Merge pull request #530 from netzbegruenung/test-branch

fix: canvas auto-save, docs updated_at, error logging

Author: Movm

apps/api/database/postgres/migrations/add_draft_status_to_shared_media.sql

@@ -0,0 +1,6 @@
+-- Add 'draft' to shared_media status CHECK constraint
+-- This allows auto-save to create draft entries that are promoted to 'ready' on explicit share
+
+ALTER TABLE shared_media DROP CONSTRAINT IF EXISTS shared_media_status_check;
+ALTER TABLE shared_media ADD CONSTRAINT shared_media_status_check
+  CHECK (status IN ('processing', 'ready', 'failed', 'draft'));

apps/api/database/postgres/schema.sql

@@ -633,7 +633,7 @@ CREATE TABLE IF NOT EXISTS shared_media (
     project_id UUID REFERENCES subtitler_projects(id) ON DELETE SET NULL,
     image_type TEXT,
     image_metadata JSONB DEFAULT '{}',
-    status VARCHAR(20) DEFAULT 'ready' CHECK (status IN ('processing', 'ready', 'failed')),
+    status VARCHAR(20) DEFAULT 'ready' CHECK (status IN ('processing', 'ready', 'failed', 'draft')),
     download_count INTEGER DEFAULT 0,
     view_count INTEGER DEFAULT 0,
     created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP

apps/api/package.json

@@ -73,6 +73,7 @@
     "domhandler": "^5.0.3",
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.3.0",
     "express-session": "^1.19.0",
     "fastembed": "^2.1.0",
     "form-data": "^4.0.5",

apps/api/routes/docs/documentController.ts

@@ -320,17 +320,17 @@ router.put('/:id', async (req: Request, res: Response) => {
     if (content !== undefined) {
       updates.push(`content = $${paramIndex++}`);
       values.push(content);
+      updates.push(`last_edited_by = $${paramIndex++}`);
+      values.push(userId);
+      updates.push(`last_edited_at = CURRENT_TIMESTAMP`);
+      updates.push(`updated_at = CURRENT_TIMESTAMP`);
     }
 
-    updates.push(`last_edited_by = $${paramIndex++}`);
-    values.push(userId);
-    updates.push(`last_edited_at = CURRENT_TIMESTAMP`);
-
     values.push(id);
 
     const result = (await db.query(
       `UPDATE collaborative_documents
-       SET ${updates.join(', ')}, updated_at = CURRENT_TIMESTAMP
+       SET ${updates.join(', ')}
        WHERE id = $${paramIndex}
        RETURNING *`,
       values

apps/api/routes/share/shareController.ts

@@ -7,6 +7,7 @@ import fs from 'fs';
 import path from 'path';
 
 import express, { type Request, type Response, type Router } from 'express';
+import rateLimit from 'express-rate-limit';
 import sharp from 'sharp';
 
 import { requireAuth } from '../../middleware/authMiddleware.js';
@@ -19,6 +20,14 @@ import type { SharedMediaRow, ShareResult } from '../../types/media.js';
 const fsPromises = fs.promises;
 const log = createLogger('share');
 
+// Rate limiters for share mutation routes
+const shareWriteLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 50,
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 // ============================================================================
 // Types
 // ============================================================================
@@ -57,7 +66,11 @@ interface SharedMediaService {
     userId: string,
     params: CreatePendingVideoShareParams
   ): Promise<ShareResult>;
-  getUserShares(userId: string, type: string | null): Promise<SharedMediaRow[]>;
+  getUserShares(
+    userId: string,
+    type: string | null,
+    status?: string | null
+  ): Promise<SharedMediaRow[]>;
   getUserShareCount(userId: string): Promise<number>;
   getShareByToken(shareToken: string): Promise<SharedMediaRow | null>;
   recordView(shareToken: string): Promise<void>;
@@ -103,6 +116,7 @@ interface CreateImageShareParams {
   imageType: string | null;
   metadata: Record<string, unknown>;
   originalImage: string | null;
+  status?: 'ready' | 'draft';
 }
 
 interface CreateVideoShareParams {
@@ -134,6 +148,7 @@ interface ImageShareRequest extends AuthenticatedRequest {
     imageType?: string;
     metadata?: Record<string, unknown>;
     originalImage?: string;
+    status?: 'ready' | 'draft';
   };
 }
 
@@ -299,53 +314,111 @@ async function triggerBackgroundRender(
 
 const router: Router = express.Router();
 
+// Override global body parser limit for share routes (canvas images can exceed 10MB)
+router.use(express.json({ limit: '50mb' }));
+
 // ============================================================================
 // IMAGE SHARE ROUTES
 // ============================================================================
 
