Merge pull request #17 from kmc7468/dev

v0.7.0

.dockerignore

@@ -12,7 +12,6 @@ node_modules
 /data
 /library
 /thumbnails
-/uploads
 
 # OS
 .DS_Store

.env.example

@@ -12,4 +12,3 @@ USER_CLIENT_CHALLENGE_EXPIRES=
 SESSION_UPGRADE_CHALLENGE_EXPIRES=
 LIBRARY_PATH=
 THUMBNAILS_PATH=
-UPLOADS_PATH=

.github/workflows/docker.yaml

@@ -1,45 +0,0 @@
-name: Docker Image Build
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract Docker metadata
-        uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=raw,value=latest
-            type=sha
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max

.gitignore

@@ -10,7 +10,6 @@ node_modules
 /data
 /library
 /thumbnails
-/uploads
 
 # OS
 .DS_Store

docker-compose.yaml

@@ -9,7 +9,6 @@ services:
     volumes:
       - ./data/library:/app/data/library
       - ./data/thumbnails:/app/data/thumbnails
-      - ./data/uploads:/app/data/uploads
     environment:
       # ArkVault
       - DATABASE_HOST=database
@@ -21,7 +20,6 @@ services:
       - SESSION_UPGRADE_CHALLENGE_EXPIRES
       - LIBRARY_PATH=/app/data/library
       - THUMBNAILS_PATH=/app/data/thumbnails
-      - UPLOADS_PATH=/app/data/uploads
       # SvelteKit
       - ADDRESS_HEADER=${TRUST_PROXY:+X-Forwarded-For}
       - XFF_DEPTH=${TRUST_PROXY:-}

package.json

@@ -1,7 +1,7 @@
 {
   "name": "arkvault",
   "private": true,
-  "version": "0.8.0",
+  "version": "0.7.0",
   "type": "module",
   "scripts": {
     "dev": "vite dev",
@@ -16,14 +16,13 @@
     "db:migrate": "kysely migrate"
   },
   "devDependencies": {
-    "@eslint/compat": "^2.0.1",
+    "@eslint/compat": "^2.0.0",
     "@eslint/js": "^9.39.2",
-    "@iconify-json/material-symbols": "^1.2.51",
-    "@noble/hashes": "^2.0.1",
+    "@iconify-json/material-symbols": "^1.2.50",
     "@sveltejs/adapter-node": "^5.4.0",
-    "@sveltejs/kit": "^2.49.4",
-    "@sveltejs/vite-plugin-svelte": "^6.2.4",
-    "@tanstack/svelte-virtual": "^3.13.18",
+    "@sveltejs/kit": "^2.49.2",
+    "@sveltejs/vite-plugin-svelte": "^6.2.1",
+    "@tanstack/svelte-virtual": "^3.13.16",
     "@trpc/client": "^11.8.1",
     "@types/file-saver": "^2.0.7",
     "@types/ms": "^0.7.34",
@@ -32,14 +31,13 @@
     "autoprefixer": "^10.4.23",
     "axios": "^1.13.2",
     "dexie": "^4.2.1",
-    "es-hangul": "^2.3.8",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-svelte": "^3.14.0",
+    "eslint-plugin-svelte": "^3.13.1",
     "eslint-plugin-tailwindcss": "^3.18.2",
-    "exifreader": "^4.35.0",
+    "exifreader": "^4.33.1",
     "file-saver": "^2.0.5",
-    "globals": "^17.0.0",
+    "globals": "^16.5.0",
     "heic2any": "^0.0.4",
     "kysely-ctl": "^0.19.0",
     "lru-cache": "^11.2.4",
@@ -52,11 +50,12 @@
     "svelte-check": "^4.3.5",
     "tailwindcss": "^3.4.19",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.52.0",
+    "typescript-eslint": "^8.51.0",
     "unplugin-icons": "^22.5.0",
-    "vite": "^7.3.1"
+    "vite": "^7.3.0"
   },
   "dependencies": {
+    "@fastify/busboy": "^3.2.0",
     "@trpc/server": "^11.8.1",
     "argon2": "^0.44.0",
     "kysely": "^0.28.9",

src/hooks.client.ts

@@ -1,6 +1,7 @@
 import type { ClientInit } from "@sveltejs/kit";
 import { cleanupDanglingInfos, getClientKey, getMasterKeys, getHmacSecrets } from "$lib/indexedDB";
 import { prepareFileCache } from "$lib/modules/file";
+import { prepareOpfs } from "$lib/modules/opfs";
 import { clientKeyStore, masterKeyStore, hmacSecretStore } from "$lib/stores";
 
 const requestPersistentStorage = async () => {
@@ -45,6 +46,7 @@ export const init: ClientInit = async () => {
     prepareClientKeyStore(),
     prepareMasterKeyStore(),
     prepareHmacSecretStore(),
+    prepareOpfs(),
   ]);
 
   cleanupDanglingInfos(); // Intended

src/hooks.server.ts

@@ -8,7 +8,6 @@ import {
   cleanupExpiredSessionUpgradeChallenges,
 } from "$lib/server/db/session";
 import { authenticate, setAgentInfo } from "$lib/server/middlewares";
-import { cleanupExpiredUploadSessions } from "$lib/server/services/upload";
 
 export const init: ServerInit = async () => {
   await migrateDB();
@@ -17,7 +16,6 @@ export const init: ServerInit = async () => {
     cleanupExpiredUserClientChallenges();
     cleanupExpiredSessions();
     cleanupExpiredSessionUpgradeChallenges();
-    cleanupExpiredUploadSessions();
   });
 };
 

src/lib/components/atoms/Chip.svelte

@@ -1,53 +0,0 @@
-<script lang="ts">
-  import type { Snippet } from "svelte";
-  import type { ClassValue } from "svelte/elements";
-
-  import IconClose from "~icons/material-symbols/close";
-
-  interface Props {
-    children: Snippet;
-    class?: ClassValue;
-    onclick?: () => void;
-    onRemoveClick?: () => void;
-    selected?: boolean;
-    removable?: boolean;
-  }
-
-  let {
-    children,
-    class: className,
-    onclick = () => (selected = !selected),
-    onRemoveClick,
-    removable = false,
-    selected = $bindable(false),
-  }: Props = $props();
-</script>
-
-<!-- svelte-ignore a11y_no_static_element_interactions -->
-<!-- svelte-ignore a11y_click_events_have_key_events -->
-<div
-  onclick={onclick && (() => setTimeout(onclick, 100))}
-  class={[
-    "inline-flex cursor-pointer items-center gap-x-1 rounded-lg px-3 py-1.5 text-sm font-medium transition active:scale-95",
-    selected
-      ? "bg-primary-500 text-white active:bg-primary-400"
-      : "bg-gray-100 text-gray-700 active:bg-gray-200",
-    className,
-  ]}
->
-  <span>
-    {@render children()}
-  </span>
-  {#if selected && removable}
-    <button
-      onclick={(e) => {
-        e.stopPropagation();
-        if (onRemoveClick) {
-          setTimeout(onRemoveClick, 100);
-        }
-      }}
-    >
-      <IconClose />
-    </button>
-  {/if}
-</div>

src/lib/components/atoms/RowVirtualizer.svelte

@@ -6,22 +6,13 @@
   interface Props {
     class?: ClassValue;
     count: number;
-    estimateItemHeight: (index: number) => number;
-    getItemKey?: (index: number) => string | number;
     item: Snippet<[index: number]>;
+    itemHeight: (index: number) => number;
     itemGap?: number;
     placeholder?: Snippet;
   }
 
-  let {
-    class: className,
-    count,
-    estimateItemHeight,
-    getItemKey,
-    item,
-    itemGap,
-    placeholder,
-  }: Props = $props();
+  let { class: className, count, item, itemHeight, itemGap, placeholder }: Props = $props();
 
   let element: HTMLElement | undefined = $state();
   let scrollMargin = $state(0);
@@ -29,9 +20,8 @@
   let virtualizer = $derived(
     createWindowVirtualizer({
       count,
-      estimateSize: estimateItemHeight,
+      estimateSize: itemHeight,
       gap: itemGap,
-      getItemKey: getItemKey,
       scrollMargin,
     }),
   );

src/lib/components/atoms/buttons/ActionEntryButton.svelte

@@ -49,7 +49,7 @@
   </div>
 </div>
 
-<style lang="postcss">
+<style>
   #container:active:not(:has(#action-button:active)) {
     @apply bg-gray-100;
   }

src/lib/components/atoms/index.ts

@@ -1,6 +1,5 @@
 export { default as BottomSheet } from "./BottomSheet.svelte";
 export * from "./buttons";
-export { default as Chip } from "./Chip.svelte";
 export * from "./divs";
 export * from "./inputs";
 export { default as Modal } from "./Modal.svelte";

src/lib/components/atoms/inputs/TextInput.svelte

@@ -28,7 +28,7 @@
   </div>
 </div>
 
-<style lang="postcss">
+<style>
   input:focus,
   input:not(:placeholder-shown) {
     @apply border-primary-300;

src/lib/components/molecules/SubCategories.svelte

@@ -10,9 +10,9 @@
     class?: ClassValue;
     info: CategoryInfo;
     onSubCategoryClick: (subCategory: SelectedCategory) => void;
-    onSubCategoryCreateClick?: () => void;
+    onSubCategoryCreateClick: () => void;
     onSubCategoryMenuClick?: (category: SelectedCategory) => void;
-    subCategoryCreatePosition?: "top" | "bottom" | "none";
+    subCategoryCreatePosition?: "top" | "bottom";
     subCategoryMenuIcon?: Component<SvelteHTMLElements["svg"]>;
   }
 
@@ -22,7 +22,7 @@
     onSubCategoryClick,
     onSubCategoryCreateClick,
     onSubCategoryMenuClick,
-    subCategoryCreatePosition = "none",
+    subCategoryCreatePosition = "bottom",
     subCategoryMenuIcon,
   }: Props = $props();
 </script>

src/lib/components/molecules/TopBar.svelte

@@ -8,11 +8,10 @@
     children?: Snippet;
     class?: ClassValue;
     onBackClick?: () => void;
-    showBackButton?: boolean;
     title?: string;
   }
 
-  let { children, class: className, onBackClick, showBackButton = true, title }: Props = $props();
+  let { children, class: className, onBackClick, title }: Props = $props();
 </script>
 
 <div
@@ -21,16 +20,12 @@
     className,
   ]}
 >
-  <div class="w-[2.3rem] flex-shrink-0">
-    {#if showBackButton}
   <button
-        onclick={onBackClick ?? (() => history.back())}
+    onclick={onBackClick || (() => history.back())}
     class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-black active:bg-opacity-[0.04]"
   >
     <IconArrowBack class="text-2xl" />
   </button>
-    {/if}
-  </div>
   {#if title}
     <p class="flex-grow truncate text-center text-lg font-semibold">{title}</p>
   {/if}

src/lib/constants/index.ts

@@ -1,2 +0,0 @@
-export * from "./serviceWorker";
-export * from "./upload";

src/lib/constants/serviceWorker.ts

@@ -1 +0,0 @@
-export const DECRYPTED_FILE_URL_PREFIX = "/_internal/decryptedFile/";

src/lib/constants/upload.ts

@@ -1,6 +0,0 @@
-export const AES_GCM_IV_SIZE = 12;
-export const AES_GCM_TAG_SIZE = 16;
-export const ENCRYPTION_OVERHEAD = AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE;
-
-export const CHUNK_SIZE = 4 * 1024 * 1024; // 4 MiB
-export const ENCRYPTED_CHUNK_SIZE = CHUNK_SIZE + ENCRYPTION_OVERHEAD;

src/lib/indexedDB/keyStore.ts

@@ -70,12 +70,12 @@ export const storeMasterKeys = async (keys: MasterKey[]) => {
 };
 
 export const getHmacSecrets = async () => {
-  return (await keyStore.hmacSecret.toArray()).filter(({ secret }) => secret.extractable);
+  return await keyStore.hmacSecret.toArray();
 };
 
 export const storeHmacSecrets = async (secrets: HmacSecret[]) => {
-  if (secrets.some(({ secret }) => !secret.extractable)) {
-    throw new Error("Hmac secrets must be extractable");
+  if (secrets.some(({ secret }) => secret.extractable)) {
+    throw new Error("Hmac secrets must be nonextractable");
   }
   await keyStore.hmacSecret.bulkPut(secrets);
 };

src/lib/modules/crypto/aes.ts

@@ -1,15 +1,8 @@
-import { AES_GCM_IV_SIZE } from "$lib/constants";
-import {
-  encodeString,
-  decodeString,
-  encodeToBase64,
-  decodeFromBase64,
-  concatenateBuffers,
-} from "./utils";
+import { encodeString, decodeString, encodeToBase64, decodeFromBase64 } from "./util";
 
 export const generateMasterKey = async () => {
   return {
-    masterKey: await crypto.subtle.generateKey(
+    masterKey: await window.crypto.subtle.generateKey(
       {
         name: "AES-KW",
         length: 256,
@@ -22,7 +15,7 @@ export const generateMasterKey = async () => {
 
 export const generateDataKey = async () => {
   return {
-    dataKey: await crypto.subtle.generateKey(
+    dataKey: await window.crypto.subtle.generateKey(
       {
         name: "AES-GCM",
         length: 256,
@@ -35,9 +28,9 @@ export const generateDataKey = async () => {
 };
 
 export const makeAESKeyNonextractable = async (key: CryptoKey) => {
-  return await crypto.subtle.importKey(
+  return await window.crypto.subtle.importKey(
     "raw",
-    await crypto.subtle.exportKey("raw", key),
+    await window.crypto.subtle.exportKey("raw", key),
     key.algorithm,
     false,
     key.usages,
@@ -45,12 +38,12 @@ export const makeAESKeyNonextractable = async (key: CryptoKey) => {
 };
 
 export const wrapDataKey = async (dataKey: CryptoKey, masterKey: CryptoKey) => {
-  return encodeToBase64(await crypto.subtle.wrapKey("raw", dataKey, masterKey, "AES-KW"));
+  return encodeToBase64(await window.crypto.subtle.wrapKey("raw", dataKey, masterKey, "AES-KW"));
 };
 
 export const unwrapDataKey = async (dataKeyWrapped: string, masterKey: CryptoKey) => {
   return {
-    dataKey: await crypto.subtle.unwrapKey(
+    dataKey: await window.crypto.subtle.unwrapKey(
       "raw",
       decodeFromBase64(dataKeyWrapped),
       masterKey,
@@ -63,12 +56,12 @@ export const unwrapDataKey = async (dataKeyWrapped: string, masterKey: CryptoKey
 };
 
 export const wrapHmacSecret = async (hmacSecret: CryptoKey, masterKey: CryptoKey) => {
-  return encodeToBase64(await crypto.subtle.wrapKey("raw", hmacSecret, masterKey, "AES-KW"));
+  return encodeToBase64(await window.crypto.subtle.wrapKey("raw", hmacSecret, masterKey, "AES-KW"));
 };
 
 export const unwrapHmacSecret = async (hmacSecretWrapped: string, masterKey: CryptoKey) => {
   return {
-    hmacSecret: await crypto.subtle.unwrapKey(
+    hmacSecret: await window.crypto.subtle.unwrapKey(
       "raw",
       decodeFromBase64(hmacSecretWrapped),
       masterKey,
@@ -77,15 +70,15 @@ export const unwrapHmacSecret = async (hmacSecretWrapped: string, masterKey: Cry
         name: "HMAC",
         hash: "SHA-256",
       } satisfies HmacImportParams,
-      true, // Extractable
+      false, // Nonextractable
       ["sign", "verify"],
     ),
   };
 };
 
 export const encryptData = async (data: BufferSource, dataKey: CryptoKey) => {
-  const iv = crypto.getRandomValues(new Uint8Array(12));
-  const ciphertext = await crypto.subtle.encrypt(
+  const iv = window.crypto.getRandomValues(new Uint8Array(12));
+  const ciphertext = await window.crypto.subtle.encrypt(
     {
       name: "AES-GCM",
       iv,
@@ -93,18 +86,14 @@ export const encryptData = async (data: BufferSource, dataKey: CryptoKey) => {
     dataKey,
     data,
   );
-  return { ciphertext, iv: iv.buffer };
+  return { ciphertext, iv: encodeToBase64(iv.buffer) };
 };
 
