refactor: update parameter order in image and video context processing functions

Author: MagicFun1241

routes/image.go

@@ -38,7 +38,7 @@ func handleImageRequest(logger *zap.Logger, cache *ristretto.Cache[string, Cache
 		pathParams := c.Params("*")
 		logger.Info("image request received", zap.String("pathParams", pathParams))
 
-		ok, status, err, params := validation.ProcessImageContextFromPath(logger, pathParams, config)
+		ok, status, params, err := validation.ProcessImageContextFromPath(logger, pathParams, config)
 		if !ok {
 			return c.Status(status).SendString(err.Error())
 		}
@@ -240,6 +240,7 @@ func processImageData(c *fiber.Ctx, logger *zap.Logger, cache *ristretto.Cache[s
 //#region handleImageUpload
 
 // handleImageUpload processes image upload requests with path parameters
+// Requires: token (in path parameters), optional location and signature for S3 upload
 func handleImageUpload(logger *zap.Logger, cache *ristretto.Cache[string, CacheValue], config *config.Config, counters *metrics.Metrics, s3cache *S3Cache) fiber.Handler {
 	return func(c *fiber.Ctx) error {
 		logger.Info("image upload request received")
@@ -256,11 +257,19 @@ func handleImageUpload(logger *zap.Logger, cache *ristretto.Cache[string, CacheV
 		}
 		defer imageFile.Close()
 
-		ok, status, err, params := validation.ProcessImageUploadFromPath(logger, pathParams, config)
+		ok, status, params, err := validation.ProcessImageUploadFromPath(logger, pathParams, config)
 		if !ok {
 			return c.Status(status).SendString(err.Error())
 		}
 
+		// Check if S3 is required and enabled (when CustomObjectKey is provided)
+		if params.CustomObjectKey != "" {
+			if s3cache == nil || !s3cache.Enabled || s3cache.Client == nil {
+				logger.Error("S3 storage is not enabled or configured")
+				return c.Status(fiber.StatusServiceUnavailable).SendString("image upload service unavailable")
+			}
+		}
+
 		contentType := body.Header.Get("Content-Type")
 		if contentType == "" {
 			return c.Status(fiber.StatusForbidden).SendString("no content type received")

routes/video.go

@@ -51,7 +51,7 @@ func handleVideoPreviewRequest(logger *zap.Logger, cache *ristretto.Cache[string
 		pathParams := c.Params("*")
 		logger.Info("video preview request received", zap.String("pathParams", pathParams))
 
-		ok, status, err, params := validation.ProcessImageContextFromPath(logger, pathParams, config)
+		ok, status, params, err := validation.ProcessImageContextFromPath(logger, pathParams, config)
 		if !ok {
 			return c.Status(status).SendString(err.Error())
 		}
@@ -74,7 +74,7 @@ func handleVideoProxyRequest(logger *zap.Logger, cache *ristretto.Cache[string,
 		pathParams := c.Params("*")
 		logger.Info("video proxy request received", zap.String("pathParams", pathParams))
 
-		ok, status, err, params := validation.ProcessImageContextFromPath(logger, pathParams, config)
+		ok, status, params, err := validation.ProcessImageContextFromPath(logger, pathParams, config)
 		if !ok {
 			return c.Status(status).SendString(err.Error())
 		}

validation/validation.go

@@ -216,42 +216,73 @@ func sanitizeLocation(loc string) (string, error) {
 }
 
 // ProcessImageUploadFromPath processes image upload parameters from path
-func ProcessImageUploadFromPath(logger *zap.Logger, pathParams string, config *config.Config) (bool, int, error, *ImageContext) {
+// Validation: Either validate token OR if location and signature provided, validate signature
+func ProcessImageUploadFromPath(logger *zap.Logger, pathParams string, config *config.Config) (bool, int, *ImageContext, error) {
 	params, err := ParsePathParams(pathParams)
 	if err != nil {
-		return false, fiber.StatusBadRequest, fmt.Errorf("invalid path parameters: %w", err), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("invalid path parameters: %w", err)
 	}
 
