AI fix problems

gravit0 · gravit0 · commit 36b5563cff1d · 2026-01-17T17:01:20.000+07:00
diff --git a/.env.example b/.env.example
@@ -52,3 +52,21 @@ SERVER_PORT=3000
 # Default is 28800 seconds (8 hours)
 # This should be relatively short since username<->uuid mappings are unreliable
 USERNAME_CACHE_SECONDS=28800
+
+# Hash-based Endpoint Cache Configuration
+# Cache lifetime in seconds for the /download/:hash endpoint
+# Default is 1209600 seconds (14 days)
+# This can be longer since texture hashes don't change
+HASH_CACHE_SECONDS=1209600
+
+# CORS Configuration
+# Comma-separated list of allowed origins for CORS
+# Use "*" to allow all origins (NOT recommended for production)
+# Example: CORS_ALLOWED_ORIGINS=https://example.com,https://app.example.com
+# If not set, defaults to allowing all origins (development mode)
+CORS_ALLOWED_ORIGINS=*
+
+# Use Database Username in Mojang Requests
+# If true, attempts to look up username from database and resolve via Mojang API
+# Default is true
+USE_DATABASE_USERNAME_IN_MOJANG_REQUESTS=true
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -53,7 +53,6 @@ base64 = "0.22"
 # Logging
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
-dotenv = "0.15.0"
 
 [features]
 default = ["s3"]
diff --git a/src/auth.rs b/src/auth.rs
@@ -165,7 +165,23 @@ where
             .strip_prefix("admin_token:")
             .unwrap_or(&admin_token);
 
-        if token != expected_token {
+        // Use constant-time comparison to prevent timing attacks
+        // Convert both tokens to fixed-size arrays for comparison
+        let token_bytes = token.as_bytes();
+        let expected_bytes = expected_token.as_bytes();
+        
+        // Compare lengths first in constant time
+        if token_bytes.len() != expected_bytes.len() {
+            return Err((StatusCode::UNAUTHORIZED, "Invalid admin token".to_string()));
+        }
+        
+        // Compare byte by byte in constant time
+        let mut result = 0u8;
+        for (a, b) in token_bytes.iter().zip(expected_bytes.iter()) {
+            result |= a ^ b;
+        }
+        
+        if result != 0 {
             return Err((StatusCode::UNAUTHORIZED, "Invalid admin token".to_string()));
         }
 
diff --git a/src/config.rs b/src/config.rs
@@ -20,6 +20,7 @@ pub struct Config {
     pub username_cache_seconds: u64,
     pub hash_cache_seconds: u64,
     pub use_database_username_in_mojang_requests: bool,
+    pub cors_allowed_origins: Option<String>,
 }
 
 #[derive(Debug, Deserialize, Clone, PartialEq)]
@@ -75,7 +76,6 @@ impl Config {
 
         Ok(Config {
             database_url: env::var("DATABASE_URL")
-                .or_else(|_| env::var("DATABASE_URL"))
                 .map_err(|_| anyhow::anyhow!("DATABASE_URL must be set"))?,
             jwt_public_key: env::var("JWT_PUBLIC_KEY")
                 .map_err(|_| anyhow::anyhow!("JWT_PUBLIC_KEY must be set"))?,
@@ -110,6 +110,7 @@ impl Config {
                 .unwrap_or_else(|_| "true".to_string()) // 14 days default
                 .parse()
                 .map_err(|e| anyhow::anyhow!("Invalid USE_DATABASE_USERNAME_IN_MOJANG_REQUESTS: {}", e))?,
+            cors_allowed_origins: env::var("CORS_ALLOWED_ORIGINS").ok(),
         })
     }
 
diff --git a/src/handlers.rs b/src/handlers.rs
@@ -17,6 +17,10 @@ use sqlx::PgPool;
 use std::sync::Arc;
 use uuid::Uuid;
 
+/// Maximum file size for uploads (1 MB)
+/// PNG texture files for Minecraft skins/capes should never exceed this
+const MAX_FILE_SIZE: usize = 1_048_576; // 1 MB in bytes
+
 #[derive(Clone)]
 pub struct AppState {
     pub db: PgPool,
@@ -144,6 +148,18 @@ pub async fn upload_texture(
                     )
                 })?;
 
+                // Validate file size
+                if data.len() > MAX_FILE_SIZE {
+                    return Err((
+                        StatusCode::BAD_REQUEST,
+                        format!(
+                            "File size {} bytes exceeds maximum allowed size of {} bytes (1 MB)",
+                            data.len(),
+                            MAX_FILE_SIZE
+                        ),
+                    ));
+                }
+
                 // Validate PNG
                 if !is_png(&data) {
                     return Err((
@@ -331,6 +347,18 @@ pub async fn admin_upload_texture(
                     )
                 })?;
 
+                // Validate file size
+                if data.len() > MAX_FILE_SIZE {
+                    return Err((
+                        StatusCode::BAD_REQUEST,
+                        format!(
+                            "File size {} bytes exceeds maximum allowed size of {} bytes (1 MB)",
+                            data.len(),
+                            MAX_FILE_SIZE
+                        ),
+                    ));
+                }
+
                 // Validate PNG
                 if !is_png(&data) {
                     return Err((
diff --git a/src/main.rs b/src/main.rs
@@ -17,6 +17,7 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 use storage::create_storage;
 use tower_http::cors::{Any, CorsLayer};
+use tracing::warn;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
 use crate::auth::decode_key;
@@ -94,12 +95,7 @@ async fn main() -> anyhow::Result<()> {
             state.clone(),
             add_public_key_to_state,
         ))
-        .layer(
-            CorsLayer::new()
-                .allow_origin(Any)
-                .allow_methods(Any)
-                .allow_headers(Any),
-        )
+        .layer(build_cors_layer(&config))
         .with_state(state);
 
