refactor: add input validation and singleton pattern for Langfuse API routes

- Add Zod schema validation for log-feedback and log-save endpoints - Create singleton LangfuseClient to avoid per-request instantiation - Simplify log-save to only flag trace (no XML content sent) - Use generic error messages to prevent info leakage
2026-01-02 14:22:28 +08:00 · 2025-12-04 23:44:00 +09:00
parent d8f2c85dab
commit 46d2d4e078
4 changed files with 73 additions and 68 deletions
--- a/contexts/diagram-context.tsx
+++ b/contexts/diagram-context.tsx
@@ -133,23 +133,21 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) {
                    fileContent = xmlContent;
                    mimeType = "application/xml";
                    extension = ".drawio";
-
-                    // Log XML to Langfuse
-                    logSaveToLangfuse(xmlContent, filename, format, sessionId);
                } else if (format === "png") {
                    // PNG data comes as base64 data URL
                    fileContent = exportData;
                    mimeType = "image/png";
                    extension = ".png";
-                    logSaveToLangfuse(exportData, filename, format, sessionId);
                } else {
                    // SVG format
                    fileContent = exportData;
                    mimeType = "image/svg+xml";
                    extension = ".svg";
-                    logSaveToLangfuse(exportData, filename, format, sessionId);
                }

+                // Log save event to Langfuse (flags the trace)
+                logSaveToLangfuse(filename, format, sessionId);
+
                // Handle download
                let url: string;
                if (typeof fileContent === "string" && fileContent.startsWith("data:")) {
@@ -179,13 +177,13 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) {
        drawioRef.current.exportDiagram({ format: drawioFormat });
    };

-    // Log save event to Langfuse
-    const logSaveToLangfuse = async (content: string, filename: string, format: string, sessionId?: string) => {
+    // Log save event to Langfuse (just flags the trace, doesn't send content)
+    const logSaveToLangfuse = async (filename: string, format: string, sessionId?: string) => {
        try {
            await fetch("/api/log-save", {
                method: "POST",
                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify({ xml: content, filename, format, sessionId }),
+                body: JSON.stringify({ filename, format, sessionId }),
            });
        } catch (error) {
            console.warn("Failed to log save to Langfuse:", error);