-router.post('/image', requireAuth, async (req: ImageShareRequest, res: Response<ShareResponse>) => {
-  try {
-    const userId = req.user!.id;
-    const { imageData, title, imageType, metadata, originalImage } = req.body;
+router.post(
+  '/image',
+  shareWriteLimiter,
+  requireAuth,
+  async (req: ImageShareRequest, res: Response<ShareResponse>) => {
+    try {
+      const userId = req.user!.id;
+      const { imageData, title, imageType, metadata, originalImage, status } = req.body;
 
-    if (!imageData) {
-      return res.status(400).json({
+      if (!imageData) {
+        return res.status(400).json({
+          success: false,
+          error: 'Bilddaten werden benötigt',
+        });
+      }
+
+      const service = await getSharedMediaService();
+      const share = await service.createImageShare(userId, {
+        imageBase64: imageData,
+        title: title || 'Geteiltes Bild',
+        imageType: imageType || null,
+        metadata: metadata || {},
+        originalImage: originalImage || null,
+        status: status === 'draft' ? 'draft' : 'ready',
+      });
+
+      log.info(
+        `Image share created: ${share.shareToken} by user ${userId}${originalImage ? ' (with original)' : ''}`
+      );
+
+      return res.json({
+        success: true,
+        share: {
+          shareToken: share.shareToken,
+          shareUrl: share.shareUrl,
+          createdAt: share.createdAt,
+          mediaType: 'image',
+          hasOriginalImage: share.hasOriginalImage || false,
+        },
+      });
+    } catch (error) {
+      log.error('Failed to create image share:', error);
+      return res.status(500).json({
         success: false,
-        error: 'Bilddaten werden benötigt',
+        error: 'Bild konnte nicht geteilt werden',
       });
     }
+  }
+);
 
-    const service = await getSharedMediaService();
-    const share = await service.createImageShare(userId, {
-      imageBase64: imageData,
-      title: title || 'Geteiltes Bild',
-      imageType: imageType || null,
-      metadata: metadata || {},
-      originalImage: originalImage || null,
-    });
+// Promote a draft to ready (publish)
+router.put(
+  '/:shareToken/publish',
+  shareWriteLimiter,
+  requireAuth,
+  async (req: Request<ShareTokenParams>, res: Response<ShareResponse>) => {
+    try {
+      const userId = (req as AuthenticatedRequest).user!.id;
+      const { shareToken } = req.params;
 
-    log.info(
-      `Image share created: ${share.shareToken} by user ${userId}${originalImage ? ' (with original)' : ''}`
-    );
+      const service = await getSharedMediaService();
+      const share = await service.getShareByToken(shareToken as string);
 
-    return res.json({
-      success: true,
-      share: {
-        shareToken: share.shareToken,
-        shareUrl: share.shareUrl,
-        createdAt: share.createdAt,
-        mediaType: 'image',
-        hasOriginalImage: share.hasOriginalImage || false,
-      },
-    });
-  } catch (error) {
-    log.error('Failed to create image share:', error);
-    return res.status(500).json({
-      success: false,
-      error: 'Bild konnte nicht geteilt werden',
-    });
+      if (!share) {
+        return res.status(404).json({ success: false, error: 'Share nicht gefunden' });
+      }
+
+      if (share.user_id !== userId) {
+        return res.status(403).json({ success: false, error: 'Nicht berechtigt' });
+      }
+
+      const pg = (await import('../../database/services/PostgresService.js')).getPostgresInstance();
+      await pg.query('UPDATE shared_media SET status = $1 WHERE share_token = $2', [
+        'ready',
+        shareToken,
+      ]);
+
+      log.info(`Share ${shareToken} published by user ${userId}`);
+
+      return res.json({
+        success: true,
+        share: {
+          shareToken: share.share_token,
+          shareUrl: `/share/${shareToken}`,
+          createdAt: share.created_at,
+          mediaType: share.media_type as 'image' | 'video',
+          status: 'ready',
+        },
+      });
+    } catch (error) {
+      log.error('Failed to publish share:', error);
+      return res.status(500).json({
+        success: false,
+        error: 'Share konnte nicht veröffentlicht werden',
+      });
+    }
   }
-});
+);
 
 // ============================================================================
 // VIDEO SHARE ROUTES
@@ -580,9 +653,10 @@ router.get(
     try {
       const userId = req.user!.id;
       const type = req.query.type as string | undefined;
+      const status = req.query.status as string | undefined;
 
       const service = await getSharedMediaService();
-      const shares = await service.getUserShares(userId, type || null);
+      const shares = await service.getUserShares(userId, type || null, status || null);
       const count = await service.getUserShareCount(userId);
 
       res.json({

apps/api/server.ts

@@ -553,6 +553,13 @@ async function startWorker(): Promise<void> {
     let errorMessage = 'Bitte versuchen Sie es später erneut';
     let statusCode = 500;
 
