efficient - Checking only the necessary bytes for format detection
2. Consider image optimization - WebP files can still be large; consider implementing server-side compression/optimization

🔒 Security Concerns

1. Critical: Path traversal risk - As mentioned above, filename needs sanitization
2. Missing file size limit enforcement - Could lead to DoS via large file uploads
3. Content validation - Consider adding deeper validation to ensure files are valid images (not just checking headers)

🧪 Test Coverage

• Missing tests - No unit tests added for the new WebP functionality
• Recommendation: Add tests for:
  • WebP file signature detection
  • Content-type header parsing
  • Edge cases (malformed WebP, files with incorrect extensions)
  • File size limits
  • Path traversal attempts

📝 Additional Suggestions

1. Consider adding MIME type validation using a proper MIME type library
2. Add logging for upload attempts (success/failure) for audit purposes
3. Consider supporting other modern formats (AVIF) in the future

Summary

The implementation is functional and adds valuable WebP support. However, please address the security concerns (path traversal and file size limits) before merging. The code duplication issue can be addressed in a follow-up PR if needed.

Once the security issues are fixed, this will be a great addition to the project! 🎉

[zzstoatzz]

@claude numerous formatting issues, you need to run formatting and stuff dude

[claude]

Claude finished @zzstoatzz's task —— View job

---

✅ Formatting issues fixed

I've applied formatting fixes to src/api/status_write.rs to improve code readability.

Changes made:

• Alphabetized imports for consistency
• Broke long lines (especially the WebP detection conditions) for better readability
• Formatted error handling blocks consistently
• Improved spacing in JSON response formatting

Todo List:

• Identify formatting tools used in the project
• Run formatting tools (manually formatted long lines)
• Commit and push changes

The formatting has been successfully applied and pushed to the branch.

---

🔗 Job Run • Branch: claude/issue-59-20250914-0329

[claude]

Code Review for PR #60: WebP Support for Admin Panel Image Uploads

✅ Strengths

• Good file type detection: Implements both content-type header checking and file signature validation as a fallback
• Backwards compatible: Maintains support for existing PNG and GIF formats
• Clear error messages: Provides informative validation errors when unsupported formats are uploaded
• Consistent implementation: Updates both backend validation and frontend accept attributes

🔍 Issues & Recommendations

1. Security Concerns 🔴

• Missing file size validation: The code doesn't enforce the 5MB limit mentioned in the README
• Path traversal vulnerability: The filename isn't sanitized for directory traversal attacks (e.g., ../../../etc/passwd)
• Missing authentication check for admin: Only checks for session DID, not if it's the admin DID

Suggested fix for src/api/status_write.rs:25-26:

// Add proper admin check
let admin_did = app_config.admin_did.clone();
let session_did = session.get::<String>("did").unwrap_or(None);
if session_did.is_none() || session_did.unwrap() != admin_did {
    return Ok(HttpResponse::Unauthorized().body("Admin access required"));
}

2. Code Duplication 🟡

The file signature detection logic is duplicated (lines 75-88 and 93-106). Consider extracting this into a helper function:

fn detect_image_format(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) {
        Some("png")
    } else if bytes.starts_with(&[0x47, 0x49, 0x46]) {
        Some("gif")
    } else if bytes.starts_with(b"RIFF") && bytes.len() > 12 && &bytes[8..12] == b"WEBP" {
        Some("webp")
    } else {
        None
    }
}

3. Input Validation 🟡

• Filename sanitization needed: Should validate the filename to prevent path traversal and ensure valid characters
• File size check missing: Should enforce the 5MB limit before processing

Suggested additions:

// Add after line 65
if file_bytes.len() > 5 * 1024 * 1024 {
    return Err(AppError::ValidationError("File too large. Maximum size is 5MB.".into()));
}

// Sanitize filename (after line 111)
let filename = name
    .filter(|s| !s.is_empty() && s.chars().all(|c| c.is_alphanumeric() || c == '-' || c == '_'))
    .unwrap_or_else(|| format!("emoji_{}", chrono::Utc::now().timestamp()));

4. Performance Consideration 🟡

Loading entire file into memory could be problematic for large files. While 5MB isn't huge, consider streaming to disk for better memory efficiency in high-traffic scenarios.