-export const decryptData = async (
-  ciphertext: BufferSource,
-  iv: string | BufferSource,
-  dataKey: CryptoKey,
-) => {
-  return await crypto.subtle.decrypt(
+export const decryptData = async (ciphertext: BufferSource, iv: string, dataKey: CryptoKey) => {
+  return await window.crypto.subtle.decrypt(
     {
       name: "AES-GCM",
-      iv: typeof iv === "string" ? decodeFromBase64(iv) : iv,
+      iv: decodeFromBase64(iv),
     } satisfies AesGcmParams,
     dataKey,
     ciphertext,
@@ -113,22 +102,9 @@ export const decryptData = async (
 
 export const encryptString = async (plaintext: string, dataKey: CryptoKey) => {
   const { ciphertext, iv } = await encryptData(encodeString(plaintext), dataKey);
-  return { ciphertext: encodeToBase64(ciphertext), iv: encodeToBase64(iv) };
+  return { ciphertext: encodeToBase64(ciphertext), iv };
 };
 
 export const decryptString = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
   return decodeString(await decryptData(decodeFromBase64(ciphertext), iv, dataKey));
 };
-
-export const encryptChunk = async (chunk: ArrayBuffer, dataKey: CryptoKey) => {
-  const { ciphertext, iv } = await encryptData(chunk, dataKey);
-  return concatenateBuffers(iv, ciphertext).buffer;
-};
-
-export const decryptChunk = async (encryptedChunk: ArrayBuffer, dataKey: CryptoKey) => {
-  return await decryptData(
-    encryptedChunk.slice(AES_GCM_IV_SIZE),
-    encryptedChunk.slice(0, AES_GCM_IV_SIZE),
-    dataKey,
-  );
-};

src/lib/modules/crypto/index.ts

@@ -1,4 +1,4 @@
 export * from "./aes";
 export * from "./rsa";
 export * from "./sha";
-export * from "./utils";
+export * from "./util";

src/lib/modules/crypto/rsa.ts

@@ -1,7 +1,7 @@
-import { encodeString, encodeToBase64, decodeFromBase64 } from "./utils";
+import { encodeString, encodeToBase64, decodeFromBase64 } from "./util";
 
 export const generateEncryptionKeyPair = async () => {
-  const keyPair = await crypto.subtle.generateKey(
+  const keyPair = await window.crypto.subtle.generateKey(
     {
       name: "RSA-OAEP",
       modulusLength: 4096,
@@ -18,7 +18,7 @@ export const generateEncryptionKeyPair = async () => {
 };
 
 export const generateSigningKeyPair = async () => {
-  const keyPair = await crypto.subtle.generateKey(
+  const keyPair = await window.crypto.subtle.generateKey(
     {
       name: "RSA-PSS",
       modulusLength: 4096,
@@ -37,7 +37,7 @@ export const generateSigningKeyPair = async () => {
 export const exportRSAKey = async (key: CryptoKey) => {
   const format = key.type === "public" ? ("spki" as const) : ("pkcs8" as const);
   return {
-    key: await crypto.subtle.exportKey(format, key),
+    key: await window.crypto.subtle.exportKey(format, key),
     format,
   };
 };
@@ -54,14 +54,14 @@ export const importEncryptionKeyPairFromBase64 = async (
     name: "RSA-OAEP",
     hash: "SHA-256",
   };
-  const encryptKey = await crypto.subtle.importKey(
+  const encryptKey = await window.crypto.subtle.importKey(
     "spki",
     decodeFromBase64(encryptKeyBase64),
     algorithm,
     true,
     ["encrypt", "wrapKey"],
   );
-  const decryptKey = await crypto.subtle.importKey(
+  const decryptKey = await window.crypto.subtle.importKey(
     "pkcs8",
     decodeFromBase64(decryptKeyBase64),
     algorithm,
@@ -79,14 +79,14 @@ export const importSigningKeyPairFromBase64 = async (
     name: "RSA-PSS",
     hash: "SHA-256",
   };
-  const signKey = await crypto.subtle.importKey(
+  const signKey = await window.crypto.subtle.importKey(
     "pkcs8",
     decodeFromBase64(signKeyBase64),
     algorithm,
     true,
     ["sign"],
   );
-  const verifyKey = await crypto.subtle.importKey(
+  const verifyKey = await window.crypto.subtle.importKey(
     "spki",
     decodeFromBase64(verifyKeyBase64),
     algorithm,
@@ -98,11 +98,17 @@ export const importSigningKeyPairFromBase64 = async (
 
 export const makeRSAKeyNonextractable = async (key: CryptoKey) => {
   const { key: exportedKey, format } = await exportRSAKey(key);
-  return await crypto.subtle.importKey(format, exportedKey, key.algorithm, false, key.usages);
+  return await window.crypto.subtle.importKey(
+    format,
+    exportedKey,
+    key.algorithm,
+    false,
+    key.usages,
+  );
 };
 
 export const decryptChallenge = async (challenge: string, decryptKey: CryptoKey) => {
-  return await crypto.subtle.decrypt(
+  return await window.crypto.subtle.decrypt(
     {
       name: "RSA-OAEP",
     } satisfies RsaOaepParams,
@@ -113,7 +119,7 @@ export const decryptChallenge = async (challenge: string, decryptKey: CryptoKey)
 
 export const wrapMasterKey = async (masterKey: CryptoKey, encryptKey: CryptoKey) => {
   return encodeToBase64(
-    await crypto.subtle.wrapKey("raw", masterKey, encryptKey, {
+    await window.crypto.subtle.wrapKey("raw", masterKey, encryptKey, {
       name: "RSA-OAEP",
     } satisfies RsaOaepParams),
   );
@@ -125,7 +131,7 @@ export const unwrapMasterKey = async (
   extractable = false,
 ) => {
   return {
-    masterKey: await crypto.subtle.unwrapKey(
+    masterKey: await window.crypto.subtle.unwrapKey(
       "raw",
       decodeFromBase64(masterKeyWrapped),
       decryptKey,
@@ -140,7 +146,7 @@ export const unwrapMasterKey = async (
 };
 
 export const signMessageRSA = async (message: BufferSource, signKey: CryptoKey) => {
-  return await crypto.subtle.sign(
+  return await window.crypto.subtle.sign(
     {
       name: "RSA-PSS",
       saltLength: 32, // SHA-256
@@ -155,7 +161,7 @@ export const verifySignatureRSA = async (
   signature: BufferSource,
   verifyKey: CryptoKey,
 ) => {
-  return await crypto.subtle.verify(
+  return await window.crypto.subtle.verify(
     {
       name: "RSA-PSS",
       saltLength: 32, // SHA-256

src/lib/modules/crypto/sha.ts

@@ -1,13 +1,10 @@
-import HmacWorker from "$workers/hmac?worker";
-import type { ComputeMessage, ResultMessage } from "$workers/hmac";
-
 export const digestMessage = async (message: BufferSource) => {
-  return await crypto.subtle.digest("SHA-256", message);
+  return await window.crypto.subtle.digest("SHA-256", message);
 };
 
 export const generateHmacSecret = async () => {
   return {
-    hmacSecret: await crypto.subtle.generateKey(
+    hmacSecret: await window.crypto.subtle.generateKey(
       {
         name: "HMAC",
         hash: "SHA-256",
@@ -18,24 +15,6 @@ export const generateHmacSecret = async () => {
   };
 };
 
-export const signMessageHmac = async (message: Blob, hmacSecret: CryptoKey) => {
-  const stream = message.stream();
-  const hmacSecretRaw = new Uint8Array(await crypto.subtle.exportKey("raw", hmacSecret));
-  const worker = new HmacWorker();
-
-  return new Promise<Uint8Array>((resolve, reject) => {
-    worker.onmessage = ({ data }: MessageEvent<ResultMessage>) => {
-      resolve(data.result);
-      worker.terminate();
-    };
-
-    worker.onerror = ({ error }) => {
-      reject(error);
-      worker.terminate();
-    };
-
-    worker.postMessage({ stream, key: hmacSecretRaw } satisfies ComputeMessage, {
-      transfer: [stream, hmacSecretRaw.buffer],
-    });
-  });
+export const signMessageHmac = async (message: BufferSource, hmacSecret: CryptoKey) => {
+  return await window.crypto.subtle.sign("HMAC", hmacSecret, message);
 };

src/lib/modules/crypto/util.ts

@@ -9,8 +9,8 @@ export const decodeString = (data: ArrayBuffer) => {
   return textDecoder.decode(data);
 };
 
-export const encodeToBase64 = (data: ArrayBuffer | Uint8Array) => {
-  return btoa(String.fromCharCode(...(data instanceof ArrayBuffer ? new Uint8Array(data) : data)));
+export const encodeToBase64 = (data: ArrayBuffer) => {
+  return btoa(String.fromCharCode(...new Uint8Array(data)));
 };
 
 export const decodeFromBase64 = (data: string) => {

src/lib/modules/file/download.svelte.ts

@@ -1,7 +1,6 @@
 import axios from "axios";
 import { limitFunction } from "p-limit";
-import { ENCRYPTED_CHUNK_SIZE } from "$lib/constants";
-import { decryptChunk, concatenateBuffers } from "$lib/modules/crypto";
+import { decryptData } from "$lib/modules/crypto";
 
 export interface FileDownloadState {
   id: number;
@@ -66,21 +65,13 @@ const decryptFile = limitFunction(
   async (
     state: FileDownloadState,
     fileEncrypted: ArrayBuffer,
-    encryptedChunkSize: number,
+    fileEncryptedIv: string,
     dataKey: CryptoKey,
   ) => {
     state.status = "decrypting";
 
-    const chunks: ArrayBuffer[] = [];
-    let offset = 0;
+    const fileBuffer = await decryptData(fileEncrypted, fileEncryptedIv, dataKey);
 
-    while (offset < fileEncrypted.byteLength) {
-      const nextOffset = Math.min(offset + encryptedChunkSize, fileEncrypted.byteLength);
-      chunks.push(await decryptChunk(fileEncrypted.slice(offset, nextOffset), dataKey));
-      offset = nextOffset;
-    }
-
-    const fileBuffer = concatenateBuffers(...chunks).buffer;
     state.status = "decrypted";
     state.result = fileBuffer;
     return fileBuffer;
@@ -88,7 +79,7 @@ const decryptFile = limitFunction(
   { concurrency: 4 },
 );
 
