mirror of
https://github.com/kmc7468/arkvault.git
synced 2026-02-04 08:06:56 +00:00
Compare commits
8 Commits
4b783a36e9
...
v0.7.0
| Author | SHA1 | Date | |
|---|---|---|---|
|
3906ec4371 | ||
|
|
90ac5ba4c3 | ||
|
|
dfffa004ac | ||
|
|
0cd55a413d | ||
|
|
361d966a59 | ||
|
|
aef43b8bfa | ||
|
|
7f128cccf6 | ||
|
|
a198e5f6dc |
@@ -12,7 +12,6 @@ node_modules
|
||||
/data
|
||||
/library
|
||||
/thumbnails
|
||||
/uploads
|
||||
|
||||
# OS
|
||||
.DS_Store
|
||||
|
||||
@@ -12,4 +12,3 @@ USER_CLIENT_CHALLENGE_EXPIRES=
|
||||
SESSION_UPGRADE_CHALLENGE_EXPIRES=
|
||||
LIBRARY_PATH=
|
||||
THUMBNAILS_PATH=
|
||||
UPLOADS_PATH=
|
||||
|
||||
1
.gitignore
vendored
1
.gitignore
vendored
@@ -10,7 +10,6 @@ node_modules
|
||||
/data
|
||||
/library
|
||||
/thumbnails
|
||||
/uploads
|
||||
|
||||
# OS
|
||||
.DS_Store
|
||||
|
||||
@@ -20,7 +20,6 @@ services:
|
||||
- SESSION_UPGRADE_CHALLENGE_EXPIRES
|
||||
- LIBRARY_PATH=/app/data/library
|
||||
- THUMBNAILS_PATH=/app/data/thumbnails
|
||||
- UPLOADS_PATH=/app/data/uploads
|
||||
# SvelteKit
|
||||
- ADDRESS_HEADER=${TRUST_PROXY:+X-Forwarded-For}
|
||||
- XFF_DEPTH=${TRUST_PROXY:-}
|
||||
|
||||
@@ -7,7 +7,6 @@ import {
|
||||
cleanupExpiredSessions,
|
||||
cleanupExpiredSessionUpgradeChallenges,
|
||||
} from "$lib/server/db/session";
|
||||
import { cleanupExpiredUploadSessions } from "$lib/server/db/upload";
|
||||
import { authenticate, setAgentInfo } from "$lib/server/middlewares";
|
||||
|
||||
export const init: ServerInit = async () => {
|
||||
@@ -17,7 +16,6 @@ export const init: ServerInit = async () => {
|
||||
cleanupExpiredUserClientChallenges();
|
||||
cleanupExpiredSessions();
|
||||
cleanupExpiredSessionUpgradeChallenges();
|
||||
cleanupExpiredUploadSessions();
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
export * from "./upload";
|
||||
@@ -1,5 +0,0 @@
|
||||
export const CHUNK_SIZE = 4 * 1024 * 1024;
|
||||
|
||||
export const AES_GCM_IV_SIZE = 12;
|
||||
export const AES_GCM_TAG_SIZE = 16;
|
||||
export const ENCRYPTION_OVERHEAD = AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE;
|
||||
@@ -1,11 +1,4 @@
|
||||
import { AES_GCM_IV_SIZE } from "$lib/constants";
|
||||
import {
|
||||
encodeString,
|
||||
decodeString,
|
||||
encodeToBase64,
|
||||
decodeFromBase64,
|
||||
concatenateBuffers,
|
||||
} from "./util";
|
||||
import { encodeString, decodeString, encodeToBase64, decodeFromBase64 } from "./util";
|
||||
|
||||
export const generateMasterKey = async () => {
|
||||
return {
|
||||
@@ -93,18 +86,14 @@ export const encryptData = async (data: BufferSource, dataKey: CryptoKey) => {
|
||||
dataKey,
|
||||
data,
|
||||
);
|
||||
return { ciphertext, iv: iv.buffer };
|
||||
return { ciphertext, iv: encodeToBase64(iv.buffer) };
|
||||
};
|
||||
|
||||
export const decryptData = async (
|
||||
ciphertext: BufferSource,
|
||||
iv: string | BufferSource,
|
||||
dataKey: CryptoKey,
|
||||
) => {
|
||||
export const decryptData = async (ciphertext: BufferSource, iv: string, dataKey: CryptoKey) => {
|
||||
return await window.crypto.subtle.decrypt(
|
||||
{
|
||||
name: "AES-GCM",
|
||||
iv: typeof iv === "string" ? decodeFromBase64(iv) : iv,
|
||||
iv: decodeFromBase64(iv),
|
||||
} satisfies AesGcmParams,
|
||||
dataKey,
|
||||
ciphertext,
|
||||
@@ -113,22 +102,9 @@ export const decryptData = async (
|
||||
|
||||
export const encryptString = async (plaintext: string, dataKey: CryptoKey) => {
|
||||
const { ciphertext, iv } = await encryptData(encodeString(plaintext), dataKey);
|
||||
return { ciphertext: encodeToBase64(ciphertext), iv: encodeToBase64(iv) };
|
||||
return { ciphertext: encodeToBase64(ciphertext), iv };
|
||||
};
|
||||
|
||||
export const decryptString = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
|
||||
return decodeString(await decryptData(decodeFromBase64(ciphertext), iv, dataKey));
|
||||
};
|
||||
|
||||
export const encryptChunk = async (chunk: ArrayBuffer, dataKey: CryptoKey) => {
|
||||
const { ciphertext, iv } = await encryptData(chunk, dataKey);
|
||||
return concatenateBuffers(iv, ciphertext).buffer;
|
||||
};
|
||||
|
||||
export const decryptChunk = async (encryptedChunk: ArrayBuffer, dataKey: CryptoKey) => {
|
||||
return await decryptData(
|
||||
encryptedChunk.slice(AES_GCM_IV_SIZE),
|
||||
encryptedChunk.slice(0, AES_GCM_IV_SIZE),
|
||||
dataKey,
|
||||
);
|
||||
};
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import axios from "axios";
|
||||
import { limitFunction } from "p-limit";
|
||||
import { CHUNK_SIZE, ENCRYPTION_OVERHEAD } from "$lib/constants";
|
||||
import { decryptChunk, concatenateBuffers } from "$lib/modules/crypto";
|
||||
import { decryptData } from "$lib/modules/crypto";
|
||||
|
||||
export interface FileDownloadState {
|
||||
id: number;
|
||||
@@ -66,21 +65,13 @@ const decryptFile = limitFunction(
|
||||
async (
|
||||
state: FileDownloadState,
|
||||
fileEncrypted: ArrayBuffer,
|
||||
encryptedChunkSize: number,
|
||||
fileEncryptedIv: string,
|
||||
dataKey: CryptoKey,
|
||||
) => {
|
||||
state.status = "decrypting";
|
||||
|
||||
const chunks: ArrayBuffer[] = [];
|
||||
let offset = 0;
|
||||
const fileBuffer = await decryptData(fileEncrypted, fileEncryptedIv, dataKey);
|
||||
|
||||
while (offset < fileEncrypted.byteLength) {
|
||||
const nextOffset = Math.min(offset + encryptedChunkSize, fileEncrypted.byteLength);
|
||||
chunks.push(await decryptChunk(fileEncrypted.slice(offset, nextOffset), dataKey));
|
||||
offset = nextOffset;
|
||||
}
|
||||
|
||||
const fileBuffer = concatenateBuffers(...chunks).buffer;
|
||||
state.status = "decrypted";
|
||||
state.result = fileBuffer;
|
||||
return fileBuffer;
|
||||
@@ -88,7 +79,7 @@ const decryptFile = limitFunction(
|
||||
{ concurrency: 4 },
|
||||
);
|
||||
|
||||
export const downloadFile = async (id: number, dataKey: CryptoKey, isLegacy: boolean) => {
|
||||
export const downloadFile = async (id: number, fileEncryptedIv: string, dataKey: CryptoKey) => {
|
||||
downloadingFiles.push({
|
||||
id,
|
||||
status: "download-pending",
|
||||
@@ -96,13 +87,7 @@ export const downloadFile = async (id: number, dataKey: CryptoKey, isLegacy: boo
|
||||
const state = downloadingFiles.at(-1)!;
|
||||
|
||||
try {
|
||||
const fileEncrypted = await requestFileDownload(state, id);
|
||||
return await decryptFile(
|
||||
state,
|
||||
fileEncrypted,
|
||||
isLegacy ? fileEncrypted.byteLength : CHUNK_SIZE + ENCRYPTION_OVERHEAD,
|
||||
dataKey,
|
||||
);
|
||||
return await decryptFile(state, await requestFileDownload(state, id), fileEncryptedIv, dataKey);
|
||||
} catch (e) {
|
||||
state.status = "error";
|
||||
throw e;
|
||||
|
||||
@@ -5,6 +5,7 @@ import { decryptData } from "$lib/modules/crypto";
|
||||
import type { SummarizedFileInfo } from "$lib/modules/filesystem";
|
||||
import { readFile, writeFile, deleteFile, deleteDirectory } from "$lib/modules/opfs";
|
||||
import { getThumbnailUrl } from "$lib/modules/thumbnail";
|
||||
import { isTRPCClientError, trpc } from "$trpc/client";
|
||||
|
||||
const loadedThumbnails = new LRUCache<number, Writable<string>>({ max: 100 });
|
||||
const loadingThumbnails = new Map<number, Writable<string | undefined>>();
|
||||
@@ -17,18 +18,25 @@ const fetchFromOpfs = async (fileId: number) => {
|
||||
};
|
||||
|
||||
const fetchFromServer = async (fileId: number, dataKey: CryptoKey) => {
|
||||
const res = await fetch(`/api/file/${fileId}/thumbnail/download`);
|
||||
if (!res.ok) return null;
|
||||
try {
|
||||
const [thumbnailEncrypted, { contentIv: thumbnailEncryptedIv }] = await Promise.all([
|
||||
fetch(`/api/file/${fileId}/thumbnail/download`),
|
||||
trpc().file.thumbnail.query({ id: fileId }),
|
||||
]);
|
||||
const thumbnailBuffer = await decryptData(
|
||||
await thumbnailEncrypted.arrayBuffer(),
|
||||
thumbnailEncryptedIv,
|
||||
dataKey,
|
||||
);
|
||||
|
||||