5. Missing Tests 🔴

No test coverage for the new WebP functionality. Consider adding tests for:

• WebP file signature detection
• Content-type header handling
• Invalid format rejection
• File size limits
• Filename sanitization

📋 Summary

The PR successfully adds WebP support but has critical security issues that must be addressed before merging:

1. Must fix: Add proper admin authentication check
2. Must fix: Implement file size validation
3. Must fix: Sanitize filenames to prevent path traversal
4. Should fix: Extract duplicate code into helper function
5. Should add: Test coverage for new functionality

The WebP implementation itself is correct, but the security gaps need immediate attention. Please address these issues and I'll be happy to re-review!

[claude]

Code Review for PR #60: WebP Format Support

✅ Strengths

• Clean implementation: The WebP detection logic is well-structured with proper fallbacks
• Backwards compatible: Maintains support for existing PNG/GIF formats
• Security conscious: File validation via both content-type headers and magic bytes
• Consistent updates: Both client-side and server-side changes are aligned

🔍 Issues & Recommendations

1. Security: File Size Validation Missing

The code removed "Basic validation omitted for brevity" comment but doesn't implement actual file size validation. The README mentions "max 5MB" but this isn't enforced in upload_emoji().

Recommendation: Add validation before processing:

const MAX_FILE_SIZE: usize = 5 * 1024 * 1024; // 5MB
if file_bytes.len() > MAX_FILE_SIZE {
    return Err(AppError::ValidationError("File exceeds 5MB limit".into()));
}

2. Code Duplication: File Type Detection

The file signature detection logic is duplicated (lines 68-87 and 91-105 in status_write.rs).

Recommendation: Extract to a helper function:

fn detect_image_format(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) {
        Some("png")
    } else if bytes.starts_with(&[0x47, 0x49, 0x46]) {
        Some("gif")
    } else if bytes.starts_with(b"RIFF") && bytes.len() > 12 && &bytes[8..12] == b"WEBP" {
        Some("webp")
    } else {
        None
    }
}

3. Error Handling: Incomplete WebP Validation

The WebP detection checks for "RIFF" header and "WEBP" fourCC, but doesn't validate the actual WebP format (VP8/VP8L/VP8X chunks).

Recommendation: Consider using a proper image validation library like image or webp crate for robust validation.

4. Performance: Unnecessary String Allocation

Line 112 creates a new string for the response when filename and extension are already available.

Minor optimization:

Ok(HttpResponse::Ok()
    .json(serde_json::json!({"ok": true, "name": format!("{}.{}", filename, extension)})))

Could use: "name": &file_path[emoji_dir.len()+1..] to avoid allocation.

5. Missing Tests

No tests were added for the new WebP functionality. Critical paths to test:

• WebP file upload with correct content-type
• WebP file upload without content-type (magic byte detection)
• Invalid WebP files
• File size limits
• Malformed RIFF headers

📋 Additional Considerations

1. Documentation: Consider adding supported formats to API documentation or adding an endpoint to query supported formats
2. Migration: Existing emojis won't benefit from WebP compression - consider a migration script if significant storage savings are expected
3. Browser Support: WebP is well-supported but consider fallback for older browsers if needed

✅ Summary

The implementation is solid and follows the existing patterns well. The main concerns are around security (file size validation) and code maintainability (duplication). With the suggested improvements, this will be a valuable addition for reducing bandwidth and storage costs.

Verdict: Approve with minor changes recommended

[claude]

Code Review for PR #60: WebP Format Support

✅ Strengths

• Good format detection: Implements both content-type header and file signature detection as fallback
• Proper priority ordering: Clear preference hierarchy (PNG > WebP > GIF) for duplicate emoji names
• Clean error handling: Appropriate validation errors for unsupported formats
• Documentation updates: README correctly reflects the new WebP support

🔍 Issues & Recommendations

1. Security Concern: File Size Validation Missing

The PR removes the comment about "Basic validation omitted for brevity" but doesn't add actual file size validation. The README mentions "max 5MB" but this isn't enforced in code.

