hobbyhimmel/Project-Image-Uploader
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
04b13872c9
Project-Image-Uploader/README.md

594 lines
24 KiB
Markdown
Raw Blame History

# Image Uploader with Multi-Upload & Slideshow
A self-hosted image uploader with multi-image upload capabilities and automatic slideshow functionality.
## Features
**Multi-Image Upload**: Upload multiple images at once with batch processing
**Telegram Notifications**: 🆕 Real-time notifications for uploads, consent changes, deletions, and daily warnings
**Social Media Consent Management**: 🆕 GDPR-compliant consent system for workshop display and social media publishing
**Automatic Cleanup**: 🆕 Unapproved groups are automatically deleted after 7 days
**Deletion Log**: 🆕 Complete audit trail of automatically deleted content
**Drag-and-Drop Reordering**: 🆕 User during upload and admins can reorder images via intuitive drag-and-drop interface
**Slideshow Mode**: Automatic fullscreen slideshow with smooth transitions (respects custom ordering)
**Preview Image Optimization**: Automatic thumbnail generation for faster gallery loading (96-98% size reduction)
**Touch-Friendly Interface**: 🆕 Mobile-optimized drag handles and responsive design
**Moderation Panel**: Dedicated moderation interface with consent filtering and export
**Persistent Storage**: Docker volumes ensure data persistence across restarts
**Clean UI**: Minimalist design focused on user experience
**Self-Hosted**: Complete control over your data and infrastructure
## What's New
This project extends the original [Image-Uploader by vallezw](https://github.com/vallezw/Image-Uploader) with enhanced multi-upload and slideshow capabilities.
See the [CHANGELOG](CHANGELOG.md) for a detailed list of improvements and new features.
## Quick Start
### Docker Deployment (Recommended)
#### Production Environment
```bash
# Start production environment
./prod.sh
# Or manually:
docker compose -f docker/prod/docker-compose.yml up -d
```
#### Development Environment
```bash
# Start development environment
./dev.sh
# Or manually:
docker compose -f docker/dev/docker-compose.yml up -d
### Access URLs
#### Production (Port 80):
- Upload Interface: `http://localhost`
- Slideshow Mode: `http://localhost/slideshow`
- Groups Overview: `http://localhost/groups`
- Moderation Panel: `http://localhost/moderation` (requires authentication)
#### Development (Port 3000):
- Upload Interface: `http://localhost:3000`
- Backend API: `http://localhost:5001`
- Slideshow Mode: `http://localhost:3000/slideshow`
### Multi-Image Upload
1. Visit `http://localhost`
2. Drag & drop multiple images or click to select
3. Add an optional description for your image collection
4. **Grant Consent** (mandatory):
- ✅ **Workshop Display**: Required consent to display images on local monitor
- ☐ **Social Media** (optional): Per-platform consent for Facebook, Instagram, TikTok
5. Click "Upload Images" to process the batch
6. Receive your **Group ID** and **Management Link** as reference
7. Images are grouped and await moderation approval
### Self-Service Management Portal
After upload, users receive a unique management link (`/manage/:token`) to:
- **View Upload**: See all images and metadata
- **Manage Consents**: Revoke or restore workshop/social media consents
- **Edit Metadata**: Update title, description, year (triggers re-moderation)
- **Manage Images**: Add new images or delete existing ones
- **Delete Group**: Complete removal with double-confirmation
- **Email Contact**: Request deletion of already published social media posts
**Security Features**:
- No authentication required (token-based access)
- Rate limiting: 10 requests per hour per IP
- Brute-force protection: 20 failed attempts → 24h ban
- Complete audit trail of all management actions
### Slideshow Mode
- **Automatic Access**: Navigate to `http://localhost/slideshow`
- **Features**:
- Fullscreen presentation
- 4-second display per image
- Automatic progression through all slideshow collections
- **🆕 Chronological order**: Groups play from oldest to newest (year → upload date)
- **🆕 Intelligent preloading**: Next images load in background for seamless transitions
- **🆕 Zero loading delays**: Pre-cached images for instant display
- Smooth fade transitions (0.5s)
- **Keyboard Controls**:
- **ESC**: Exit slideshow / Return to upload page
- **Spacebar / Arrow Right**: Manually advance to next image
- **Home Button**: Return to main upload interface
### Preview Image Optimization
The application automatically generates optimized preview thumbnails for all uploaded images to significantly improve gallery loading performance.