-export const downloadFile = async (id: number, dataKey: CryptoKey, isLegacy: boolean) => {
+export const downloadFile = async (id: number, fileEncryptedIv: string, dataKey: CryptoKey) => {
   downloadingFiles.push({
     id,
     status: "download-pending",
@@ -96,13 +87,7 @@ export const downloadFile = async (id: number, dataKey: CryptoKey, isLegacy: boo
   const state = downloadingFiles.at(-1)!;
 
   try {
-    const fileEncrypted = await requestFileDownload(state, id);
-    return await decryptFile(
-      state,
-      fileEncrypted,
-      isLegacy ? fileEncrypted.byteLength : ENCRYPTED_CHUNK_SIZE,
-      dataKey,
-    );
+    return await decryptFile(state, await requestFileDownload(state, id), fileEncryptedIv, dataKey);
   } catch (e) {
     state.status = "error";
     throw e;

src/lib/modules/file/thumbnail.ts

@@ -1,10 +1,11 @@
 import { LRUCache } from "lru-cache";
 import { writable, type Writable } from "svelte/store";
 import { browser } from "$app/environment";
-import { decryptChunk } from "$lib/modules/crypto";
+import { decryptData } from "$lib/modules/crypto";
 import type { SummarizedFileInfo } from "$lib/modules/filesystem";
 import { readFile, writeFile, deleteFile, deleteDirectory } from "$lib/modules/opfs";
 import { getThumbnailUrl } from "$lib/modules/thumbnail";
+import { isTRPCClientError, trpc } from "$trpc/client";
 
 const loadedThumbnails = new LRUCache<number, Writable<string>>({ max: 100 });
 const loadingThumbnails = new Map<number, Writable<string | undefined>>();
@@ -17,13 +18,25 @@ const fetchFromOpfs = async (fileId: number) => {
 };
 
 const fetchFromServer = async (fileId: number, dataKey: CryptoKey) => {
-  const res = await fetch(`/api/file/${fileId}/thumbnail/download`);
-  if (!res.ok) return null;
-
-  const thumbnailBuffer = await decryptChunk(await res.arrayBuffer(), dataKey);
+  try {
+    const [thumbnailEncrypted, { contentIv: thumbnailEncryptedIv }] = await Promise.all([
+      fetch(`/api/file/${fileId}/thumbnail/download`),
+      trpc().file.thumbnail.query({ id: fileId }),
+    ]);
+    const thumbnailBuffer = await decryptData(
+      await thumbnailEncrypted.arrayBuffer(),
+      thumbnailEncryptedIv,
+      dataKey,
+    );
 
     void writeFile(`/thumbnail/file/${fileId}`, thumbnailBuffer);
     return getThumbnailUrl(thumbnailBuffer);
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "NOT_FOUND") {
+      return null;
+    }
+    throw e;
+  }
 };
 
 export const getFileThumbnail = (file: SummarizedFileInfo) => {

src/lib/modules/file/upload.svelte.ts

@@ -1,16 +1,26 @@
+import axios from "axios";
 import ExifReader from "exifreader";
 import { limitFunction } from "p-limit";
-import { CHUNK_SIZE } from "$lib/constants";
-import { encodeToBase64, generateDataKey, wrapDataKey, encryptString } from "$lib/modules/crypto";
-import { signMessageHmac } from "$lib/modules/crypto";
+import {
+  encodeToBase64,
+  generateDataKey,
+  wrapDataKey,
+  encryptData,
+  encryptString,
+  digestMessage,
+  signMessageHmac,
+} from "$lib/modules/crypto";
+import { Scheduler } from "$lib/modules/scheduler";
 import { generateThumbnail } from "$lib/modules/thumbnail";
-import { uploadBlob } from "$lib/modules/upload";
+import type {
+  FileThumbnailUploadRequest,
+  FileUploadRequest,
+  FileUploadResponse,
+} from "$lib/server/schemas";
 import type { MasterKey, HmacSecret } from "$lib/stores";
-import { Scheduler } from "$lib/utils";
 import { trpc } from "$trpc/client";
 
 export interface FileUploadState {
-  id: string;
   name: string;
   parentId: DirectoryId;
   status:
@@ -32,7 +42,7 @@ export type LiveFileUploadState = FileUploadState & {
 };
 
 const scheduler = new Scheduler<
-  { fileId: number; fileBuffer?: ArrayBuffer; thumbnailBuffer?: ArrayBuffer } | undefined
+  { fileId: number; fileBuffer: ArrayBuffer; thumbnailBuffer?: ArrayBuffer } | undefined
 >();
 let uploadingFiles: FileUploadState[] = $state([]);
 
@@ -51,21 +61,16 @@ export const clearUploadedFiles = () => {
 };
 
 const requestDuplicateFileScan = limitFunction(
-  async (
-    state: FileUploadState,
-    file: File,
-    hmacSecret: HmacSecret,
-    onDuplicate: () => Promise<boolean>,
-  ) => {
-    state.status = "encryption-pending";
+  async (file: File, hmacSecret: HmacSecret, onDuplicate: () => Promise<boolean>) => {
+    const fileBuffer = await file.arrayBuffer();
+    const fileSigned = encodeToBase64(await signMessageHmac(fileBuffer, hmacSecret.secret));
 
-    const fileSigned = encodeToBase64(await signMessageHmac(file, hmacSecret.secret));
     const files = await trpc().file.listByHash.query({
       hskVersion: hmacSecret.version,
       contentHmac: fileSigned,
     });
     if (files.length === 0 || (await onDuplicate())) {
-      return { fileSigned };
+      return { fileBuffer, fileSigned };
     } else {
       return {};
     }
@@ -105,98 +110,74 @@ const extractExifDateTime = (fileBuffer: ArrayBuffer) => {
   return new Date(utcDate - offsetMs);
 };
 
-interface FileMetadata {
-  parentId: "root" | number;
-  name: string;
-  createdAt?: Date;
-  lastModifiedAt: Date;
-}
-
-const requestFileMetadataEncryption = limitFunction(
-  async (
-    state: FileUploadState,
-    file: Blob,
-    fileMetadata: FileMetadata,
-    masterKey: MasterKey,
-    hmacSecret: HmacSecret,
-  ) => {
+const encryptFile = limitFunction(
+  async (state: FileUploadState, file: File, fileBuffer: ArrayBuffer, masterKey: MasterKey) => {
     state.status = "encrypting";
 
+    const fileType = getFileType(file);
+
+    let createdAt;
+    if (fileType.startsWith("image/")) {
+      createdAt = extractExifDateTime(fileBuffer);
+    }
+
     const { dataKey, dataKeyVersion } = await generateDataKey();
     const dataKeyWrapped = await wrapDataKey(dataKey, masterKey.key);
 
-    const [nameEncrypted, createdAtEncrypted, lastModifiedAtEncrypted, thumbnailBuffer] =
-      await Promise.all([
-        encryptString(fileMetadata.name, dataKey),
-        fileMetadata.createdAt &&
-          encryptString(fileMetadata.createdAt.getTime().toString(), dataKey),
-        encryptString(fileMetadata.lastModifiedAt.getTime().toString(), dataKey),
-        generateThumbnail(file).then((blob) => blob?.arrayBuffer()),
-      ]);
+    const fileEncrypted = await encryptData(fileBuffer, dataKey);
+    const fileEncryptedHash = encodeToBase64(await digestMessage(fileEncrypted.ciphertext));
 
-    const { uploadId } = await trpc().upload.startFileUpload.mutate({
-      chunks: Math.ceil(file.size / CHUNK_SIZE),
-      parent: fileMetadata.parentId,
-      mekVersion: masterKey.version,
-      dek: dataKeyWrapped,
-      dekVersion: dataKeyVersion,
-      hskVersion: hmacSecret.version,
-      contentType: file.type,
-      name: nameEncrypted.ciphertext,
-      nameIv: nameEncrypted.iv,
-      createdAt: createdAtEncrypted?.ciphertext,
-      createdAtIv: createdAtEncrypted?.iv,
-      lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
-      lastModifiedAtIv: lastModifiedAtEncrypted.iv,
-    });
+    const nameEncrypted = await encryptString(file.name, dataKey);
+    const createdAtEncrypted =
+      createdAt && (await encryptString(createdAt.getTime().toString(), dataKey));
+    const lastModifiedAtEncrypted = await encryptString(file.lastModified.toString(), dataKey);
+
+    const thumbnail = await generateThumbnail(fileBuffer, fileType);
+    const thumbnailBuffer = await thumbnail?.arrayBuffer();
+    const thumbnailEncrypted = thumbnailBuffer && (await encryptData(thumbnailBuffer, dataKey));
 
     state.status = "upload-pending";
-    return { uploadId, thumbnailBuffer, dataKey, dataKeyVersion };
+
+    return {
+      dataKeyWrapped,
+      dataKeyVersion,
+      fileType,
+      fileEncrypted,
+      fileEncryptedHash,
+      nameEncrypted,
+      createdAtEncrypted,
+      lastModifiedAtEncrypted,
+      thumbnail: thumbnailEncrypted && { plaintext: thumbnailBuffer, ...thumbnailEncrypted },
+    };
   },
   { concurrency: 4 },
 );
 
 const requestFileUpload = limitFunction(
-  async (
-    state: FileUploadState,
-    uploadId: string,
-    file: Blob,
-    fileSigned: string,
-    thumbnailBuffer: ArrayBuffer | undefined,
-    dataKey: CryptoKey,
-    dataKeyVersion: Date,
-  ) => {
+  async (state: FileUploadState, form: FormData, thumbnailForm: FormData | null) => {
     state.status = "uploading";
 
-    await uploadBlob(uploadId, file, dataKey, {
-      onProgress(s) {
-        state.progress = s.progress;
-        state.rate = s.rate;
+    const res = await axios.post("/api/file/upload", form, {
+      onUploadProgress: ({ progress, rate, estimated }) => {
+        state.progress = progress;
+        state.rate = rate;
+        state.estimated = estimated;
       },
     });
+    const { file }: FileUploadResponse = res.data;
 
-    const { file: fileId } = await trpc().upload.completeFileUpload.mutate({
-      uploadId,
-      contentHmac: fileSigned,
-    });
-
-    if (thumbnailBuffer) {
+    if (thumbnailForm) {
       try {
-        const { uploadId } = await trpc().upload.startFileThumbnailUpload.mutate({
-          file: fileId,
-          dekVersion: dataKeyVersion,
-        });
-
-        await uploadBlob(uploadId, new Blob([thumbnailBuffer]), dataKey);
-
-        await trpc().upload.completeFileThumbnailUpload.mutate({ uploadId });
+        await axios.post(`/api/file/${file}/thumbnail/upload`, thumbnailForm);
       } catch (e) {
+        // TODO
         console.error(e);
       }
     }
 
     state.status = "uploaded";
-    return { fileId };
+
+    return { fileId: file };
   },
   { concurrency: 1 },
 );
@@ -204,12 +185,11 @@ const requestFileUpload = limitFunction(
 export const uploadFile = async (
   file: File,
   parentId: "root" | number,
-  masterKey: MasterKey,
   hmacSecret: HmacSecret,
+  masterKey: MasterKey,
   onDuplicate: () => Promise<boolean>,
 ) => {
   uploadingFiles.push({
-    id: crypto.randomUUID(),
     name: file.name,
     parentId,
     status: "queued",
@@ -217,44 +197,70 @@ export const uploadFile = async (
   const state = uploadingFiles.at(-1)!;
 
   return await scheduler.schedule(file.size, async () => {
-    try {
-      const { fileSigned } = await requestDuplicateFileScan(state, file, hmacSecret, onDuplicate);
+    state.status = "encryption-pending";
 
-      if (!fileSigned) {
+    try {
+      const { fileBuffer, fileSigned } = await requestDuplicateFileScan(
+        file,
+        hmacSecret,
+        onDuplicate,
+      );
+      if (!fileBuffer || !fileSigned) {
         state.status = "canceled";
         uploadingFiles = uploadingFiles.filter((file) => file !== state);
-        return;
+        return undefined;
       }
 
-      let fileBuffer;
-      const fileType = getFileType(file);
-      const fileMetadata: FileMetadata = {
-        parentId,
-        name: file.name,
-        lastModifiedAt: new Date(file.lastModified),
-      };
-
-      if (fileType.startsWith("image/")) {
-        fileBuffer = await file.arrayBuffer();
-        fileMetadata.createdAt = extractExifDateTime(fileBuffer);
-      }
-
-      const blob = new Blob([file], { type: fileType });
-
-      const { uploadId, thumbnailBuffer, dataKey, dataKeyVersion } =
-        await requestFileMetadataEncryption(state, blob, fileMetadata, masterKey, hmacSecret);
-
-      const { fileId } = await requestFileUpload(
-        state,
-        uploadId,
-        blob,
-        fileSigned,
-        thumbnailBuffer,
-        dataKey,
+      const {
+        dataKeyWrapped,
         dataKeyVersion,
-      );
+        fileType,
+        fileEncrypted,
+        fileEncryptedHash,
+        nameEncrypted,
+        createdAtEncrypted,
+        lastModifiedAtEncrypted,
+        thumbnail,
+      } = await encryptFile(state, file, fileBuffer, masterKey);
 
-      return { fileId, fileBuffer, thumbnailBuffer };
+      const form = new FormData();
+      form.set(
+        "metadata",
+        JSON.stringify({
+          parent: parentId,
+          mekVersion: masterKey.version,
+          dek: dataKeyWrapped,
+          dekVersion: dataKeyVersion.toISOString(),
+          hskVersion: hmacSecret.version,
+          contentHmac: fileSigned,
+          contentType: fileType,
+          contentIv: fileEncrypted.iv,
+          name: nameEncrypted.ciphertext,
+          nameIv: nameEncrypted.iv,
+          createdAt: createdAtEncrypted?.ciphertext,
+          createdAtIv: createdAtEncrypted?.iv,
+          lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
+          lastModifiedAtIv: lastModifiedAtEncrypted.iv,
+        } satisfies FileUploadRequest),
+      );
+      form.set("content", new Blob([fileEncrypted.ciphertext]));
+      form.set("checksum", fileEncryptedHash);
+
+      let thumbnailForm = null;
+      if (thumbnail) {
+        thumbnailForm = new FormData();
+        thumbnailForm.set(
+          "metadata",
+          JSON.stringify({
+            dekVersion: dataKeyVersion.toISOString(),
+            contentIv: thumbnail.iv,
+          } satisfies FileThumbnailUploadRequest),
+        );
+        thumbnailForm.set("content", new Blob([thumbnail.ciphertext]));
+      }
+
+      const { fileId } = await requestFileUpload(state, form, thumbnailForm);
+      return { fileId, fileBuffer, thumbnailBuffer: thumbnail?.plaintext };
     } catch (e) {
       state.status = "error";
       throw e;

src/lib/modules/filesystem/category.ts

@@ -1,7 +1,6 @@
 import * as IndexedDB from "$lib/indexedDB";
 import { trpc, isTRPCClientError } from "$trpc/client";
-import { decryptFileMetadata, decryptCategoryMetadata } from "./common";
-import { FilesystemCache } from "./FilesystemCache.svelte";
+import { FilesystemCache, decryptFileMetadata, decryptCategoryMetadata } from "./internal.svelte";
 import type { CategoryInfo, MaybeCategoryInfo } from "./types";
 
 const cache = new FilesystemCache<CategoryId, MaybeCategoryInfo>({

src/lib/modules/filesystem/common.ts

@@ -1,50 +0,0 @@
-import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
-
-export const decryptDirectoryMetadata = async (
-  metadata: { dek: string; dekVersion: Date; name: string; nameIv: string },
-  masterKey: CryptoKey,
-) => {
-  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
-  const name = await decryptString(metadata.name, metadata.nameIv, dataKey);
-
-  return {
-    dataKey: { key: dataKey, version: metadata.dekVersion },
-    name,
-  };
-};
-
-const decryptDate = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
-  return new Date(parseInt(await decryptString(ciphertext, iv, dataKey), 10));
-};
-
-export const decryptFileMetadata = async (
-  metadata: {
-    dek: string;
-    dekVersion: Date;
-    name: string;
-    nameIv: string;
-    createdAt?: string;
-    createdAtIv?: string;
-    lastModifiedAt: string;
-    lastModifiedAtIv: string;
-  },
-  masterKey: CryptoKey,
-) => {
-  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
-  const [name, createdAt, lastModifiedAt] = await Promise.all([
-    decryptString(metadata.name, metadata.nameIv, dataKey),
-    metadata.createdAt
-      ? decryptDate(metadata.createdAt, metadata.createdAtIv!, dataKey)
-      : undefined,
-    decryptDate(metadata.lastModifiedAt, metadata.lastModifiedAtIv, dataKey),
-  ]);
-
-  return {
-    dataKey: { key: dataKey, version: metadata.dekVersion },
-    name,
-    createdAt,
-    lastModifiedAt,
-  };
-};
-
-export const decryptCategoryMetadata = decryptDirectoryMetadata;

src/lib/modules/filesystem/directory.ts

@@ -1,7 +1,6 @@
 import * as IndexedDB from "$lib/indexedDB";
 import { trpc, isTRPCClientError } from "$trpc/client";
-import { decryptDirectoryMetadata, decryptFileMetadata } from "./common";
-import { FilesystemCache, type FilesystemCacheOptions } from "./FilesystemCache.svelte";
+import { FilesystemCache, decryptDirectoryMetadata, decryptFileMetadata } from "./internal.svelte";
 import type { DirectoryInfo, MaybeDirectoryInfo } from "./types";
 
 const cache = new FilesystemCache<DirectoryId, MaybeDirectoryInfo>({
@@ -98,12 +97,6 @@ const storeToIndexedDB = (info: DirectoryInfo) => {
   return { ...info, exists: true as const };
 };
 