Recommendation: Add file size validation:

const MAX_FILE_SIZE: usize = 5 * 1024 * 1024; // 5MB
if file_bytes.len() > MAX_FILE_SIZE {
    return Err(AppError::ValidationError(
        format!("File too large. Maximum size is 5MB, got {}MB", 
                file_bytes.len() / (1024 * 1024)).into()
    ));
}

2. Code Duplication: File Signature Detection

The file signature detection logic is duplicated in the content-type match arm's fallback and the else branch.

Recommendation: Extract to a helper function:

fn detect_image_format(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) {
        Some("png")
    } else if bytes.starts_with(&[0x47, 0x49, 0x46]) {
        Some("gif")
    } else if bytes.starts_with(b"RIFF") 
        && bytes.len() > 12 
        && &bytes[8..12] == b"WEBP" {
        Some("webp")
    } else {
        None
    }
}

3. Missing Input Validation

The filename sanitization only checks for empty strings but doesn't validate for path traversal or invalid characters.

Recommendation: Add proper filename validation:

fn validate_filename(name: &str) -> Result<String, AppError> {
    let re = regex::Regex::new(r"^[a-zA-Z0-9_-]+$").unwrap();
    if !re.is_match(name) {
        return Err(AppError::ValidationError(
            "Invalid filename. Only letters, numbers, hyphens, and underscores allowed".into()
        ));
    }
    Ok(name.to_string())
}

4. Performance Consideration

The priority logic in get_custom_emojis could be simplified using a match expression for better readability:

let priority = |ext: &str| match ext {
    "png" => 3,
    "webp" => 2,
    "gif" => 1,
    _ => 0,
};

5. Missing Tests

No tests were added for the new WebP functionality. Consider adding:

• Unit tests for file format detection
• Integration tests for WebP upload endpoint
• Tests for the priority ordering logic

🚨 Critical Issues

1. File size validation is not implemented - This could allow DoS attacks through large file uploads
2. No proper filename sanitization - Potential for directory traversal attacks

📊 Overall Assessment

The implementation is functional and follows the existing codebase patterns well. However, it needs security improvements before merging, particularly around file size limits and input validation. The code duplication should also be addressed for maintainability.

Verdict: Changes Requested - Please address the security concerns and consider the code quality improvements before merging.

🤖 Generated with Claude Code

[claude]

Code Review for PR #60: WebP Format Support

Thank you for adding WebP support to the admin panel image uploads! Here's my comprehensive review:

✅ Strengths

• Clean implementation with proper fallback detection using both content-type headers and file signatures
• Maintains backward compatibility with existing PNG/GIF uploads
• Consistent updates across all relevant files (backend, frontend, documentation)
• Good preference ordering (PNG > WebP > GIF) for duplicate emoji names

🔍 Code Quality Observations

1. File Type Detection Logic (src/api/status_write.rs:67-105)

The dual approach (content-type + file signature) is robust, but there's code duplication between the two branches. Consider extracting the detection logic:

fn detect_image_format(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) {
        Some("png")
    } else if bytes.starts_with(&[0x47, 0x49, 0x46]) {
        Some("gif")
    } else if bytes.starts_with(b"RIFF") && bytes.len() > 12 && &bytes[8..12] == b"WEBP" {
        Some("webp")
    } else {
        None
    }
}

2. Security Considerations

• ✅ File size limit (5MB) is maintained
• ✅ Proper validation of file signatures prevents content-type spoofing
• ⚠️ Consider adding additional validation for WebP files (e.g., checking VP8/VP8L/VP8X chunks) to ensure they're valid images

3. Performance

• The priority-based duplicate handling in get_custom_emojis is efficient
• WebP's better compression will reduce bandwidth and storage usage as mentioned

⚠️ Potential Issues

1. Missing Error Handling for Malformed WebP: While you check the RIFF header, malformed WebP files might still pass initial validation. Consider using an image processing library to verify the file can be decoded.

