brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d8fb9105d51e6cd6a8d93f60101ee5e4f35821f
nanodrop/src/routes/api/v1/files.ts
Brendan Chen 6d8fb9105d Code review fixes, Docker, and deployment config 
- Fix tsconfig: switch to ESNext/Bundler module resolution (tsx compatible)
- Sanitize file extensions against path traversal (^.[a-zA-Z0-9]+$ only)
- Sanitize Content-Disposition filename to prevent header injection
- Extract tokenCookieOptions helper to eliminate duplication across auth handlers
- Remove unused baseUrl param from fileListPage
- Add Dockerfile (multi-stage build with alpine + native tools for bcrypt)
- Add docker-compose.yml with named volume for data persistence
- Add .env.example with all environment variables documented

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 15:58:39 -08:00

73 lines
2.3 KiB
TypeScript
Raw Blame History

import type { FastifyPluginAsync } from 'fastify';
import { extname } from 'path';
import { nanoid } from 'nanoid';
import type Database from 'better-sqlite3';
import type { Config } from '../../../config.ts';
import type { Logger } from '../../../middleware/logging.ts';
import type { JwtPayload } from '../../../types.ts';
import { createFile, getFilesByUserId, getFileById, deleteFile } from '../../../db/files.ts';
import { saveFile, deleteStoredFile } from '../../../services/storage.ts';
import { requireAuth } from '../../../middleware/auth.ts';
interface Deps {
db: Database.Database;
config: Config;
logger: Logger;
}
export const filesApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
const { db, config } = deps;
app.get('/', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const files = getFilesByUserId(db, userId);
reply.send({ files });
});
app.post('/', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const data = await request.file();
if (!data) {
return reply.status(400).send({ error: 'No file uploaded' });
}
const fileBuffer = await data.toBuffer();
const id = nanoid();
const rawExt = extname(data.filename);
const ext = /^\.[a-zA-Z0-9]+$/.test(rawExt) ? rawExt : '';
const storedName = `${id}${ext}`;
await saveFile(config.uploadDir, storedName, fileBuffer);
const file = createFile(db, {
id,
userId,
originalName: data.filename,
mimeType: data.mimetype,
size: fileBuffer.length,
storedName,
});
reply.status(201).send({ file, url: `${config.baseUrl}/f/${id}` });
});
app.delete('/:id', { preHandler: requireAuth }, async (request, reply) => {
const { sub: userId } = request.user as JwtPayload;
const { id } = request.params as { id: string };
const file = getFileById(db, id);
if (!file) {
return reply.status(404).send({ error: 'File not found' });
}
const deleted = deleteFile(db, id, userId);
if (!deleted) {
return reply.status(403).send({ error: 'Forbidden' });
}
await deleteStoredFile(config.uploadDir, file.stored_name);
reply.send({ ok: true });
});
};
Reference in New Issue View Git Blame Copy Permalink