Improve canvas handling

Author: Ategon

features/quilts/service.ts

@@ -303,6 +303,19 @@ export async function submitQuiltPixels({
   if (quilt.endsAt.getTime() <= Date.now()) {
     throw new BadRequestError("This quilt has ended.");
   }
+  const existingPending = await db.quiltSubmission.findFirst({
+    where: {
+      quiltId: quilt.id,
+      authorId: actor.id,
+      status: QuiltSubmissionStatus.PENDING,
+    },
+    select: { id: true },
+  });
+  if (existingPending) {
+    throw new BadRequestError(
+      "You already have a pending quilt change. Edit it instead of submitting another one.",
+    );
+  }
   const unique = new Map<string, QuiltPixel>();
   for (const pixel of input.pixels) {
     if (pixel.x >= quilt.width || pixel.y >= quilt.height) {

features/users/profile.assets.ts

@@ -1,12 +1,36 @@
 import { appConfig } from "../../config/app.js";
 import { env } from "../../config/env.js";
 
+function isUploadApiPath(pathname: string) {
+  const apiBasePath = appConfig.uploads.apiBasePath.replace(/\/$/, "");
+  return (
+    pathname.startsWith(
+      `${apiBasePath}/${appConfig.uploads.imageRoute}/`,
+    ) ||
+    pathname.startsWith(
+      `${apiBasePath}/${appConfig.uploads.profileImageRoute}/`,
+    )
+  );
+}
+
 export function isAllowedAssetUrl(value: unknown): boolean {
   if (value === null || value === undefined || value === "") return true;
   if (typeof value !== "string") return false;
+  if (isUploadApiPath(value)) return true;
   if (value.startsWith(appConfig.uploads.staticImagesPath)) {
     return true;
   }
+  try {
+    const parsed = new URL(value);
+    if (
+      (parsed.protocol === "http:" || parsed.protocol === "https:") &&
+      isUploadApiPath(parsed.pathname)
+    ) {
+      return true;
+    }
+  } catch {
+    // Relative URLs are handled above.
+  }
   if (value.startsWith(`${appConfig.publicOrigin}${appConfig.uploads.staticImagesPath}`)) {
     return true;
   }