-export const getDirectoryInfo = (
-  id: DirectoryId,
-  masterKey: CryptoKey,
-  options?: {
-    fetchFromServer?: FilesystemCacheOptions<DirectoryId, MaybeDirectoryInfo>["fetchFromServer"];
-  },
-) => {
-  return cache.get(id, masterKey, options);
+export const getDirectoryInfo = (id: DirectoryId, masterKey: CryptoKey) => {
+  return cache.get(id, masterKey);
 };

src/lib/modules/filesystem/file.ts

@@ -1,7 +1,6 @@
 import * as IndexedDB from "$lib/indexedDB";
 import { trpc, isTRPCClientError } from "$trpc/client";
-import { decryptFileMetadata, decryptCategoryMetadata } from "./common";
-import { FilesystemCache, type FilesystemCacheOptions } from "./FilesystemCache.svelte";
+import { FilesystemCache, decryptFileMetadata, decryptCategoryMetadata } from "./internal.svelte";
 import type { FileInfo, MaybeFileInfo } from "./types";
 
 const cache = new FilesystemCache<number, MaybeFileInfo>({
@@ -48,10 +47,10 @@ const cache = new FilesystemCache<number, MaybeFileInfo>({
 
       return storeToIndexedDB({
         id,
-        isLegacy: file.isLegacy,
         parentId: file.parent,
         dataKey: metadata.dataKey,
         contentType: file.contentType,
+        contentIv: file.contentIv,
         name: metadata.name,
         createdAt: metadata.createdAt,
         lastModifiedAt: metadata.lastModifiedAt,
@@ -117,9 +116,9 @@ const cache = new FilesystemCache<number, MaybeFileInfo>({
         return {
           id,
           exists: true as const,
-          isLegacy: metadataRaw.isLegacy,
           parentId: metadataRaw.parent,
           contentType: metadataRaw.contentType,
+          contentIv: metadataRaw.contentIv,
           categories,
           ...metadata,
         };
@@ -169,12 +168,8 @@ const bulkStoreToIndexedDB = (infos: FileInfo[]) => {
   return infos.map((info) => [info.id, { ...info, exists: true }] as const);
 };
 
-export const getFileInfo = (
-  id: number,
-  masterKey: CryptoKey,
-  options?: { fetchFromServer?: FilesystemCacheOptions<number, MaybeFileInfo>["fetchFromServer"] },
-) => {
-  return cache.get(id, masterKey, options);
+export const getFileInfo = (id: number, masterKey: CryptoKey) => {
+  return cache.get(id, masterKey);
 };
 
 export const bulkGetFileInfo = (ids: number[], masterKey: CryptoKey) => {

src/lib/modules/filesystem/index.ts

@@ -1,5 +1,4 @@
 export * from "./category";
-export * from "./common";
 export * from "./directory";
 export * from "./file";
 export * from "./types";

src/lib/modules/filesystem/internal.svelte.ts

@@ -1,6 +1,7 @@
 import { untrack } from "svelte";
+import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
 
-export interface FilesystemCacheOptions<K, V> {
+interface FilesystemCacheOptions<K, V> {
   fetchFromIndexedDB: (key: K) => Promise<V | undefined>;
   fetchFromServer: (key: K, cachedValue: V | undefined, masterKey: CryptoKey) => Promise<V>;
   bulkFetchFromIndexedDB?: (keys: Set<K>) => Promise<Map<K, V>>;
@@ -15,11 +16,7 @@ export class FilesystemCache<K, V extends object> {
 
   constructor(private readonly options: FilesystemCacheOptions<K, V>) {}
 
-  get(
-    key: K,
-    masterKey: CryptoKey,
-    options?: { fetchFromServer?: FilesystemCacheOptions<K, V>["fetchFromServer"] },
-  ) {
+  get(key: K, masterKey: CryptoKey) {
     return untrack(() => {
       let state = this.map.get(key);
       if (state?.promise) return state.value ?? state.promise;
@@ -42,9 +39,7 @@ export class FilesystemCache<K, V extends object> {
             return loadedInfo;
           })
       )
-        .then((cachedInfo) =>
-          (options?.fetchFromServer ?? this.options.fetchFromServer)(key, cachedInfo, masterKey),
-        )
+        .then((cachedInfo) => this.options.fetchFromServer(key, cachedInfo, masterKey))
         .then((loadedInfo) => {
           if (state.value) {
             Object.assign(state.value, loadedInfo);
@@ -126,3 +121,52 @@ export class FilesystemCache<K, V extends object> {
     });
   }
 }
+
+export const decryptDirectoryMetadata = async (
+  metadata: { dek: string; dekVersion: Date; name: string; nameIv: string },
+  masterKey: CryptoKey,
+) => {
+  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
+  const name = await decryptString(metadata.name, metadata.nameIv, dataKey);
+
+  return {
+    dataKey: { key: dataKey, version: metadata.dekVersion },
+    name,
+  };
+};
+
+const decryptDate = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
+  return new Date(parseInt(await decryptString(ciphertext, iv, dataKey), 10));
+};
+
+export const decryptFileMetadata = async (
+  metadata: {
+    dek: string;
+    dekVersion: Date;
+    name: string;
+    nameIv: string;
+    createdAt?: string;
+    createdAtIv?: string;
+    lastModifiedAt: string;
+    lastModifiedAtIv: string;
+  },
+  masterKey: CryptoKey,
+) => {
+  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
+  const [name, createdAt, lastModifiedAt] = await Promise.all([
+    decryptString(metadata.name, metadata.nameIv, dataKey),
+    metadata.createdAt
+      ? decryptDate(metadata.createdAt, metadata.createdAtIv!, dataKey)
+      : undefined,
+    decryptDate(metadata.lastModifiedAt, metadata.lastModifiedAtIv, dataKey),
+  ]);
+
+  return {
+    dataKey: { key: dataKey, version: metadata.dekVersion },
+    name,
+    createdAt,
+    lastModifiedAt,
+  };
+};
+
+export const decryptCategoryMetadata = decryptDirectoryMetadata;

src/lib/modules/filesystem/types.ts

@@ -1,7 +1,7 @@
 export type DataKey = { key: CryptoKey; version: Date };
 type AllUndefined<T> = { [K in keyof T]?: undefined };
 
-export interface LocalDirectoryInfo {
+interface LocalDirectoryInfo {
   id: number;
   parentId: DirectoryId;
   dataKey?: DataKey;
@@ -10,7 +10,7 @@ export interface LocalDirectoryInfo {
   files: SummarizedFileInfo[];
 }
 
-export interface RootDirectoryInfo {
+interface RootDirectoryInfo {
   id: "root";
   parentId?: undefined;
   dataKey?: undefined;
@@ -28,10 +28,10 @@ export type SubDirectoryInfo = Omit<LocalDirectoryInfo, "subDirectories" | "file
 
 export interface FileInfo {
   id: number;
-  isLegacy?: boolean;
   parentId: DirectoryId;
   dataKey?: DataKey;
   contentType: string;
+  contentIv?: string;
   name: string;
   createdAt?: Date;
   lastModifiedAt: Date;
@@ -42,10 +42,10 @@ export type MaybeFileInfo =
   | (FileInfo & { exists: true })
   | ({ id: number; exists: false } & AllUndefined<Omit<FileInfo, "id">>);
 
-export type SummarizedFileInfo = Omit<FileInfo, "categories">;
+export type SummarizedFileInfo = Omit<FileInfo, "contentIv" | "categories">;
 export type CategoryFileInfo = SummarizedFileInfo & { isRecursive: boolean };
 
-export interface LocalCategoryInfo {
+interface LocalCategoryInfo {
   id: number;
   parentId: DirectoryId;
   dataKey?: DataKey;
@@ -55,7 +55,7 @@ export interface LocalCategoryInfo {
   isFileRecursive: boolean;
 }
 
-export interface RootCategoryInfo {
+interface RootCategoryInfo {
   id: "root";
   parentId?: undefined;
   dataKey?: undefined;

src/lib/modules/http.ts

@@ -1,22 +0,0 @@
-export const parseRangeHeader = (value: string | null) => {
-  if (!value) return undefined;
-
-  const firstRange = value.split(",")[0]!.trim();
-  const parts = firstRange.replace(/bytes=/, "").split("-");
-  return {
-    start: parts[0] ? parseInt(parts[0], 10) : undefined,
-    end: parts[1] ? parseInt(parts[1], 10) : undefined,
-  };
-};
-
-export const getContentRangeHeader = (range?: { start: number; end: number; total: number }) => {
-  return range && { "Content-Range": `bytes ${range.start}-${range.end}/${range.total}` };
-};
-
-export const parseContentDigestHeader = (value: string | null) => {
-  if (!value) return undefined;
-
-  const firstDigest = value.split(",")[0]!.trim();
-  const match = firstDigest.match(/^sha-256=:([A-Za-z0-9+/=]+):$/);
-  return match?.[1];
-};

src/lib/modules/key.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 import { storeClientKey } from "$lib/indexedDB";
 import type { ClientKeys } from "$lib/stores";
 
-const SerializedClientKeysSchema = z.intersection(
+const serializedClientKeysSchema = z.intersection(
   z.object({
     generator: z.literal("ArkVault"),
     exportedAt: z.iso.datetime(),
@@ -16,7 +16,7 @@ const SerializedClientKeysSchema = z.intersection(
   }),
 );
 
-type SerializedClientKeys = z.infer<typeof SerializedClientKeysSchema>;
+type SerializedClientKeys = z.infer<typeof serializedClientKeysSchema>;
 
 type DeserializedClientKeys = {
   encryptKeyBase64: string;
@@ -43,7 +43,7 @@ export const serializeClientKeys = ({
 };
 
 export const deserializeClientKeys = (serialized: string) => {
-  const zodRes = SerializedClientKeysSchema.safeParse(JSON.parse(serialized));
+  const zodRes = serializedClientKeysSchema.safeParse(JSON.parse(serialized));
   if (zodRes.success) {
     return {
       encryptKeyBase64: zodRes.data.encryptKey,

src/lib/modules/opfs.ts

@@ -1,5 +1,13 @@
+let rootHandle: FileSystemDirectoryHandle | null = null;
+
+export const prepareOpfs = async () => {
+  rootHandle = await navigator.storage.getDirectory();
+};
+
 const getFileHandle = async (path: string, create = true) => {
-  if (path[0] !== "/") {
+  if (!rootHandle) {
+    throw new Error("OPFS not prepared");
+  } else if (path[0] !== "/") {
     throw new Error("Path must be absolute");
   }
 
@@ -9,7 +17,7 @@ const getFileHandle = async (path: string, create = true) => {
   }
 
   try {
-    let directoryHandle = await navigator.storage.getDirectory();
+    let directoryHandle = rootHandle;
     for (const part of parts.slice(0, -1)) {
       if (!part) continue;
       directoryHandle = await directoryHandle.getDirectoryHandle(part, { create });
@@ -26,15 +34,12 @@ const getFileHandle = async (path: string, create = true) => {
   }
 };
 
-export const getFile = async (path: string) => {
+export const readFile = async (path: string) => {
   const { fileHandle } = await getFileHandle(path, false);
   if (!fileHandle) return null;
 
-  return await fileHandle.getFile();
-};
-
-export const readFile = async (path: string) => {
-  return (await getFile(path))?.arrayBuffer() ?? null;
+  const file = await fileHandle.getFile();
+  return await file.arrayBuffer();
 };
 
 export const writeFile = async (path: string, data: ArrayBuffer) => {
@@ -56,7 +61,9 @@ export const deleteFile = async (path: string) => {
 };
 
 const getDirectoryHandle = async (path: string) => {
-  if (path[0] !== "/") {
+  if (!rootHandle) {
+    throw new Error("OPFS not prepared");
+  } else if (path[0] !== "/") {
     throw new Error("Path must be absolute");
   }
 
@@ -66,7 +73,7 @@ const getDirectoryHandle = async (path: string) => {
   }
 
   try {
-    let directoryHandle = await navigator.storage.getDirectory();
+    let directoryHandle = rootHandle;
     let parentHandle;
     for (const part of parts.slice(1)) {
       if (!part) continue;

src/lib/modules/thumbnail.ts

@@ -52,6 +52,7 @@ const generateImageThumbnail = (imageUrl: string) => {
         .catch(reject);
     };
     image.onerror = reject;
+
     image.src = imageUrl;
   });
 };
@@ -84,27 +85,31 @@ const generateVideoThumbnail = (videoUrl: string, time = 0) => {
   });
 };
 
-export const generateThumbnail = async (blob: Blob) => {
+export const generateThumbnail = async (fileBuffer: ArrayBuffer, fileType: string) => {
   let url;
   try {
-    if (blob.type.startsWith("image/")) {
-      url = URL.createObjectURL(blob);
+    if (fileType.startsWith("image/")) {
+      const fileBlob = new Blob([fileBuffer], { type: fileType });
+      url = URL.createObjectURL(fileBlob);
+
       try {
         return await generateImageThumbnail(url);
       } catch {
         URL.revokeObjectURL(url);
         url = undefined;
 
