perf: add database indexes, implement caching, enforce permission guards, and sanitize external URLs

2026-05-10 22:01:06 +02:00
parent 351938aa5c
commit aa4c181b0c
14 changed files with 94 additions and 40 deletions
@@ -1,4 +1,4 @@
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { Injectable, Logger, UnauthorizedException } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
 import { ApiKey } from '../database/entities/api-key.entity';
@@ -6,6 +6,8 @@ import * as crypto from 'crypto';

@Injectable()
 export class ApiKeysService {
+  private readonly logger = new Logger(ApiKeysService.name);
+
  constructor(
    @InjectRepository(ApiKey)
    private readonly apiKeyRepo: Repository<ApiKey>,
@@ -50,7 +52,7 @@ export class ApiKeysService {

    // Update last used timestamp (async, don't wait for it to return response faster)
    apiKey.lastUsedAt = new Date();
-    this.apiKeyRepo.save(apiKey).catch(err => console.error('Error updating lastUsedAt:', err));
+    this.apiKeyRepo.save(apiKey).catch(err => this.logger.error('Fehler beim Aktualisieren von lastUsedAt', err));

    return apiKey;
  }
@@ -17,11 +17,10 @@ export class PermissionsGuard implements CanActivate {
      return true;
    }
    
-    const { user } = context.switchToHttp().getRequest();
-    
-    // Let API Key requests bypass the permissions check for now, unless explicitly denied.
-    // Usually API keys have different scopes, but assuming they act as Admins for automated uploads.
-    if (user && user.apiKey) {
+    const request = context.switchToHttp().getRequest();
+    const { user } = request;
+
+    if (request.apiKeyMetadata) {
      return true;
    }