const thumbnailEncrypted = await res.arrayBuffer();
|
||||
const thumbnailBuffer = await decryptData(
|
||||
thumbnailEncrypted.slice(12),
|
||||
thumbnailEncrypted.slice(0, 12),
|
||||
dataKey,
|
||||
);
|
||||
|
||||
void writeFile(`/thumbnail/file/${fileId}`, thumbnailBuffer);
|
||||
return getThumbnailUrl(thumbnailBuffer);
|
||||
void writeFile(`/thumbnail/file/${fileId}`, thumbnailBuffer);
|
||||
return getThumbnailUrl(thumbnailBuffer);
|
||||
} catch (e) {
|
||||
if (isTRPCClientError(e) && e.data?.code === "NOT_FOUND") {
|
||||
return null;
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
};
|
||||
|
||||
export const getFileThumbnail = (file: SummarizedFileInfo) => {
|
||||
|
||||
@@ -1,23 +1,24 @@
|
||||
import axios from "axios";
|
||||
import ExifReader from "exifreader";
|
||||
import { limitFunction } from "p-limit";
|
||||
import { CHUNK_SIZE } from "$lib/constants";
|
||||
import {
|
||||
encodeToBase64,
|
||||
generateDataKey,
|
||||
wrapDataKey,
|
||||
encryptData,
|
||||
encryptString,
|
||||
encryptChunk,
|
||||
digestMessage,
|
||||
signMessageHmac,
|
||||
} from "$lib/modules/crypto";
|
||||
import { Scheduler } from "$lib/modules/scheduler";
|
||||
import { generateThumbnail } from "$lib/modules/thumbnail";
|
||||
import type { FileThumbnailUploadRequest } from "$lib/server/schemas";
|
||||
import type {
|
||||
FileThumbnailUploadRequest,
|
||||
FileUploadRequest,
|
||||
FileUploadResponse,
|
||||
} from "$lib/server/schemas";
|
||||
import type { MasterKey, HmacSecret } from "$lib/stores";
|
||||
import { trpc } from "$trpc/client";
|
||||
import type { RouterInputs } from "$trpc/router.server";
|
||||
|
||||
export interface FileUploadState {
|
||||
name: string;
|
||||
@@ -109,23 +110,6 @@ const extractExifDateTime = (fileBuffer: ArrayBuffer) => {
|
||||
return new Date(utcDate - offsetMs);
|
||||
};
|
||||
|
||||
const encryptChunks = async (fileBuffer: ArrayBuffer, dataKey: CryptoKey) => {
|
||||
const chunksEncrypted: { chunkEncrypted: ArrayBuffer; chunkEncryptedHash: string }[] = [];
|
||||
let offset = 0;
|
||||
|
||||
while (offset < fileBuffer.byteLength) {
|
||||
const nextOffset = Math.min(offset + CHUNK_SIZE, fileBuffer.byteLength);
|
||||
const chunkEncrypted = await encryptChunk(fileBuffer.slice(offset, nextOffset), dataKey);
|
||||
chunksEncrypted.push({
|
||||
chunkEncrypted: chunkEncrypted,
|
||||
chunkEncryptedHash: encodeToBase64(await digestMessage(chunkEncrypted)),
|
||||
});
|
||||
offset = nextOffset;
|
||||
}
|
||||
|
||||
return chunksEncrypted;
|
||||
};
|
||||
|
||||
const encryptFile = limitFunction(
|
||||
async (state: FileUploadState, file: File, fileBuffer: ArrayBuffer, masterKey: MasterKey) => {
|
||||
state.status = "encrypting";
|
||||
@@ -139,7 +123,9 @@ const encryptFile = limitFunction(
|
||||
|
||||
const { dataKey, dataKeyVersion } = await generateDataKey();
|
||||
const dataKeyWrapped = await wrapDataKey(dataKey, masterKey.key);
|
||||
const chunksEncrypted = await encryptChunks(fileBuffer, dataKey);
|
||||
|
||||
const fileEncrypted = await encryptData(fileBuffer, dataKey);
|
||||
const fileEncryptedHash = encodeToBase64(await digestMessage(fileEncrypted.ciphertext));
|
||||
|
||||
const nameEncrypted = await encryptString(file.name, dataKey);
|
||||
const createdAtEncrypted =
|
||||
@@ -156,7 +142,8 @@ const encryptFile = limitFunction(
|
||||
dataKeyWrapped,
|
||||
dataKeyVersion,
|
||||
fileType,
|
||||
chunksEncrypted,
|
||||
fileEncrypted,
|
||||
fileEncryptedHash,
|
||||
nameEncrypted,
|
||||
createdAtEncrypted,
|
||||
lastModifiedAtEncrypted,
|
||||
@@ -167,70 +154,30 @@ const encryptFile = limitFunction(
|
||||
);
|
||||
|
||||
const requestFileUpload = limitFunction(
|
||||
async (
|
||||
state: FileUploadState,
|
||||
metadata: RouterInputs["file"]["startUpload"],
|
||||
chunksEncrypted: { chunkEncrypted: ArrayBuffer; chunkEncryptedHash: string }[],
|
||||
fileSigned: string | undefined,
|
||||
thumbnailForm: FormData | null,
|
||||
) => {
|
||||
async (state: FileUploadState, form: FormData, thumbnailForm: FormData | null) => {
|
||||
state.status = "uploading";
|
||||
|
||||
const { uploadId } = await trpc().file.startUpload.mutate(metadata);
|
||||
|
||||
// Upload chunks with progress tracking
|
||||
const totalBytes = chunksEncrypted.reduce((sum, c) => sum + c.chunkEncrypted.byteLength, 0);
|
||||
let uploadedBytes = 0;
|
||||
const startTime = Date.now();
|
||||
|
||||
for (let i = 0; i < chunksEncrypted.length; i++) {
|
||||
const { chunkEncrypted, chunkEncryptedHash } = chunksEncrypted[i]!;
|
||||
|
||||
const response = await fetch(`/api/file/upload/${uploadId}/chunks/${i}`, {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/octet-stream",
|
||||
"Content-Digest": `sha-256=:${chunkEncryptedHash}:`,
|
||||
},
|
||||
body: chunkEncrypted,
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(`Chunk upload failed: ${response.status} ${response.statusText}`);
|
||||
}
|
||||
|
||||
uploadedBytes += chunkEncrypted.byteLength;
|
||||
|
||||
// Calculate progress, rate, estimated
|
||||
const elapsed = (Date.now() - startTime) / 1000; // seconds
|
||||
const rate = uploadedBytes / elapsed; // bytes per second
|
||||
const remaining = totalBytes - uploadedBytes;
|
||||
const estimated = rate > 0 ? remaining / rate : undefined;
|
||||
|
||||
state.progress = uploadedBytes / totalBytes;
|
||||
state.rate = rate;
|
||||
state.estimated = estimated;
|
||||
}
|
||||
|
||||
// Complete upload
|
||||
const { file: fileId } = await trpc().file.completeUpload.mutate({
|
||||
uploadId,
|
||||
contentHmac: fileSigned,
|
||||
const res = await axios.post("/api/file/upload", form, {
|
||||
onUploadProgress: ({ progress, rate, estimated }) => {
|
||||
state.progress = progress;
|
||||
state.rate = rate;
|
||||
state.estimated = estimated;
|
||||
},
|
||||
});
|
||||
const { file }: FileUploadResponse = res.data;
|
||||
|
||||
// Upload thumbnail if exists
|
||||
if (thumbnailForm) {
|
||||
try {
|
||||
await axios.post(`/api/file/${fileId}/thumbnail/upload`, thumbnailForm);
|
||||
await axios.post(`/api/file/${file}/thumbnail/upload`, thumbnailForm);
|
||||
} catch (e) {
|
||||
// TODO: Error handling for thumbnail upload
|
||||
// TODO
|
||||
console.error(e);
|
||||
}
|
||||
}
|
||||
|
||||
state.status = "uploaded";
|
||||
|
||||
return { fileId };
|
||||
return { fileId: file };
|
||||
},
|
||||
{ concurrency: 1 },
|
||||
);
|
||||
@@ -268,28 +215,36 @@ export const uploadFile = async (
|
||||
dataKeyWrapped,
|
||||
dataKeyVersion,
|
||||
fileType,
|
||||
chunksEncrypted,
|
||||
fileEncrypted,
|
||||
fileEncryptedHash,
|
||||
nameEncrypted,
|
||||
createdAtEncrypted,
|
||||
lastModifiedAtEncrypted,
|
||||
thumbnail,
|
||||
} = await encryptFile(state, file, fileBuffer, masterKey);
|
||||
|
||||
const metadata = {
|
||||
chunks: chunksEncrypted.length,
|
||||
parent: parentId,
|
||||
mekVersion: masterKey.version,
|
||||
dek: dataKeyWrapped,
|
||||
dekVersion: dataKeyVersion,
|
||||
hskVersion: hmacSecret.version,
|
||||
contentType: fileType,
|
||||
name: nameEncrypted.ciphertext,
|
||||
nameIv: nameEncrypted.iv,
|
||||
createdAt: createdAtEncrypted?.ciphertext,
|
||||
createdAtIv: createdAtEncrypted?.iv,
|
||||
lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
|
||||
lastModifiedAtIv: lastModifiedAtEncrypted.iv,
|
||||
};
|
||||
const form = new FormData();
|
||||
form.set(
|
||||
"metadata",
|
||||
JSON.stringify({
|
||||
parent: parentId,
|
||||
mekVersion: masterKey.version,
|
||||
dek: dataKeyWrapped,
|
||||
dekVersion: dataKeyVersion.toISOString(),
|
||||
hskVersion: hmacSecret.version,
|
||||
contentHmac: fileSigned,
|
||||
contentType: fileType,
|
||||
contentIv: fileEncrypted.iv,
|
||||
name: nameEncrypted.ciphertext,
|
||||
nameIv: nameEncrypted.iv,
|
||||
createdAt: createdAtEncrypted?.ciphertext,
|
||||
createdAtIv: createdAtEncrypted?.iv,
|
||||
lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
|
||||
lastModifiedAtIv: lastModifiedAtEncrypted.iv,
|
||||
} satisfies FileUploadRequest),
|
||||
);
|
||||
form.set("content", new Blob([fileEncrypted.ciphertext]));
|
||||
form.set("checksum", fileEncryptedHash);
|
||||
|
||||
let thumbnailForm = null;
|
||||
if (thumbnail) {
|
||||
@@ -298,19 +253,13 @@ export const uploadFile = async (
|
||||
"metadata",
|
||||
JSON.stringify({
|
||||
dekVersion: dataKeyVersion.toISOString(),
|
||||
contentIv: encodeToBase64(thumbnail.iv),
|
||||
contentIv: thumbnail.iv,
|
||||
} satisfies FileThumbnailUploadRequest),
|
||||
);
|
||||
thumbnailForm.set("content", new Blob([thumbnail.ciphertext]));
|
||||
}
|
||||
|
||||
const { fileId } = await requestFileUpload(
|
||||
state,
|
||||
metadata,
|
||||
chunksEncrypted,
|
||||
fileSigned,
|
||||
thumbnailForm,
|
||||
);
|
||||
const { fileId } = await requestFileUpload(state, form, thumbnailForm);
|
||||
return { fileId, fileBuffer, thumbnailBuffer: thumbnail?.plaintext };
|
||||
} catch (e) {
|
||||
state.status = "error";
|
||||
|
||||
@@ -47,10 +47,10 @@ const cache = new FilesystemCache<number, MaybeFileInfo>({
|
||||
|
||||
return storeToIndexedDB({
|
||||
id,
|
||||
isLegacy: file.isLegacy,
|
||||
parentId: file.parent,
|
||||
dataKey: metadata.dataKey,
|
||||
contentType: file.contentType,
|
||||
contentIv: file.contentIv,
|
||||
name: metadata.name,
|
||||
createdAt: metadata.createdAt,
|
||||
lastModifiedAt: metadata.lastModifiedAt,
|
||||
@@ -116,9 +116,9 @@ const cache = new FilesystemCache<number, MaybeFileInfo>({
|
||||
return {
|
||||
id,
|
||||
exists: true as const,
|
||||
isLegacy: metadataRaw.isLegacy,
|
||||
parentId: metadataRaw.parent,
|
||||
contentType: metadataRaw.contentType,
|
||||
contentIv: metadataRaw.contentIv,
|
||||
categories,
|
||||
...metadata,
|
||||
};
|
||||
|
||||
@@ -28,10 +28,10 @@ export type SubDirectoryInfo = Omit<LocalDirectoryInfo, "subDirectories" | "file
|
||||
|
||||
export interface FileInfo {
|
||||
id: number;
|
||||
isLegacy?: boolean;
|
||||
parentId: DirectoryId;
|
||||
dataKey?: DataKey;
|
||||
contentType: string;
|
||||
contentIv?: string;
|
||||
name: string;
|
||||
createdAt?: Date;
|
||||
lastModifiedAt: Date;
|
||||
@@ -42,7 +42,7 @@ export type MaybeFileInfo =
|
||||
| (FileInfo & { exists: true })
|
||||
| ({ id: number; exists: false } & AllUndefined<Omit<FileInfo, "id">>);
|
||||
|
||||
export type SummarizedFileInfo = Omit<FileInfo, "categories">;
|
||||
export type SummarizedFileInfo = Omit<FileInfo, "contentIv" | "categories">;
|
||||
export type CategoryFileInfo = SummarizedFileInfo & { isRecursive: boolean };
|
||||
|
||||
interface LocalCategoryInfo {
|
||||
|
||||
@@ -15,6 +15,8 @@ interface Directory {
|
||||
encName: Ciphertext;
|
||||
}
|
||||
|
||||
export type NewDirectory = Omit<Directory, "id">;
|
||||
|
||||
interface File {
|
||||
id: number;
|
||||
parentId: DirectoryId;
|
||||
@@ -26,13 +28,15 @@ interface File {
|
||||
hskVersion: number | null;
|
||||
contentHmac: string | null;
|
||||
contentType: string;
|
||||
encContentIv: string | null;
|
||||
encContentIv: string;
|
||||
encContentHash: string;
|
||||
encName: Ciphertext;
|
||||
encCreatedAt: Ciphertext | null;
|
||||
encLastModifiedAt: Ciphertext;
|
||||
}
|
||||
|
||||
export type NewFile = Omit<File, "id">;
|
||||
|
||||
interface FileCategory {
|
||||
id: number;
|
||||
parentId: CategoryId;
|
||||
@@ -42,7 +46,7 @@ interface FileCategory {
|
||||
encName: Ciphertext;
|
||||
}
|
||||
|
||||
export const registerDirectory = async (params: Omit<Directory, "id">) => {
|
||||
export const registerDirectory = async (params: NewDirectory) => {
|
||||
await db.transaction().execute(async (trx) => {
|
||||
const mek = await trx
|
||||
.selectFrom("master_encryption_key")
|
||||
@@ -210,41 +214,69 @@ export const unregisterDirectory = async (userId: number, directoryId: number) =
|
||||
});
|
||||
};
|
||||
|
||||
export const registerFile = async (trx: typeof db, params: Omit<File, "id">) => {
|
||||
export const registerFile = async (params: NewFile) => {
|
||||
if ((params.hskVersion && !params.contentHmac) || (!params.hskVersion && params.contentHmac)) {
|
||||
throw new Error("Invalid arguments");
|
||||
}
|
||||
|
||||
const { fileId } = await trx
|
||||
.insertInto("file")
|
||||
.values({
|
||||
parent_id: params.parentId !== "root" ? params.parentId : null,
|
||||
user_id: params.userId,
|
||||
path: params.path,
|
||||
master_encryption_key_version: params.mekVersion,
|
||||
encrypted_data_encryption_key: params.encDek,
|
||||
data_encryption_key_version: params.dekVersion,
|
||||
hmac_secret_key_version: params.hskVersion,
|
||||
content_hmac: params.contentHmac,
|
||||
content_type: params.contentType,
|
||||
encrypted_content_iv: params.encContentIv,
|
||||
encrypted_content_hash: params.encContentHash,
|
||||
encrypted_name: params.encName,
|
||||
encrypted_created_at: params.encCreatedAt,
|
||||
encrypted_last_modified_at: params.encLastModifiedAt,
|
||||
})
|
||||
.returning("id as fileId")
|
||||
.executeTakeFirstOrThrow();
|
||||
await trx
|
||||
.insertInto("file_log")
|
||||
.values({
|
||||
file_id: fileId,
|
||||
timestamp: new Date(),
|
||||
action: "create",
|
||||
new_name: params.encName,
|
||||
})
|
||||
.execute();
|
||||
return { id: fileId };
|
||||
return await db.transaction().execute(async (trx) => {
|
||||
const mek = await trx
|
||||
.selectFrom("master_encryption_key")
|
||||
.select("version")
|
||||
.where("user_id", "=", params.userId)
|
||||
.where("state", "=", "active")
|
||||
.limit(1)
|
||||
.forUpdate()
|
||||
.executeTakeFirst();
|
||||
if (mek?.version !== params.mekVersion) {
|
||||
throw new IntegrityError("Inactive MEK version");
|
||||
}
|
||||
|
||||
if (params.hskVersion) {
|
||||
const hsk = await trx
|
||||
.selectFrom("hmac_secret_key")
|
||||
.select("version")
|
||||
.where("user_id", "=", params.userId)
|
||||
.where("state", "=", "active")
|
||||
.limit(1)
|
||||
.forUpdate()
|
||||
.executeTakeFirst();
|
||||
if (hsk?.version !== params.hskVersion) {
|
||||
throw new IntegrityError("Inactive HSK version");
|
||||
}
|
||||
}
|
||||
|
||||
const { fileId } = await trx
|
||||
.insertInto("file")
|
||||
.values({
|
||||
parent_id: params.parentId !== "root" ? params.parentId : null,
|
||||
user_id: params.userId,
|
||||
path: params.path,
|
||||
master_encryption_key_version: params.mekVersion,
|
||||
encrypted_data_encryption_key: params.encDek,
|
||||
data_encryption_key_version: params.dekVersion,
|
||||
hmac_secret_key_version: params.hskVersion,
|
||||
content_hmac: params.contentHmac,
|
||||
content_type: params.contentType,
|
||||
encrypted_content_iv: params.encContentIv,
|
||||
encrypted_content_hash: params.encContentHash,
|
||||
encrypted_name: params.encName,
|
||||
encrypted_created_at: params.encCreatedAt,
|
||||
encrypted_last_modified_at: params.encLastModifiedAt,
|
||||
})
|
||||
.returning("id as fileId")
|
||||
.executeTakeFirstOrThrow();
|
||||
await trx
|
||||
.insertInto("file_log")
|
||||
.values({
|
||||
file_id: fileId,
|
||||
timestamp: new Date(),
|
||||
action: "create",
|
||||
new_name: params.encName,
|
||||
})
|
||||
.execute();
|
||||
return { id: fileId };
|
||||
});
|
||||
};
|
||||
|
||||
export const getAllFilesByParent = async (userId: number, parentId: DirectoryId) => {
|
||||
|
||||
@@ -5,7 +5,6 @@ export * as HskRepo from "./hsk";
|
||||
export * as MediaRepo from "./media";
|
||||
export * as MekRepo from "./mek";
|
||||
export * as SessionRepo from "./session";
|
||||
export * as UploadRepo from "./upload";
|
||||
export * as UserRepo from "./user";
|
||||
|
||||
export * from "./error";
|
||||
|
||||
@@ -1,50 +0,0 @@
|
||||
import { Kysely, sql } from "kysely";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
export const up = async (db: Kysely<any>) => {
