brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add server, routes, views, CLI, CSS, and integration tests

Browse Source 
- Server factory with Fastify plugins (JWT, cookie, multipart, formbody, static)
- Auth middleware: requireAuth preHandler (401 for API, redirect for pages)
- Auth API routes: POST /api/v1/auth/login, POST /api/v1/auth/logout
- File API routes: GET/POST /api/v1/files, DELETE /api/v1/files/:id
- Page routes: /, /login, /logout, /upload, /files, /files/:id/delete, /f/:id, /f/:id/raw
- HTML views: layout, login, upload, file-list, file-view, not-found
- CLI register-user script
- public/style.css dark theme
- Test helpers: createTestApp, loginAs, buildMultipart
- Integration tests for auth API, file API, and page routes (51 tests passing)
- Update CLAUDE.md with red/green TDD and commit instructions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Brendan Chen
2026-03-03 15:55:14 -08:00
parent 157d1e8230
commit 8fd1464b9d
19 changed files with 1180 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
src/routes/api/v1/auth.ts Normal file
View File

@@ -0,0 +1,56 @@
import type { FastifyPluginAsync } from 'fastify';
import type Database from 'better-sqlite3';
import type { Config } from '../../../config.ts';
import type { Logger } from '../../../middleware/logging.ts';
import { getUserByUsername } from '../../../db/users.ts';
import { verifyPassword } from '../../../services/auth.ts';
import { requireAuth } from '../../../middleware/auth.ts';
interface Deps {
db: Database.Database;
config: Config;
logger: Logger;
}
interface LoginBody {
username: string;
password: string;
}
export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
const { db, config, logger } = deps;
app.post<{ Body: LoginBody }>('/login', async (request, reply) => {
const { username, password } = request.body ?? {};
const ip = request.ip;
const userAgent = request.headers['user-agent'] ?? '';
if (!username || !password) {
return reply.status(400).send({ error: 'username and password are required' });
}
const user = getUserByUsername(db, username);
const valid = user ? await verifyPassword(password, user.password_hash) : false;
if (!user || !valid) {
await logger.authFailure({ ip, userAgent, username });
return reply.status(401).send({ error: 'Invalid credentials' });
}
await logger.authSuccess({ ip, userAgent, username });
const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
reply
.setCookie('token', token, {
httpOnly: true,
sameSite: 'strict',
secure: config.cookieSecure,
path: '/',
})
.send({ ok: true });
});
app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
reply.clearCookie('token', { path: '/' }).send({ ok: true });
});
};

71
src/routes/api/v1/files.ts Normal file
View File

@@ -0,0 +1,71 @@
import type { FastifyPluginAsync } from 'fastify';
import { extname } from 'path';
import { nanoid } from 'nanoid';
import type Database from 'better-sqlite3';
import type { Config } from '../../../config.ts';
import type { Logger } from '../../../middleware/logging.ts';
import type { JwtPayload } from '../../../types.ts';
import { createFile, getFilesByUserId, getFileById, deleteFile } from '../../../db/files.ts';
import { saveFile, deleteStoredFile } from '../../../services/storage.ts';
import { requireAuth } from '../../../middleware/auth.ts';
interface Deps {
db: Database.Database;
config: Config;
logger: Logger;
}
export const filesApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
const { db, config } = deps;
app.get('/', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const files = getFilesByUserId(db, userId);
reply.send({ files });
});
app.post('/', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const data = await request.file();
if (!data) {
return reply.status(400).send({ error: 'No file uploaded' });
}
const fileBuffer = await data.toBuffer();
const id = nanoid();
const ext = extname(data.filename);
const storedName = `${id}${ext}`;
await saveFile(config.uploadDir, storedName, fileBuffer);
const file = createFile(db, {
id,
userId,
originalName: data.filename,
mimeType: data.mimetype,
size: fileBuffer.length,
storedName,
});
reply.status(201).send({ file, url: `${config.baseUrl}/f/${id}` });
});
app.delete('/:id', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const { id } = request.params as { id: string };
const file = getFileById(db, id);
if (!file) {
return reply.status(404).send({ error: 'File not found' });
}
const deleted = deleteFile(db, id, userId);
if (!deleted) {
return reply.status(403).send({ error: 'Forbidden' });
}
await deleteStoredFile(config.uploadDir, file.stored_name);
reply.send({ ok: true });
});
};