     // Start server
@@ -130,3 +126,43 @@ async fn add_public_key_to_state(
 
     next.run(request).await
 }
+
+/// Build CORS layer based on configuration
+/// If CORS_ALLOWED_ORIGINS is set, use those specific origins
+/// Otherwise, allow all origins (for development)
+fn build_cors_layer(config: &Config) -> CorsLayer {
+    if let Some(ref allowed_origins) = config.cors_allowed_origins {
+        // Parse comma-separated list of origins
+        let origins: Vec<&str> = allowed_origins.split(',').map(|s| s.trim()).collect();
+        
+        if origins.is_empty() || (origins.len() == 1 && origins[0] == "*") {
+            // Allow all origins
+            tracing::warn!("CORS configured to allow all origins - this should not be used in production!");
+            CorsLayer::new()
+                .allow_origin(Any)
+                .allow_methods(Any)
+                .allow_headers(Any)
+        } else {
+            // Allow specific origins
+            tracing::info!("CORS configured to allow specific origins: {:?}", origins);
+            let mut cors = CorsLayer::new();
+            
+            for origin in origins {
+                cors = cors.allow_origin(origin.parse::<axum::http::HeaderValue>().unwrap_or_else(|_| {
+                    tracing::warn!("Invalid origin '{}', skipping", origin);
+                    axum::http::HeaderValue::from_static("")
+                }));
+            }
+            
+            cors.allow_methods(Any)
+                .allow_headers(Any)
+        }
+    } else {
+        // Default: allow all origins (development mode)
+        tracing::warn!("CORS_ALLOWED_ORIGINS not set, allowing all origins - configure this for production!");
+        CorsLayer::new()
+            .allow_origin(Any)
+            .allow_methods(Any)
+            .allow_headers(Any)
+    }
+}
diff --git a/src/retrieval/mojang.rs b/src/retrieval/mojang.rs
@@ -246,21 +246,32 @@ impl TextureRetriever for MojangRetriever {
                     "#,
                     user_uuid
                 ).fetch_optional(db).await {
-                    Ok(e) => {
-                        if let Some(record) = e {
-                            fetch_uuid = self
-                                .resolve_username_to_uuid(&record.username)
-                                .await
-                                .map_err(|_| anyhow!("Failed to lookup username from mojang"))?
-                                .ok_or(anyhow!("Failed to lookup username from mojang"))?;
+                    Ok(Some(record)) => {
+                        match self.resolve_username_to_uuid(&record.username).await {
+                            Ok(Some(resolved_uuid)) => {
+                                fetch_uuid = resolved_uuid;
+                            }
+                            Ok(None) => {
+                                tracing::warn!(
+                                    "Username '{}' not found in Mojang API, using original UUID",
+                                    record.username
+                                );
+                                // Keep using the original UUID
+                            }
+                            Err(e) => {
+                                tracing::error!("Failed to resolve username from Mojang: {}", e);
+                                // Continue with original UUID
+                            }
                         }
                     }
+                    Ok(None) => {
+                        tracing::debug!("No username mapping found for UUID {}", user_uuid);
+                    }
                     Err(e) => {
-                        tracing::error!("Failed to lookup username: {}", e);
-                        return Err(e)
-                            .map_err(|_| anyhow!("Failed to lookup username from mojang"));
+                        tracing::error!("Failed to lookup username from database: {}", e);
+                        // Continue with original UUID
                     }
-                };
+                }
             }
         }
 
diff --git a/src/storage/s3.rs b/src/storage/s3.rs
@@ -38,13 +38,15 @@ impl S3Storage {
         #[cfg(feature = "s3")]
         {
             use aws_config::BehaviorVersion;
-            use aws_sdk_s3::config::Credentials;
+            use aws_sdk_s3::config::{Builder, Credentials, Region};
+            use aws_sdk_s3::Config;
 
-            let mut config_loader = aws_config::defaults(BehaviorVersion::latest());
+            let region = Region::new(self.region.clone());
+            let mut builder = Builder::new().region(region.clone());
 
             // Add credentials if provided
             if let Some(creds) = &self.credentials {
-                config_loader = config_loader.credentials_provider(Credentials::new(
+                builder = builder.credentials_provider(Credentials::new(
                     &creds.access_key,
                     &creds.secret_key,
                     None,
@@ -53,8 +55,20 @@ impl S3Storage {
                 ));
             }
 
-            let config = config_loader.load().await;
-            Ok(aws_sdk_s3::Client::new(&config))
+            // Configure custom endpoint if provided (for S3-compatible services)
+            let config = if let Some(endpoint) = &self.endpoint {
+                // For custom S3-compatible services (MinIO, Wasabi, etc.)
+                builder.endpoint_url(endpoint).build()
+            } else {
+                // Use standard AWS S3 configuration
+                let aws_config = aws_config::defaults(BehaviorVersion::latest())
+                    .region(region)
+                    .load()
+                    .await;
+                builder.build()
+            };
+
+            Ok(aws_sdk_s3::Client::from_conf(config))
         }
 
         #[cfg(not(feature = "s3"))]