-        if (blob.type === "image/heic") {
+        if (fileType === "image/heic") {
           const { default: heic2any } = await import("heic2any");
-          url = URL.createObjectURL((await heic2any({ blob, toType: "image/png" })) as Blob);
+          url = URL.createObjectURL(
+            (await heic2any({ blob: fileBlob, toType: "image/png" })) as Blob,
+          );
           return await generateImageThumbnail(url);
         } else {
           return null;
         }
       }
-    } else if (blob.type.startsWith("video/")) {
-      url = URL.createObjectURL(blob);
+    } else if (fileType.startsWith("video/")) {
+      url = URL.createObjectURL(new Blob([fileBuffer], { type: fileType }));
       return await generateVideoThumbnail(url);
     }
     return null;

src/lib/modules/upload.ts

@@ -1,183 +0,0 @@
-import axios from "axios";
-import pLimit from "p-limit";
-import { ENCRYPTION_OVERHEAD, CHUNK_SIZE } from "$lib/constants";
-import { encryptChunk, digestMessage, encodeToBase64 } from "$lib/modules/crypto";
-import { BoundedQueue } from "$lib/utils";
-
-interface UploadStats {
-  progress: number;
-  rate: number;
-}
-
-interface EncryptedChunk {
-  index: number;
-  data: ArrayBuffer;
-  hash: string;
-}
-
-const createSpeedMeter = (timeWindow = 3000, minInterval = 200, warmupPeriod = 500) => {
-  const samples: { t: number; b: number }[] = [];
-  let lastSpeed = 0;
-  let startTime: number | null = null;
-
-  return (bytesNow?: number) => {
-    if (bytesNow === undefined) return lastSpeed;
-
-    const now = performance.now();
-
-    // Initialize start time on first call
-    if (startTime === null) {
-      startTime = now;
-    }
-
-    // Check if enough time has passed since the last sample
-    const lastSample = samples[samples.length - 1];
-    if (lastSample && now - lastSample.t < minInterval) {
-      return lastSpeed;
-    }
-
-    samples.push({ t: now, b: bytesNow });
-
-    // Remove old samples outside the time window
-    const cutoff = now - timeWindow;
-    while (samples.length > 2 && samples[0]!.t < cutoff) samples.shift();
-
-    // Need at least 2 samples to calculate speed
-    if (samples.length < 2) {
-      return lastSpeed;
-    }
-
-    const first = samples[0]!;
-    const dt = now - first.t;
-    const db = bytesNow - first.b;
-
-    if (dt >= minInterval) {
-      const instantSpeed = (db / dt) * 1000;
-      // Apply EMA for smoother speed transitions
-      const alpha = 0.3;
-      const rawSpeed =
-        lastSpeed === 0 ? instantSpeed : alpha * instantSpeed + (1 - alpha) * lastSpeed;
-
-      // Apply warmup ramp to prevent initial overestimation
-      const elapsed = now - startTime;
-      const warmupWeight = Math.min(1, elapsed / warmupPeriod);
-      lastSpeed = rawSpeed * warmupWeight;
-    }
-
-    return lastSpeed;
-  };
-};
-
-const encryptChunkData = async (
-  chunk: Blob,
-  dataKey: CryptoKey,
-): Promise<{ data: ArrayBuffer; hash: string }> => {
-  const encrypted = await encryptChunk(await chunk.arrayBuffer(), dataKey);
-  const hash = encodeToBase64(await digestMessage(encrypted));
-  return { data: encrypted, hash };
-};
-
-const uploadEncryptedChunk = async (
-  uploadId: string,
-  chunkIndex: number,
-  encrypted: ArrayBuffer,
-  hash: string,
-  onChunkProgress: (chunkIndex: number, loaded: number) => void,
-) => {
-  await axios.post(`/api/upload/${uploadId}/chunks/${chunkIndex + 1}`, encrypted, {
-    headers: {
-      "Content-Type": "application/octet-stream",
-      "Content-Digest": `sha-256=:${hash}:`,
-    },
-    onUploadProgress(e) {
-      onChunkProgress(chunkIndex, e.loaded ?? 0);
-    },
-  });
-
-  onChunkProgress(chunkIndex, encrypted.byteLength);
-};
-
-export const uploadBlob = async (
-  uploadId: string,
-  blob: Blob,
-  dataKey: CryptoKey,
-  options?: { concurrency?: number; onProgress?: (s: UploadStats) => void },
-) => {
-  const onProgress = options?.onProgress;
-  const networkConcurrency = options?.concurrency ?? 4;
-  const maxQueueSize = 8;
-
-  const totalChunks = Math.ceil(blob.size / CHUNK_SIZE);
-  const totalBytes = blob.size + totalChunks * ENCRYPTION_OVERHEAD;
-
-  const uploadedByChunk = new Array<number>(totalChunks).fill(0);
-  const speedMeter = createSpeedMeter(3000, 200);
-
-  const emit = () => {
-    if (!onProgress) return;
-
-    const uploadedBytes = uploadedByChunk.reduce((a, b) => a + b, 0);
-    const rate = speedMeter(uploadedBytes);
-    const progress = Math.min(1, uploadedBytes / totalBytes);
-
-    onProgress({ progress, rate });
-  };
-
-  const onChunkProgress = (idx: number, loaded: number) => {
-    uploadedByChunk[idx] = loaded;
-    emit();
-  };
-
-  const queue = new BoundedQueue<EncryptedChunk>(maxQueueSize);
-  let encryptionError: Error | null = null;
-
-  // Producer: encrypt chunks and push to queue
-  const encryptionProducer = async () => {
-    try {
-      for (let i = 0; i < totalChunks; i++) {
-        const chunk = blob.slice(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE);
-        const { data, hash } = await encryptChunkData(chunk, dataKey);
-        await queue.push({ index: i, data, hash });
-      }
-    } catch (e) {
-      encryptionError = e instanceof Error ? e : new Error(String(e));
-    } finally {
-      queue.close();
-    }
-  };
-
-  // Consumer: upload chunks from queue with concurrency limit
-  const uploadConsumer = async () => {
-    const limit = pLimit(networkConcurrency);
-    const activeTasks = new Set<Promise<void>>();
-
-    while (true) {
-      const item = await queue.pop();
-      if (item === null) break;
-      if (encryptionError) throw encryptionError;
-
-      const task = limit(async () => {
-        try {
-          await uploadEncryptedChunk(uploadId, item.index, item.data, item.hash, onChunkProgress);
-        } finally {
-          // @ts-ignore
-          item.data = null;
-        }
-      });
-
-      activeTasks.add(task);
-      task.finally(() => activeTasks.delete(task));
-
-      if (activeTasks.size >= networkConcurrency) {
-        await Promise.race(activeTasks);
-      }
-    }
-
-    await Promise.all(activeTasks);
-  };
-
-  // Run producer and consumer concurrently
-  await Promise.all([encryptionProducer(), uploadConsumer()]);
-
-  onProgress?.({ progress: 1, rate: speedMeter() });
-};

src/lib/schemas/filesystem.ts

@@ -1,4 +0,0 @@
-import { z } from "zod";
-
-export const DirectoryIdSchema = z.union([z.literal("root"), z.int().positive()]);
-export const CategoryIdSchema = z.union([z.literal("root"), z.int().positive()]);

src/lib/schemas/index.ts

@@ -1 +0,0 @@
-export * from "./filesystem";

src/lib/server/db/error.ts

@@ -9,7 +9,6 @@ type IntegrityErrorMessages =
   // File
   | "Directory not found"
   | "File not found"
-  | "File is not legacy"
   | "File not found in category"
   | "File already added to category"
   | "Invalid DEK version"

src/lib/server/db/file.ts

@@ -15,6 +15,8 @@ interface Directory {
   encName: Ciphertext;
 }
 
+export type NewDirectory = Omit<Directory, "id">;
+
 interface File {
   id: number;
   parentId: DirectoryId;
@@ -26,13 +28,15 @@ interface File {
   hskVersion: number | null;
   contentHmac: string | null;
   contentType: string;
-  encContentIv: string | null;
+  encContentIv: string;
   encContentHash: string;
   encName: Ciphertext;
   encCreatedAt: Ciphertext | null;
   encLastModifiedAt: Ciphertext;
 }
 
+export type NewFile = Omit<File, "id">;
+
 interface FileCategory {
   id: number;
   parentId: CategoryId;
@@ -42,7 +46,7 @@ interface FileCategory {
   encName: Ciphertext;
 }
 
-export const registerDirectory = async (params: Omit<Directory, "id">) => {
+export const registerDirectory = async (params: NewDirectory) => {
   await db.transaction().execute(async (trx) => {
     const mek = await trx
       .selectFrom("master_encryption_key")
@@ -101,39 +105,6 @@ export const getAllDirectoriesByParent = async (userId: number, parentId: Direct
   );
 };
 
-export const getAllRecursiveDirectoriesByParent = async (userId: number, parentId: DirectoryId) => {
-  const directories = await db
-    .withRecursive("directory_tree", (db) =>
-      db
-        .selectFrom("directory")
-        .selectAll()
-        .$if(parentId === "root", (qb) => qb.where("parent_id", "is", null))
-        .$if(parentId !== "root", (qb) => qb.where("parent_id", "=", parentId as number))
-        .where("user_id", "=", userId)
-        .unionAll((db) =>
-          db
-            .selectFrom("directory")
-            .innerJoin("directory_tree", "directory.parent_id", "directory_tree.id")
-            .selectAll("directory"),
-        ),
-    )
-    .selectFrom("directory_tree")
-    .selectAll()
-    .execute();
-  return directories.map(
-    (directory) =>
-      ({
-        id: directory.id,
-        parentId: directory.parent_id ?? "root",
-        userId: directory.user_id,
-        mekVersion: directory.master_encryption_key_version,
-        encDek: directory.encrypted_data_encryption_key,
-        dekVersion: directory.data_encryption_key_version,
-        encName: directory.encrypted_name,
-      }) satisfies Directory,
-  );
-};
-
 export const getDirectory = async (userId: number, directoryId: number) => {
   const directory = await db
     .selectFrom("directory")
@@ -243,11 +214,38 @@ export const unregisterDirectory = async (userId: number, directoryId: number) =
     });
 };
 
-export const registerFile = async (trx: typeof db, params: Omit<File, "id">) => {
+export const registerFile = async (params: NewFile) => {
   if ((params.hskVersion && !params.contentHmac) || (!params.hskVersion && params.contentHmac)) {
     throw new Error("Invalid arguments");
   }
 
+  return await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
+
+    if (params.hskVersion) {
+      const hsk = await trx
+        .selectFrom("hmac_secret_key")
+        .select("version")
+        .where("user_id", "=", params.userId)
+        .where("state", "=", "active")
+        .limit(1)
+        .forUpdate()
+        .executeTakeFirst();
+      if (hsk?.version !== params.hskVersion) {
+        throw new IntegrityError("Inactive HSK version");
+      }
+    }
+
     const { fileId } = await trx
       .insertInto("file")
       .values({
@@ -278,6 +276,7 @@ export const registerFile = async (trx: typeof db, params: Omit<File, "id">) =>
       })
       .execute();
     return { id: fileId };
+  });
 };
 
 export const getAllFilesByParent = async (userId: number, parentId: DirectoryId) => {
@@ -367,79 +366,6 @@ export const getAllFileIds = async (userId: number) => {
   return files.map(({ id }) => id);
 };
 
-export const getLegacyFiles = async (userId: number, limit: number = 100) => {
-  const files = await db
-    .selectFrom("file")
-    .selectAll()
-    .where("user_id", "=", userId)
-    .where("encrypted_content_iv", "is not", null)
-    .limit(limit)
-    .execute();
-  return files.map(
-    (file) =>
-      ({
-        id: file.id,
-        parentId: file.parent_id ?? "root",
-        userId: file.user_id,
-        path: file.path,
-        mekVersion: file.master_encryption_key_version,
-        encDek: file.encrypted_data_encryption_key,
-        dekVersion: file.data_encryption_key_version,
-        hskVersion: file.hmac_secret_key_version,
-        contentHmac: file.content_hmac,
-        contentType: file.content_type,
-        encContentIv: file.encrypted_content_iv,
-        encContentHash: file.encrypted_content_hash,
-        encName: file.encrypted_name,
-        encCreatedAt: file.encrypted_created_at,
-        encLastModifiedAt: file.encrypted_last_modified_at,
-      }) satisfies File,
-  );
-};
-
-export const getFilesWithoutThumbnail = async (userId: number, limit: number = 100) => {
-  const files = await db
-    .selectFrom("file")
-    .selectAll()
-    .where("user_id", "=", userId)
-    .where((eb) =>
-      eb.or([eb("content_type", "like", "image/%"), eb("content_type", "like", "video/%")]),
-    )
-    .where((eb) =>
-      eb.not(
-        eb.exists(
-          eb
-            .selectFrom("thumbnail")
-            .select("thumbnail.id")
-            .whereRef("thumbnail.file_id", "=", "file.id")
-            .limit(1),
-        ),
-      ),
-    )
-    .limit(limit)
-    .execute();
-  return files.map(
-    (file) =>
-      ({
-        id: file.id,
-        parentId: file.parent_id ?? "root",
-        userId: file.user_id,
-        path: file.path,
-        mekVersion: file.master_encryption_key_version,
-        encDek: file.encrypted_data_encryption_key,
-        dekVersion: file.data_encryption_key_version,
-        hskVersion: file.hmac_secret_key_version,
-        contentHmac: file.content_hmac,
-        contentType: file.content_type,
-        encContentIv: file.encrypted_content_iv,
-        encContentHash: file.encrypted_content_hash,
-        encName: file.encrypted_name,
-        encCreatedAt: file.encrypted_created_at,
-        encLastModifiedAt: file.encrypted_last_modified_at,
-      }) satisfies File,
-  );
-};
-
 export const getAllFileIdsByContentHmac = async (
   userId: number,
   hskVersion: number,
@@ -530,109 +456,6 @@ export const getFilesWithCategories = async (userId: number, fileIds: number[])
   );
 };
 
