fix audio issue, implement file migration to new encryption

Author: dabblingwithcode

school_data_hub_client/lib/src/protocol/client.dart

@@ -402,8 +402,7 @@ class EndpointAdminUser extends _i1.EndpointRef {
         },
       );
 
-  /// Batch-creates users. Returns credentials for successes and errors for skipped/failed rows.
-  /// Each create runs in its own transaction; creates are executed in parallel (up to 5 at a time).
+  /// Batch-creates users sequentially. Returns credentials for successes and errors for skipped/failed rows.
   /// Duplicates are detected by the DB (unique constraint); we catch 23505 and report a friendly message.
   _i2.Future<_i13.BatchCreateUsersResponse> batchCreateUsers(
           List<_i14.CreateUserRequest> requests) =>
@@ -3116,6 +3115,22 @@ class EndpointFiles extends _i1.EndpointRef {
         'getUnencryptedImage',
         {'path': path},
       );
+
+  /// Overwrites the stored bytes for the file identified by [documentId] with
+  /// [newEncryptedBytes] without touching the [HubDocument] record
+  /// (preserves [createdBy], [createdAt], etc.).
+  _i2.Future<bool> replaceEncryptedFileBytes(
+    String documentId,
+    _i66.ByteData newEncryptedBytes,
+  ) =>
+      caller.callServerEndpoint<bool>(
+        'files',
+        'replaceEncryptedFileBytes',
+        {
+          'documentId': documentId,
+          'newEncryptedBytes': newEncryptedBytes,
+        },
+      );
 }
 
 class Modules {

school_data_hub_flutter/lib/app_utils/custom_encrypter.dart

@@ -75,6 +75,20 @@ bool _looksLikeImage(Uint8List bytes) {
       (bytes[0] == 0xFF && bytes[1] == 0xD8); // JPEG
 }
 
+/// Returns true if [bytes] look like a known audio format (magic bytes).
+bool _looksLikeAudio(Uint8List bytes) {
+  if (bytes.length < 8) return false;
+  // M4A / MP4 / AAC — ISO Base Media: 'ftyp' box starts at offset 4.
+  if (bytes[4] == 0x66 && bytes[5] == 0x74 && bytes[6] == 0x79 && bytes[7] == 0x70) return true;
+  // MP3 — MPEG sync word (0xFFE0..0xFFFF).
+  if (bytes[0] == 0xFF && (bytes[1] & 0xE0) == 0xE0) return true;
+  // WAV — 'RIFF' header.
+  if (bytes[0] == 0x52 && bytes[1] == 0x49 && bytes[2] == 0x46 && bytes[3] == 0x46) return true;
+  // OGG — 'OggS' capture pattern.
+  if (bytes[0] == 0x4F && bytes[1] == 0x67 && bytes[2] == 0x67 && bytes[3] == 0x53) return true;
+  return false;
+}
+
 // --- CustomEncrypter (uses EnvManager on main isolate only) ---
 
