From 46d2d4e078904df82ea01c86531814fd2aa6b35d Mon Sep 17 00:00:00 2001 From: "dayuan.jiang" Date: Thu, 4 Dec 2025 23:44:00 +0900 Subject: [PATCH] refactor: add input validation and singleton pattern for Langfuse API routes - Add Zod schema validation for log-feedback and log-save endpoints - Create singleton LangfuseClient to avoid per-request instantiation - Simplify log-save to only flag trace (no XML content sent) - Use generic error messages to prevent info leakage --- app/api/log-feedback/route.ts | 32 +++++++++------ app/api/log-save/route.ts | 75 +++++++++++++---------------------- contexts/diagram-context.tsx | 14 +++---- lib/langfuse.ts | 20 ++++++++++ 4 files changed, 73 insertions(+), 68 deletions(-) diff --git a/app/api/log-feedback/route.ts b/app/api/log-feedback/route.ts index 0b93f02..a0dbb09 100644 --- a/app/api/log-feedback/route.ts +++ b/app/api/log-feedback/route.ts @@ -1,26 +1,34 @@ -import { LangfuseClient } from '@langfuse/client'; +import { getLangfuseClient } from '@/lib/langfuse'; import { randomUUID } from 'crypto'; +import { z } from 'zod'; + +const feedbackSchema = z.object({ + messageId: z.string().min(1).max(200), + feedback: z.enum(['good', 'bad']), + sessionId: z.string().min(1).max(200).optional(), +}); export async function POST(req: Request) { - // Check if Langfuse is configured - if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) { + const langfuse = getLangfuseClient(); + if (!langfuse) { return Response.json({ success: true, logged: false }); } - const { messageId, feedback, sessionId } = await req.json(); + // Validate input + let data; + try { + data = feedbackSchema.parse(await req.json()); + } catch { + return Response.json({ success: false, error: 'Invalid input' }, { status: 400 }); + } + + const { messageId, feedback, sessionId } = data; // Get user IP for tracking const forwardedFor = req.headers.get('x-forwarded-for'); const userId = forwardedFor?.split(',')[0]?.trim() || 'anonymous'; try { - // Create Langfuse client - const langfuse = new LangfuseClient({ - publicKey: process.env.LANGFUSE_PUBLIC_KEY, - secretKey: process.env.LANGFUSE_SECRET_KEY, - baseUrl: process.env.LANGFUSE_BASEURL, - }); - // Find the most recent chat trace for this session to attach the score to const tracesResponse = await langfuse.api.trace.list({ sessionId, @@ -90,6 +98,6 @@ export async function POST(req: Request) { return Response.json({ success: true, logged: true }); } catch (error) { console.error('Langfuse feedback error:', error); - return Response.json({ success: false, error: String(error) }, { status: 500 }); + return Response.json({ success: false, error: 'Failed to log feedback' }, { status: 500 }); } } diff --git a/app/api/log-save/route.ts b/app/api/log-save/route.ts index 0be7ff4..e4862c9 100644 --- a/app/api/log-save/route.ts +++ b/app/api/log-save/route.ts @@ -1,29 +1,33 @@ -import { LangfuseClient } from '@langfuse/client'; +import { getLangfuseClient } from '@/lib/langfuse'; import { randomUUID } from 'crypto'; +import { z } from 'zod'; + +const saveSchema = z.object({ + filename: z.string().min(1).max(255), + format: z.enum(['drawio', 'png', 'svg']), + sessionId: z.string().min(1).max(200).optional(), +}); export async function POST(req: Request) { - // Check if Langfuse is configured - if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) { + const langfuse = getLangfuseClient(); + if (!langfuse) { return Response.json({ success: true, logged: false }); } - const { xml, filename, format, sessionId } = await req.json(); + // Validate input + let data; + try { + data = saveSchema.parse(await req.json()); + } catch { + return Response.json({ success: false, error: 'Invalid input' }, { status: 400 }); + } - // Get user IP for tracking - const forwardedFor = req.headers.get('x-forwarded-for'); - const userId = forwardedFor?.split(',')[0]?.trim() || 'anonymous'; + const { filename, format, sessionId } = data; try { - // Create Langfuse client - const langfuse = new LangfuseClient({ - publicKey: process.env.LANGFUSE_PUBLIC_KEY, - secretKey: process.env.LANGFUSE_SECRET_KEY, - baseUrl: process.env.LANGFUSE_BASEURL, - }); - const timestamp = new Date().toISOString(); - // Find the most recent chat trace for this session to attach the save event to + // Find the most recent chat trace for this session to attach the save flag const tracesResponse = await