o Fý¤hH ã@s¤dZddlZddlZddlZddlZddlmZmZmZm Z m Z ddl m Z ddl mZddlmZmZmZedeƒZd ed efd d „Ze d ¡defdd„ƒZdS)aê media_routes.py Purpose: Serve user-owned images through signed URLs instead of exposing /static/User-photos directly. Requires the user to be authenticated and to own the camera the image belongs to. Routes: - GET /media/ Security: - Token is an HMAC of the normalized relative path under User-photos using SECRET_KEY - No expiry to remain stable; access still requires session auth + ownership check - Prevents enumeration of /static/User-photos and direct linking éN)Ú BlueprintÚabortÚ send_fileÚsessionÚ current_appé)Úget_db)Ú STATIC_PATH)Úparse_ts_from_anyÚnormalize_to_static_user_photosÚresolve_share_tokenÚ media_routesÚdataÚreturncCs dt|ƒ d}t ||¡S)Nú=é)ÚlenÚbase64Úurlsafe_b64decode)rÚpadding©rú)/var/www/html/app_modules/media_routes.pyÚ_b64url_decodesrz/media/ÚtokencCsþd}d}| d¡dkr*t|ƒ}|stdƒ|\}}ddl}| ¡|kr'tdƒd}nlt d¡}|s5td ƒd|vr=td ƒ| dd ¡\}}z t|ƒ d ¡}Wn t y[td ƒYnwt |ƒ}t j  d ¡pgd  d ¡} t | |  d ¡tj¡ ¡} zt|ƒ} Wn t y‹td ƒYnwt | | ¡s–tdƒt|ƒ\} } | s¢tdƒtƒ}|sÐ| dtd| f¡ ¡}|sÐ| dtdf¡ ¡}|rÌt|dpÈdƒd krÐtdƒtj t|¡}tj |¡}| tj t¡¡sêtd ƒtj |¡sôtdƒt |ƒ}d|j!d<|S)NFú.éi“rišTÚuser_idi‘irzutf-8Ú SECRET_KEYÚi”z5SELECT 1 FROM cameras WHERE user_id=? AND camera_id=?z%SELECT is_admin FROM users WHERE id=?Úis_adminzprivate, max-age=300z Cache-Control)"Úcountr rÚtimerÚgetÚsplitrÚdecodeÚ Exceptionr rÚconfigÚencodeÚhmacÚnewÚhashlibÚsha256ÚdigestÚcompare_digestr rÚexecuteÚfetchoneÚintÚosÚpathÚjoinr ÚrealpathÚ startswithÚexistsrÚheaders)rÚrelÚ is_publicÚresolvedÚexpÚ_trÚb64_relÚb64_macÚsecretÚexpectedÚprovidedÚ_ÚcamÚdbÚownerÚrowÚabs_pathÚreal_absÚresprrrÚ media_get#sf    ÿ   ÿ     rJ)Ú__doc__r1rr(r*ÚflaskrrrrrrDrÚpathsr Úhelpersr r r Ú__name__ÚbpÚstrÚbytesrÚrouterJrrrrÚs