- **Automatic Generation**:
- Preview images are created automatically on server startup
- Existing images without previews are processed on-demand
- New uploads generate previews immediately during upload
- **Technical Specifications**:
- **Max Width**: 800px (maintains aspect ratio)
- **Format**: JPEG with 85% quality
- **Size Reduction**: 96-98% smaller than originals (e.g., 2076KB → 58.5KB)
- **Performance**: ~30x faster gallery loading times
- **Smart Image Loading**:
- **Galleries & Overview**: Load lightweight preview images (~50-100KB)
- **Slideshow Mode**: Uses full-resolution originals for best quality
- **Fallback**: Automatically uses originals if preview generation fails
- **Storage**:
- Originals: `backend/src/data/images/` (~2-4MB per image)
- Previews: `backend/src/data/previews/` (~50-100KB per image)
- Database: `preview_path` column stores preview filename
### Moderation Interface (Protected)
- **Access**: `http://localhost/moderation` (requires admin session)
- **Authentication Flow**:
- Built-in login form establishes a server session stored in HttpOnly cookies
- First-time setup wizard creates the initial admin user once `ADMIN_SESSION_SECRET` is configured
- CSRF token must be included (header `X-CSRF-Token`) for any mutating admin API call
- `AUTHENTICATION.md` documents CLI/cURL examples for managing sessions and CSRF tokens
- **Protected Endpoints**: All `/api/admin/*` routes require authentication
- **Features**:
- Review pending image groups before public display
- Visual countdown showing days until automatic deletion (7 days for unapproved groups)
- **Consent Management**:
- Visual consent badges showing social media platforms
- Filter by consent status (All / Workshop-only / Facebook / Instagram / TikTok)
- Export consent data as CSV/JSON for legal compliance
- Consent timestamp tracking
- Approve or reject submitted collections with instant feedback
- Delete individual images from approved groups
- View group details (title, creator, description, image count)
- **Deletion Log** (bottom of moderation page):
- Statistics: Total groups/images deleted, storage freed
- Detailed history table with timestamps and reasons
- Toggle between last 10 entries and complete history
- Bulk moderation actions
- **Automatic Cleanup**:
- Unapproved groups are automatically deleted after 7 days
- Daily cleanup runs at 10:00 AM (Europe/Berlin timezone)
- Complete removal: Database entries + physical files (originals + previews)
- Full audit trail logged for compliance
- **Note**: Approved groups are NEVER automatically deleted
- **Security Features**:
- Password protected access via nginx HTTP Basic Auth
- Hidden from search engines (`robots.txt` + `noindex` meta tags)
- No public links or references in main interface
### Public Overview of all approved slideshows
- **Group Management**: Navigate to `http://localhost/groups`
- Overview of all approved slideshow collections
- Launch slideshow mode from any group
- View group statistics and metadata
## Docker Structure
The application uses separate Docker configurations for development and production with **simplified environment variable management**:
```
docker/
├── .env.backend.example # Backend environment variables documentation
├── .env.frontend.example # Frontend environment variables documentation
├── dev/ # Development environment
│ ├── .env # 🆕 Central dev secrets (gitignored)
│ ├── .env.example # Dev environment template
│ ├── docker-compose.yml # All ENV vars defined here
│ ├── backend/
│ │ └── Dockerfile # Development backend container
│ └── frontend/
│ ├── config/env.sh # Generates window._env_ from ENV
│ ├── Dockerfile # Development frontend container
│ ├── nginx.conf # Development nginx configuration
│ └── start.sh # Development startup script
└── prod/ # Production environment
├── .env # 🆕 Central prod secrets (gitignored)
├── .env.example # Production environment template
├── docker-compose.yml # All ENV vars defined here
├── backend/
│ └── Dockerfile # Production backend container
└── frontend/
├── config/env.sh # Generates window._env_ from ENV
├── config/htpasswd # HTTP Basic Auth credentials
├── Dockerfile # Production frontend container
└── nginx.conf # Production nginx configuration
```
### Environment Configuration
**🆕 Simplified ENV Structure (Nov 2025):**
- **2 central `.env` files** (down from 16 files!)