|
||||
// file.ts
|
||||
await db.schema
|
||||
.alterTable("file")
|
||||
.alterColumn("encrypted_content_iv", (col) => col.dropNotNull())
|
||||
.execute();
|
||||
|
||||
// upload.ts
|
||||
await db.schema
|
||||
.createTable("upload_session")
|
||||
.addColumn("id", "uuid", (col) => col.primaryKey().defaultTo(sql`gen_random_uuid()`))
|
||||
.addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
|
||||
.addColumn("total_chunks", "integer", (col) => col.notNull())
|
||||
.addColumn("uploaded_chunks", sql`integer[]`, (col) => col.notNull().defaultTo(sql`'{}'`))
|
||||
.addColumn("expires_at", "timestamp(3)", (col) => col.notNull())
|
||||
.addColumn("parent_id", "integer", (col) => col.references("directory.id"))
|
||||
.addColumn("master_encryption_key_version", "integer", (col) => col.notNull())
|
||||
.addColumn("encrypted_data_encryption_key", "text", (col) => col.notNull())
|
||||
.addColumn("data_encryption_key_version", "timestamp(3)", (col) => col.notNull())
|
||||
.addColumn("hmac_secret_key_version", "integer")
|
||||
.addColumn("content_type", "text", (col) => col.notNull())
|
||||
.addColumn("encrypted_name", "json", (col) => col.notNull())
|
||||
.addColumn("encrypted_created_at", "json")
|
||||
.addColumn("encrypted_last_modified_at", "json", (col) => col.notNull())
|
||||
.addForeignKeyConstraint(
|
||||
"upload_session_fk01",
|
||||
["user_id", "master_encryption_key_version"],
|
||||
"master_encryption_key",
|
||||
["user_id", "version"],
|
||||
)
|
||||
.addForeignKeyConstraint(
|
||||
"upload_session_fk02",
|
||||
["user_id", "hmac_secret_key_version"],
|
||||
"hmac_secret_key",
|
||||
["user_id", "version"],
|
||||
)
|
||||
.execute();
|
||||
};
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
export const down = async (db: Kysely<any>) => {
|
||||
await db.schema.dropTable("upload_session").execute();
|
||||
await db.schema
|
||||
.alterTable("file")
|
||||
.alterColumn("encrypted_content_iv", (col) => col.setNotNull())
|
||||
.execute();
|
||||
};
|
||||
@@ -1,11 +1,9 @@
|
||||
import * as Initial1737357000 from "./1737357000-Initial";
|
||||
import * as AddFileCategory1737422340 from "./1737422340-AddFileCategory";
|
||||
import * as AddThumbnail1738409340 from "./1738409340-AddThumbnail";
|
||||
import * as AddChunkedUpload1768062380 from "./1768062380-AddChunkedUpload";
|
||||
|
||||
export default {
|
||||
"1737357000-Initial": Initial1737357000,
|
||||
"1737422340-AddFileCategory": AddFileCategory1737422340,
|
||||
"1738409340-AddThumbnail": AddThumbnail1738409340,
|
||||
"1768062380-AddChunkedUpload": AddChunkedUpload1768062380,
|
||||
};
|
||||
|
||||
@@ -30,7 +30,7 @@ interface FileTable {
|
||||
hmac_secret_key_version: number | null;
|
||||
content_hmac: string | null; // Base64
|
||||
content_type: string;
|
||||
encrypted_content_iv: string | null; // Base64
|
||||
encrypted_content_iv: string; // Base64
|
||||
encrypted_content_hash: string; // Base64
|
||||
encrypted_name: Ciphertext;
|
||||
encrypted_created_at: Ciphertext | null;
|
||||
|
||||
@@ -5,7 +5,6 @@ export * from "./hsk";
|
||||
export * from "./media";
|
||||
export * from "./mek";
|
||||
export * from "./session";
|
||||
export * from "./upload";
|
||||
export * from "./user";
|
||||
export * from "./util";
|
||||
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
import type { Generated } from "kysely";
|
||||
import type { Ciphertext } from "./util";
|
||||
|
||||
interface UploadSessionTable {
|
||||
id: Generated<string>;
|
||||
user_id: number;
|
||||
total_chunks: number;
|
||||
uploaded_chunks: Generated<number[]>;
|
||||
expires_at: Date;
|
||||
|
||||
parent_id: number | null;
|
||||
master_encryption_key_version: number;
|
||||
encrypted_data_encryption_key: string; // Base64
|
||||
data_encryption_key_version: Date;
|
||||
hmac_secret_key_version: number | null;
|
||||
content_type: string;
|
||||
encrypted_name: Ciphertext;
|
||||
encrypted_created_at: Ciphertext | null;
|
||||
encrypted_last_modified_at: Ciphertext;
|
||||
}
|
||||
|
||||
declare module "./index" {
|
||||
interface Database {
|
||||
upload_session: UploadSessionTable;
|
||||
}
|
||||
}
|
||||
@@ -1,122 +0,0 @@
|
||||
import { sql } from "kysely";
|
||||
import { IntegrityError } from "./error";
|
||||
import db from "./kysely";
|
||||
import type { Ciphertext } from "./schema";
|
||||
|
||||
interface UploadSession {
|
||||
id: string;
|
||||
userId: number;
|
||||
totalChunks: number;
|
||||
uploadedChunks: number[];
|
||||
expiresAt: Date;
|
||||
|
||||
parentId: DirectoryId;
|
||||
mekVersion: number;
|
||||
encDek: string;
|
||||
dekVersion: Date;
|
||||
hskVersion: number | null;
|
||||
contentType: string;
|
||||
encName: Ciphertext;
|
||||
encCreatedAt: Ciphertext | null;
|
||||
encLastModifiedAt: Ciphertext;
|
||||
}
|
||||
|
||||
export const createUploadSession = async (params: Omit<UploadSession, "id" | "uploadedChunks">) => {
|
||||
return await db.transaction().execute(async (trx) => {
|
||||
const mek = await trx
|
||||
.selectFrom("master_encryption_key")
|
||||
.select("version")
|
||||
.where("user_id", "=", params.userId)
|
||||
.where("state", "=", "active")
|
||||
.limit(1)
|
||||
.forUpdate()
|
||||
.executeTakeFirst();
|
||||
if (mek?.version !== params.mekVersion) {
|
||||
throw new IntegrityError("Inactive MEK version");
|
||||
}
|
||||
|
||||
if (params.hskVersion) {
|
||||
const hsk = await trx
|
||||
.selectFrom("hmac_secret_key")
|
||||
.select("version")
|
||||
.where("user_id", "=", params.userId)
|
||||
.where("state", "=", "active")
|
||||
.limit(1)
|
||||
.forUpdate()
|
||||
.executeTakeFirst();
|
||||
if (hsk?.version !== params.hskVersion) {
|
||||
throw new IntegrityError("Inactive HSK version");
|
||||
}
|
||||
}
|
||||
|
||||
const { sessionId } = await trx
|
||||
.insertInto("upload_session")
|
||||
.values({
|
||||
user_id: params.userId,
|
||||
total_chunks: params.totalChunks,
|
||||
expires_at: params.expiresAt,
|
||||
parent_id: params.parentId !== "root" ? params.parentId : null,
|
||||
master_encryption_key_version: params.mekVersion,
|
||||
encrypted_data_encryption_key: params.encDek,
|
||||
data_encryption_key_version: params.dekVersion,
|
||||
hmac_secret_key_version: params.hskVersion,
|
||||
content_type: params.contentType,
|
||||
encrypted_name: params.encName,
|
||||
encrypted_created_at: params.encCreatedAt,
|
||||
encrypted_last_modified_at: params.encLastModifiedAt,
|
||||
})
|
||||
.returning("id as sessionId")
|
||||
.executeTakeFirstOrThrow();
|
||||
return { id: sessionId };
|
||||
});
|
||||
};
|
||||
|
||||
export const getUploadSession = async (sessionId: string, userId: number) => {
|
||||
const session = await db
|
||||
.selectFrom("upload_session")
|
||||
.selectAll()
|
||||
.where("id", "=", sessionId)
|
||||
.where("user_id", "=", userId)
|
||||
.where("expires_at", ">", new Date())
|
||||
.limit(1)
|
||||
.executeTakeFirst();
|
||||
return session
|
||||
? ({
|
||||
id: session.id,
|
||||
userId: session.user_id,
|
||||
totalChunks: session.total_chunks,
|
||||
uploadedChunks: session.uploaded_chunks,
|
||||
expiresAt: session.expires_at,
|
||||
parentId: session.parent_id ?? "root",
|
||||
mekVersion: session.master_encryption_key_version,
|
||||
encDek: session.encrypted_data_encryption_key,
|
||||
dekVersion: session.data_encryption_key_version,
|
||||
hskVersion: session.hmac_secret_key_version,
|
||||
contentType: session.content_type,
|
||||
encName: session.encrypted_name,
|
||||
encCreatedAt: session.encrypted_created_at,
|
||||
encLastModifiedAt: session.encrypted_last_modified_at,
|
||||
} satisfies UploadSession)
|
||||
: null;
|
||||
};
|
||||
|
||||
export const markChunkAsUploaded = async (sessionId: string, chunkIndex: number) => {
|
||||
await db
|
||||
.updateTable("upload_session")
|
||||
.set({ uploaded_chunks: sql`array_append(uploaded_chunks, ${chunkIndex})` })
