Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
5b60cf5553db7e3d2c751d2276e693b71a30e328
Nexus/packages/api/src/gemini-client.ts
T
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00

103 lines
3.7 KiB
TypeScript
Raw Blame History

import { logger } from "./lib/logger.js";
type GeminiSettings = {
geminiApiKey?: string | null;
geminiModel?: string | null;
};
/** Returns true if the settings have a Gemini API key configured. */
export function isGeminiConfigured(settings: GeminiSettings | null | undefined): boolean {
return !!settings?.geminiApiKey;
}
/**
* Generates an image using the Google Gemini API.
* @returns A base64 data URL of the generated image.
*/
export async function generateGeminiImage(
apiKey: string,
prompt: string,
model = "gemini-2.5-flash-image",
): Promise<string> {
const fullPrompt = `Generate a professional, cinematic cover image for a 3D production project. ${prompt}`;
const start = performance.now();
const response = await fetch(
`https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent?key=${apiKey}`,
{
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
contents: [{ parts: [{ text: fullPrompt }] }],
generationConfig: { responseModalities: ["TEXT", "IMAGE"] },
}),
},
);
if (!response.ok) {
const responseTimeMs = Math.round(performance.now() - start);
const body = await response.text();
let msg = body;
try {
const parsed = JSON.parse(body) as { error?: { message?: string } };
if (parsed.error?.message) msg = parsed.error.message;
} catch {
/* keep raw */
}
logger.warn({ provider: "gemini", model, promptLength: fullPrompt.length, responseTimeMs, status: response.status }, "External API call failed");
throw new Error(`HTTP ${response.status}: ${msg}`);
}
const data = (await response.json()) as {
candidates?: Array<{
content?: {
parts?: Array<{
inlineData?: { data: string; mimeType: string };
text?: string;
}>;
};
}>;
};
const imagePart = data.candidates?.[0]?.content?.parts?.find(
(p) => p.inlineData,
);
if (!imagePart?.inlineData?.data) {
throw new Error("No image data returned from Gemini");
}
const responseTimeMs = Math.round(performance.now() - start);
logger.info({ provider: "gemini", model, promptLength: fullPrompt.length, responseTimeMs }, "External API call");
const base64 = imagePart.inlineData.data;
const mimeType = imagePart.inlineData.mimeType ?? "image/png";
return `data:${mimeType};base64,${base64}`;
}
/** Turns Gemini API errors into actionable human-readable messages. */
export function parseGeminiError(err: unknown): string {
const msg = err instanceof Error ? err.message : String(err);
const lower = msg.toLowerCase();
if (lower.includes("400") || lower.includes("invalid")) {
return "Invalid request — check the Gemini model name and prompt.";
}
if (lower.includes("401") || lower.includes("unauthorized") || lower.includes("api_key_invalid") || lower.includes("api key not valid")) {
return "Invalid API key — make sure you copied it correctly from Google AI Studio.";
}
if (lower.includes("403") || lower.includes("forbidden") || lower.includes("permission")) {
return "Access denied — your API key may not have permission to use image generation.";
}
if (lower.includes("404") || lower.includes("not found")) {
return "Model not found — verify the Gemini model name is correct.";
}
if (lower.includes("429") || lower.includes("rate limit") || lower.includes("quota")) {
return "Rate limit or quota exceeded — wait a moment and try again.";
}
if (lower.includes("econnrefused") || lower.includes("enotfound") || lower.includes("fetch failed")) {
return "Cannot reach the Gemini API — check your network connection.";
}
return msg.replace(/^Error: /, "").slice(0, 300);
}
Reference in New Issue View Git Blame Copy Permalink