 final customEncrypter = CustomEncrypter();
@@ -252,7 +266,7 @@ class CustomEncrypter {
     final newResult = Uint8List.fromList(
       _decryptCbc(iv, ciphertext, _keyBytes),
     );
-    if (_looksLikeImage(newResult)) return newResult;
+    if (_looksLikeImage(newResult) || _looksLikeAudio(newResult)) return newResult;
     // Legacy format: entire blob is ciphertext, fixed IV from env (old encrypt package).
     if (encryptedBytes.length % 16 != 0) return newResult;
     final fixedIv = _fixedIv();
@@ -272,7 +286,7 @@ class CustomEncrypter {
         encryptedBytes,
         keyBytes,
       ]);
-      if (_looksLikeImage(result)) return result;
+      if (_looksLikeImage(result) || _looksLikeAudio(result)) return result;
       // Legacy format: ciphertext-only with fixed IV (old encrypt package).
       if (encryptedBytes.length % 16 != 0) return result;
       final fixedIv = _fixedIv();
@@ -290,4 +304,48 @@ class CustomEncrypter {
     final encrypted = _encryptCbc(bytes, _keyBytes, iv);
     return Uint8List.fromList([...iv, ...encrypted]);
   }
+
+  /// Decrypts [encryptedBytes] and indicates whether the input was in the
+  /// legacy format (ciphertext-only, fixed IV) vs. the new format (IV prepended).
+  ///
+  /// Returns `({Uint8List bytes, bool wasLegacy})`.
+  /// Use [wasLegacy] to trigger a fire-and-forget re-encryption migration.
+  Future<({Uint8List bytes, bool wasLegacy})> decryptFileBytesAsync(
+      Uint8List encryptedBytes) async {
+    if (encryptedBytes.length <= 16) {
+      return (bytes: encryptedBytes, wasLegacy: false);
+    }
+    final keyBytes = Uint8List.fromList(
+      utf8.encode(di<EnvManager>().activeEnv!.key!),
+    );
+
+    // Try new format first (IV prepended).
+    final newResult = kReleaseMode || kProfileMode
+        ? await compute(decryptBytesWithKey, <dynamic>[encryptedBytes, keyBytes])
+        : decryptTheseBytes(encryptedBytes);
+
+    if (_looksLikeImage(newResult) || _looksLikeAudio(newResult)) {
+      return (bytes: newResult, wasLegacy: false);
+    }
+
+    // Legacy format: ciphertext-only, fixed IV.
+    if (encryptedBytes.length % 16 != 0) {
+      // Not block-aligned — new format result is the best we can do.
+      return (bytes: newResult, wasLegacy: false);
+    }
+
+    final fixedIv = _fixedIv();
+    final legacyResult = kReleaseMode || kProfileMode
+        ? await compute(decryptBytesWithKey,
+            <dynamic>[encryptedBytes, keyBytes, fixedIv])
+        : Uint8List.fromList(
+            _decryptCbc(fixedIv, encryptedBytes, _keyBytes));
+
+    if (_looksLikeImage(legacyResult) || _looksLikeAudio(legacyResult)) {
+      return (bytes: legacyResult, wasLegacy: true);
+    }
+
+    // Cannot determine format — return new-format result, not legacy.
+    return (bytes: newResult, wasLegacy: false);
+  }
 }

school_data_hub_flutter/lib/app_utils/download_and_decrypt_file.dart

@@ -24,16 +24,19 @@ Future<File?> downloadAndDecryptFile({
     }
 
     final fileBytes = await fileInfo.file.readAsBytes();
-    final decryptedBytes = await customEncrypter.decryptTheseBytesAsync(
-      fileBytes,
-    );
+    final (:bytes, :wasLegacy) =
+        await customEncrypter.decryptFileBytesAsync(fileBytes);
+
+    if (wasLegacy) {
+      _migrateToNewFormat(documentId, bytes, cacheManager);
+    }
 
     final tempDir = await Directory.systemTemp.createTemp();
     final extension = p.extension(documentId);
     final tempFile = File(
       '${tempDir.path}/decrypted_${documentId.hashCode}$extension',
     );
-    await tempFile.writeAsBytes(decryptedBytes);
+    await tempFile.writeAsBytes(bytes);
     return tempFile;
   }
 
@@ -62,15 +65,41 @@ Future<File?> downloadAndDecryptFile({
     return tempFile;
   }
 
-  final decryptedBytes = await customEncrypter.decryptTheseBytesAsync(
-    fileBytes,
-  );
+  final (:bytes, :wasLegacy) =
+      await customEncrypter.decryptFileBytesAsync(fileBytes);
+
+  if (wasLegacy) {
+    _migrateToNewFormat(documentId, bytes, cacheManager);
+  }
 
   final tempDir = await Directory.systemTemp.createTemp();
   final extension = p.extension(documentId);
   final tempFile = File(
     '${tempDir.path}/decrypted_${documentId.hashCode}$extension',
   );
-  await tempFile.writeAsBytes(decryptedBytes);
+  await tempFile.writeAsBytes(bytes);
   return tempFile;
 }
+
+/// Fire-and-forget: re-encrypt [plainBytes] in the new format, update the
+/// server file, and refresh the local cache — all without blocking the caller.
+void _migrateToNewFormat(
+  String documentId,
+  Uint8List plainBytes,
+  DefaultCacheManager cacheManager,
+) {
+  Future(() async {
+    try {
+      final newEncrypted = customEncrypter.encryptTheseBytes(plainBytes);
+      final byteData = ByteData.sublistView(newEncrypted);
+      final ok = await di<Client>()
+          .files
+          .replaceEncryptedFileBytes(documentId, byteData);
+      if (ok) {
+        await cacheManager.putFile(documentId, newEncrypted);
+      }
+    } catch (_) {
+      // Migration is best-effort; silently ignore failures.
+    }
+  });
+}