|
||||
.where("id", "=", sessionId)
|
||||
.execute();
|
||||
};
|
||||
|
||||
export const deleteUploadSession = async (trx: typeof db, sessionId: string) => {
|
||||
await trx.deleteFrom("upload_session").where("id", "=", sessionId).execute();
|
||||
};
|
||||
|
||||
export const cleanupExpiredUploadSessions = async () => {
|
||||
const sessions = await db
|
||||
.deleteFrom("upload_session")
|
||||
.where("expires_at", "<", new Date())
|
||||
.returning("id")
|
||||
.execute();
|
||||
return sessions.map(({ id }) => id);
|
||||
};
|
||||
@@ -26,5 +26,4 @@ export default {
|
||||
},
|
||||
libraryPath: env.LIBRARY_PATH || "library",
|
||||
thumbnailsPath: env.THUMBNAILS_PATH || "thumbnails",
|
||||
uploadsPath: env.UPLOADS_PATH || "uploads",
|
||||
};
|
||||
|
||||
@@ -1,7 +1,4 @@
|
||||
import { unlink } from "fs/promises";
|
||||
import env from "$lib/server/loadenv";
|
||||
|
||||
export const getChunkDirectoryPath = (sessionId: string) => `${env.uploadsPath}/${sessionId}`;
|
||||
|
||||
export const safeUnlink = async (path: string | null | undefined) => {
|
||||
if (path) {
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
export const parseRangeHeader = (rangeHeader: string | null) => {
|
||||
if (!rangeHeader) return undefined;
|
||||
|
||||
const firstRange = rangeHeader.split(",")[0]!.trim();
|
||||
const parts = firstRange.replace(/bytes=/, "").split("-");
|
||||
return {
|
||||
start: parts[0] ? parseInt(parts[0], 10) : undefined,
|
||||
end: parts[1] ? parseInt(parts[1], 10) : undefined,
|
||||
};
|
||||
};
|
||||
|
||||
export const getContentRangeHeader = (range?: { start: number; end: number; total: number }) => {
|
||||
return range && { "Content-Range": `bytes ${range.start}-${range.end}/${range.total}` };
|
||||
};
|
||||
@@ -1,7 +1,36 @@
|
||||
import mime from "mime";
|
||||
import { z } from "zod";
|
||||
import { directoryIdSchema } from "./directory";
|
||||
|
||||
export const fileThumbnailUploadRequest = z.object({
|
||||
dekVersion: z.iso.datetime(),
|
||||
contentIv: z.base64().nonempty(),
|
||||
});
|
||||
export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;
|
||||
|
||||
export const fileUploadRequest = z.object({
|
||||
parent: directoryIdSchema,
|
||||
mekVersion: z.int().positive(),
|
||||
dek: z.base64().nonempty(),
|
||||
dekVersion: z.iso.datetime(),
|
||||
hskVersion: z.int().positive(),
|
||||
contentHmac: z.base64().nonempty(),
|
||||
contentType: z
|
||||
.string()
|
||||
.trim()
|
||||
.nonempty()
|
||||
.refine((value) => mime.getExtension(value) !== null), // MIME type
|
||||
contentIv: z.base64().nonempty(),
|
||||
name: z.base64().nonempty(),
|
||||
nameIv: z.base64().nonempty(),
|
||||
createdAt: z.base64().nonempty().optional(),
|
||||
createdAtIv: z.base64().nonempty().optional(),
|
||||
lastModifiedAt: z.base64().nonempty(),
|
||||
lastModifiedAtIv: z.base64().nonempty(),
|
||||
});
|
||||
export type FileUploadRequest = z.input<typeof fileUploadRequest>;
|
||||
|
||||
export const fileUploadResponse = z.object({
|
||||
file: z.int().positive(),
|
||||
});
|
||||
export type FileUploadResponse = z.output<typeof fileUploadResponse>;
|
||||
|
||||
@@ -6,80 +6,34 @@ import { dirname } from "path";
|
||||
import { Readable } from "stream";
|
||||
import { pipeline } from "stream/promises";
|
||||
import { v4 as uuidv4 } from "uuid";
|
||||
import { CHUNK_SIZE, ENCRYPTION_OVERHEAD } from "$lib/constants";
|
||||
import { FileRepo, MediaRepo, UploadRepo, IntegrityError } from "$lib/server/db";
|
||||
import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
|
||||
import env from "$lib/server/loadenv";
|
||||
import { getChunkDirectoryPath, safeUnlink } from "$lib/server/modules/filesystem";
|
||||
import { safeUnlink } from "$lib/server/modules/filesystem";
|
||||
|
||||
const uploadLocks = new Set<string>();
|
||||
|
||||
const createEncContentStream = async (
|
||||
path: string,
|
||||
iv?: Buffer,
|
||||
range?: { start?: number; end?: number },
|
||||
) => {
|
||||
const { size: fileSize } = await stat(path);
|
||||
const ivSize = iv?.byteLength ?? 0;
|
||||
const totalSize = fileSize + ivSize;
|
||||
|
||||
const start = range?.start ?? 0;
|
||||
const end = range?.end ?? totalSize - 1;
|
||||
if (start > end || start < 0 || end >= totalSize) {
|
||||
error(416, "Invalid range");
|
||||
}
|
||||
|
||||
return {
|
||||
encContentStream: Readable.toWeb(
|
||||
Readable.from(
|
||||
(async function* () {
|
||||
if (start < ivSize) {
|
||||
yield iv!.subarray(start, Math.min(end + 1, ivSize));
|
||||
}
|
||||
if (end >= ivSize) {
|
||||
yield* createReadStream(path, {
|
||||
start: Math.max(0, start - ivSize),
|
||||
end: end - ivSize,
|
||||
});
|
||||
}
|
||||
})(),
|
||||
),
|
||||
),
|
||||
range: { start, end, total: totalSize },
|
||||
};
|
||||
};
|
||||
|
||||
export const getFileStream = async (
|
||||
userId: number,
|
||||
fileId: number,
|
||||
range?: { start?: number; end?: number },
|
||||
) => {
|
||||
export const getFileStream = async (userId: number, fileId: number) => {
|
||||
const file = await FileRepo.getFile(userId, fileId);
|
||||
if (!file) {
|
||||
error(404, "Invalid file id");
|
||||
}
|
||||
|
||||
return createEncContentStream(
|
||||
file.path,
|
||||
file.encContentIv ? Buffer.from(file.encContentIv, "base64") : undefined,
|
||||
range,
|
||||
);
|
||||
const { size } = await stat(file.path);
|
||||
return {
|
||||
encContentStream: Readable.toWeb(createReadStream(file.path)),
|
||||
encContentSize: size,
|
||||
};
|
||||
};
|
||||
|
||||
export const getFileThumbnailStream = async (
|
||||
userId: number,
|
||||
fileId: number,
|
||||
range?: { start?: number; end?: number },
|
||||
) => {
|
||||
export const getFileThumbnailStream = async (userId: number, fileId: number) => {
|
||||
const thumbnail = await MediaRepo.getFileThumbnail(userId, fileId);
|
||||
if (!thumbnail) {
|
||||
error(404, "File or its thumbnail not found");
|
||||
}
|
||||
|
||||
return createEncContentStream(
|
||||
thumbnail.path,
|
||||
Buffer.from(thumbnail.encContentIv, "base64"),
|
||||
range,
|
||||
);
|
||||
const { size } = await stat(thumbnail.path);
|
||||
return {
|
||||
encContentStream: Readable.toWeb(createReadStream(thumbnail.path)),
|
||||
encContentSize: size,
|
||||
};
|
||||
};
|
||||
|
||||
export const uploadFileThumbnail = async (
|
||||
@@ -117,70 +71,56 @@ export const uploadFileThumbnail = async (
|
||||
}
|
||||
};
|
||||
|
||||
export const uploadChunk = async (
|
||||
userId: number,
|
||||
sessionId: string,
|
||||
chunkIndex: number,
|
||||
encChunkStream: Readable,
|
||||
encChunkHash: string,
|
||||
export const uploadFile = async (
|
||||
params: Omit<FileRepo.NewFile, "path" | "encContentHash">,
|
||||
encContentStream: Readable,
|
||||
encContentHash: Promise<string>,
|
||||
) => {
|
||||
const lockKey = `${sessionId}/${chunkIndex}`;
|
||||
if (uploadLocks.has(lockKey)) {
|
||||
error(409, "Chunk already uploaded"); // TODO: Message
|
||||
} else {
|
||||
uploadLocks.add(lockKey);
|
||||
const oneDayAgo = new Date(Date.now() - 24 * 60 * 60 * 1000);
|
||||
const oneMinuteLater = new Date(Date.now() + 60 * 1000);
|
||||
if (params.dekVersion <= oneDayAgo || params.dekVersion >= oneMinuteLater) {
|
||||
error(400, "Invalid DEK version");
|
||||
}
|
||||
|
||||
const filePath = `${getChunkDirectoryPath(sessionId)}/${chunkIndex}`;
|
||||
const path = `${env.libraryPath}/${params.userId}/${uuidv4()}`;
|
||||
await mkdir(dirname(path), { recursive: true });
|
||||
|
||||
try {
|
||||
const session = await UploadRepo.getUploadSession(sessionId, userId);
|
||||
if (!session) {
|
||||
error(404, "Invalid upload id");
|
||||
} else if (chunkIndex >= session.totalChunks) {
|
||||
error(400, "Invalid chunk index");
|
||||
} else if (session.uploadedChunks.includes(chunkIndex)) {
|
||||
error(409, "Chunk already uploaded");
