i/next-ai-draw-io
1
0
Fork 0
mirror of https://github.com/DayuanJiang/next-ai-draw-io.git synced 2026-01-02 14:22:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor: add input validation and singleton pattern for Langfuse API routes

Browse Source 
- Add Zod schema validation for log-feedback and log-save endpoints
- Create singleton LangfuseClient to avoid per-request instantiation
- Simplify log-save to only flag trace (no XML content sent)
- Use generic error messages to prevent info leakage
This commit is contained in:
dayuan.jiang
2025-12-04 23:44:00 +09:00
parent d8f2c85dab
commit 46d2d4e078
4 changed files with 73 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
app/api/log-feedback/route.ts
View File

@@ -1,26 +1,34 @@
import { LangfuseClient } from '@langfuse/client';
import { getLangfuseClient } from '@/lib/langfuse';
import { randomUUID } from 'crypto';
import { z } from 'zod';
const feedbackSchema = z.object({
messageId: z.string().min(1).max(200),
feedback: z.enum(['good', 'bad']),
sessionId: z.string().min(1).max(200).optional(),
});
export async function POST(req: Request) {
// Check if Langfuse is configured
if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) {
const langfuse = getLangfuseClient();
if (!langfuse) {
return Response.json({ success: true, logged: false });
}
const { messageId, feedback, sessionId } = await req.json();
// Validate input
let data;
try {
data = feedbackSchema.parse(await req.json());
} catch {
return Response.json({ success: false, error: 'Invalid input' }, { status: 400 });
}
const { messageId, feedback, sessionId } = data;
// Get user IP for tracking
const forwardedFor = req.headers.get('x-forwarded-for');
const userId = forwardedFor?.split(',')[0]?.trim() || 'anonymous';
try {
// Create Langfuse client
const langfuse = new LangfuseClient({
publicKey: process.env.LANGFUSE_PUBLIC_KEY,
secretKey: process.env.LANGFUSE_SECRET_KEY,
baseUrl: process.env.LANGFUSE_BASEURL,
});
// Find the most recent chat trace for this session to attach the score to
const tracesResponse = await langfuse.api.trace.list({
sessionId,
@@ -90,6 +98,6 @@ export async function POST(req: Request) {
return Response.json({ success: true, logged: true });
} catch (error) {
console.error('Langfuse feedback error:', error);
return Response.json({ success: false, error: String(error) }, { status: 500 });
return Response.json({ success: false, error: 'Failed to log feedback' }, { status: 500 });
}
}

75
app/api/log-save/route.ts
View File

@@ -1,29 +1,33 @@
import { LangfuseClient } from '@langfuse/client';
import { getLangfuseClient } from '@/lib/langfuse';
import { randomUUID } from 'crypto';
import { z } from 'zod';
const saveSchema = z.object({
filename: z.string().min(1).max(255),
format: z.enum(['drawio', 'png', 'svg']),
sessionId: z.string().min(1).max(200).optional(),
});
export async function POST(req: Request) {
// Check if Langfuse is configured
if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) {
const langfuse = getLangfuseClient();
if (!langfuse) {
return Response.json({ success: true, logged: false });
}
const { xml, filename, format, sessionId } = await req.json();
// Validate input
let data;
try {
data = saveSchema.parse(await req.json());
} catch {
return Response.json({ success: false, error: 'Invalid input' }, { status: 400 });
}
// Get user IP for tracking
const forwardedFor = req.headers.get('x-forwarded-for');
const userId = forwardedFor?.split(',')[0]?.trim() || 'anonymous';
const { filename, format, sessionId } = data;
try {
// Create Langfuse client
const langfuse = new LangfuseClient({
publicKey: process.env.LANGFUSE_PUBLIC_KEY,
secretKey: process.env.LANGFUSE_SECRET_KEY,
baseUrl: process.env.LANGFUSE_BASEURL,
});
const timestamp = new Date().toISOString();
// Find the most recent chat trace for this session to attach the save event to
// Find the most recent chat trace for this session to attach the save flag
const tracesResponse = await langfuse.api.trace.list({
sessionId,
limit: 1,
@@ -33,54 +37,29 @@ export async function POST(req: Request) {
const latestTrace = traces[0];
if (latestTrace) {
// Create a span on the existing chat trace for the save event
// Add a score to the existing trace to flag that user saved
await langfuse.api.ingestion.batch({
batch: [
{
type: 'span-create',
type: 'score-create',
id: randomUUID(),
timestamp,
body: {
id: randomUUID(),
traceId: latestTrace.id,
name: 'diagram-save',
input: { filename, format },
output: { xmlPreview: xml?.substring(0, 500), contentLength: xml?.length || 0 },
metadata: { source: 'save-button' },
startTime: timestamp,
endTime: timestamp,
},
},
],
});
} else {
// No trace found - create a standalone trace
const traceId = randomUUID();
await langfuse.api.ingestion.batch({
batch: [
{
type: 'trace-create',
id: randomUUID(),
timestamp,
body: {
id: traceId,
name: 'diagram-save',
sessionId,
userId,
input: { filename, format },
output: { xmlPreview: xml?.substring(0, 500), contentLength: xml?.length || 0 },
metadata: { source: 'save-button', note: 'standalone - no chat trace found' },
timestamp,
name: 'diagram-saved',
value: 1,
comment: `User saved diagram as ${filename}.${format}`,
},
},
],
});
}
// If no trace found, skip logging (user hasn't chatted yet)
return Response.json({ success: true, logged: true });
return Response.json({ success: true, logged: !!latestTrace });
} catch (error) {
console.error('Langfuse save error:', error);
return Response.json({ success: false, error: String(error) }, { status: 500 });
return Response.json({ success: false, error: 'Failed to log save' }, { status: 500 });
}
}