+    log.error(`[GlobalErrorHandler] ${err.name}: ${err.message}`, {
+      path: req.path,
+      method: req.method,
+      statusCode,
+      errorCode: (err as NodeJS.ErrnoException).code,
+    });
+
     if (
       err.name === 'AuthenticationError' ||
       (err.message && err.message.includes('authentication'))

apps/api/services/sharedMediaService.ts

@@ -227,7 +227,14 @@ class SharedMediaService {
     await this.ensureInitialized();
     await this.enforceUserLimit(userId);
 
-    const { imageBase64, title, imageType, metadata = {}, originalImage = null } = params;
+    const {
+      imageBase64,
+      title,
+      imageType,
+      metadata = {},
+      originalImage = null,
+      status = 'ready',
+    } = params;
     const shareToken = this.generateShareToken();
     const shareDir = getSafeShareDir(shareToken);
 
@@ -300,7 +307,7 @@ class SharedMediaService {
                 INSERT INTO shared_media
                 (user_id, share_token, media_type, title, file_path, file_name, thumbnail_path,
                  file_size, mime_type, image_type, image_metadata, status)
-                VALUES ($1, $2, 'image', $3, $4, $5, $6, $7, $8, $9, $10, 'ready')
+                VALUES ($1, $2, 'image', $3, $4, $5, $6, $7, $8, $9, $10, $11)
                 RETURNING id, share_token, created_at
             `;
 
@@ -319,6 +326,7 @@ class SharedMediaService {
         mimeType,
         imageType || null,
         JSON.stringify(enrichedMetadata),
+        status,
       ]);
 
       console.log(
@@ -480,7 +488,8 @@ class SharedMediaService {
 
   async getUserShares(
     userId: string,
-    mediaType: 'image' | 'video' | null = null
+    mediaType: 'image' | 'video' | null = null,
+    status: string | null = null
   ): Promise<SharedMediaRow[]> {
     await this.ensureInitialized();
 
@@ -492,10 +501,18 @@ class SharedMediaService {
                 WHERE user_id = $1
             `;
       const params: unknown[] = [userId];
+      let paramIndex = 2;
 
       if (mediaType) {
-        query += ` AND media_type = $2`;
+        query += ` AND media_type = $${paramIndex}`;
         params.push(mediaType);
+        paramIndex++;
+      }
+
+      if (status) {
+        query += ` AND status = $${paramIndex}`;
+        params.push(status);
+        paramIndex++;
       }
 
       query += ` ORDER BY created_at DESC LIMIT 100`;
@@ -905,6 +922,7 @@ class SharedMediaService {
       }
 
       const shareDir = getSafeShareDir(shareToken);
+      await fs.mkdir(shareDir, { recursive: true });
 
       const base64Data = imageBase64.replace(/^data:image\/\w+;base64,/, '');
       const imageBuffer = Buffer.from(base64Data, 'base64');

apps/api/types/media.d.ts

@@ -36,7 +36,7 @@ export interface SharedMediaRow {
   project_id: string | null;
   image_type: string | null;
   image_metadata: Record<string, unknown> | null;
-  status: 'processing' | 'ready' | 'failed';
+  status: 'processing' | 'ready' | 'failed' | 'draft';
   download_count: number;
   view_count: number;
   is_library_item: boolean;
@@ -90,6 +90,7 @@ export interface CreateImageShareParams {
   imageType?: string;
   metadata?: Record<string, unknown>;
   originalImage?: string | null;
+  status?: 'ready' | 'draft';
 }
 
 /**

apps/docs/server.ts

@@ -78,14 +78,23 @@ app.use(
     setHeaders(res, filePath) {
       // index.html must not be cached — it references hashed chunks that change on each deploy
       if (filePath.endsWith('.html')) {
-        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
       }
     },
   })
 );
 
+// Missing assets should 404, not fall through to SPA (prevents serving index.html as JS)
+app.use('/assets', (_req, res) => {
+  res.status(404).end();
+});
+app.use('/fonts', (_req, res) => {
+  res.status(404).end();
+});
+
 // SPA fallback - send all non-matched requests to index.html
 app.use((_req, res) => {
+  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
   res.sendFile(path.join(DIST_PATH, 'index.html'));
 });
 

apps/web/src/features/image-studio/canvas-editor/hooks/useCanvasAutoSave.ts

@@ -230,6 +230,7 @@ export const useCanvasAutoSave = (
           imageType: refs.canvasType,
           metadata,
           originalImage: originalImageBase64,
+          status: 'draft',
         });
       }