-export const searchFiles = async (
-  userId: number,
-  filters: {
-    parentId: DirectoryId;
-    includeCategoryIds: number[];
-    excludeCategoryIds: number[];
-  },
-) => {
-  const baseQuery = db
-    .withRecursive("directory_tree", (db) =>
-      db
-        .selectFrom("directory")
-        .select("id")
-        .where("user_id", "=", userId)
-        .where((eb) => eb.val(filters.parentId !== "root")) // directory_tree will be empty if parentId is "root"
-        .$if(filters.parentId !== "root", (qb) => qb.where("id", "=", filters.parentId as number))
-        .unionAll(
-          db
-            .selectFrom("directory as d")
-            .innerJoin("directory_tree as dt", "d.parent_id", "dt.id")
-            .select("d.id"),
-        ),
-    )
-    .withRecursive("include_category_tree", (db) =>
-      db
-        .selectFrom("category")
-        .select(["id", "id as root_id"])
-        .where("id", "=", (eb) => eb.fn.any(eb.val(filters.includeCategoryIds)))
-        .where("user_id", "=", userId)
-        .unionAll(
-          db
-            .selectFrom("category as c")
-            .innerJoin("include_category_tree as ct", "c.parent_id", "ct.id")
-            .select(["c.id", "ct.root_id"]),
-        ),
-    )
-    .withRecursive("exclude_category_tree", (db) =>
-      db
-        .selectFrom("category")
-        .select("id")
-        .where("id", "=", (eb) => eb.fn.any(eb.val(filters.excludeCategoryIds)))
-        .where("user_id", "=", userId)
-        .unionAll((db) =>
-          db
-            .selectFrom("category as c")
-            .innerJoin("exclude_category_tree as ct", "c.parent_id", "ct.id")
-            .select("c.id"),
-        ),
-    )
-    .selectFrom("file")
-    .selectAll("file")
-    .$if(filters.parentId === "root", (qb) => qb.where("user_id", "=", userId)) // directory_tree isn't used if parentId is "root"
-    .$if(filters.parentId !== "root", (qb) =>
-      qb.where("parent_id", "in", (eb) => eb.selectFrom("directory_tree").select("id")),
-    )
-    .where((eb) =>
-      eb.not(
-        eb.exists(
-          eb
-            .selectFrom("file_category")
-            .whereRef("file_id", "=", "file.id")
-            .where("category_id", "in", (eb) =>
-              eb.selectFrom("exclude_category_tree").select("id"),
-            ),
-        ),
-      ),
-    );
-  const files =
-    filters.includeCategoryIds.length > 0
-      ? await baseQuery
-          .innerJoin("file_category", "file.id", "file_category.file_id")
-          .innerJoin(
-            "include_category_tree",
-            "file_category.category_id",
-            "include_category_tree.id",
-          )
-          .groupBy("file.id")
-          .having(
-            (eb) => eb.fn.count("include_category_tree.root_id").distinct(),
-            "=",
-            filters.includeCategoryIds.length,
-          )
-          .execute()
-      : await baseQuery.execute();
-  return files.map((file) => ({
-    id: file.id,
-    parentId: file.parent_id ?? ("root" as const),
-    userId: file.user_id,
-    path: file.path,
-    mekVersion: file.master_encryption_key_version,
-    encDek: file.encrypted_data_encryption_key,
-    dekVersion: file.data_encryption_key_version,
-    hskVersion: file.hmac_secret_key_version,
-    contentHmac: file.content_hmac,
-    contentType: file.content_type,
-    encContentIv: file.encrypted_content_iv,
-    encContentHash: file.encrypted_content_hash,
-    encName: file.encrypted_name,
-    encCreatedAt: file.encrypted_created_at,
-    encLastModifiedAt: file.encrypted_last_modified_at,
-  }));
-};
-
 export const setFileEncName = async (
   userId: number,
   fileId: number,
@@ -691,51 +514,6 @@ export const unregisterFile = async (userId: number, fileId: number) => {
   });
 };
 
-export const migrateFileContent = async (
-  trx: typeof db,
-  userId: number,
-  fileId: number,
-  newPath: string,
-  dekVersion: Date,
-  encContentHash: string,
-) => {
-  const file = await trx
-    .selectFrom("file")
-    .select(["path", "data_encryption_key_version", "encrypted_content_iv"])
-    .where("id", "=", fileId)
-    .where("user_id", "=", userId)
-    .limit(1)
-    .forUpdate()
-    .executeTakeFirst();
-  if (!file) {
-    throw new IntegrityError("File not found");
-  } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
-    throw new IntegrityError("Invalid DEK version");
-  } else if (!file.encrypted_content_iv) {
-    throw new IntegrityError("File is not legacy");
-  }
-
-  await trx
-    .updateTable("file")
-    .set({
-      path: newPath,
-      encrypted_content_iv: null,
-      encrypted_content_hash: encContentHash,
-    })
-    .where("id", "=", fileId)
-    .where("user_id", "=", userId)
-    .execute();
-  await trx
-    .insertInto("file_log")
-    .values({
-      file_id: fileId,
-      timestamp: new Date(),
-      action: "migrate",
-    })
-    .execute();
-  return { oldPath: file.path };
-};
-
 export const addFileToCategory = async (fileId: number, categoryId: number) => {
   await db.transaction().execute(async (trx) => {
     try {

src/lib/server/db/index.ts

@@ -5,7 +5,6 @@ export * as HskRepo from "./hsk";
 export * as MediaRepo from "./media";
 export * as MekRepo from "./mek";
 export * as SessionRepo from "./session";
-export * as UploadRepo from "./upload";
 export * as UserRepo from "./user";
 
 export * from "./error";

src/lib/server/db/media.ts

@@ -6,7 +6,7 @@ interface Thumbnail {
   id: number;
   path: string;
   updatedAt: Date;
-  encContentIv: string | null;
+  encContentIv: string;
 }
 
 interface FileThumbnail extends Thumbnail {
@@ -14,13 +14,13 @@ interface FileThumbnail extends Thumbnail {
 }
 
 export const updateFileThumbnail = async (
-  trx: typeof db,
   userId: number,
   fileId: number,
   dekVersion: Date,
   path: string,
-  encContentIv: string | null,
+  encContentIv: string,
 ) => {
+  return await db.transaction().execute(async (trx) => {
     const file = await trx
       .selectFrom("file")
       .select("data_encryption_key_version")
@@ -61,6 +61,7 @@ export const updateFileThumbnail = async (
       )
       .execute();
     return thumbnail?.oldPath ?? null;
+  });
 };
 
 export const getFileThumbnail = async (userId: number, fileId: number) => {
@@ -83,3 +84,27 @@ export const getFileThumbnail = async (userId: number, fileId: number) => {
       } satisfies FileThumbnail)
     : null;
 };
+
+export const getMissingFileThumbnails = async (userId: number, limit: number = 100) => {
+  const files = await db
+    .selectFrom("file")
+    .select("id")
+    .where("user_id", "=", userId)
+    .where((eb) =>
+      eb.or([eb("content_type", "like", "image/%"), eb("content_type", "like", "video/%")]),
+    )
+    .where((eb) =>
+      eb.not(
+        eb.exists(
+          eb
+            .selectFrom("thumbnail")
+            .select("thumbnail.id")
+            .whereRef("thumbnail.file_id", "=", "file.id")
+            .limit(1),
+        ),
+      ),
+    )
+    .limit(limit)
+    .execute();
+  return files.map(({ id }) => id);
+};

src/lib/server/db/migrations/1768062380-AddChunkedUpload.ts

@@ -1,74 +0,0 @@
-import { Kysely, sql } from "kysely";
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-export const up = async (db: Kysely<any>) => {
-  // file.ts
-  await db.schema
-    .alterTable("file")
-    .alterColumn("encrypted_content_iv", (col) => col.dropNotNull())
-    .execute();
-
-  // media.ts
-  await db.schema
-    .alterTable("thumbnail")
-    .alterColumn("encrypted_content_iv", (col) => col.dropNotNull())
-    .execute();
-
-  // upload.ts
-  await db.schema
-    .createTable("upload_session")
-    .addColumn("id", "uuid", (col) => col.primaryKey())
-    .addColumn("type", "text", (col) => col.notNull())
-    .addColumn("user_id", "integer", (col) => col.references("user.id").notNull())
-    .addColumn("path", "text", (col) => col.notNull())
-    .addColumn("bitmap", "bytea", (col) => col.notNull())
-    .addColumn("total_chunks", "integer", (col) => col.notNull())
-    .addColumn("uploaded_chunks", "integer", (col) =>
-      col
-        .generatedAlwaysAs(sql`bit_count(bitmap)`)
-        .stored()
-        .notNull(),
-    )
-    .addColumn("expires_at", "timestamp(3)", (col) => col.notNull())
-    .addColumn("parent_id", "integer", (col) => col.references("directory.id"))
-    .addColumn("master_encryption_key_version", "integer")
-    .addColumn("encrypted_data_encryption_key", "text")
-    .addColumn("data_encryption_key_version", "timestamp(3)")
-    .addColumn("hmac_secret_key_version", "integer")
-    .addColumn("content_type", "text")
-    .addColumn("encrypted_name", "json")
-    .addColumn("encrypted_created_at", "json")
-    .addColumn("encrypted_last_modified_at", "json")
-    .addColumn("file_id", "integer", (col) => col.references("file.id"))
-    .addForeignKeyConstraint(
-      "upload_session_fk01",
-      ["user_id", "master_encryption_key_version"],
-      "master_encryption_key",
-      ["user_id", "version"],
-    )
-    .addForeignKeyConstraint(
-      "upload_session_fk02",
-      ["user_id", "hmac_secret_key_version"],
-      "hmac_secret_key",
-      ["user_id", "version"],
-    )
-    .addCheckConstraint(
-      "upload_session_ck01",
-      sql`length(bitmap) = ceil(total_chunks / 8.0)::integer`,
-    )
-    .addCheckConstraint("upload_session_ck02", sql`uploaded_chunks <= total_chunks`)
-    .execute();
-};
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-export const down = async (db: Kysely<any>) => {
-  await db.schema.dropTable("upload_session").execute();
-  await db.schema
-    .alterTable("thumbnail")
-    .alterColumn("encrypted_content_iv", (col) => col.setNotNull())
-    .execute();
-  await db.schema
-    .alterTable("file")
-    .alterColumn("encrypted_content_iv", (col) => col.setNotNull())
-    .execute();
-};

src/lib/server/db/migrations/index.ts

@@ -1,11 +1,9 @@
 import * as Initial1737357000 from "./1737357000-Initial";
 import * as AddFileCategory1737422340 from "./1737422340-AddFileCategory";
 import * as AddThumbnail1738409340 from "./1738409340-AddThumbnail";
-import * as AddChunkedUpload1768062380 from "./1768062380-AddChunkedUpload";
 
 export default {
   "1737357000-Initial": Initial1737357000,
   "1737422340-AddFileCategory": AddFileCategory1737422340,
   "1738409340-AddThumbnail": AddThumbnail1738409340,
-  "1768062380-AddChunkedUpload": AddChunkedUpload1768062380,
 };

src/lib/server/db/schema/category.ts

@@ -1,5 +1,5 @@
 import type { Generated } from "kysely";
-import type { Ciphertext } from "./utils";
+import type { Ciphertext } from "./util";
 
 interface CategoryTable {
   id: Generated<number>;

src/lib/server/db/schema/file.ts

@@ -1,5 +1,5 @@
 import type { ColumnType, Generated } from "kysely";
-import type { Ciphertext } from "./utils";
+import type { Ciphertext } from "./util";
 
 interface DirectoryTable {
   id: Generated<number>;
@@ -30,7 +30,7 @@ interface FileTable {
   hmac_secret_key_version: number | null;
   content_hmac: string | null; // Base64
   content_type: string;
-  encrypted_content_iv: string | null; // Base64
+  encrypted_content_iv: string; // Base64
   encrypted_content_hash: string; // Base64
   encrypted_name: Ciphertext;
   encrypted_created_at: Ciphertext | null;
@@ -41,7 +41,7 @@ interface FileLogTable {
   id: Generated<number>;
   file_id: number;
   timestamp: ColumnType<Date, Date, never>;
-  action: "create" | "rename" | "migrate" | "add-to-category" | "remove-from-category";
+  action: "create" | "rename" | "add-to-category" | "remove-from-category";
   new_name: Ciphertext | null;
   category_id: number | null;
 }

src/lib/server/db/schema/index.ts

@@ -5,9 +5,8 @@ export * from "./hsk";
 export * from "./media";
 export * from "./mek";
 export * from "./session";
-export * from "./upload";
 export * from "./user";
-export * from "./utils";
+export * from "./util";
 