14
contexts/diagram-context.tsx
View File

@@ -133,23 +133,21 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) {
fileContent = xmlContent;
mimeType = "application/xml";
extension = ".drawio";
// Log XML to Langfuse
logSaveToLangfuse(xmlContent, filename, format, sessionId);
} else if (format === "png") {
// PNG data comes as base64 data URL
fileContent = exportData;
mimeType = "image/png";
extension = ".png";
logSaveToLangfuse(exportData, filename, format, sessionId);
} else {
// SVG format
fileContent = exportData;
mimeType = "image/svg+xml";
extension = ".svg";
logSaveToLangfuse(exportData, filename, format, sessionId);
}
// Log save event to Langfuse (flags the trace)
logSaveToLangfuse(filename, format, sessionId);
// Handle download
let url: string;
if (typeof fileContent === "string" && fileContent.startsWith("data:")) {
@@ -179,13 +177,13 @@ export function DiagramProvider({ children }: { children: React.ReactNode }) {
drawioRef.current.exportDiagram({ format: drawioFormat });
};
// Log save event to Langfuse
const logSaveToLangfuse = async (content: string, filename: string, format: string, sessionId?: string) => {
// Log save event to Langfuse (just flags the trace, doesn't send content)
const logSaveToLangfuse = async (filename: string, format: string, sessionId?: string) => {
try {
await fetch("/api/log-save", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ xml: content, filename, format, sessionId }),
body: JSON.stringify({ filename, format, sessionId }),
});
} catch (error) {
console.warn("Failed to log save to Langfuse:", error);

20
lib/langfuse.ts
View File

@@ -1,6 +1,26 @@
import { observe, updateActiveTrace } from '@langfuse/tracing';
import { LangfuseClient } from '@langfuse/client';
import * as api from '@opentelemetry/api';
// Singleton LangfuseClient instance for direct API calls
let langfuseClient: LangfuseClient | null = null;
export function getLangfuseClient(): LangfuseClient | null {
if (!process.env.LANGFUSE_PUBLIC_KEY || !process.env.LANGFUSE_SECRET_KEY) {
return null;
}
if (!langfuseClient) {
langfuseClient = new LangfuseClient({
publicKey: process.env.LANGFUSE_PUBLIC_KEY,
secretKey: process.env.LANGFUSE_SECRET_KEY,
baseUrl: process.env.LANGFUSE_BASEURL,
});
}
return langfuseClient;
}
// Check if Langfuse is configured
export function isLangfuseEnabled(): boolean {
return !!process.env.LANGFUSE_PUBLIC_KEY;