|
||||
}
|
||||
|
||||
const isLastChunk = chunkIndex === session.totalChunks - 1;
|
||||
|
||||
let writtenBytes = 0;
|
||||
const hashStream = createHash("sha256");
|
||||
const writeStream = createWriteStream(filePath, { flags: "wx", mode: 0o600 });
|
||||
|
||||
for await (const chunk of encChunkStream) {
|
||||
writtenBytes += chunk.length;
|
||||
hashStream.update(chunk);
|
||||
writeStream.write(chunk);
|
||||
}
|
||||
|
||||
await new Promise<void>((resolve, reject) => {
|
||||
writeStream.end((e: any) => (e ? reject(e) : resolve()));
|
||||
});
|
||||
|
||||
if (hashStream.digest("base64") !== encChunkHash) {
|
||||
const [, hash] = await Promise.all([
|
||||
pipeline(
|
||||
encContentStream,
|
||||
async function* (source) {
|
||||
for await (const chunk of source) {
|
||||
hashStream.update(chunk);
|
||||
yield chunk;
|
||||
}
|
||||
},
|
||||
createWriteStream(path, { flags: "wx", mode: 0o600 }),
|
||||
),
|
||||
encContentHash,
|
||||
]);
|
||||
if (hashStream.digest("base64") !== hash) {
|
||||
throw new Error("Invalid checksum");
|
||||
} else if (
|
||||
(!isLastChunk && writtenBytes !== CHUNK_SIZE + ENCRYPTION_OVERHEAD) ||
|
||||
(isLastChunk &&
|
||||
(writtenBytes <= ENCRYPTION_OVERHEAD || writtenBytes > CHUNK_SIZE + ENCRYPTION_OVERHEAD))
|
||||
) {
|
||||
throw new Error("Invalid chunk size");
|
||||
}
|
||||
|
||||
await UploadRepo.markChunkAsUploaded(sessionId, chunkIndex);
|
||||
const { id: fileId } = await FileRepo.registerFile({
|
||||
...params,
|
||||
path,
|
||||
encContentHash: hash,
|
||||
});
|
||||
return { fileId };
|
||||
} catch (e) {
|
||||
await safeUnlink(filePath);
|
||||
await safeUnlink(path);
|
||||
|
||||
if (
|
||||
if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
|
||||
error(400, "Invalid MEK version");
|
||||
} else if (
|
||||
e instanceof Error &&
|
||||
(e.message === "Invalid checksum" || e.message === "Invalid chunk size")
|
||||
(e.message === "Invalid request body" || e.message === "Invalid checksum")
|
||||
) {
|
||||
error(400, "Invalid request body");
|
||||
}
|
||||
throw e;
|
||||
} finally {
|
||||
uploadLocks.delete(lockKey);
|
||||
}
|
||||
};
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
import { getAllFileInfos } from "$lib/indexedDB/filesystem";
|
||||
import { encodeToBase64 } from "$lib/modules/crypto";
|
||||
import {
|
||||
getFileCache,
|
||||
storeFileCache,
|
||||
@@ -12,13 +11,13 @@ import { trpc } from "$trpc/client";
|
||||
|
||||
export const requestFileDownload = async (
|
||||
fileId: number,
|
||||
fileEncryptedIv: string,
|
||||
dataKey: CryptoKey,
|
||||
isLegacy: boolean,
|
||||
) => {
|
||||
const cache = await getFileCache(fileId);
|
||||
if (cache) return cache;
|
||||
|
||||
const fileBuffer = await downloadFile(fileId, dataKey, isLegacy);
|
||||
const fileBuffer = await downloadFile(fileId, fileEncryptedIv, dataKey);
|
||||
storeFileCache(fileId, fileBuffer); // Intended
|
||||
return fileBuffer;
|
||||
};
|
||||
@@ -26,14 +25,14 @@ export const requestFileDownload = async (
|
||||
export const requestFileThumbnailUpload = async (
|
||||
fileId: number,
|
||||
dataKeyVersion: Date,
|
||||
thumbnailEncrypted: { ciphertext: ArrayBuffer; iv: ArrayBuffer },
|
||||
thumbnailEncrypted: { ciphertext: ArrayBuffer; iv: string },
|
||||
) => {
|
||||
const form = new FormData();
|
||||
form.set(
|
||||
"metadata",
|
||||
JSON.stringify({
|
||||
dekVersion: dataKeyVersion.toISOString(),
|
||||
contentIv: encodeToBase64(thumbnailEncrypted.iv),
|
||||
contentIv: thumbnailEncrypted.iv,
|
||||
} satisfies FileThumbnailUploadRequest),
|
||||
);
|
||||
form.set("content", new Blob([thumbnailEncrypted.ciphertext]));
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
import { page } from "$app/state";
|
||||
import { FullscreenDiv } from "$lib/components/atoms";
|
||||
import { Categories, IconEntryButton, TopBar } from "$lib/components/molecules";
|
||||
import { getFileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
|
||||
import { getFileInfo, type FileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
|
||||
import { captureVideoThumbnail } from "$lib/modules/thumbnail";
|
||||
import { getFileDownloadState } from "$lib/modules/file";
|
||||
import { masterKeyStore } from "$lib/stores";
|
||||
@@ -95,12 +95,14 @@
|
||||
untrack(() => {
|
||||
if (!downloadState && !isDownloadRequested) {
|
||||
isDownloadRequested = true;
|
||||
requestFileDownload(data.id, info!.dataKey!.key, info!.isLegacy!).then(async (buffer) => {
|
||||
const blob = await updateViewer(buffer, contentType);
|
||||
if (!viewerType) {
|
||||
FileSaver.saveAs(blob, info!.name);
|
||||
}
|
||||
});
|
||||
requestFileDownload(data.id, info!.contentIv!, info!.dataKey!.key).then(
|
||||
async (buffer) => {
|
||||
const blob = await updateViewer(buffer, contentType);
|
||||
if (!viewerType) {
|
||||
FileSaver.saveAs(blob, info!.name);
|
||||
}
|
||||
},
|
||||
);
|
||||
}
|
||||
});
|
||||
}
|
||||
@@ -108,9 +110,7 @@
|
||||
|
||||
$effect(() => {
|
||||
if (info?.exists && downloadState?.status === "decrypted") {
|
||||
untrack(
|
||||
() => !isDownloadRequested && updateViewer(downloadState.result!, info!.contentType!),
|
||||
);
|
||||
untrack(() => !isDownloadRequested && updateViewer(downloadState.result!, info!.contentIv!));
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@ const requestThumbnailUpload = limitFunction(
|
||||
async (
|
||||
fileId: number,
|
||||
dataKeyVersion: Date,
|
||||
thumbnail: { plaintext: ArrayBuffer; ciphertext: ArrayBuffer; iv: ArrayBuffer },
|
||||
thumbnail: { plaintext: ArrayBuffer; ciphertext: ArrayBuffer; iv: string },
|
||||
) => {
|
||||
statuses.set(fileId, "uploading");
|
||||
|
||||
@@ -77,7 +77,7 @@ export const requestThumbnailGeneration = async (fileInfo: FileInfo) => {
|
||||
await scheduler.schedule(
|
||||
async () => {
|
||||
statuses.set(fileInfo.id, "generation-pending");
|
||||
file = await requestFileDownload(fileInfo.id, fileInfo.dataKey?.key!, fileInfo.isLegacy!);
|
||||
file = await requestFileDownload(fileInfo.id, fileInfo.contentIv!, fileInfo.dataKey?.key!);
|
||||
return file.byteLength;
|
||||
},
|
||||
async () => {
|
||||
|
||||
@@ -1,15 +1,10 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import { z } from "zod";
|
||||
import { authorize } from "$lib/server/modules/auth";
|
||||
import { parseRangeHeader, getContentRangeHeader } from "$lib/server/modules/http";
|
||||
import { getFileStream } from "$lib/server/services/file";
|
||||
import type { RequestHandler } from "./$types";
|
||||
|
||||
const downloadHandler = async (
|
||||
locals: App.Locals,
|
||||
params: Record<string, string>,
|
||||
request: Request,
|
||||
) => {
|
||||
export const GET: RequestHandler = async ({ locals, params }) => {
|
||||
const { userId } = await authorize(locals, "activeClient");
|
||||
|
||||
const zodRes = z
|
||||
@@ -20,29 +15,11 @@ const downloadHandler = async (
|
||||
if (!zodRes.success) error(400, "Invalid path parameters");
|
||||
const { id } = zodRes.data;
|
||||
|
||||
const { encContentStream, range } = await getFileStream(
|
||||
userId,
|
||||
id,
|
||||
parseRangeHeader(request.headers.get("Range")),
|
||||
);
|
||||
return {
|
||||
stream: encContentStream,
|
||||
const { encContentStream, encContentSize } = await getFileStream(userId, id);
|
||||
return new Response(encContentStream as ReadableStream, {
|
||||
headers: {
|
||||
"Accept-Ranges": "bytes",
|
||||
"Content-Length": (range.end - range.start + 1).toString(),
|
||||
"Content-Type": "application/octet-stream",
|
||||
...getContentRangeHeader(range),
|
||||
"Content-Length": encContentSize.toString(),
|
||||
},
|
||||
isRangeRequest: !!range,
|
||||
};
|
||||
};
|
||||
|
||||
export const GET: RequestHandler = async ({ locals, params, request }) => {
|
||||
const { stream, headers, isRangeRequest } = await downloadHandler(locals, params, request);