- `docker/dev/.env` - All development secrets
- `docker/prod/.env` - All production secrets
- **docker-compose.yml** - All environment variables defined in `environment:` sections
- **No .env files in Docker images** - All configuration via docker-compose
- **Frontend env.sh** - Generates `window._env_` JavaScript object from ENV variables at runtime
**How it works:**
1. Docker Compose automatically reads `.env` from the same directory
2. Variables are injected into containers via `environment:` sections using `${VAR}` placeholders
3. Frontend `env.sh` script reads ENV variables and generates JavaScript config at container startup
4. Secrets stay in gitignored `.env` files, never in code or images
- **Development**: Uses `docker/dev/` configuration with live reloading
- **Production**: Uses `docker/prod/` configuration with optimized builds
- **Scripts**: Use `./dev.sh` or `./prod.sh` for easy deployment
## Data Structure
Data are stored in SQLite database. The structure is as follows:
### Core Tables
``` sql
-- Groups table (extended with consent fields)
CREATE TABLE groups (
id INTEGER PRIMARY KEY AUTOINCREMENT,
group_id TEXT UNIQUE NOT NULL,
year INTEGER NOT NULL,
title TEXT NOT NULL,
description TEXT,
name TEXT,
upload_date DATETIME NOT NULL,
approved BOOLEAN DEFAULT FALSE,
display_in_workshop BOOLEAN NOT NULL DEFAULT 0, -- Consent for workshop display
consent_timestamp DATETIME, -- When consent was granted
management_token TEXT, -- For Phase 2: Self-service portal
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
-- Images table
CREATE TABLE images (
id INTEGER PRIMARY KEY AUTOINCREMENT,
group_id TEXT NOT NULL,
file_name TEXT NOT NULL,
original_name TEXT NOT NULL,
file_path TEXT NOT NULL,
preview_path TEXT, -- Optimized thumbnail path
image_description TEXT, -- Individual image description
upload_order INTEGER NOT NULL,
file_size INTEGER,
mime_type TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (group_id) REFERENCES groups(group_id) ON DELETE CASCADE
);
-- Deletion log for audit trail
CREATE TABLE deletion_log (
id INTEGER PRIMARY KEY AUTOINCREMENT,
group_id TEXT NOT NULL,
title TEXT,
name TEXT,
upload_date DATETIME,
image_count INTEGER,
total_size INTEGER,
deletion_reason TEXT,
deleted_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
```
### Social Media Consent Tables
``` sql
-- Configurable social media platforms
CREATE TABLE social_media_platforms (
id INTEGER PRIMARY KEY AUTOINCREMENT,
platform_name TEXT UNIQUE NOT NULL, -- e.g., 'facebook', 'instagram', 'tiktok'
display_name TEXT NOT NULL, -- e.g., 'Facebook', 'Instagram', 'TikTok'
icon_name TEXT, -- Material-UI Icon name
is_active BOOLEAN DEFAULT 1,
sort_order INTEGER DEFAULT 0,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
-- Per-group, per-platform consent tracking
CREATE TABLE group_social_media_consents (
id INTEGER PRIMARY KEY AUTOINCREMENT,
group_id TEXT NOT NULL,
platform_id INTEGER NOT NULL,
consented BOOLEAN NOT NULL DEFAULT 0,
consent_timestamp DATETIME NOT NULL,
revoked BOOLEAN DEFAULT 0, -- For Phase 2: Consent revocation
revoked_timestamp DATETIME, -- When consent was revoked
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (group_id) REFERENCES groups(group_id) ON DELETE CASCADE,
FOREIGN KEY (platform_id) REFERENCES social_media_platforms(id) ON DELETE CASCADE,
UNIQUE(group_id, platform_id)
);
-- Management audit log (Phase 2)
CREATE TABLE management_audit_log (
id INTEGER PRIMARY KEY AUTOINCREMENT,
group_id TEXT,
management_token TEXT, -- First 8 characters only (masked)
