Save workspace changes

.deploy/artwork-evolution-release/app/Http/Requests/Uploads/UploadFinishRequest.php

@@ -0,0 +1,144 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Uploads;
+
+use App\Models\Artwork;
+use App\Repositories\Uploads\UploadSessionRepository;
+use App\Services\Uploads\UploadTokenService;
+use Illuminate\Foundation\Http\FormRequest;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+final class UploadFinishRequest extends FormRequest
+{
+    private ?Artwork $artwork = null;
+
+    public function authorize(): bool
+    {
+        $user = $this->user();
+        if (! $user) {
+            $this->logUnauthorized('missing_user');
+            $this->denyAsNotFound();
+        }
+
+        $sessionId = (string) $this->input('session_id');
+        if ($sessionId === '') {
+            $this->logUnauthorized('missing_session_id');
+            $this->denyAsNotFound();
+        }
+
+        $sessions = $this->container->make(UploadSessionRepository::class);
+        $session = $sessions->get($sessionId);
+        if (! $session || $session->userId !== $user->id) {
+            $this->logUnauthorized('not_owned_or_missing');
+            $this->denyAsNotFound();
+        }
+
+        $token = $this->header('X-Upload-Token') ?: $this->input('upload_token');
+        if ($token) {
+            $tokens = $this->container->make(UploadTokenService::class);
+            $payload = $tokens->get((string) $token);
+            if (! $payload) {
+                $this->logUnauthorized('invalid_token');
+                $this->denyAsNotFound();
+            }
+
+            if (($payload['session_id'] ?? null) !== $sessionId) {
+                $this->logUnauthorized('token_session_mismatch');
+                $this->denyAsNotFound();
+            }
+
+            if ((int) ($payload['user_id'] ?? 0) !== (int) $user->id) {
+                $this->logUnauthorized('token_user_mismatch');
+                $this->denyAsNotFound();
+            }
+        }
+
+        $artworkId = (int) $this->input('artwork_id');
+        if ($artworkId <= 0) {
+            $this->logUnauthorized('missing_artwork_id');
+            $this->denyAsNotFound();
+        }
+
+        $archiveSessionId = (string) $this->input('archive_session_id');
+        if ($archiveSessionId !== '') {
+            $archiveSession = $sessions->get($archiveSessionId);
+            if (! $archiveSession || $archiveSession->userId !== $user->id) {
+                $this->logUnauthorized('archive_session_not_owned_or_missing');
+                $this->denyAsNotFound();
+            }
+        }
+
+        $additionalScreenshotSessions = $this->input('additional_screenshot_sessions', []);
+        if (is_array($additionalScreenshotSessions)) {
+            foreach ($additionalScreenshotSessions as $index => $payload) {
+                $screenshotSessionId = (string) data_get($payload, 'session_id', '');
+                if ($screenshotSessionId === '') {
+                    continue;
+                }
+
+                $screenshotSession = $sessions->get($screenshotSessionId);
+                if (! $screenshotSession || $screenshotSession->userId !== $user->id) {
+                    $this->logUnauthorized('additional_screenshot_session_not_owned_or_missing');
+                    logger()->warning('Upload finish additional screenshot session rejected', [
+                        'index' => $index,
+                        'session_id' => $screenshotSessionId,
+                        'user_id' => $user->id,
+                    ]);
+                    $this->denyAsNotFound();
+                }
+            }
+        }
+
+        $artwork = Artwork::query()->find($artworkId);
+        if (! $artwork || (int) $artwork->user_id !== (int) $user->id) {
+            $this->logUnauthorized('artwork_not_owned_or_missing');
+            $this->denyAsNotFound();
+        }
+
+        $this->artwork = $artwork;
+
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'session_id' => 'required|uuid',
+            'artwork_id' => 'required|integer',
+            'upload_token' => 'nullable|string|min:40|max:200',
+            'file_name' => 'nullable|string|max:255',
+            'archive_session_id' => 'nullable|uuid|different:session_id',
+            'archive_file_name' => 'nullable|string|max:255',
+            'additional_screenshot_sessions' => 'nullable|array|max:4',
+            'additional_screenshot_sessions.*.session_id' => 'required|uuid|distinct|different:session_id|different:archive_session_id',
+            'additional_screenshot_sessions.*.file_name' => 'nullable|string|max:255',
+        ];
+    }
+
+    public function artwork(): Artwork
+    {
+        if (! $this->artwork) {
+            $this->denyAsNotFound();
+        }
+
+        return $this->artwork;
+    }
+
+    private function denyAsNotFound(): void
+    {
+        throw new NotFoundHttpException();
+    }
+
+    private function logUnauthorized(string $reason): void
+    {
+        logger()->warning('Upload finish unauthorized access', [
+            'reason' => $reason,
+            'session_id' => (string) $this->input('session_id'),
+            'artwork_id' => $this->input('artwork_id'),
+            'user_id' => $this->user()?->id,
+            'ip' => $this->ip(),
+        ]);
+    }
+}