-	if params.Token != config.Token {
-		return false, fiber.StatusForbidden, fmt.Errorf("invalid token"), nil
+	// Handle optional S3 location with signature validation (if provided, use signature validation instead of token)
+	var customObjectKey string
+	if params.Location != "" && params.Signature != "" {
+		// Signature validation mode for S3 upload
+		if config.HmacKey == "" {
+			return false, fiber.StatusInternalServerError, nil, fmt.Errorf("hmac key not configured")
+		}
+
+		// Decode location
+		decodedLocation, err := DecodeBase64URL(params.Location)
+		if err != nil {
+			return false, fiber.StatusBadRequest, nil, fmt.Errorf("invalid location encoding: %w", err)
+		}
+
+		// Sanitize location
+		sanitized, err := sanitizeLocation(decodedLocation)
+		if err != nil {
+			return false, fiber.StatusBadRequest, nil, fmt.Errorf("invalid location: %w", err)
+		}
+
+		// Validate signature: HMAC(location)
+		if !compareHmacForMessage(sanitized, params.Signature, config.HmacKey) {
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("invalid signature")
+		}
+
+		customObjectKey = sanitized
+	} else {
+		// Token validation mode (default)
+		if params.Token != config.Token {
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("invalid token")
+		}
 	}
 
 	if params.Quality < 1 || params.Quality > 100 {
-		return false, fiber.StatusBadRequest, fmt.Errorf("quality must be between 1 and 100"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("quality must be between 1 and 100")
 	}
 
 	if params.Width > 0 && params.Height > 0 && (params.Width < 1 || params.Height < 1) {
-		return false, fiber.StatusBadRequest, fmt.Errorf("width and height must be greater than 0"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("width and height must be greater than 0")
 	}
 
 	if params.Scale < 0 || params.Scale > 1 {
-		return false, fiber.StatusBadRequest, fmt.Errorf("scale must be between 0 and 1"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("scale must be between 0 and 1")
 	}
 
 	// Apply default webp setting if not specified
 	if !params.Webp && config.Webp {
 		params.Webp = config.Webp
 	}
 
-	return true, fiber.StatusOK, nil, &ImageContext{
-		Quality:       params.Quality,
-		Width:         params.Width,
-		Height:        params.Height,
-		Scale:         params.Scale,
-		Interpolation: params.Interpolation,
-		Webp:          params.Webp,
-		FramePosition: params.FramePosition,
-	}
+	return true, fiber.StatusOK, &ImageContext{
+		Quality:         params.Quality,
+		Width:           params.Width,
+		Height:          params.Height,
+		Scale:           params.Scale,
+		Interpolation:   params.Interpolation,
+		Webp:            params.Webp,
+		FramePosition:   params.FramePosition,
+		CustomObjectKey: customObjectKey,
+	}, nil
 }
 
 func ProcessImageUpload(logger *zap.Logger, c *fiber.Ctx, config *config.Config) (ok bool, status int, err error, params *ImageContext) {
@@ -294,35 +325,35 @@ func ProcessImageUpload(logger *zap.Logger, c *fiber.Ctx, config *config.Config)
 }
 
 // ProcessImageContextFromPath processes image context from path parameters
-func ProcessImageContextFromPath(logger *zap.Logger, pathParams string, config *config.Config) (bool, int, error, *ImageContext) {
+func ProcessImageContextFromPath(logger *zap.Logger, pathParams string, config *config.Config) (bool, int, *ImageContext, error) {
 	params, err := ParsePathParams(pathParams)
 	if err != nil {
-		return false, fiber.StatusBadRequest, fmt.Errorf("invalid path parameters: %w", err), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("invalid path parameters: %w", err)
 	}
 
 	// URL is optional if location is provided
 	urlParam := ""
 	if params.EncodedURL != "" {
 		urlParam, err = DecodeURL(params.EncodedURL)
 		if err != nil {
-			return false, fiber.StatusBadRequest, fmt.Errorf("failed to decode URL: %w", err), nil
+			return false, fiber.StatusBadRequest, nil, fmt.Errorf("failed to decode URL: %w", err)
 		}
 	}
 