|
||||
return new Response(stream as ReadableStream, { status: isRangeRequest ? 206 : 200, headers });
|
||||
};
|
||||
|
||||
export const HEAD: RequestHandler = async ({ locals, params, request }) => {
|
||||
const { headers, isRangeRequest } = await downloadHandler(locals, params, request);
|
||||
return new Response(null, { status: isRangeRequest ? 206 : 200, headers });
|
||||
});
|
||||
};
|
||||
|
||||
@@ -1,15 +1,10 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import { z } from "zod";
|
||||
import { authorize } from "$lib/server/modules/auth";
|
||||
import { parseRangeHeader, getContentRangeHeader } from "$lib/server/modules/http";
|
||||
import { getFileThumbnailStream } from "$lib/server/services/file";
|
||||
import type { RequestHandler } from "./$types";
|
||||
|
||||
const downloadHandler = async (
|
||||
locals: App.Locals,
|
||||
params: Record<string, string>,
|
||||
request: Request,
|
||||
) => {
|
||||
export const GET: RequestHandler = async ({ locals, params }) => {
|
||||
const { userId } = await authorize(locals, "activeClient");
|
||||
|
||||
const zodRes = z
|
||||
@@ -20,29 +15,11 @@ const downloadHandler = async (
|
||||
if (!zodRes.success) error(400, "Invalid path parameters");
|
||||
const { id } = zodRes.data;
|
||||
|
||||
const { encContentStream, range } = await getFileThumbnailStream(
|
||||
userId,
|
||||
id,
|
||||
parseRangeHeader(request.headers.get("Range")),
|
||||
);
|
||||
return {
|
||||
stream: encContentStream,
|
||||
const { encContentStream, encContentSize } = await getFileThumbnailStream(userId, id);
|
||||
return new Response(encContentStream as ReadableStream, {
|
||||
headers: {
|
||||
"Accept-Ranges": "bytes",
|
||||
"Content-Length": (range.end - range.start + 1).toString(),
|
||||
"Content-Type": "application/octet-stream",
|
||||
...getContentRangeHeader(range),
|
||||
"Content-Length": encContentSize.toString(),
|
||||
},
|
||||
isRangeRequest: !!range,
|
||||
};
|
||||
};
|
||||
|
||||
export const GET: RequestHandler = async ({ locals, params, request }) => {
|
||||
const { stream, headers, isRangeRequest } = await downloadHandler(locals, params, request);
|
||||
return new Response(stream as ReadableStream, { status: isRangeRequest ? 206 : 200, headers });
|
||||
};
|
||||
|
||||
export const HEAD: RequestHandler = async ({ locals, params, request }) => {
|
||||
const { headers, isRangeRequest } = await downloadHandler(locals, params, request);
|
||||
return new Response(null, { status: isRangeRequest ? 206 : 200, headers });
|
||||
});
|
||||
};
|
||||
|
||||
108
src/routes/api/file/upload/+server.ts
Normal file
108
src/routes/api/file/upload/+server.ts
Normal file
@@ -0,0 +1,108 @@
|
||||
import Busboy from "@fastify/busboy";
|
||||
import { error, json } from "@sveltejs/kit";
|
||||
import { Readable, Writable } from "stream";
|
||||
import { authorize } from "$lib/server/modules/auth";
|
||||
import {
|
||||
fileUploadRequest,
|
||||
fileUploadResponse,
|
||||
type FileUploadResponse,
|
||||
} from "$lib/server/schemas";
|
||||
import { uploadFile } from "$lib/server/services/file";
|
||||
import type { RequestHandler } from "./$types";
|
||||
|
||||
type FileMetadata = Parameters<typeof uploadFile>[0];
|
||||
|
||||
const parseFileMetadata = (userId: number, json: string) => {
|
||||
const zodRes = fileUploadRequest.safeParse(JSON.parse(json));
|
||||
if (!zodRes.success) error(400, "Invalid request body");
|
||||
const {
|
||||
parent,
|
||||
mekVersion,
|
||||
dek,
|
||||
dekVersion,
|
||||
hskVersion,
|
||||
contentHmac,
|
||||
contentType,
|
||||
contentIv,
|
||||
name,
|
||||
nameIv,
|
||||
createdAt,
|
||||
createdAtIv,
|
||||
lastModifiedAt,
|
||||
lastModifiedAtIv,
|
||||
} = zodRes.data;
|
||||
if ((createdAt && !createdAtIv) || (!createdAt && createdAtIv))
|
||||
error(400, "Invalid request body");
|
||||
|
||||
return {
|
||||
userId,
|
||||
parentId: parent,
|
||||
mekVersion,
|
||||
encDek: dek,
|
||||
dekVersion: new Date(dekVersion),
|
||||
hskVersion,
|
||||
contentHmac,
|
||||
contentType,
|
||||
encContentIv: contentIv,
|
||||
encName: { ciphertext: name, iv: nameIv },
|
||||
encCreatedAt: createdAt && createdAtIv ? { ciphertext: createdAt, iv: createdAtIv } : null,
|
||||
encLastModifiedAt: { ciphertext: lastModifiedAt, iv: lastModifiedAtIv },
|
||||
} satisfies FileMetadata;
|
||||
};
|
||||
|
||||
export const POST: RequestHandler = async ({ locals, request }) => {
|
||||
const { userId } = await authorize(locals, "activeClient");
|
||||
|
||||
const contentType = request.headers.get("Content-Type");
|
||||
if (!contentType?.startsWith("multipart/form-data") || !request.body) {
|
||||
error(400, "Invalid request body");
|
||||
}
|
||||
|
||||
return new Promise<Response>((resolve, reject) => {
|
||||
const bb = Busboy({ headers: { "content-type": contentType } });
|
||||
const handler =
|
||||
<T extends unknown[]>(f: (...args: T) => Promise<void>) =>
|
||||
(...args: T) => {
|
||||
f(...args).catch(reject);
|
||||
};
|
||||
|
||||
let metadata: FileMetadata | null = null;
|
||||
let content: Readable | null = null;
|
||||
const checksum = new Promise<string>((resolveChecksum, rejectChecksum) => {
|
||||
bb.on(
|
||||
"field",
|
||||
handler(async (fieldname, val) => {
|
||||
if (fieldname === "metadata") {
|
||||
// Ignore subsequent metadata fields
|
||||
if (!metadata) {
|
||||
metadata = parseFileMetadata(userId, val);
|
||||
}
|
||||
} else if (fieldname === "checksum") {
|
||||
// Ignore subsequent checksum fields
|
||||
resolveChecksum(val);
|
||||
} else {
|
||||
error(400, "Invalid request body");
|
||||
}
|
||||
}),
|
||||
);
|
||||
bb.on(
|
||||
"file",
|
||||
handler(async (fieldname, file) => {
|
||||
if (fieldname !== "content") error(400, "Invalid request body");
|
||||
if (!metadata || content) error(400, "Invalid request body");
|
||||
content = file;
|
||||
|
||||
const { fileId } = await uploadFile(metadata, content, checksum);
|
||||
resolve(json(fileUploadResponse.parse({ file: fileId } satisfies FileUploadResponse)));
|
||||
}),
|
||||
);
|
||||
bb.on("finish", () => rejectChecksum(new Error("Invalid request body")));
|
||||
bb.on("error", (e) => {
|
||||
content?.emit("error", e) ?? reject(e);
|
||||
rejectChecksum(e);
|
||||
});
|
||||
});
|
||||
|
||||
request.body!.pipeTo(Writable.toWeb(bb)).catch(() => {}); // busboy will handle the error
|
||||
});
|
||||
};
|
||||
@@ -1,43 +0,0 @@
|
||||
import { error, text } from "@sveltejs/kit";
|
||||
import { Readable } from "stream";
|
||||
import { z } from "zod";
|
||||
import { authorize } from "$lib/server/modules/auth";
|
||||
import { uploadChunk } from "$lib/server/services/file";
|
||||
import type { RequestHandler } from "./$types";
|
||||
|
||||
export const POST: RequestHandler = async ({ locals, params, request }) => {
|
||||
const { userId } = await authorize(locals, "activeClient");
|
||||
|
||||
const zodRes = z
|
||||
.object({
|
||||
id: z.uuidv4(),
|
||||
index: z.coerce.number().int().nonnegative(),
|
||||
})
|
||||
.safeParse(params);
|
||||
if (!zodRes.success) error(400, "Invalid path parameters");
|
||||
const { id: uploadId, index: chunkIndex } = zodRes.data;
|
||||
|
||||
// Parse Content-Digest header (RFC 9530)
|
||||
// Expected format: sha-256=:base64hash:
|
||||
const contentDigest = request.headers.get("Content-Digest");
|
||||
if (!contentDigest) error(400, "Missing Content-Digest header");
|
||||
|
||||
const digestMatch = contentDigest.match(/^sha-256=:([A-Za-z0-9+/=]+):$/);
|
||||
if (!digestMatch || !digestMatch[1])
|
||||
error(400, "Invalid Content-Digest format, must be sha-256=:base64:");
|
||||
const encChunkHash = digestMatch[1];
|
||||
|
||||
const contentType = request.headers.get("Content-Type");
|
||||
if (contentType !== "application/octet-stream" || !request.body) {
|
||||