action TEXT NOT NULL, -- validate_token, revoke_consent, edit_metadata, add_images, delete_image, delete_group
success BOOLEAN NOT NULL,
error_message TEXT,
ip_address TEXT,
user_agent TEXT,
request_data TEXT, -- JSON of request body
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (group_id) REFERENCES groups(group_id) ON DELETE SET NULL
);
-- Indexes for performance
CREATE INDEX IF NOT EXISTS idx_audit_group_id ON management_audit_log(group_id);
CREATE INDEX IF NOT EXISTS idx_audit_action ON management_audit_log(action);
CREATE INDEX IF NOT EXISTS idx_audit_success ON management_audit_log(success);
CREATE INDEX IF NOT EXISTS idx_audit_created_at ON management_audit_log(created_at);
CREATE INDEX IF NOT EXISTS idx_audit_ip_address ON management_audit_log(ip_address);
revoked_timestamp DATETIME,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (group_id) REFERENCES groups(group_id) ON DELETE CASCADE,
FOREIGN KEY (platform_id) REFERENCES social_media_platforms(id) ON DELETE CASCADE,
UNIQUE(group_id, platform_id)
);
-- Migration tracking
CREATE TABLE schema_migrations (
id INTEGER PRIMARY KEY AUTOINCREMENT,
migration_name TEXT UNIQUE NOT NULL,
applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
```
### Indexes
``` sql
-- Groups indexes
CREATE INDEX idx_groups_group_id ON groups(group_id);
CREATE INDEX idx_groups_year ON groups(year);
CREATE INDEX idx_groups_upload_date ON groups(upload_date);
CREATE INDEX idx_groups_display_consent ON groups(display_in_workshop);
CREATE UNIQUE INDEX idx_groups_management_token ON groups(management_token) WHERE management_token IS NOT NULL;
-- Images indexes
CREATE INDEX idx_images_group_id ON images(group_id);
CREATE INDEX idx_images_upload_order ON images(upload_order);
-- Consent indexes
CREATE INDEX idx_consents_group_id ON group_social_media_consents(group_id);
CREATE INDEX idx_consents_platform_id ON group_social_media_consents(platform_id);
CREATE INDEX idx_consents_consented ON group_social_media_consents(consented);
```
### Triggers
``` sql
-- Update timestamp on groups modification
CREATE TRIGGER update_groups_timestamp
AFTER UPDATE ON groups
FOR EACH ROW
BEGIN
UPDATE groups SET updated_at = CURRENT_TIMESTAMP WHERE id = NEW.id;
END;
-- Update timestamp on consent modification
CREATE TRIGGER update_consents_timestamp
AFTER UPDATE ON group_social_media_consents
FOR EACH ROW
BEGIN
UPDATE group_social_media_consents SET updated_at = CURRENT_TIMESTAMP WHERE id = NEW.id;
END;
```
## Architecture
### Backend (Node.js + Express)
- **Multi-upload API**: `/api/upload/batch` - Handles batch file processing
- **Groups API**: `/api/groups` - Retrieves slideshow collections
- **Preview Generation**: Automatic thumbnail creation using Sharp (800px JPEG, 85% quality)
- **File Storage**: Organized in `/upload` directory (originals) and `/data/previews` (thumbnails)
- **Database Storage**: sqlite database in `/app/src/data/db/image_uploader.db`
### Frontend (React + Material-UI)
- **Multi-Upload Interface**: Drag & drop with preview gallery
- **Progress Tracking**: Real-time upload status
- **Spacebar / Arrow Right**: Manually advance to next image
- **Slideshow Engine**: Fullscreen presentation with automatic progression
- **Responsive Design**: Mobile and desktop optimized
- **Home Button**: Return to main upload interface
### Storage Architecture
```
Docker Volume (app-data)
src
└── app
├── src
├── upload (originals, ~2-4MB each)
│ ├── ZMmHXzHbqw.jpg
│ ├── tjjnngOmXS.jpg
│ └── ...
