store question assets in BLOB columns rather than disk

Author: usrbinsam

CodeChallenge/api/questions.py

@@ -1,3 +1,5 @@
+import os
+from hashlib import blake2s
 from hmac import compare_digest as str_cmp
 
 from flask import Blueprint, current_app, jsonify, request
@@ -52,10 +54,21 @@ def next_question():
  return jsonify(status="error",
  reason=f"no questions for rank {rank!r}"), 404
 
+ # make filename less predictable
+ data = bytes(current_app.config["SECRET_KEY"] + str(q.rank), "ascii")
+ filename = blake2s(data).hexdigest()
+
+ asset = f"assets/{filename}{q.asset_ext}"
+ asset_path = os.path.join(current_app.config["APP_DIR"], asset)
+
+ if not os.path.isfile(asset_path):
+ with open(asset_path, "wb") as fhandle:
+ fhandle.write(q.asset)
+
  return jsonify(status="success",
  question=q.title,
  rank=rank,
- asset=f"assets/{q.asset}"), 200
+ asset=asset), 200
 
 
 def answer_limit_attempts():

CodeChallenge/cli/questions.py

@@ -1,3 +1,5 @@
+import os.path
+
 import click
 from flask import Blueprint
 from tabulate import tabulate
@@ -22,6 +24,7 @@ def q_add(title, answer, rank, asset):
  ASSET is a path to a file to upload for a question
  """
 
+ asset = os.path.abspath(asset)
  qid = add_question(title, answer, rank, asset)
 
  click.echo(f"added question id {qid}")
@@ -33,11 +36,11 @@ def q_ls(tablefmt):
  """List all questions in the database"""
  table = []
 
- for q in Question.query.all():
- table.append((q.id, q.title, q.answer, q.rank, q.asset))
+ for q in Question.query.all(): # type: Question
+ table.append((q.id, q.title, q.answer, q.rank, f"{len(q.asset)} length blob", q.asset_ext))
 
  click.echo(tabulate(table,
- ("id", "title", "answer", "rank", "asset"),
+ ("id", "title", "answer", "rank", "asset", "asset_ext"),
  tablefmt=tablefmt))
 
  if not table:

CodeChallenge/config.py

@@ -53,6 +53,7 @@ class ProductionConfig(DefaultConfig):
 class DevelopmentConfig(ProductionConfig):
  SQLALCHEMY_DATABASE_URI = "mysql://cc-user:password@localhost" \
  "/code_challenge_local"
+ # SQLALCHEMY_DATABASE_URI = "mysql+mysqldb://codechallenge:cHALcw9Z0HqB2gD9B1Kkmy83GvTI19x0NzRNO3zqZhqbIKqY9P@learndb002.cm1f2l4z67tv.us-west-2.rds.amazonaws.com/code_challenge"
  JWT_COOKIE_SECURE = False
  CODE_CHALLENGE_START = os.getenv("CODE_CHALLENGE_START", "1578596347")
  JWT_SECRET_KEY = "SuperSecret"

CodeChallenge/manage.py

@@ -1,8 +1,4 @@
 import os
-import secrets
-import shutil
-
-from flask import current_app
 
 from .models import Question, db
 
@@ -14,19 +10,14 @@ def add_question(title, answer, rank, asset) -> Question:
  if q is not None:
  raise ValueError(f"a question with rank {rank} already exists")
 
- ext = os.path.splitext(asset)[1]
- asset_dir = os.path.join(current_app.config["APP_DIR"], "assets")
-
- filename = secrets.token_urlsafe() + ext
-
- save_path = os.path.join(asset_dir, filename)
-
- shutil.copyfile(asset, save_path)
-
  q = Question()
  q.title = title
  q.answer = answer
- q.asset = filename
+
+ with open(asset, "rb") as fhandle:
+ q.asset = fhandle.read()
+
+ q.asset_ext = os.path.splitext(asset)[1]
  q.rank = rank
 
  db.session.add(q)
@@ -42,17 +33,6 @@ def del_question(question_id):
  if q is None:
  return False
 
- if q.asset is not None:
-
- asset_dir = os.path.join(current_app.config["APP_DIR"], "assets")
- filename = os.path.join(asset_dir, q.asset)
- try:
- os.remove(filename)
- except FileNotFoundError:
- print("warning: could not delete asset; "
- f"file not found: {filename}")
- pass
-
  Question.query.filter_by(id=q.id).delete()
 
  return True

CodeChallenge/models.py

@@ -16,7 +16,8 @@ class Question(db.Model):
  title = db.Column(db.String(5000), nullable=False)
  answer = db.Column(db.String(255), nullable=False)
  rank = db.Column(db.Integer, nullable=False) 
- asset = db.Column(db.String(255))
+ asset = db.Column(db.BLOB)
+ asset_ext = db.Column(db.String(10))
 
  def __repr__(self):
  return '<Question %r>' % self.id