langfuse.api.trace.list({ sessionId, limit: 1, @@ -33,54 +37,29 @@ export async function POST(req: Request) { const latestTrace = traces[0]; if (latestTrace) { - // Create a span on the existing chat trace for the save event + // Add a score to the existing trace to flag that user saved await langfuse.api.ingestion.batch({ batch: [ { - type: 'span-create', + type: 'score-create', id: randomUUID(), timestamp, body: { id: randomUUID(), traceId: latestTrace.id, - name: 'diagram-save', - input: { filename, format }, - output: { xmlPreview: xml?.substring(0, 500), contentLength: xml?.length || 0 }, - metadata: { source: 'save-button' }, - startTime: timestamp, - endTime: timestamp, - }, - }, - ], - }); - } else { - // No trace found - create a standalone trace - const traceId = randomUUID(); - - await langfuse.api.ingestion.batch({ - batch: [ - { - type: 'trace-create', - id: randomUUID(), - timestamp, - body: { - id: traceId, - name: 'diagram-save', - sessionId, - userId, - input: { filename, format }, - output: { xmlPreview: xml?.substring(0, 500), contentLength: xml?.length || 0 }, - metadata: { source: 'save-button', note: 'standalone - no chat trace found' }, - timestamp, + name: 'diagram-saved', + value: 1, + comment: `User saved diagram as ${filename}.${format}`, }, }, ], }); } + // If no trace found, skip logging (user hasn't chatted yet) - return Response.json({ success: true, logged: true }); + return Response.json({ success: true, logged: !!latestTrace }); } catch (error) { console.error('Langfuse save error:', error); - return Response.json({ success: false, error: String(error) }, { status: 500 }); + return Response.json({ success: false, error: 'Failed to log save' }, { status: 500 }); } } diff --git a/contexts/diagram-context.tsx b/contexts/diagram-context.tsx index 3903e4e..1995f71 100644 --- a/contexts/diagram-context.tsx +++ b/contexts/diagram-context.tsx @@ -133,23 +133,21 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) { fileContent = xmlContent; mimeType = "application/xml"; extension = ".drawio"; - - // Log XML to Langfuse - logSaveToLangfuse(xmlContent, filename, format, sessionId); } else if (format === "png") { // PNG data comes as base64 data URL fileContent = exportData; mimeType = "image/png"; extension = ".png"; - logSaveToLangfuse(exportData, filename, format, sessionId); } else { // SVG format fileContent = exportData; mimeType = "image/svg+xml"; extension = ".svg"; - logSaveToLangfuse(exportData, filename, format, sessionId); } + // Log save event to Langfuse (flags the trace) + logSaveToLangfuse(filename, format, sessionId); + // Handle download let url: string; if (typeof fileContent === "string" && fileContent.startsWith("data:")) { @@ -179,13 +177,13 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) { drawioRef.current.exportDiagram({ format: drawioFormat }); }; - // Log save event to Langfuse - const logSaveToLangfuse = async (content: string, filename: string, format: string, sessionId?: string) => { + // Log save event to Langfuse (just flags the trace, doesn't send content) + const logSaveToLangfuse = async (filename: string, format: string, sessionId?: string) => { try { await fetch("/api/log-save", { method: "POST", headers: { "Content-Type": "application/json" }, - body: JSON.stringify({ xml: content, filename, format, sessionId }), + body: JSON.stringify({ filename, format, sessionId }), }); } catch (error) { console.warn("Failed to log save to Langfuse:", error); diff --git a/lib/langfuse.ts b/lib/langfuse.ts index 56b1c54..1b74cd3 100644 --- a/lib/langfuse.ts +++ b/lib/langfuse.ts @@ -1,6 +1,26 @@ import { observe, updateActiveTrace } from '@langfuse/tracing'; +import { LangfuseClient } from '@langfuse/client'; import * as api from '@opentelemetry/api'; +// Singleton LangfuseClient instance for direct API calls +let langfuseClient: LangfuseClient | null = null; + +export function getLangfuseClient(): LangfuseClient | null { + if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) { + return null; + } + + if (!langfuseClient) { + langfuseClient = new LangfuseClient({ + publicKey: process.env.LANGFUSE_PUBLIC_KEY, + secretKey: process.env.LANGFUSE_SECRET_KEY, + baseUrl: process.env.LANGFUSE_BASEURL, + }); + } + + return langfuseClient; +} + // Check if Langfuse is configured export function isLangfuseEnabled(): boolean { return !!process.env.LANGFUSE_PUBLIC_KEY;