school_data_hub_flutter/lib/common/widgets/generic_components/generic_app_bar.dart

@@ -60,6 +60,10 @@ class GenericAppBar extends StatelessWidget implements PreferredSizeWidget {
       title: Row(
         mainAxisAlignment: MainAxisAlignment.center,
         children: [
+          const Padding(
+            padding: EdgeInsets.only(left: 5),
+            child: HubConnectionStateIndicator(),
+          ),
           Expanded(
             child: Center(
               child: SingleChildScrollView(
@@ -76,10 +80,6 @@ class GenericAppBar extends StatelessWidget implements PreferredSizeWidget {
               ),
             ),
           ),
-          const Padding(
-            padding: EdgeInsets.only(right: 5),
-            child: HubConnectionStateIndicator(),
-          ),
         ],
       ),
     );

school_data_hub_flutter/lib/core/client/client_helper.dart

@@ -1,5 +1,6 @@
 import 'package:flutter_it/flutter_it.dart';
 import 'package:school_data_hub_client/school_data_hub_client.dart';
+import 'package:school_data_hub_flutter/common/services/hub_stream_service.dart';
 import 'package:school_data_hub_flutter/common/services/notification_service.dart';
 import 'package:school_data_hub_flutter/core/session/hub_session_manager.dart';
 
@@ -23,20 +24,33 @@ class ClientHelper {
       return result;
     } on ServerpodClientException catch (e) {
       _notificationService.apiRunning(false);
+
+      // 502 / 503 during a server restart are expected transients.
+      // Suppress them while the hub stream is not yet connected so the
+      // reconnect-flush doesn't clutter the overlay with gateway errors.
+      if (e.statusCode == 502 || e.statusCode == 503) {
+        try {
+          final hub = di<HubStreamService>();
+          if (hub.connectionState.value != HubConnectionState.connected) {
+            return null;
+          }
+        } catch (_) {
+          // HubStreamService not yet registered — fall through to show error.
+        }
+      }
+
       _notificationService.showInformationDialog(
         NotificationType.error,
         'API Fehler: ${errorMessage ?? "Unbekannt"}: $e',
       );
 
       if (e.toString().contains('Not authorized') ||
           e.toString().contains('401')) {
-        // Handle authentication error specifically
         _notificationService.showInformationDialog(
           NotificationType.error,
           'Authentication required. Please log in again.',
         );
         _hubSessionManager.signOutDevice();
-        // Optionally, trigger a logout or redirect to login
       }
       return null;
     } catch (e) {

school_data_hub_flutter/lib/features/timetable/presentation/room_timetable_grid/room_timetable_grid_widget.dart

@@ -25,7 +25,7 @@ class _RoomTimetableGridWidgetState extends State<RoomTimetableGridWidget> {
   static const double _timeColumnWidth = 64;
   static const double _roomHeaderHeight = 48;
   static const double _minSlotHeight = 12;
-  static const double _maxSlotHeight = 16;
+  static const double _maxSlotHeight = 12;
 
   double _slotHeight = 40;
   double _slotHeightAtScaleStart = 40;

