fix: info leak in screenshots api

2025-11-12 15:52:39 +10:00 · 2025-05-27 15:14:50 -04:00
parent 4b009f1aca
commit 0816d2ab3e
3 changed files with 30 additions and 6 deletions
--- a/server/api/v1/screenshots/[id]/index.delete.ts
+++ b/server/api/v1/screenshots/[id]/index.delete.ts
@ -16,12 +16,11 @@ export default defineEventHandler(async (h3) => {
  const result = await screenshotManager.get(screenshotId);
  if (!result)
    throw createError({
-      statusCode: 400,
-      statusMessage: "Incorrect screenshot ID",
+      statusCode: 404,
    });
  else if (result.userId !== userId)
    throw createError({
-      statusCode: 403,
+      statusCode: 404,
    });

  await screenshotManager.delete(screenshotId);
--- a/server/api/v1/screenshots/[id]/index.get.ts
+++ b/server/api/v1/screenshots/[id]/index.get.ts
@ -16,12 +16,11 @@ export default defineEventHandler(async (h3) => {
  const result = await screenshotManager.get(screenshotId);
  if (!result)
    throw createError({
-      statusCode: 400,
-      statusMessage: "Incorrect screenshot ID",
+      statusCode: 404,
    });
  else if (result.userId !== userId)
    throw createError({
-      statusCode: 403,
+      statusCode: 404,
    });
  return result;
 });
--- a/server/internal/screenshots/index.ts
+++ b/server/internal/screenshots/index.ts
@ -5,6 +5,11 @@ import stream from "node:stream/promises";
 import prisma from "../db/database";

 class ScreenshotManager {
+  /**
+   * Gets a specific screenshot
+   * @param id
+   * @returns
+   */
  async get(id: string) {
    return await prisma.screenshot.findUnique({
      where: {
@ -13,6 +18,11 @@ class ScreenshotManager {
    });
  }

+  /**
+   * Get all user screenshots
+   * @param userId
+   * @returns
+   */
  async getUserAll(userId: string) {
    const results = await prisma.screenshot.findMany({
      where: {
@ -22,6 +32,12 @@ class ScreenshotManager {
    return results;
  }

+  /**
+   * Get all user screenshots in a specific game
+   * @param userId
+   * @param gameId
+   * @returns
+   */
  async getUserAllByGame(userId: string, gameId: string) {
    const results = await prisma.screenshot.findMany({
      where: {
@ -32,6 +48,10 @@ class ScreenshotManager {
    return results;
  }

+  /**
+   * Delete a specific screenshot
+   * @param id
+   */
  async delete(id: string) {
    await prisma.screenshot.delete({
      where: {
@ -40,6 +60,12 @@ class ScreenshotManager {
    });
  }

+  /**
+   * Allows a user to upload a screenshot
+   * @param userId
+   * @param gameId
+   * @param inputStream
+   */
  async upload(userId: string, gameId: string, inputStream: IncomingMessage) {
    const objectId = randomUUID();
    const saveStream = await objectHandler.createWithStream(