 // eslint-disable-next-line @typescript-eslint/no-empty-object-type
 export interface Database {}

src/lib/server/db/schema/media.ts

@@ -7,7 +7,7 @@ interface ThumbnailTable {
   category_id: number | null;
   path: string;
   updated_at: Date;
-  encrypted_content_iv: string | null; // Base64
+  encrypted_content_iv: string; // Base64
 }
 
 declare module "./index" {

src/lib/server/db/schema/upload.ts

@@ -1,30 +0,0 @@
-import type { Generated } from "kysely";
-import type { Ciphertext } from "./utils";
-
-interface UploadSessionTable {
-  id: string;
-  type: "file" | "thumbnail" | "migration";
-  user_id: number;
-  path: string;
-  bitmap: Buffer;
-  total_chunks: number;
-  uploaded_chunks: Generated<number>;
-  expires_at: Date;
-
-  parent_id: number | null;
-  master_encryption_key_version: number | null;
-  encrypted_data_encryption_key: string | null; // Base64
-  data_encryption_key_version: Date | null;
-  hmac_secret_key_version: number | null;
-  content_type: string | null;
-  encrypted_name: Ciphertext | null;
-  encrypted_created_at: Ciphertext | null;
-  encrypted_last_modified_at: Ciphertext | null;
-  file_id: number | null;
-}
-
-declare module "./index" {
-  interface Database {
-    upload_session: UploadSessionTable;
-  }
-}

src/lib/server/db/upload.ts

@@ -1,192 +0,0 @@
-import { sql } from "kysely";
-import { IntegrityError } from "./error";
-import db from "./kysely";
-import type { Ciphertext } from "./schema";
-
-interface BaseUploadSession {
-  id: string;
-  userId: number;
-  path: string;
-  bitmap: Buffer;
-  totalChunks: number;
-  uploadedChunks: number;
-  expiresAt: Date;
-}
-
-interface FileUploadSession extends BaseUploadSession {
-  type: "file";
-  parentId: DirectoryId;
-  mekVersion: number;
-  encDek: string;
-  dekVersion: Date;
-  hskVersion: number | null;
-  contentType: string;
-  encName: Ciphertext;
-  encCreatedAt: Ciphertext | null;
-  encLastModifiedAt: Ciphertext;
-}
-
-interface ThumbnailOrMigrationUploadSession extends BaseUploadSession {
-  type: "thumbnail" | "migration";
-  fileId: number;
-  dekVersion: Date;
-}
-
-export const createFileUploadSession = async (
-  params: Omit<FileUploadSession, "type" | "bitmap" | "uploadedChunks">,
-) => {
-  await db.transaction().execute(async (trx) => {
-    const mek = await trx
-      .selectFrom("master_encryption_key")
-      .select("version")
-      .where("user_id", "=", params.userId)
-      .where("state", "=", "active")
-      .limit(1)
-      .forUpdate()
-      .executeTakeFirst();
-    if (mek?.version !== params.mekVersion) {
-      throw new IntegrityError("Inactive MEK version");
-    }
-
-    if (params.hskVersion) {
-      const hsk = await trx
-        .selectFrom("hmac_secret_key")
-        .select("version")
-        .where("user_id", "=", params.userId)
-        .where("state", "=", "active")
-        .limit(1)
-        .forUpdate()
-        .executeTakeFirst();
-      if (hsk?.version !== params.hskVersion) {
-        throw new IntegrityError("Inactive HSK version");
-      }
-    }
-
-    await trx
-      .insertInto("upload_session")
-      .values({
-        id: params.id,
-        type: "file",
-        user_id: params.userId,
-        path: params.path,
-        bitmap: Buffer.alloc(Math.ceil(params.totalChunks / 8)),
-        total_chunks: params.totalChunks,
-        expires_at: params.expiresAt,
-        parent_id: params.parentId !== "root" ? params.parentId : null,
-        master_encryption_key_version: params.mekVersion,
-        encrypted_data_encryption_key: params.encDek,
-        data_encryption_key_version: params.dekVersion,
-        hmac_secret_key_version: params.hskVersion,
-        content_type: params.contentType,
-        encrypted_name: params.encName,
-        encrypted_created_at: params.encCreatedAt,
-        encrypted_last_modified_at: params.encLastModifiedAt,
-      })
-      .execute();
-  });
-};
-
-export const createThumbnailOrMigrationUploadSession = async (
-  params: Omit<ThumbnailOrMigrationUploadSession, "bitmap" | "uploadedChunks">,
-) => {
-  await db.transaction().execute(async (trx) => {
-    const file = await trx
-      .selectFrom("file")
-      .select("data_encryption_key_version")
-      .where("id", "=", params.fileId)
-      .where("user_id", "=", params.userId)
-      .limit(1)
-      .forUpdate()
-      .executeTakeFirst();
-    if (!file) {
-      throw new IntegrityError("File not found");
-    } else if (file.data_encryption_key_version.getTime() !== params.dekVersion.getTime()) {
-      throw new IntegrityError("Invalid DEK version");
-    }
-
-    await trx
-      .insertInto("upload_session")
-      .values({
-        id: params.id,
-        type: params.type,
-        user_id: params.userId,
-        path: params.path,
-        bitmap: Buffer.alloc(Math.ceil(params.totalChunks / 8)),
-        total_chunks: params.totalChunks,
-        expires_at: params.expiresAt,
-        file_id: params.fileId,
-        data_encryption_key_version: params.dekVersion,
-      })
-      .execute();
-  });
-};
-
-export const getUploadSession = async (sessionId: string, userId: number) => {
-  const session = await db
-    .selectFrom("upload_session")
-    .selectAll()
-    .where("id", "=", sessionId)
-    .where("user_id", "=", userId)
-    .where("expires_at", ">", new Date())
-    .limit(1)
-    .executeTakeFirst();
-  if (!session) {
-    return null;
-  } else if (session.type === "file") {
-    return {
-      type: "file",
-      id: session.id,
-      userId: session.user_id,
-      path: session.path,
-      bitmap: session.bitmap,
-      totalChunks: session.total_chunks,
-      uploadedChunks: session.uploaded_chunks,
-      expiresAt: session.expires_at,
-      parentId: session.parent_id ?? "root",
-      mekVersion: session.master_encryption_key_version!,
-      encDek: session.encrypted_data_encryption_key!,
-      dekVersion: session.data_encryption_key_version!,
-      hskVersion: session.hmac_secret_key_version,
-      contentType: session.content_type!,
-      encName: session.encrypted_name!,
-      encCreatedAt: session.encrypted_created_at,
-      encLastModifiedAt: session.encrypted_last_modified_at!,
-    } satisfies FileUploadSession;
-  } else {
-    return {
-      type: session.type,
-      id: session.id,
-      userId: session.user_id,
-      path: session.path,
-      bitmap: session.bitmap,
-      totalChunks: session.total_chunks,
-      uploadedChunks: session.uploaded_chunks,
-      expiresAt: session.expires_at,
-      fileId: session.file_id!,
-      dekVersion: session.data_encryption_key_version!,
-    } satisfies ThumbnailOrMigrationUploadSession;
-  }
-};
-
-export const markChunkAsUploaded = async (sessionId: string, chunkIndex: number) => {
-  await db
-    .updateTable("upload_session")
-    .set({
-      bitmap: sql`set_bit(${sql.ref("bitmap")}, ${chunkIndex - 1}, 1)`,
-    })
-    .where("id", "=", sessionId)
-    .execute();
-};
-
-export const deleteUploadSession = async (trx: typeof db, sessionId: string) => {
-  await trx.deleteFrom("upload_session").where("id", "=", sessionId).execute();
-};
-
-export const cleanupExpiredUploadSessions = async () => {
-  const sessions = await db
-    .deleteFrom("upload_session")
-    .where("expires_at", "<=", new Date())
-    .returning("path")
-    .execute();
-  return sessions.map(({ path }) => path);
-};

src/lib/server/loadenv.ts

@@ -26,5 +26,4 @@ export default {
   },
   libraryPath: env.LIBRARY_PATH || "library",
   thumbnailsPath: env.THUMBNAILS_PATH || "thumbnails",
-  uploadsPath: env.UPLOADS_PATH || "uploads",
 };

src/lib/server/modules/filesystem.ts

@@ -1,10 +1,4 @@
-import { rm, unlink } from "fs/promises";
-
-export const safeRecursiveRm = async (path: string | null | undefined) => {
-  if (path) {
-    await rm(path, { recursive: true }).catch(console.error);
-  }
-};
+import { unlink } from "fs/promises";
 
 export const safeUnlink = async (path: string | null | undefined) => {
   if (path) {

src/lib/server/schemas/category.ts

@@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const categoryIdSchema = z.union([z.literal("root"), z.int().positive()]);

src/lib/server/schemas/directory.ts

@@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const directoryIdSchema = z.union([z.literal("root"), z.int().positive()]);

src/lib/server/schemas/file.ts

@@ -0,0 +1,36 @@
+import mime from "mime";
+import { z } from "zod";
+import { directoryIdSchema } from "./directory";
+
+export const fileThumbnailUploadRequest = z.object({
+  dekVersion: z.iso.datetime(),
+  contentIv: z.base64().nonempty(),
+});
+export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;
+
+export const fileUploadRequest = z.object({
+  parent: directoryIdSchema,
+  mekVersion: z.int().positive(),
+  dek: z.base64().nonempty(),
+  dekVersion: z.iso.datetime(),
+  hskVersion: z.int().positive(),
+  contentHmac: z.base64().nonempty(),
+  contentType: z
+    .string()
+    .trim()
+    .nonempty()
+    .refine((value) => mime.getExtension(value) !== null), // MIME type
+  contentIv: z.base64().nonempty(),
+  name: z.base64().nonempty(),
+  nameIv: z.base64().nonempty(),
+  createdAt: z.base64().nonempty().optional(),
+  createdAtIv: z.base64().nonempty().optional(),
+  lastModifiedAt: z.base64().nonempty(),
+  lastModifiedAtIv: z.base64().nonempty(),
+});
+export type FileUploadRequest = z.input<typeof fileUploadRequest>;
+
+export const fileUploadResponse = z.object({
+  file: z.int().positive(),
+});
+export type FileUploadResponse = z.output<typeof fileUploadResponse>;

src/lib/server/schemas/index.ts

@@ -0,0 +1,3 @@
+export * from "./category";
+export * from "./directory";
+export * from "./file";

src/lib/server/services/file.ts

@@ -1,74 +1,126 @@
 import { error } from "@sveltejs/kit";
-import { createReadStream } from "fs";
-import { stat } from "fs/promises";
+import { createHash } from "crypto";
+import { createReadStream, createWriteStream } from "fs";
+import { mkdir, stat } from "fs/promises";
+import { dirname } from "path";
 import { Readable } from "stream";
-import { FileRepo, MediaRepo } from "$lib/server/db";
+import { pipeline } from "stream/promises";
+import { v4 as uuidv4 } from "uuid";
+import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
+import env from "$lib/server/loadenv";
+import { safeUnlink } from "$lib/server/modules/filesystem";
 
-const createEncContentStream = async (
-  path: string,
-  iv?: Buffer,
-  range?: { start?: number; end?: number },
-) => {
-  const { size: fileSize } = await stat(path);
-  const ivSize = iv?.byteLength ?? 0;
-  const totalSize = fileSize + ivSize;
-
-  const start = range?.start ?? 0;
-  const end = range?.end ?? totalSize - 1;
-  if (start > end || start < 0 || end >= totalSize) {
-    error(416, "Invalid range");
-  }
-
-  return {
-    encContentStream: Readable.toWeb(
-      Readable.from(
-        (async function* () {
-          if (start < ivSize) {
-            yield iv!.subarray(start, Math.min(end + 1, ivSize));
-          }
-          if (end >= ivSize) {
-            yield* createReadStream(path, {
-              start: Math.max(0, start - ivSize),
-              end: end - ivSize,
-            });
-          }
-        })(),
-      ),
-    ),
-    range: { start, end, total: totalSize },
-  };
-};
-
-export const getFileStream = async (
-  userId: number,
-  fileId: number,
-  range?: { start?: number; end?: number },
-) => {
+export const getFileStream = async (userId: number, fileId: number) => {
   const file = await FileRepo.getFile(userId, fileId);
   if (!file) {
     error(404, "Invalid file id");
   }
 
-  return createEncContentStream(
-    file.path,
-    file.encContentIv ? Buffer.from(file.encContentIv, "base64") : undefined,
-    range,
-  );
+  const { size } = await stat(file.path);
+  return {
+    encContentStream: Readable.toWeb(createReadStream(file.path)),
+    encContentSize: size,
+  };
 };
 
-export const getFileThumbnailStream = async (
-  userId: number,
-  fileId: number,
-  range?: { start?: number; end?: number },
-) => {
+export const getFileThumbnailStream = async (userId: number, fileId: number) => {
   const thumbnail = await MediaRepo.getFileThumbnail(userId, fileId);
   if (!thumbnail) {
     error(404, "File or its thumbnail not found");
   }
 
-  return createEncContentStream(
-    thumbnail.path,
-    thumbnail.encContentIv ? Buffer.from(thumbnail.encContentIv, "base64") : undefined,
-    range,
-  );
+  const { size } = await stat(thumbnail.path);
+  return {
+    encContentStream: Readable.toWeb(createReadStream(thumbnail.path)),
+    encContentSize: size,
+  };
+};
+
+export const uploadFileThumbnail = async (
+  userId: number,
+  fileId: number,
+  dekVersion: Date,
+  encContentIv: string,
+  encContentStream: Readable,
+) => {
+  const path = `${env.thumbnailsPath}/${userId}/${uuidv4()}`;
+  await mkdir(dirname(path), { recursive: true });
+
+  try {
+    await pipeline(encContentStream, createWriteStream(path, { flags: "wx", mode: 0o600 }));
+
+    const oldPath = await MediaRepo.updateFileThumbnail(
+      userId,
+      fileId,
+      dekVersion,
+      path,
+      encContentIv,
+    );
+    safeUnlink(oldPath); // Intended
+  } catch (e) {
+    await safeUnlink(path);
+
+    if (e instanceof IntegrityError) {
+      if (e.message === "File not found") {
+        error(404, "File not found");
+      } else if (e.message === "Invalid DEK version") {
+        error(400, "Mismatched DEK version");
+      }
+    }
+    throw e;
+  }
+};
+
+export const uploadFile = async (
+  params: Omit<FileRepo.NewFile, "path" | "encContentHash">,
+  encContentStream: Readable,
+  encContentHash: Promise<string>,
+) => {
+  const oneDayAgo = new Date(Date.now() - 24 * 60 * 60 * 1000);
+  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+  if (params.dekVersion <= oneDayAgo || params.dekVersion >= oneMinuteLater) {
+    error(400, "Invalid DEK version");
+  }
+
+  const path = `${env.libraryPath}/${params.userId}/${uuidv4()}`;
+  await mkdir(dirname(path), { recursive: true });
+
+  try {
+    const hashStream = createHash("sha256");
+    const [, hash] = await Promise.all([
+      pipeline(
+        encContentStream,
+        async function* (source) {
+          for await (const chunk of source) {
+            hashStream.update(chunk);
+            yield chunk;
+          }
+        },
+        createWriteStream(path, { flags: "wx", mode: 0o600 }),
+      ),
+      encContentHash,
+    ]);
+    if (hashStream.digest("base64") !== hash) {
+      throw new Error("Invalid checksum");
+    }
+
+    const { id: fileId } = await FileRepo.registerFile({
+      ...params,
+      path,
+      encContentHash: hash,
+    });
+    return { fileId };
+  } catch (e) {
+    await safeUnlink(path);
+
+    if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
+      error(400, "Invalid MEK version");
+    } else if (
+      e instanceof Error &&
+      (e.message === "Invalid request body" || e.message === "Invalid checksum")
+    ) {
+      error(400, "Invalid request body");
+    }
+    throw e;
+  }
 };

