Add validation schemas and improve texture handling

Introduces zod-based validation schemas for Minecraft and Mojang API endpoints. Refactors texture route to support hash-based file serving and removes the old static texture route. Updates database schema for player properties and adds an event to clean expired certificates. Improves ValidationError formatting, adjusts skin/cape URL construction, and adds SSRF protection for skin uploads.
2025-12-28 09:02:10 +01:00
parent 1fe46a03fd
commit 5cfadfd7ac
29 changed files with 490 additions and 24 deletions
--- a/routes/minecraftservices/minecraft/profile/namechange.js
+++ b/routes/minecraftservices/minecraft/profile/namechange.js
@@ -3,7 +3,7 @@ const router = express.Router()
 const userService = require("../../../../services/userService")
 const authService = require("../../../../services/authService")

-router.put("/", async (req, res) => {
+router.get("/", async (req, res) => {
    const player = await authService.verifyAccessToken({ accessToken: req.headers.authorization.replace("Bearer ", "") })
    const nameChangeInformation = await userService.getPlayerNameChangeStatus(player.user.uuid)
    return res.status(nameChangeInformation.code).json(nameChangeInformation.data)
--- a/routes/minecraftservices/minecraft/profile/skins/index.js
+++ b/routes/minecraftservices/minecraft/profile/skins/index.js
@@ -1,3 +1,5 @@
+const fs = require("node:fs")
+const path = require("node:path")
 const express = require("express")
 const router = express.Router()
 const multer = require("multer")
@@ -22,7 +24,11 @@ const uploadLimiter = rateLimit({
    max: 20,
    standardHeaders: true,
    legacyHeaders: false,
+    validate: {
+        ip: false
+    },
    keyGenerator: (req) => {
+        rateLimit.ipKeyGenerator()
        return req.headers.authorization || req.ip
    },
    handler: (req, res, next, options) => {
--- a/routes/textures/texture.js
+++ b/routes/textures/texture.js
@@ -1,13 +0,0 @@
-const express = require("express")
-const router = express.Router()
-const path = require("node:path")
-const fs = require("node:fs")
-
-const TEXTURES_DIR = path.join(process.cwd(), "data", "textures")
-if (!fs.existsSync(TEXTURES_DIR)) {
-    fs.mkdirSync(TEXTURES_DIR, { recursive: true })
-}
-
-router.use(express.static(TEXTURES_DIR))
-
-module.exports = router
--- a/routes/textures/texture/[hash].js
+++ b/routes/textures/texture/[hash].js
@@ -0,0 +1,27 @@
+const express = require("express")
+const router = express.Router({ mergeParams: true })
+const path = require("node:path")
+const fs = require("node:fs")
+const { DefaultError } = require("../../../errors/errors")
+
+const TEXTURES_DIR = path.join(process.cwd(), "data", "textures")
+
+router.get("/", async (req, res, next) => {
+    try {
+        const hash = req.params.hash
+        if (!/^[a-f0-9]{64}$/i.test(hash)) {
+            throw new DefaultError(404, "Texture not found")
+        }
+
+        const subDir = hash.substring(0, 2)
+        const filePath = path.join(TEXTURES_DIR, subDir, hash)
+        if (!fs.existsSync(filePath)) {
+            throw new DefaultError(404, "Texture not found")
+        }
+        res.sendFile(filePath)
+    } catch (err) {
+        return next(err)
+    }
+})
+
+module.exports = router