fix(drawings): copy S3 storage on duplicate so the original can be deleted

POST /drawings/:id/duplicate previously copied elements/appState/files
verbatim, including the dataURLs that point at the *original*
drawing's S3 prefix (`/api/files/origId/fileId` or
`https://.../excalidash/owner/origId/fileId.ext`). The duplicate's
images therefore pointed at storage owned by the original. Deleting
the original then ran the new prefix-scoped S3 cleanup and silently
broke every image in the duplicate.

Now the duplicate handler does a server-side CopyObject for every
S3File row of the original under the new drawingId path, writes a
fresh (newDrawingId, fileId) S3File row, and rewrites the dataURLs
in the new drawing's files JSON to match the new drawing id. Each
drawing — original and duplicate — owns its own storage from the
moment of duplication, so DELETE /drawings/:origId can no longer
strand the duplicate.

Adds a bucket-internal copyS3Object() helper to s3.ts (uses S3
CopyObject; no download/re-upload).

Change-Id: If57d006fce8964fe04e702680e96866a3ec3b6f0
Co-developed-by: Claude <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: OhYee

backend/src/routes/dashboard/drawings.ts

@@ -5,6 +5,7 @@ import {
   isS3Enabled,
   listS3Objects,
   deleteS3Object,
+  copyS3Object,
   drawingS3Prefix,
 } from "../../s3";
 import { DashboardRouteDeps, SortDirection, SortField } from "./types";
@@ -705,14 +706,84 @@ export const registerDrawingRoutes = (
         version: 1,
       },
     });
+
+    // Copy S3 storage so the duplicate stops sharing objects with the
+    // original. Without this, deleting the original (which prunes the
+    // original's S3 prefix) would silently break every image in the
+    // duplicate's scene.
+    let duplicatedFilesJson = newDrawing.files;
+    if (isS3Enabled()) {
+      const sourceFiles = await prisma.s3File.findMany({
+        where: { drawingId: original.id },
+      });
+
+      if (sourceFiles.length > 0) {
+        const filesObj = parseJsonField<Record<string, any>>(
+          newDrawing.files,
+          {},
+        );
+
+        for (const src of sourceFiles) {
+          // Replace `/{originalId}/` with `/{newId}/` exactly once at
+          // the per-drawing folder boundary in the s3Key.
+          const destKey = src.s3Key.replace(
+            `/${original.id}/`,
+            `/${newDrawing.id}/`,
+          );
+
+          try {
+            await copyS3Object(src.s3Key, destKey, src.mimeType);
+          } catch (err) {
+            console.error(
+              `[drawings/duplicate] Failed to copy ${src.s3Key} -> ${destKey}`,
+              err,
+            );
+            continue;
+          }
+
+          await prisma.s3File.create({
+            data: {
+              drawingId: newDrawing.id,
+              fileId: src.fileId,
+              userId: req.user.id,
+              s3Key: destKey,
+              mimeType: src.mimeType,
+            },
+          });
+
+          // Rewrite dataURL so private-bucket redirects and public CDN
+          // links point at the new object instead of the original's.
+          const file = filesObj[src.fileId];
+          if (file && typeof file.dataURL === "string") {
+            const next = file.dataURL
+              .replace(
+                `/api/files/${original.id}/`,
+                `/api/files/${newDrawing.id}/`,
+              )
+              .replace(`/${original.id}/`, `/${newDrawing.id}/`);
+            if (next !== file.dataURL) {
+              filesObj[src.fileId] = { ...file, dataURL: next };
+            }
+          }
+        }
+
+        const serialised = JSON.stringify(filesObj);
+        await prisma.drawing.update({
+          where: { id: newDrawing.id },
+          data: { files: serialised },
+        });
+        duplicatedFilesJson = serialised;
+      }
+    }
+
     invalidateDrawingsCache();
 
     return res.json({
       ...newDrawing,
       collectionId: toPublicTrashCollectionId(newDrawing.collectionId, req.user.id),
       elements: parseJsonField(newDrawing.elements, []),
       appState: parseJsonField(newDrawing.appState, {}),
-      files: parseJsonField(newDrawing.files, {}),
+      files: parseJsonField(duplicatedFilesJson, {}),
     });
   }));
 

backend/src/s3.ts

@@ -8,6 +8,7 @@ import {
   GetObjectCommand,
   DeleteObjectCommand,
   ListObjectsV2Command,
+  CopyObjectCommand,
 } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
@@ -233,6 +234,32 @@ export const listS3Objects = async (
   return results;
 };
 
+/**
+ * Copy an object inside the same bucket (server-side copy — no
+ * download/re-upload). Used by the duplicate-drawing path so each
+ * drawing owns its own object under its own (drawingId) prefix.
+ */
+export const copyS3Object = async (
+  sourceKey: string,
+  destKey: string,
+  mimeType?: string,
+): Promise<void> => {
+  if (!s3Client || !s3Config) {
+    throw new Error("S3 is not configured");
+  }
+
+  const command = new CopyObjectCommand({
+    Bucket: s3Config.bucket,
+    Key: destKey,
+    CopySource: `${s3Config.bucket}/${sourceKey}`,
+    ContentType: mimeType,
+    CacheControl: "public, max-age=31536000, immutable",
+    MetadataDirective: mimeType ? "REPLACE" : "COPY",
+  });
+
+  await s3Client.send(command);
+};
+
 /**
  * Delete an object from S3. Best-effort — errors are thrown to the caller.
  */