refactor: standardise S3 URL generation (#362)

* refactor: replace presigned URL uploads with backend upload endpoints

* feat: update avatar upload to use new endpoint

* refactor: use createS3Client in auth hooks

* feat: generate presigned URLs for avatars

* fix: show avatar image in user menu

* fix: hide tooltip if content is empty

* fix: support external avatar URLs in generateAvatarUrl

* fix: remove content type restriction on attachments

Author: hjball

apps/web/src/components/Avatar.tsx

@@ -25,7 +25,7 @@ const Avatar = ({
   icon?: React.ReactNode;
   isLoading?: boolean;
 }) => {
-  const initials = name
+  const initials = name?.trim()
     ? getInitialsFromName(name)
     : inferInitialsFromEmail(email);
 

apps/web/src/components/Dashboard.tsx

@@ -12,6 +12,7 @@ import { authClient } from "@kan/auth/client";
 import { useClickOutside } from "~/hooks/useClickOutside";
 import { useModal } from "~/providers/modal";
 import { useWorkspace, WorkspaceProvider } from "~/providers/workspace";
+import { api } from "~/utils/api";
 import SideNavigation from "./SideNavigation";
 
 interface DashboardProps {
@@ -44,6 +45,12 @@ export default function Dashboard({
   const { availableWorkspaces, hasLoaded } = useWorkspace();
 
   const { data: session, isPending: sessionLoading } = authClient.useSession();
+  const { data: user, isLoading: userLoading } = api.user.getUser.useQuery(
+    undefined,
+    {
+      enabled: !!session?.user,
+    },
+  );
 
   const [isSideNavOpen, setIsSideNavOpen] = useState(false);
   const [isRightPanelOpen, setIsRightPanelOpen] = useState(false);
@@ -155,8 +162,12 @@ export default function Dashboard({
             className={`fixed top-12 z-40 h-[calc(100dvh-3rem)] w-[calc(100vw-1.5rem)] transform transition-transform duration-300 ease-in-out md:relative md:top-0 md:h-full md:w-auto md:translate-x-0 ${isSideNavOpen ? "translate-x-0" : "-translate-x-full md:translate-x-0"} `}
           >
             <SideNavigation
-              user={{ displayName: session?.user.name, email: session?.user.email, image: session?.user.image }}
-              isLoading={sessionLoading}
+              user={{
+                displayName: user?.name ?? session?.user.name,
+                email: user?.email ?? session?.user.email ?? "",
+                image: user?.image ?? undefined,
+              }}
+              isLoading={sessionLoading || userLoading}
               onCloseSideNav={closeSideNav}
             />
           </div>

apps/web/src/components/Tooltip.tsx

@@ -7,7 +7,7 @@ import tippy from "tippy.js";
 
 interface TooltipProps {
   children: ReactNode;
-  content: ReactNode;
+  content?: ReactNode;
   placement?: Placement;
   delay?: number | [number, number];
 }
@@ -24,6 +24,8 @@ export function Tooltip({
   useEffect(() => {
     if (!triggerRef.current) return;
 
+    if (!content) return;
+
     const container = document.createElement("div");
     const root = createRoot(container);
     rootRef.current = root;

apps/web/src/pages/api/upload/attachment.ts

@@ -0,0 +1,128 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import { PutObjectCommand } from "@aws-sdk/client-s3";
+
+import { createNextApiContext } from "@kan/api/trpc";
+import * as cardRepo from "@kan/db/repository/card.repo";
+import * as cardActivityRepo from "@kan/db/repository/cardActivity.repo";
+import * as cardAttachmentRepo from "@kan/db/repository/cardAttachment.repo";
+import { generateUID } from "@kan/shared/utils";
+
+import { env } from "~/env";
+import { withRateLimit } from "@kan/api/utils/rateLimit";
+import { createS3Client } from "@kan/shared/utils";
+import { assertPermission } from "@kan/api/utils/permissions";
+
+const MAX_SIZE_BYTES = 50 * 1024 * 1024; // 50MB
+
+export const config = {
+  api: {
+    bodyParser: false,
+  },
+};
+
+export default withRateLimit(
+  { points: 100, duration: 60 },
+  async (req: NextApiRequest, res: NextApiResponse) => {
+    if (req.method !== "POST") {
+      return res.status(405).json({ error: "Method not allowed" });
+    }
+
+    try {
+      const { user, db } = await createNextApiContext(req);
+
+      if (!user) {
+        return res.status(401).json({ error: "Unauthorized" });
+      }
+
+      const bucket = env.NEXT_PUBLIC_ATTACHMENTS_BUCKET_NAME;
+      if (!bucket) {
+        return res.status(500).json({ error: "Attachments bucket not configured" });
+      }
+
+      const cardPublicId = req.query.cardPublicId;
+      if (typeof cardPublicId !== "string" || cardPublicId.length < 12) {
+        return res.status(400).json({ error: "Invalid cardPublicId" });
+      }
+
+      const contentType = req.headers["content-type"];
+      const contentLengthHeader = req.headers["content-length"];
+      const contentLength = contentLengthHeader
+        ? Number.parseInt(contentLengthHeader, 10)
+        : NaN;
+
+      if (typeof contentType !== "string") {
+        return res.status(400).json({ error: "Missing content type" });
+      }
+
+      if (!Number.isFinite(contentLength) || contentLength <= 0) {
+        return res.status(400).json({ error: "Missing or invalid content length" });
+      }
+
+      if (contentLength > MAX_SIZE_BYTES) {
+        return res.status(400).json({ error: "File too large" });
+      }
+
+      const originalFilenameHeader =
+        (req.headers["x-original-filename"] as string | undefined) ?? "file";
+
+      const sanitizedFilename = originalFilenameHeader
+        .replace(/[^a-zA-Z0-9._-]/g, "_")
+        .substring(0, 200);
+
+      // Get card and check permissions
+      const card = await cardRepo.getWorkspaceAndCardIdByCardPublicId(
+        db,
+        cardPublicId,
+      );
+
+      if (!card) {
+        return res.status(404).json({ error: "Card not found" });
+      }
+
+      // Check if user has permission to edit the card
+      try {
+        await assertPermission(db, user.id, card.workspaceId, "card:edit");
+      } catch {
+        return res.status(403).json({ error: "Permission denied" });
+      }
+
+      const s3Key = `${card.workspaceId}/${cardPublicId}/${generateUID()}-${sanitizedFilename}`;
+
+      const client = createS3Client();
+
+      // Upload the file to S3
+      await client.send(
+        new PutObjectCommand({
+          Bucket: bucket,
+          Key: s3Key,
+          Body: req,
+          ContentType: contentType,
+          ContentLength: contentLength,
+        }),
+      );
+
+      // Create attachment record and log activity
+      const attachment = await cardAttachmentRepo.create(db, {
+        cardId: card.id,
+        filename: sanitizedFilename,
+        originalFilename: originalFilenameHeader,
+        contentType,
+        size: contentLength,
+        s3Key,
+        createdBy: user.id,
+      });
+
+      await cardActivityRepo.create(db, {
+        type: "card.updated.attachment.added",
+        cardId: card.id,
+        createdBy: user.id,
+      });
+
+      return res.status(200).json({ attachment });
+    } catch (error) {
+      console.error("Attachment upload failed", error);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  },
+);
+