└── data
├── previews (thumbnails, ~50-100KB each)
│ ├── ZMmHXzHbqw.jpg
│ ├── tjjnngOmXS.jpg
│ └── ...
└── db
└── image_uploader.db
```
### Hosting it with Docker
- **Frontend**: React 17, Material-UI, React Router
- **Backend**: Node.js, Express, Multer (file handling)
- **Containerization**: Docker, Docker Compose
- **Reverse Proxy**: nginx (routing & file serving)[In order to host the project you will need to create a docker-compose file. These files are combining multiple docker images to interact with each other.
- **File Upload**: Drag & drop with react-dropzone
- **Notifications**: SweetAlert2
## API Endpoints
### Upload Operations
- `POST /api/upload/batch` - Upload multiple images with description and consent data
- `GET /api/groups` - Retrieve all slideshow groups
- `GET /api/groups/:id` - Get specific slideshow group
### Consent Management
- `GET /api/social-media/platforms` - Get list of active social media platforms
- `POST /api/groups/:groupId/consents` - Save consent data for a group
- `GET /api/groups/:groupId/consents` - Get consent data for a group
- `GET /api/admin/groups/by-consent` - Filter groups by consent status (query params: `?workshopConsent=true&platform=facebook`)
- `GET /api/admin/consents/export` - Export all consent data as CSV/JSON
### User Self-Service Management Portal (Phase 2 - Backend Complete)
**Management Portal APIs** (Token-based authentication):
- `GET /api/manage/:token` - Validate management token and retrieve group data
- `PUT /api/manage/:token/consents` - Revoke or restore consents (workshop & social media)
- `PUT /api/manage/:token/metadata` - Edit group title and description (resets approval status)
- `POST /api/manage/:token/images` - Add new images to existing group (max 50 total, resets approval)
- `DELETE /api/manage/:token/images/:imageId` - Delete individual image (prevents deleting last image)
- `DELETE /api/manage/:token` - Delete entire group with all images and data
**Management Audit Log APIs** (Admin access only):
- `GET /api/admin/management-audit?limit=N` - Retrieve recent management actions (default: 10)
- `GET /api/admin/management-audit/stats` - Get statistics (total actions, success rate, unique IPs)
- `GET /api/admin/management-audit/group/:groupId` - Get audit log for specific group
**Security Features**:
- IP-based rate limiting: 10 requests per hour per IP
- Brute-force protection: 20 failed token validations → 24-hour IP ban
- Complete audit trail: All management actions logged with IP, User-Agent, timestamp
- Token masking: Only first 8 characters stored in audit log for privacy
- Automatic file cleanup: Physical deletion of images when removed via API
### Moderation Operations (Protected)
- `GET /moderation/groups` - Get all groups pending moderation (includes consent info)
- `PATCH /groups/:id/approve` - Approve/unapprove a group for public display
- `DELETE /groups/:id` - Delete an entire group
- `DELETE /groups/:id/images/:imageId` - Delete individual image from group
### Admin Operations (Protected by /moderation access)
- `GET /api/admin/deletion-log?limit=N` - Get recent deletion log entries (default: 10)
- `GET /api/admin/deletion-log/all` - Get complete deletion history
- `GET /api/admin/deletion-log/stats` - Get deletion statistics (total groups/images deleted, storage freed)
- `POST /api/admin/cleanup/trigger` - Manually trigger cleanup (for testing)
- `GET /api/admin/cleanup/preview` - Preview which groups would be deleted (dry-run)
### File Access
- `GET /api/upload/:filename` - Access uploaded image files (legacy, use `/api/download` instead)
- `GET /api/download/:filename` - Download original full-resolution images
