Files
infiplot-web/apps/web/app/api/vision/route.ts
T
yuanzonghao 203e63edc2 fix: server-side payload cap + cleaner image abort
Addresses Copilot review on PR #9:

- /api/vision: add MAX_ANNOTATED_BYTES (3 MB) cap on annotatedImageBase64,
  plus an explicit type/non-empty check. Browser annotator resizes to 768
  wide (typically 200-800 KB base64), so 3 MB rejects abusive direct-API
  payloads that would otherwise inflate upstream vision LLM costs.
- annotateClient: replace `img.src = ""` on timeout with removeAttribute
  to avoid the legacy browser behavior of treating empty src as a
  navigation to the current document URL.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 22:13:40 +08:00

53 lines
1.6 KiB
TypeScript

import { visionDecide } from "@infiplot/engine";
import type { VisionRequest } from "@infiplot/types";
import { NextResponse } from "next/server";
import { loadEngineConfig } from "@/lib/config";
export const runtime = "nodejs";
export const maxDuration = 60;
// Browser annotator resizes to 768 wide → typically 200-800 KB base64.
// 3 MB caps abusive direct-API payloads (which would inflate upstream
// vision LLM costs) while leaving ~4x headroom for legitimate inputs.
const MAX_ANNOTATED_BYTES = 3 * 1024 * 1024;
export async function POST(req: Request) {
let body: VisionRequest;
try {
body = (await req.json()) as VisionRequest;
} catch {
return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
}
if (!body.session) {
return NextResponse.json(
{ error: "session is required" },
{ status: 400 },
);
}
if (
typeof body.annotatedImageBase64 !== "string" ||
body.annotatedImageBase64.length === 0
) {
return NextResponse.json(
{ error: "annotatedImageBase64 must be a non-empty string" },
{ status: 400 },
);
}
if (body.annotatedImageBase64.length > MAX_ANNOTATED_BYTES) {
return NextResponse.json(
{ error: `annotatedImageBase64 exceeds ${MAX_ANNOTATED_BYTES} bytes` },
{ status: 413 },
);
}
try {
const config = loadEngineConfig();
const result = await visionDecide(config, body);
return NextResponse.json(result);
} catch (err) {
const message = err instanceof Error ? err.message : "Unknown error";
return NextResponse.json({ error: message }, { status: 500 });
}
}