2. Browser Compatibility: WebP is well-supported in modern browsers, but you might want to document minimum browser versions in the README.

3. Migration Path: Existing users might want to convert their PNG/GIF emojis to WebP. Consider documenting a migration strategy.

🧪 Test Coverage Gap

There are no tests for the upload_emoji function. This is a critical gap that should be addressed:

Recommended test cases:

• Valid PNG/GIF/WebP uploads
• Invalid file format rejection
• File size limit enforcement
• Filename sanitization
• Content-type spoofing prevention
• Malformed WebP handling

📚 Documentation

The README updates are clear, but consider adding:

• Supported browser versions for WebP
• File size recommendations for optimal performance
• Example WebP conversion commands for existing emojis

🎯 Recommendations

1. High Priority: Add comprehensive tests for the upload functionality
2. Medium Priority: Refactor duplicate detection logic to reduce code duplication
3. Low Priority: Add WebP-specific validation beyond header checks

✨ Overall Assessment

This is a solid implementation that adds valuable functionality. The code is well-structured and maintains consistency with the existing codebase. The main concern is the lack of test coverage for this critical admin functionality. With tests added and minor refactoring for code deduplication, this would be ready to merge.

Great work on implementing this feature! The WebP support will definitely improve performance and reduce bandwidth usage. 🚀

[claude]

Code Review for PR #60: WebP Format Support

✅ Strengths

• Comprehensive format detection: Good implementation of both content-type header and file signature detection for PNG, GIF, and WebP formats
• Improved error handling: Enhanced error messages with proper JSON responses and detailed logging
• Client-server consistency: Both frontend and backend properly validate supported formats
• Backwards compatibility: Maintains existing PNG/GIF support while adding WebP

🔍 Areas for Improvement

1. Security Considerations

• Missing image validation: The code only checks file signatures but doesn't validate that the uploaded file is actually a valid image. Consider using an image processing library to verify the file can be decoded.
• Path traversal protection: While the code sanitizes filenames, ensure the emoji_dir configuration can't be manipulated to write outside intended directories.

2. Performance Optimizations

• File signature checking efficiency: Currently checking file signatures sequentially. Consider using a match statement for cleaner code:

let extension = match &file_bytes[..] {
    bytes if bytes.starts_with(&[0x89, 0x50, 0x4E, 0x47]) => "png",
    bytes if bytes.starts_with(&[0x47, 0x49, 0x46]) => "gif",
    bytes if bytes.len() > 12 && bytes.starts_with(b"RIFF") && &bytes[8..12] == b"WEBP" => "webp",
    _ => return Err(AppError::ValidationError("Unsupported format".into()))
};

3. Code Quality Issues

• Duplicate code: The emoji upload JavaScript is duplicated in feed.html and status.html. Consider extracting to a shared script file.
• Magic numbers: File size limit (5MB) is hardcoded in multiple places. Define as a constant.
• Inconsistent response format: Some endpoints return {"ok": true} while others use {"success": true}. Standardize on one format.

4. Potential Bugs

• Race condition: No file locking when checking if a file exists before writing. Two simultaneous uploads with the same name could overwrite each other.
• Missing WebP MIME type validation: The code checks for "image/webp" content-type but some browsers/tools might send "image/webp-base64" or variations.

5. Test Coverage

• No tests found: This PR lacks unit tests for the new WebP support. Consider adding tests for:
  • File type detection logic
  • Upload size validation
  • Error handling paths
  • WebP file priority in the emoji listing

📝 Recommendations

1. Add image validation using a library like image crate to ensure uploaded files are valid images
2. Extract common JavaScript to a shared file to reduce duplication
3. Add comprehensive tests for the upload functionality
4. Consider adding rate limiting to the upload endpoint to prevent abuse
5. Document the WebP browser compatibility requirements

✨ Overall Assessment

The implementation is functional and adds valuable WebP support. However, it needs security hardening, test coverage, and some refactoring to reduce code duplication. The error handling improvements are excellent and the logging additions will help with debugging.

Recommendation: Address the security concerns and add basic test coverage before merging.