const express = require('express'); const multer = require('multer'); const path = require('path'); const fs = require('fs'); const crypto = require('crypto'); const User = require('../models/User'); const Asset = require('../models/Asset'); const Scene = require('../models/Scene'); const { protect, optionalAuth } = require('../middlewares/authMiddleware'); const { verifyReferer, setNoCacheHeaders } = require('../middlewares/securityMiddleware'); const { resizeTo8K } = require('../utils/imageHelper'); const { getGPSCoordinates, injectGPSCoordinates } = require('../utils/exifHelper'); const router = express.Router(); // Ensure upload directories exist const uploadDir = path.join(__dirname, '../uploads'); const tempDir = path.join(uploadDir, 'temp'); if (!fs.existsSync(uploadDir)) fs.mkdirSync(uploadDir, { recursive: true }); if (!fs.existsSync(tempDir)) fs.mkdirSync(tempDir, { recursive: true }); // Configure Multer for temp uploads const storage = multer.diskStorage({ destination: (req, file, cb) => { cb(null, tempDir); }, filename: (req, file, cb) => { cb(null, `${Date.now()}_${crypto.randomBytes(4).toString('hex')}${path.extname(file.originalname)}`); } }); const upload = multer({ storage: storage, fileFilter: (req, file, cb) => { // Only accept images if (file.mimetype.startsWith('image/')) { cb(null, true); } else { cb(new Error('Only image files are allowed!'), false); } } }); /** * @route POST /api/scenes * @desc Create a new 3D scene (with 360 photo, 8K resize, EXIF injection) * @access Private (Registered Users) */ router.post('/scenes', protect, upload.single('panorama'), async (req, res) => { try { const { title, lat, lng, privacy, sharedWithUsers } = req.body; if (!req.file) { return res.status(400).json({ message: 'Please upload a panorama image' }); } const latitude = parseFloat(lat); const longitude = parseFloat(lng); if (isNaN(latitude) || isNaN(longitude)) { // Cleanup uploaded file on validation error fs.unlinkSync(req.file.path); return res.status(400).json({ message: 'Valid lat and lng are required' }); } const tempFilePath = req.file.path; const processedFileName = `processed_${req.file.filename}.jpg`; const processedFilePath = path.join(uploadDir, processedFileName); // 1. Process and resize image to 8K JPEG (8192x4096) await resizeTo8K(tempFilePath, processedFilePath); // 2. Analyze EXIF GPS from original file const originalGPS = await getGPSCoordinates(tempFilePath); // 3. Inject Map Lat/Lng coordinates into processed 8K file binary EXIF await injectGPSCoordinates(processedFilePath, latitude, longitude); // 4. Remove original temp file if (fs.existsSync(tempFilePath)) { fs.unlinkSync(tempFilePath); } // 5. Save Asset to DB const asset = new Asset({ filePath: processedFilePath, uploadedBy: req.user._id, coordinates: originalGPS ? { lat: originalGPS.lat, lng: originalGPS.lng } : undefined }); await asset.save(); // 6. Handle share token if privacy is 'shared' let shareToken = undefined; if (privacy === 'shared') { shareToken = crypto.randomBytes(24).toString('hex'); } // Handle sharedWith User IDs let parsedSharedWith = []; if (sharedWithUsers) { try { parsedSharedWith = JSON.parse(sharedWithUsers); } catch (e) { // Ignore parse error } } // 7. Save Scene to DB const scene = new Scene({ title, assetId: asset._id, lat: latitude, lng: longitude, owner: req.user._id, privacy: privacy || 'private', shareToken, sharedWith: parsedSharedWith }); await scene.save(); res.status(201).json({ message: 'Scene created successfully', scene }); } catch (error) { // Cleanup file if error occurs if (req.file && fs.existsSync(req.file.path)) { try { fs.unlinkSync(req.file.path); } catch (e) {} } res.status(500).json({ message: error.message }); } }); /** * @route GET /api/scenes * @desc Get all accessible scenes for the map (respecting privacy rules) * @access Public / Private */ router.get('/scenes', optionalAuth, async (req, res) => { try { let query = {}; if (req.user) { // Logged in: See public, member-only, owned, or shared-with-me scenes query = { $or: [ { privacy: 'public' }, { privacy: 'member' }, { privacy: 'shared' }, // shareToken will be required to fetch panorama, but coordinates show on map { owner: req.user._id }, { sharedWith: req.user._id } ] }; } else { // Guests: See only public or shared scenes query = { $or: [ { privacy: 'public' }, { privacy: 'shared' } ] }; } const scenes = await Scene.find(query) .populate('owner', 'username') .populate('assetId', 'coordinates createdAt'); res.json(scenes); } catch (error) { res.status(500).json({ message: error.message }); } }); /** * @route GET /api/scenes/:id * @desc Get single scene detail (respecting privacy rules) * @access Public / Private */ router.get('/scenes/:id', optionalAuth, async (req, res) => { try { const scene = await Scene.findById(req.id || req.params.id) .populate('owner', 'username') .populate('assetId'); if (!scene) { return res.status(404).json({ message: 'Scene not found' }); } const hasAccess = scene.privacy === 'public' || (scene.privacy === 'member' && req.user) || (req.user && scene.owner._id.toString() === req.user._id.toString()) || (req.user && scene.sharedWith.includes(req.user._id)) || (scene.privacy === 'shared' && req.query.token === scene.shareToken); if (!hasAccess) { return res.status(403).json({ message: 'Access denied to this scene' }); } res.json(scene); } catch (error) { res.status(500).json({ message: error.message }); } }); /** * @route GET /api/assets/view/:assetId * @desc Securely stream panorama images (prevents direct link / unauthorized downloads) * @access Public / Private + Referer Verification + Token validation */ router.get('/assets/view/:assetId', verifyReferer, setNoCacheHeaders, optionalAuth, async (req, res) => { try { const asset = await Asset.findById(req.params.assetId); if (!asset) { return res.status(404).json({ message: 'Asset not found' }); } // Find associated scene to verify privacy const scene = await Scene.findOne({ assetId: asset._id }); if (!scene) { // Orphaned asset, only owner can view if (!req.user || req.user._id.toString() !== asset.uploadedBy.toString()) { return res.status(403).json({ message: 'Access denied' }); } } else { const hasAccess = scene.privacy === 'public' || (scene.privacy === 'member' && req.user) || (req.user && scene.owner.toString() === req.user._id.toString()) || (req.user && scene.sharedWith.includes(req.user._id)) || (scene.privacy === 'shared' && req.query.token === scene.shareToken); if (!hasAccess) { return res.status(403).json({ message: 'Access denied: You do not have permission to view this asset' }); } } if (!fs.existsSync(asset.filePath)) { return res.status(404).json({ message: 'Physical file not found on disk' }); } // Stream file securely res.sendFile(path.resolve(asset.filePath)); } catch (error) { res.status(500).json({ message: error.message }); } }); module.exports = router;