apps/web/src/pages/api/upload/avatar.ts

@@ -0,0 +1,101 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import { PutObjectCommand } from "@aws-sdk/client-s3";
+
+import { createNextApiContext } from "@kan/api/trpc";
+import * as userRepo from "@kan/db/repository/user.repo";
+
+import { env } from "~/env";
+import { withRateLimit } from "@kan/api/utils/rateLimit";
+import { createS3Client } from "@kan/shared/utils";
+
+const MAX_SIZE_BYTES = 2 * 1024 * 1024; // 2MB
+const allowedContentTypes = ["image/jpeg", "image/png", "image/webp"];
+
+export const config = {
+  api: {
+    bodyParser: false,
+  },
+};
+
+export default withRateLimit(
+  { points: 100, duration: 60 },
+  async (req: NextApiRequest, res: NextApiResponse) => {
+    if (req.method !== "POST") {
+      return res.status(405).json({ error: "Method not allowed" });
+    }
+
+    try {
+      const { user, db } = await createNextApiContext(req);
+
+      if (!user) {
+        return res.status(401).json({ error: "Unauthorized" });
+      }
+
+      const bucket = env.NEXT_PUBLIC_AVATAR_BUCKET_NAME;
+      if (!bucket) {
+        return res.status(500).json({ error: "Avatar bucket not configured" });
+      }
+
+      const contentType = req.headers["content-type"];
+      const contentLengthHeader = req.headers["content-length"];
+      const contentLength = contentLengthHeader
+        ? Number.parseInt(contentLengthHeader, 10)
+        : NaN;
+
+      if (typeof contentType !== "string") {
+        return res.status(400).json({ error: "Missing content type" });
+      }
+
+      if (!allowedContentTypes.includes(contentType)) {
+        return res.status(400).json({ error: "Invalid content type" });
+      }
+
+      if (!Number.isFinite(contentLength) || contentLength <= 0) {
+        return res.status(400).json({ error: "Missing or invalid content length" });
+      }
+
+      if (contentLength > MAX_SIZE_BYTES) {
+        return res.status(400).json({ error: "File too large" });
+      }
+
+      const originalFilenameHeader =
+        (req.headers["x-original-filename"] as string | undefined) ?? "file";
+
+      const sanitizedFilename = originalFilenameHeader
+        .replace(/[^a-zA-Z0-9._-]/g, "_")
+        .substring(0, 200);
+
+      const s3Key = `${user.id}/${sanitizedFilename}`;
+
+      const client = createS3Client();
+
+      // Upload the file to S3
+      await client.send(
+        new PutObjectCommand({
+          Bucket: bucket,
+          Key: s3Key,
+          Body: req,
+          ContentType: contentType,
+          ContentLength: contentLength,
+        }),
+      );
+
+      // Update user image in database
+      const updatedUser = await userRepo.update(db, user.id, {
+        image: s3Key,
+      });
+
+      return res.status(200).json({
+        key: s3Key,
+        filename: sanitizedFilename,
+        contentType,
+        size: contentLength,
+        user: updatedUser,
+      });
+    } catch (error) {
+      console.error("Avatar upload failed", error);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  },
+);
+

apps/web/src/pages/api/upload/image.ts

@@ -1,5 +1,3 @@
-import { env } from "next-runtime-env";
-
 export const formatToArray = (
   value: string | string[] | undefined,
 ): string[] => {
@@ -52,14 +50,5 @@ export const getAvatarUrl = (imageOrKey: string | null) => {
     return imageOrKey;
   }
 
-  const bucket = env("NEXT_PUBLIC_AVATAR_BUCKET_NAME");
-  const useVirtualHostedUrls = env("NEXT_PUBLIC_USE_VIRTUAL_HOSTED_URLS");
-  const storageDomain = env("NEXT_PUBLIC_STORAGE_DOMAIN");
-
-  if (useVirtualHostedUrls === "true" && storageDomain) {
-    return `https://${bucket}.${storageDomain}/${imageOrKey}`;
-  }
-
-  const storageUrl = env("NEXT_PUBLIC_STORAGE_URL");
-  return `${storageUrl}/${bucket}/${imageOrKey}`;
+  return "";
 };