First pass at user profile image validation

Author: chriscarrollsmith

pyproject.toml

@@ -20,6 +20,7 @@ dependencies = [
     "resend<3.0.0,>=2.4.0",
     "bcrypt<5.0.0,>=4.2.0",
     "fastapi<1.0.0,>=0.115.5",
+    "pillow>=11.0.0",
 ]
 
 [dependency-groups]

routers/user.py

@@ -1,14 +1,41 @@
-from fastapi import APIRouter, Depends, Form, UploadFile, File
+from fastapi import APIRouter, Depends, Form, UploadFile, File, HTTPException
 from fastapi.responses import RedirectResponse, Response
 from pydantic import BaseModel, EmailStr
 from sqlmodel import Session
 from typing import Optional
 from utils.models import User, DataIntegrityError
 from utils.auth import get_session, get_authenticated_user, verify_password, PasswordValidationError
+from PIL import Image
+import io
 
 router = APIRouter(prefix="/user", tags=["user"])
 
 
+# --- Constants ---
+
+
+# 2MB in bytes
+MAX_FILE_SIZE = 2 * 1024 * 1024
+ALLOWED_CONTENT_TYPES = {
+    'image/jpeg',
+    'image/png',
+    'image/webp'
+}
+MIN_DIMENSION = 100
+MAX_DIMENSION = 2000
+TARGET_SIZE = 500
+
+
+# --- Custom Exceptions ---
+
+
+class InvalidImageError(HTTPException):
+    """Raised when an invalid image is uploaded"""
+
+    def __init__(self, message: str = "Invalid image file"):
+        super().__init__(status_code=400, detail=message)
+
+
 # --- Server Request and Response Models ---
 
 
@@ -61,11 +88,62 @@ async def update_profile(
     user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
+    # Handle avatar update
+    if user_profile.avatar_file:
+        # Check file size
+        if len(user_profile.avatar_file) > MAX_FILE_SIZE:
+            raise InvalidImageError(
+                message="File too large (max 2MB)"
+            )
+
+        # Check file type
+        if user_profile.avatar_content_type not in ALLOWED_CONTENT_TYPES:
+            raise InvalidImageError(
+                message="Invalid file type. Must be JPEG, PNG, or WebP"
+            )
+
+        try:
+            # Open and validate image
+            image = Image.open(io.BytesIO(user_profile.avatar_file))
+            width, height = image.size
+
+            # Check minimum dimensions
+            if width < MIN_DIMENSION or height < MIN_DIMENSION:
+                raise InvalidImageError(
+                    message=f"Image too small. Minimum dimension is {MIN_DIMENSION}px"
+                )
+
+            # Check maximum dimensions
+            if width > MAX_DIMENSION or height > MAX_DIMENSION:
+                raise InvalidImageError(
+                    message=f"Image too large. Maximum dimension is {MAX_DIMENSION}px"
+                )
+
+            # Crop to square and resize
+            min_dim = min(width, height)
+            left = (width - min_dim) // 2
+            top = (height - min_dim) // 2
+            right = left + min_dim
+            bottom = top + min_dim
+            
+            image = image.crop((left, top, right, bottom))
+            image = image.resize((TARGET_SIZE, TARGET_SIZE), Image.Resampling.LANCZOS)
+
+            # Convert back to bytes
+            output = io.BytesIO()
+            image.save(output, format='PNG')
+            user_profile.avatar_file = output.getvalue()
+            user_profile.avatar_content_type = 'image/png'
+
+        except Exception as e:
+            raise InvalidImageError(
+                message="Invalid image file"
+            )
+
     # Update user details
     user.name = user_profile.name
     user.email = user_profile.email
-
-    # Handle avatar update
+    
     if user_profile.avatar_file:
         user.avatar_data = user_profile.avatar_file
         user.avatar_content_type = user_profile.avatar_content_type