school_data_hub_server/lib/src/_shared/endpoints/file_endpoints.dart

@@ -72,4 +72,31 @@ class FilesEndpoint extends Endpoint {
       path: path,
     );
   }
+
+  // TODO: delete when no longer needed (legacy -> new encryption format migration)
+  /// Overwrites the stored bytes for the file identified by [documentId] with
+  /// [newEncryptedBytes] without touching the [HubDocument] record
+  /// (preserves [createdBy], [createdAt], etc.).
+  Future<bool> replaceEncryptedFileBytes(
+      Session session, String documentId, ByteData newEncryptedBytes) async {
+    final HubDocument? document = await HubDocument.db
+        .findFirstRow(session, where: (t) => t.documentId.equals(documentId));
+    if (document == null) return false;
+    final path = document.documentPath;
+    if (path == null) return false;
+    final exists = await session.storage.fileExists(
+      storageId: 'private',
+      path: path,
+    );
+    if (!exists) return false;
+    await session.storage.storeFile(
+      storageId: 'private',
+      path: path,
+      byteData: newEncryptedBytes,
+    );
+    session.log(
+        level: LogLevel.info,
+        'File with documentId $documentId replaced: $path');
+    return true;
+  }
 }

school_data_hub_server/lib/src/generated/endpoints.dart

@@ -164,7 +164,8 @@ import 'package:school_data_hub_server/src/generated/_features/workbooks/models/
     as _i91;
 import 'package:school_data_hub_server/src/generated/_features/workbooks/models/workbook.dart'
     as _i92;
-import 'package:serverpod_auth_server/serverpod_auth_server.dart' as _i93;
+import 'dart:typed_data' as _i93;
+import 'package:serverpod_auth_server/serverpod_auth_server.dart' as _i94;
 
 class Endpoints extends _i1.EndpointDispatch {
   @override
@@ -6485,8 +6486,33 @@ class Endpoints extends _i1.EndpointDispatch {
             params['path'],
           ),
         ),
+        'replaceEncryptedFileBytes': _i1.MethodConnector(
+          name: 'replaceEncryptedFileBytes',
+          params: {
+            'documentId': _i1.ParameterDescription(
+              name: 'documentId',
+              type: _i1.getType<String>(),
+              nullable: false,
+            ),
+            'newEncryptedBytes': _i1.ParameterDescription(
+              name: 'newEncryptedBytes',
+              type: _i1.getType<_i93.ByteData>(),
+              nullable: false,
+            ),
+          },
+          call: (
+            _i1.Session session,
+            Map<String, dynamic> params,
+          ) async =>
+              (endpoints['files'] as _i45.FilesEndpoint)
+                  .replaceEncryptedFileBytes(
+            session,
+            params['documentId'],
+            params['newEncryptedBytes'],
+          ),
+        ),
       },
     );
-    modules['serverpod_auth'] = _i93.Endpoints()..initializeEndpoints(server);
+    modules['serverpod_auth'] = _i94.Endpoints()..initializeEndpoints(server);
   }
 }

school_data_hub_server/lib/src/generated/protocol.yaml

@@ -299,3 +299,4 @@ files:
   - verifyUpload:
   - getImage:
   - getUnencryptedImage:
+  - replaceEncryptedFileBytes:

school_data_hub_server/test/integration/test_tools/serverpod_test_tools.dart

@@ -8974,4 +8974,37 @@ class _FilesEndpoint {
       }
     });
   }
+
+  _i3.Future<bool> replaceEncryptedFileBytes(
+    _i1.TestSessionBuilder sessionBuilder,
+    String documentId,
+    _i67.ByteData newEncryptedBytes,
+  ) async {
+    return _i1.callAwaitableFunctionAndHandleExceptions(() async {
+      var _localUniqueSession =
+          (sessionBuilder as _i1.InternalTestSessionBuilder).internalBuild(
+        endpoint: 'files',
+        method: 'replaceEncryptedFileBytes',
+      );
+      try {
+        var _localCallContext = await _endpointDispatch.getMethodCallContext(
+          createSessionCallback: (_) => _localUniqueSession,
+          endpointPath: 'files',
+          methodName: 'replaceEncryptedFileBytes',
+          parameters: _i1.testObjectToJson({
+            'documentId': documentId,
+            'newEncryptedBytes': newEncryptedBytes,
+          }),
+          serializationManager: _serializationManager,
+        );
+        var _localReturnValue = await (_localCallContext.method.call(
+          _localUniqueSession,
+          _localCallContext.arguments,
+        ) as _i3.Future<bool>);
+        return _localReturnValue;
+      } finally {
+        await _localUniqueSession.close();
+      }
+    });
+  }
 }