error(400, "Invalid request body");
|
||||
}
|
||||
|
||||
// Convert web ReadableStream to Node Readable
|
||||
const nodeReadable = Readable.fromWeb(
|
||||
request.body as unknown as Parameters<typeof Readable.fromWeb>[0],
|
||||
);
|
||||
|
||||
await uploadChunk(userId, uploadId, chunkIndex, nodeReadable, encChunkHash);
|
||||
|
||||
return text("Chunk uploaded", { headers: { "Content-Type": "text/plain" } });
|
||||
};
|
||||
@@ -1,20 +1,9 @@
|
||||
import { TRPCError } from "@trpc/server";
|
||||
import { createHash } from "crypto";
|
||||
import { createReadStream, createWriteStream } from "fs";
|
||||
import { mkdir, rm } from "fs/promises";
|
||||
import mime from "mime";
|
||||
import { dirname } from "path";
|
||||
import { v4 as uuidv4 } from "uuid";
|
||||
import { z } from "zod";
|
||||
import { FileRepo, MediaRepo, UploadRepo, IntegrityError } from "$lib/server/db";
|
||||
import db from "$lib/server/db/kysely";
|
||||
import env from "$lib/server/loadenv";
|
||||
import { getChunkDirectoryPath, safeUnlink } from "$lib/server/modules/filesystem";
|
||||
import { directoryIdSchema } from "$lib/server/schemas";
|
||||
import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
|
||||
import { safeUnlink } from "$lib/server/modules/filesystem";
|
||||
import { router, roleProcedure } from "../init.server";
|
||||
|
||||
const uploadLocks = new Set<string>();
|
||||
|
||||
const fileRouter = router({
|
||||
get: roleProcedure["activeClient"]
|
||||
.input(
|
||||
@@ -30,12 +19,12 @@ const fileRouter = router({
|
||||
|
||||
const categories = await FileRepo.getAllFileCategories(input.id);
|
||||
return {
|
||||
isLegacy: !!file.encContentIv,
|
||||
parent: file.parentId,
|
||||
mekVersion: file.mekVersion,
|
||||
dek: file.encDek,
|
||||
dekVersion: file.dekVersion,
|
||||
contentType: file.contentType,
|
||||
contentIv: file.encContentIv,
|
||||
name: file.encName.ciphertext,
|
||||
nameIv: file.encName.iv,
|
||||
createdAt: file.encCreatedAt?.ciphertext,
|
||||
@@ -64,12 +53,12 @@ const fileRouter = router({
|
||||
const files = await FileRepo.getFilesWithCategories(ctx.session.userId, input.ids);
|
||||
return files.map((file) => ({
|
||||
id: file.id,
|
||||
isLegacy: !!file.encContentIv,
|
||||
parent: file.parentId,
|
||||
mekVersion: file.mekVersion,
|
||||
dek: file.encDek,
|
||||
dekVersion: file.dekVersion,
|
||||
contentType: file.contentType,
|
||||
contentIv: file.encContentIv,
|
||||
name: file.encName.ciphertext,
|
||||
nameIv: file.encName.iv,
|
||||
createdAt: file.encCreatedAt?.ciphertext,
|
||||
@@ -169,138 +158,7 @@ const fileRouter = router({
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "File or its thumbnail not found" });
|
||||
}
|
||||
|
||||
return { updatedAt: thumbnail.updatedAt };
|
||||
}),
|
||||
|
||||
startUpload: roleProcedure["activeClient"]
|
||||
.input(
|
||||
z.object({
|
||||
chunks: z.int().positive(),
|
||||
parent: directoryIdSchema,
|
||||
mekVersion: z.int().positive(),
|
||||
dek: z.base64().nonempty(),
|
||||
dekVersion: z.date(),
|
||||
hskVersion: z.int().positive().optional(),
|
||||
contentType: z
|
||||
.string()
|
||||
.trim()
|
||||
.nonempty()
|
||||
.refine((value) => mime.getExtension(value) !== null),
|
||||
name: z.base64().nonempty(),
|
||||
nameIv: z.base64().nonempty(),
|
||||
createdAt: z.base64().nonempty().optional(),
|
||||
createdAtIv: z.base64().nonempty().optional(),
|
||||
lastModifiedAt: z.base64().nonempty(),
|
||||
lastModifiedAtIv: z.base64().nonempty(),
|
||||
}),
|
||||
)
|
||||
.mutation(async ({ ctx, input }) => {
|
||||
const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
|
||||
const oneMinuteLater = new Date(Date.now() + 60 * 1000);
|
||||
if (input.dekVersion <= oneMinuteAgo || input.dekVersion >= oneMinuteLater) {
|
||||
throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid DEK version" });
|
||||
}
|
||||
|
||||
try {
|
||||
const { id: sessionId } = await UploadRepo.createUploadSession({
|
||||
userId: ctx.session.userId,
|
||||
totalChunks: input.chunks,
|
||||
expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours
|
||||
parentId: input.parent,
|
||||
mekVersion: input.mekVersion,
|
||||
encDek: input.dek,
|
||||
dekVersion: input.dekVersion,
|
||||
hskVersion: input.hskVersion ?? null,
|
||||
contentType: input.contentType,
|
||||
encName: { ciphertext: input.name, iv: input.nameIv },
|
||||
encCreatedAt:
|
||||
input.createdAt && input.createdAtIv
|
||||
? { ciphertext: input.createdAt, iv: input.createdAtIv }
|
||||
: null,
|
||||
encLastModifiedAt: { ciphertext: input.lastModifiedAt, iv: input.lastModifiedAtIv },
|
||||
});
|
||||
await mkdir(getChunkDirectoryPath(sessionId), { recursive: true });
|
||||
return { uploadId: sessionId };
|
||||
} catch (e) {
|
||||
if (e instanceof IntegrityError) {
|
||||
if (e.message === "Inactive MEK version") {
|
||||
throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid MEK version" });
|
||||
} else if (e.message === "Inactive HSK version") {
|
||||
throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid HSK version" });
|
||||
}
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
}),
|
||||
|
||||
completeUpload: roleProcedure["activeClient"]
|
||||
.input(
|
||||
z.object({
|
||||
uploadId: z.uuidv4(),
|
||||
contentHmac: z.base64().nonempty().optional(),
|
||||
}),
|
||||
)
|
||||
.mutation(async ({ ctx, input }) => {
|
||||
const { uploadId } = input;
|
||||
if (uploadLocks.has(uploadId)) {
|
||||
throw new TRPCError({ code: "CONFLICT", message: "Upload already in progress" }); // TODO: Message
|
||||
} else {
|
||||
uploadLocks.add(uploadId);
|
||||
}
|
||||
|
||||
const filePath = `${env.libraryPath}/${ctx.session.userId}/${uuidv4()}`;
|
||||
await mkdir(dirname(filePath), { recursive: true });
|
||||
|
||||
try {
|
||||
const session = await UploadRepo.getUploadSession(uploadId, ctx.session.userId);
|
||||
if (!session) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Invalid upload id" });
|
||||
} else if (
|
||||
(session.hskVersion && !input.contentHmac) ||
|
||||
(!session.hskVersion && input.contentHmac)
|
||||
) {
|
||||
throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid content hmac" }); // TODO: message
|
||||
} else if (session.uploadedChunks.length < session.totalChunks) {
|
||||
throw new TRPCError({ code: "BAD_REQUEST", message: "Upload not complete" }); // TODO: Message
|
||||
}
|
||||
|
||||
const chunkDirectoryPath = getChunkDirectoryPath(uploadId);
|
||||
const hashStream = createHash("sha256");
|
||||
const writeStream = createWriteStream(filePath, { flags: "wx", mode: 0o600 });
|
||||
|
||||
for (let i = 0; i < session.totalChunks; i++) {
|
||||
for await (const chunk of createReadStream(`${chunkDirectoryPath}/${i}`)) {
|
||||
hashStream.update(chunk);
|
||||
writeStream.write(chunk);
|
||||
}
|
||||
}
|
||||
|
||||
await new Promise<void>((resolve, reject) => {
|
||||
writeStream.end((e: any) => (e ? reject(e) : resolve()));
|
||||
});
|
||||
|
||||
const hash = hashStream.digest("base64");
|
||||
const fileId = await db.transaction().execute(async (trx) => {
|
||||
const { id: fileId } = await FileRepo.registerFile(trx, {
|
||||
...session,
|
||||
userId: ctx.session.userId,
|
||||
path: filePath,
|
||||
contentHmac: input.contentHmac ?? null,
|
||||
encContentHash: hash,
|
||||
encContentIv: null,
|
||||
});
|
||||
await UploadRepo.deleteUploadSession(trx, uploadId);
|
||||
return fileId;
|
||||
});
|
||||
|
||||
await rm(chunkDirectoryPath, { recursive: true }).catch((e) => console.error(e));
|
||||
return { file: fileId };
|
||||
} catch (e) {
|
||||
await safeUnlink(filePath);
|
||||
throw e;
|
||||
} finally {
|
||||
uploadLocks.delete(uploadId);
|
||||
}
|
||||
return { updatedAt: thumbnail.updatedAt, contentIv: thumbnail.encContentIv };
|
||||
}),
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user