sojorn/_legacy/supabase/functions/upload-image/index.ts

import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
import { AwsClient } from 'https://esm.sh/aws4fetch@1.0.17'
import { trySignR2Url } from "../_shared/r2_signer.ts";

const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}

serve(async (req) => {
  if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })

  try {
    // 1. AUTH CHECK
    const authHeader = req.headers.get('Authorization')
    if (!authHeader) {
      return new Response(JSON.stringify({ code: 401, message: 'Missing authorization header' }), {
        status: 401,
        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
      })
    }

    // Extract user ID from JWT without full validation
    // The JWT is already validated by Supabase's edge runtime
    let userId: string
    try {
      const token = authHeader.replace('Bearer ', '')
      const payload = JSON.parse(atob(token.split('.')[1]))
      userId = payload.sub
      if (!userId) throw new Error('No user ID in token')
      console.log('Authenticated user:', userId)
    } catch (e) {
      console.error('Failed to parse JWT:', e)
      return new Response(JSON.stringify({ code: 401, message: 'Invalid JWT' }), {
        status: 401,
        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
      })
    }

    // 2. CONFIGURATION
    const R2_BUCKET = 'sojorn-media'
    const ACCOUNT_ID = (Deno.env.get('R2_ACCOUNT_ID') ?? '').trim()
    const ACCESS_KEY = (Deno.env.get('R2_ACCESS_KEY') ?? '').trim()
    const SECRET_KEY = (Deno.env.get('R2_SECRET_KEY') ?? '').trim()
    if (!ACCOUNT_ID || !ACCESS_KEY || !SECRET_KEY) throw new Error('Missing R2 Secrets')

    // 3. PARSE MULTIPART FORM DATA (image + metadata)
    const contentType = req.headers.get('content-type') || ''

    if (!contentType.includes('multipart/form-data')) {
      throw new Error('Request must be multipart/form-data')
    }

    const formData = await req.formData()
    const imageFile = formData.get('image') as File
    const fileName = formData.get('fileName') as string

    if (!imageFile) {
      throw new Error('No image file provided')
    }

    // Extract and sanitize extension from filename
    let extension = 'jpg';
    if (fileName) {
      const parts = fileName.split('.');
      if (parts.length > 1) {
        const ext = parts[parts.length - 1].toLowerCase();
        // Only allow safe image extensions
        if (['jpg', 'jpeg', 'png', 'gif', 'webp'].includes(ext)) {
          extension = ext;
        }
      }
    }
    const safeFileName = `${crypto.randomUUID()}.${extension}`
    const imageContentType = imageFile.type || 'application/octet-stream'

    console.log(`Direct upload: fileName=${fileName}, contentType=${imageContentType}, size=${imageFile.size}`)

    // 4. INIT R2 CLIENT
    const r2 = new AwsClient({
      accessKeyId: ACCESS_KEY,
      secretAccessKey: SECRET_KEY,
      region: 'auto',
      service: 's3',
    })

    // 5. UPLOAD DIRECTLY TO R2 FROM EDGE FUNCTION
    const url = `https://${ACCOUNT_ID}.r2.cloudflarestorage.com/${R2_BUCKET}/${safeFileName}`
    const imageBytes = await imageFile.arrayBuffer()

    const uploadResponse = await r2.fetch(url, {
      method: 'PUT',
      body: imageBytes,
      headers: {
        'Content-Type': imageContentType,
        'Content-Length': imageBytes.byteLength.toString(),
      },
    })

    if (!uploadResponse.ok) {
      const errorText = await uploadResponse.text()
      console.error('R2 upload failed:', errorText)
      throw new Error(`R2 upload failed: ${uploadResponse.status} ${errorText}`)
    }

    console.log('Successfully uploaded to R2:', safeFileName)

    // 6. RETURN SUCCESS RESPONSE
    // Always return a signed URL to avoid public bucket access.
    const signedUrl = await trySignR2Url(safeFileName)
    if (!signedUrl) {
      throw new Error('Failed to generate signed URL')
    }

    return new Response(
      JSON.stringify({
        publicUrl: signedUrl,
        signedUrl,
        signed_url: signedUrl,
        fileKey: safeFileName,
        fileName: safeFileName,
        fileSize: imageFile.size,
        contentType: imageContentType,
      }),
      {
        headers: {
          ...corsHeaders,
          'Content-Type': 'application/json',
        }
      }
    )

  } catch (error: unknown) {
    const errorMessage = error instanceof Error ? error.message : 'Unknown error'
    console.error('Upload function error:', errorMessage)
    return new Response(
      JSON.stringify({
        error: errorMessage,
        hint: 'Make sure you are logged in and R2 credentials are configured.'
      }),
      {
        status: 400,
        headers: {
          ...corsHeaders,
          'Content-Type': 'application/json'
        }
      }
    )
  }
})