 	// If custom location is requested, require signature and validate location
 	customObjectKey := ""
 	if params.Location != "" {
 		if config.HmacKey == "" || params.Signature == "" {
-			return false, fiber.StatusForbidden, fmt.Errorf("signature required for custom location"), nil
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("signature required for custom location")
 		}
 		// Expect location to be base64 URL-safe encoded
 		decodedLocation, derr := DecodeBase64URL(params.Location)
 		if derr != nil {
-			return false, fiber.StatusBadRequest, derr, nil
+			return false, fiber.StatusBadRequest, nil, derr
 		}
 		sanitized, serr := sanitizeLocation(decodedLocation)
 		if serr != nil {
-			return false, fiber.StatusBadRequest, serr, nil
+			return false, fiber.StatusBadRequest, nil, serr
 		}
 
 		// If URL is provided, sign URL|location, otherwise just sign location
@@ -334,23 +365,23 @@ func ProcessImageContextFromPath(logger *zap.Logger, pathParams string, config *
 		}
 
 		if !compareHmacForMessage(signedMsg, params.Signature, config.HmacKey) {
-			return false, fiber.StatusForbidden, fmt.Errorf("invalid signature for location"), nil
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("invalid signature for location")
 		}
 		customObjectKey = sanitized
 	} else if params.Signature != "" { // normal signature over URL only
 		if config.HmacKey == "" {
-			return false, fiber.StatusForbidden, fmt.Errorf("hmac key is not set"), nil
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("hmac key is not set")
 		}
 		if urlParam == "" {
-			return false, fiber.StatusBadRequest, fmt.Errorf("url is required when signature is provided without location"), nil
+			return false, fiber.StatusBadRequest, nil, fmt.Errorf("url is required when signature is provided without location")
 		}
 		if !compareHmac(urlParam, params.Signature, config.HmacKey) {
-			return false, fiber.StatusForbidden, fmt.Errorf("invalid signature"), nil
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("invalid signature")
 		}
 	} else {
 		// Neither location nor signature provided, URL is required
 		if urlParam == "" {
-			return false, fiber.StatusBadRequest, fmt.Errorf("url or location is required"), nil
+			return false, fiber.StatusBadRequest, nil, fmt.Errorf("url or location is required")
 		}
 	}
 
@@ -359,29 +390,29 @@ func ProcessImageContextFromPath(logger *zap.Logger, pathParams string, config *
 	if urlParam != "" {
 		validOrigin, validHostname := pool.ValidateUrl(logger, urlParam, config.AllowedOrigins)
 		if !validOrigin {
-			return false, fiber.StatusForbidden, fmt.Errorf("url is not allowed"), nil
+			return false, fiber.StatusForbidden, nil, fmt.Errorf("url is not allowed")
 		}
 		hostname = validHostname
 	}
 
 	if params.Quality < 1 || params.Quality > 100 {
-		return false, fiber.StatusBadRequest, fmt.Errorf("quality must be between 1 and 100"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("quality must be between 1 and 100")
 	}
 
 	if params.Width > 0 && params.Height > 0 && (params.Width < 1 || params.Height < 1) {
-		return false, fiber.StatusBadRequest, fmt.Errorf("width and height must be greater than 0"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("width and height must be greater than 0")
 	}
 
 	if params.Scale < 0 || params.Scale > 1 {
-		return false, fiber.StatusBadRequest, fmt.Errorf("scale must be between 0 and 1"), nil
+		return false, fiber.StatusBadRequest, nil, fmt.Errorf("scale must be between 0 and 1")
 	}
 
 	// Apply default webp setting if not specified
 	if !params.Webp && config.Webp {
 		params.Webp = config.Webp
 	}
 
-	return true, fiber.StatusOK, nil, &ImageContext{
+	return true, fiber.StatusOK, &ImageContext{
 		Url:             urlParam,
 		Quality:         params.Quality,
 		Width:           params.Width,
@@ -392,7 +423,7 @@ func ProcessImageContextFromPath(logger *zap.Logger, pathParams string, config *
 		FramePosition:   params.FramePosition,
 		Hostname:        hostname,
 		CustomObjectKey: customObjectKey,
-	}
+	}, nil
 }
 
 func ProcessImageContext(logger *zap.Logger, c *fiber.Ctx, config *config.Config) (ok bool, status int, err error, params *ImageContext) {