163
src/routes/pages.ts Normal file
View File

@@ -0,0 +1,163 @@
import type { FastifyPluginAsync } from 'fastify';
import { extname } from 'path';
import { readFile } from 'fs/promises';
import { nanoid } from 'nanoid';
import type Database from 'better-sqlite3';
import type { Config } from '../config.ts';
import type { Logger } from '../middleware/logging.ts';
import type { JwtPayload } from '../types.ts';
import { getUserByUsername } from '../db/users.ts';
import { createFile, getFileById, getFilesByUserId, deleteFile } from '../db/files.ts';
import { verifyPassword } from '../services/auth.ts';
import { saveFile, deleteStoredFile, getFilePath } from '../services/storage.ts';
import { requireAuth } from '../middleware/auth.ts';
import { loginPage } from '../views/login.ts';
import { uploadPage, uploadResultPage } from '../views/upload.ts';
import { fileListPage } from '../views/file-list.ts';
import { fileViewPage } from '../views/file-view.ts';
import { notFoundPage } from '../views/not-found.ts';
interface Deps {
db: Database.Database;
config: Config;
logger: Logger;
}
export const pageRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
const { db, config, logger } = deps;
// GET / — login page or redirect if authed
app.get('/', async (request, reply) => {
try {
await request.jwtVerify();
return reply.redirect('/upload');
} catch {
return reply.type('text/html').send(loginPage());
}
});
// POST /login — form login
app.post<{ Body: { username?: string; password?: string } }>('/login', async (request, reply) => {
const { username = '', password = '' } = request.body ?? {};
const ip = request.ip;
const userAgent = request.headers['user-agent'] ?? '';
const user = getUserByUsername(db, username);
const valid = user ? await verifyPassword(password, user.password_hash) : false;
if (!user || !valid) {
await logger.authFailure({ ip, userAgent, username });
return reply.type('text/html').send(loginPage({ error: 'Invalid username or password' }));
}
await logger.authSuccess({ ip, userAgent, username });
const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
reply
.setCookie('token', token, {
httpOnly: true,
sameSite: 'strict',
secure: config.cookieSecure,
path: '/',
})
.redirect('/upload');
});
// POST /logout
app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
reply.clearCookie('token', { path: '/' }).redirect('/');
});
// GET /upload
app.get('/upload', { preHandler: requireAuth }, async (_request, reply) => {
reply.type('text/html').send(uploadPage());
});
// POST /upload
app.post('/upload', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const data = await request.file();
if (!data) {
return reply.type('text/html').send(uploadPage({ error: 'No file selected' }));
}
const fileBuffer = await data.toBuffer();
const id = nanoid();
const ext = extname(data.filename);
const storedName = `${id}${ext}`;
await saveFile(config.uploadDir, storedName, fileBuffer);
createFile(db, {
id,
userId,
originalName: data.filename,
mimeType: data.mimetype,
size: fileBuffer.length,
storedName,
});
const shareUrl = `${config.baseUrl}/f/${id}`;
reply.type('text/html').send(uploadResultPage(shareUrl, data.filename));
});
// GET /files
app.get('/files', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const files = getFilesByUserId(db, userId);
reply.type('text/html').send(fileListPage(files, config.baseUrl));
});
// POST /files/:id/delete
app.post<{ Params: { id: string } }>('/files/:id/delete', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const { id } = request.params;
const file = getFileById(db, id);
if (file) {
const deleted = deleteFile(db, id, userId);
if (deleted) {
await deleteStoredFile(config.uploadDir, file.stored_name);
}
}
reply.redirect('/files');
});
// GET /f/:id — public file view
app.get<{ Params: { id: string } }>('/f/:id', async (request, reply) => {
const { id } = request.params;
const file = getFileById(db, id);
if (!file) {
await logger.fileNotFound({ ip: request.ip, userAgent: request.headers['user-agent'] ?? '', fileId: id });
return reply.status(404).type('text/html').send(notFoundPage());
}
reply.type('text/html').send(fileViewPage(file));
});
// GET /f/:id/raw — serve raw file
app.get<{ Params: { id: string } }>('/f/:id/raw', async (request, reply) => {
const { id } = request.params;
const file = getFileById(db, id);
if (!file) {
await logger.fileNotFound({ ip: request.ip, userAgent: request.headers['user-agent'] ?? '', fileId: id });
return reply.status(404).send({ error: 'Not found' });
}
const filePath = getFilePath(config.uploadDir, file.stored_name);
const data = await readFile(filePath);
reply
.header('Content-Type', file.mime_type)
.header('Content-Disposition', `inline; filename="${file.original_name}"`)
.send(data);
});
// 404 handler
app.setNotFoundHandler((_request, reply) => {
reply.status(404).type('text/html').send(notFoundPage());
});
};