- `GET /api/previews/:filename` - Access optimized preview thumbnails (~100KB, 800px width)
## Testing
### Automatic Cleanup Testing
The application includes comprehensive testing tools for the automatic cleanup feature:
```bash
# Run interactive test helper (recommended)
./tests/test-cleanup.sh
# Available test operations:
# 1. View unapproved groups with age
# 2. Backdate groups for testing (simulate 7+ day old groups)
# 3. Preview cleanup (dry-run)
# 4. Execute cleanup manually
# 5. View deletion log history
```
**Testing Workflow:**
1. Upload a test group (don't approve it)
2. Use test script to backdate it by 8 days
3. Preview what would be deleted
4. Execute cleanup and verify deletion log
For detailed testing instructions, see: [`tests/TESTING-CLEANUP.md`](tests/TESTING-CLEANUP.md)
## Configuration
### Environment Variables
**Simplified ENV Management (Nov 2025):**
All environment variables are now managed through **2 central `.env` files** and `docker-compose.yml`:
**Core Variables:**
| Variable | Default | Description |
|----------|---------|-------------|
| `API_URL` | `http://localhost:5001` | Backend API endpoint (frontend → backend) |
| `PUBLIC_HOST` | `public.test.local` | Public upload subdomain (no admin access) |
| `INTERNAL_HOST` | `internal.test.local` | Internal admin subdomain (full access) |
| `ADMIN_SESSION_SECRET` | - | Secret for admin session cookies (required) |
**Telegram Notifications (Optional):**
| Variable | Default | Description |
|----------|---------|-------------|
| `TELEGRAM_ENABLED` | `false` | Enable/disable Telegram notifications |
| `TELEGRAM_BOT_TOKEN` | - | Telegram Bot API token (from @BotFather) |
| `TELEGRAM_CHAT_ID` | - | Telegram chat/group ID for notifications |
| `TELEGRAM_SEND_TEST_ON_START` | `false` | Send test message on service startup (dev only) |
**Configuration Files:**
- `docker/dev/.env` - Development secrets (gitignored)
- `docker/prod/.env` - Production secrets (gitignored)
- `docker/dev/.env.example` - Development template (committed)
- `docker/prod/.env.example` - Production template (committed)
**How to configure:**
1. Copy `.env.example` to `.env` in the respective environment folder
2. Edit `.env` and set your secrets (ADMIN_SESSION_SECRET, Telegram tokens, etc.)
3. Docker Compose automatically reads `.env` and injects variables into containers
4. Never commit `.env` files (already in `.gitignore`)
**Telegram Setup:** See `scripts/README.telegram.md` for complete configuration guide.
### Volume Configuration
- **Upload Limits**: 100MB maximum file size for batch uploads
- **Supported Formats**: JPG, JPEG, PNG, GIF, WebP
### Backup & Restore
#### Backup slideshow data
```sh
docker cp image-uploader-backend:/usr/src/app/src/data/ ./image-uploader-backup-data
```
#### Restore slideshow data
```sh
docker cp ./image-uploader-backup-data image-uploader-backend:/usr/src/app/src/data
```
## Contributing
Contributions are welcome!
This project extends the original work by [vallezw](https://github.com/vallezw/Image-Uploader).
### Development Setup
1. Fork the repository
2. Create feature branch: `git checkout -b feature/amazing-feature`
3. Commit changes: `git commit -m 'Add amazing feature'`
4. Push to branch: `git push origin feature/amazing-feature`| Field | Type | Description |#### Changing the URL
5. Open a Pull Request
## License
This project is distributed under the MIT License. See `LICENSE` for more information.
## Acknowledgments
- Original project: [Image-Uploader by vallezw](https://github.com/vallezw/Image-Uploader)
Reference in New Issue View Git Blame Copy Permalink