src/lib/server/services/upload.ts

@@ -1,88 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { createHash } from "crypto";
-import { createWriteStream } from "fs";
-import { Readable } from "stream";
-import { ENCRYPTION_OVERHEAD, ENCRYPTED_CHUNK_SIZE } from "$lib/constants";
-import { UploadRepo } from "$lib/server/db";
-import { safeRecursiveRm, safeUnlink } from "$lib/server/modules/filesystem";
-
-const chunkLocks = new Set<string>();
-
-const isChunkUploaded = (bitmap: Buffer, chunkIndex: number) => {
-  chunkIndex -= 1;
-  const byte = bitmap[Math.floor(chunkIndex / 8)];
-  return !!byte && (byte & (1 << (chunkIndex % 8))) !== 0; // Postgres sucks
-};
-
-export const uploadChunk = async (
-  userId: number,
-  sessionId: string,
-  chunkIndex: number,
-  encChunkStream: Readable,
-  encChunkHash: string,
-) => {
-  const lockKey = `${sessionId}/${chunkIndex}`;
-  if (chunkLocks.has(lockKey)) {
-    error(409, "Chunk upload already in progress");
-  } else {
-    chunkLocks.add(lockKey);
-  }
-
-  let filePath;
-
-  try {
-    const session = await UploadRepo.getUploadSession(sessionId, userId);
-    if (!session) {
-      error(404, "Invalid upload id");
-    } else if (chunkIndex > session.totalChunks) {
-      error(400, "Invalid chunk index");
-    } else if (isChunkUploaded(session.bitmap, chunkIndex)) {
-      error(409, "Chunk already uploaded");
-    }
-
-    const isLastChunk = chunkIndex === session.totalChunks;
-    filePath = `${session.path}/${chunkIndex}`;
-
-    const hashStream = createHash("sha256");
-    const writeStream = createWriteStream(filePath, { flags: "wx", mode: 0o600 });
-    let writtenBytes = 0;
-
-    for await (const chunk of encChunkStream) {
-      hashStream.update(chunk);
-      writeStream.write(chunk);
-      writtenBytes += chunk.length;
-    }
-
-    await new Promise<void>((resolve, reject) => {
-      writeStream.end((e: any) => (e ? reject(e) : resolve()));
-    });
-
-    if (hashStream.digest("base64") !== encChunkHash) {
-      throw new Error("Invalid checksum");
-    } else if (
-      (!isLastChunk && writtenBytes !== ENCRYPTED_CHUNK_SIZE) ||
-      (isLastChunk && (writtenBytes <= ENCRYPTION_OVERHEAD || writtenBytes > ENCRYPTED_CHUNK_SIZE))
-    ) {
-      throw new Error("Invalid chunk size");
-    }
-
-    await UploadRepo.markChunkAsUploaded(sessionId, chunkIndex);
-  } catch (e) {
-    await safeUnlink(filePath);
-
-    if (
-      e instanceof Error &&
-      (e.message === "Invalid checksum" || e.message === "Invalid chunk size")
-    ) {
-      error(400, "Invalid request body");
-    }
-    throw e;
-  } finally {
-    chunkLocks.delete(lockKey);
-  }
-};
-
-export const cleanupExpiredUploadSessions = async () => {
-  const paths = await UploadRepo.cleanupExpiredUploadSessions();
-  await Promise.all(paths.map(safeRecursiveRm));
-};

src/lib/serviceWorker/client.ts

@@ -1,39 +0,0 @@
-import { DECRYPTED_FILE_URL_PREFIX } from "$lib/constants";
-import type { FileMetadata, ServiceWorkerMessage, ServiceWorkerResponse } from "./types";
-
-const PREPARE_TIMEOUT_MS = 5000;
-
-const getServiceWorker = async () => {
-  const registration = await navigator.serviceWorker.ready;
-  const sw = registration.active;
-  if (!sw) {
-    throw new Error("Service worker not activated");
-  }
-  return sw;
-};
-
-export const prepareFileDecryption = async (id: number, metadata: FileMetadata) => {
-  const sw = await getServiceWorker();
-  return new Promise<void>((resolve, reject) => {
-    const timeout = setTimeout(
-      () => reject(new Error("Service worker timeout")),
-      PREPARE_TIMEOUT_MS,
-    );
-    const handler = (event: MessageEvent<ServiceWorkerResponse>) => {
-      if (event.data.type === "decryption-ready" && event.data.fileId === id) {
-        clearTimeout(timeout);
-        navigator.serviceWorker.removeEventListener("message", handler);
-        resolve();
-      }
-    };
-    navigator.serviceWorker.addEventListener("message", handler);
-
-    sw.postMessage({
-      type: "decryption-prepare",
-      fileId: id,
-      ...metadata,
-    } satisfies ServiceWorkerMessage);
-  });
-};
-
-export const getDecryptedFileUrl = (id: number) => `${DECRYPTED_FILE_URL_PREFIX}${id}`;

src/lib/serviceWorker/index.ts

@@ -1,2 +0,0 @@
-export * from "./client";
-export * from "./types";

src/lib/serviceWorker/types.ts

@@ -1,19 +0,0 @@
-export interface FileMetadata {
-  isLegacy: boolean;
-  dataKey: CryptoKey;
-  encContentSize: number;
-  contentType: string;
-}
-
-export interface DecryptionPrepareMessage extends FileMetadata {
-  type: "decryption-prepare";
-  fileId: number;
-}
-
-export interface DecryptionReadyMessage {
-  type: "decryption-ready";
-  fileId: number;
-}
-
-export type ServiceWorkerMessage = DecryptionPrepareMessage;
-export type ServiceWorkerResponse = DecryptionReadyMessage;

src/lib/services/file.ts

@@ -6,42 +6,38 @@ import {
   downloadFile,
   deleteFileThumbnailCache,
 } from "$lib/modules/file";
-import { uploadBlob } from "$lib/modules/upload";
+import type { FileThumbnailUploadRequest } from "$lib/server/schemas";
 import { trpc } from "$trpc/client";
 
 export const requestFileDownload = async (
   fileId: number,
+  fileEncryptedIv: string,
   dataKey: CryptoKey,
-  isLegacy: boolean,
 ) => {
   const cache = await getFileCache(fileId);
   if (cache) return cache;
 
-  const fileBuffer = await downloadFile(fileId, dataKey, isLegacy);
+  const fileBuffer = await downloadFile(fileId, fileEncryptedIv, dataKey);
   storeFileCache(fileId, fileBuffer); // Intended
   return fileBuffer;
 };
 
 export const requestFileThumbnailUpload = async (
   fileId: number,
-  thumbnail: Blob,
-  dataKey: CryptoKey,
   dataKeyVersion: Date,
+  thumbnailEncrypted: { ciphertext: ArrayBuffer; iv: string },
 ) => {
-  try {
-    const { uploadId } = await trpc().upload.startFileThumbnailUpload.mutate({
-      file: fileId,
-      dekVersion: dataKeyVersion,
-    });
+  const form = new FormData();
+  form.set(
+    "metadata",
+    JSON.stringify({
+      dekVersion: dataKeyVersion.toISOString(),
+      contentIv: thumbnailEncrypted.iv,
+    } satisfies FileThumbnailUploadRequest),
+  );
+  form.set("content", new Blob([thumbnailEncrypted.ciphertext]));
 
-    await uploadBlob(uploadId, thumbnail, dataKey);
-
-    await trpc().upload.completeFileThumbnailUpload.mutate({ uploadId });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  return await fetch(`/api/file/${fileId}/thumbnail/upload`, { method: "POST", body: form });
 };
 
 export const requestDeletedFilesCleanup = async () => {

src/lib/utils/HybridPromise.ts

@@ -90,42 +90,4 @@ export class HybridPromise<T> implements PromiseLike<T> {
       return HybridPromise.reject(e);
     }
   }
-
-  static all<T extends readonly unknown[] | []>(
-    maybePromises: T,
-  ): HybridPromise<{ -readonly [P in keyof T]: HybridAwaited<T[P]> }> {
-    const length = maybePromises.length;
-    if (length === 0) {
-      return HybridPromise.resolve([] as any);
 }
-
-    const hps = Array.from(maybePromises).map((p) => HybridPromise.resolve(p));
-    if (hps.some((hp) => !hp.isSync())) {
-      return new HybridPromise({
-        mode: "async",
-        promise: Promise.all(hps.map((hp) => hp.toPromise())) as any,
-      });
-    }
-
-    try {
-      return HybridPromise.resolve(
-        Array.from(
-          hps.map((hp) => {
-            if (hp.state.mode === "sync") {
-              if (hp.state.status === "fulfilled") {
-                return hp.state.value;
-              } else {
-                throw hp.state.reason;
-              }
-            }
-          }),
-        ) as any,
-      );
-    } catch (e) {
-      return HybridPromise.reject(e);
-    }
-  }
-}
-
-export type HybridAwaited<T> =
-  T extends HybridPromise<infer U> ? U : T extends Promise<infer U> ? U : T;

src/lib/utils/concurrency/BoundedQueue.ts

@@ -1,44 +0,0 @@
-export class BoundedQueue<T> {
-  private isClosed = false;
-  private reservedCount = 0;
-  private items: T[] = [];
-
-  private waitersNotFull: (() => void)[] = [];
-  private waitersNotEmpty: (() => void)[] = [];
-
-  constructor(private readonly maxSize: number) {}
-
-  async push(item: T) {
-    if (this.isClosed) {
-      throw new Error("Queue closed");
-    }
-
-    while (this.reservedCount >= this.maxSize) {
-      await new Promise<void>((resolve) => this.waitersNotFull.push(resolve));
-      if (this.isClosed) throw new Error("Queue closed");
-    }
-
-    this.reservedCount++;
-    this.items.push(item);
-    this.waitersNotEmpty.shift()?.();
-  }
-
-  async pop() {
-    while (this.items.length === 0) {
-      if (this.isClosed) return null;
-      await new Promise<void>((resolve) => this.waitersNotEmpty.push(resolve));
-    }
-
-    const item = this.items.shift()!;
-    this.reservedCount--;
-    this.waitersNotFull.shift()?.();
-
-    return item;
-  }
-
-  close() {
-    this.isClosed = true;
-    while (this.waitersNotEmpty.length > 0) this.waitersNotEmpty.shift()!();
-    while (this.waitersNotFull.length > 0) this.waitersNotFull.shift()!();
-  }
-}

src/lib/utils/concurrency/index.ts

@@ -1,3 +0,0 @@
-export * from "./BoundedQueue";
-export * from "./HybridPromise";
-export * from "./Scheduler";

src/lib/utils/index.ts

@@ -1,5 +1,4 @@
-export * from "./concurrency";
 export * from "./format";
 export * from "./gotoStateful";
-export * from "./search";
+export * from "./HybridPromise";
 export * from "./sort";

src/lib/utils/search.ts

@@ -1,28 +0,0 @@
-import { disassemble, getChoseong } from "es-hangul";
-
-const normalize = (s: string) => {
-  return s.normalize("NFC").toLowerCase().replace(/\s/g, "");
-};
-
-const extractHangul = (s: string) => {
-  return s.replace(/[^가-힣ㄱ-ㅎㅏ-ㅣ]/g, "");
-};
-
-const hangulSearch = (original: string, query: string) => {
-  original = extractHangul(original);
-  query = extractHangul(query);
-  if (!original || !query) return false;
-
-  return (
-    disassemble(original).includes(disassemble(query)) ||
-    getChoseong(original).includes(getChoseong(query))
-  );
-};
-
-export const searchString = (original: string, query: string) => {
-  original = normalize(original);
-  query = normalize(query);
-  if (!original || !query) return false;
-
-  return original.includes(query) || hangulSearch(original, query);
-};

src/params/thumbnail.ts

@@ -1,5 +0,0 @@
-import type { ParamMatcher } from "@sveltejs/kit";
-
-export const match: ParamMatcher = (param) => {
-  return param === "thumbnail";
-};

src/routes/(fullscreen)/file/[id]/+page.svelte

@@ -5,7 +5,7 @@
   import { page } from "$app/state";
   import { FullscreenDiv } from "$lib/components/atoms";
   import { Categories, IconEntryButton, TopBar } from "$lib/components/molecules";
-  import { getFileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
+  import { getFileInfo, type FileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
   import { captureVideoThumbnail } from "$lib/modules/thumbnail";
   import { getFileDownloadState } from "$lib/modules/file";
   import { masterKeyStore } from "$lib/stores";
@@ -17,7 +17,6 @@
     requestFileDownload,
     requestThumbnailUpload,
     requestFileAdditionToCategory,
-    requestVideoStream,
   } from "./service";
   import TopBarMenu from "./TopBarMenu.svelte";
 
@@ -38,7 +37,6 @@
   let viewerType: "image" | "video" | undefined = $state();
   let fileBlob: Blob | undefined = $state();
   let fileBlobUrl: string | undefined = $state();
-  let videoStreamUrl: string | undefined = $state();
   let videoElement: HTMLVideoElement | undefined = $state();
 
   const updateViewer = async (buffer: ArrayBuffer, contentType: string) => {
@@ -97,19 +95,7 @@
       untrack(() => {
         if (!downloadState && !isDownloadRequested) {
           isDownloadRequested = true;
-
-          if (viewerType === "video" && !info!.isLegacy) {
-            requestVideoStream(data.id, info!.dataKey!.key, contentType).then((streamUrl) => {
-              if (streamUrl) {
-                videoStreamUrl = streamUrl;
-              } else {
-                requestFileDownload(data.id, info!.dataKey!.key, info!.isLegacy!).then((buffer) =>
-                  updateViewer(buffer, contentType),
-                );
-              }
-            });
-          } else {
-            requestFileDownload(data.id, info!.dataKey!.key, info!.isLegacy!).then(
+          requestFileDownload(data.id, info!.contentIv!, info!.dataKey!.key).then(
             async (buffer) => {
               const blob = await updateViewer(buffer, contentType);
               if (!viewerType) {
@@ -118,16 +104,13 @@
             },
           );
         }
-        }
       });
     }
   });
 
   $effect(() => {
     if (info?.exists && downloadState?.status === "decrypted") {
-      untrack(
-        () => !isDownloadRequested && updateViewer(downloadState.result!, info!.contentType!),
-      );
+      untrack(() => !isDownloadRequested && updateViewer(downloadState.result!, info!.contentIv!));
     }
   });
 
@@ -150,13 +133,10 @@
     </button>
     <TopBarMenu
       bind:isOpen={isMenuOpen}
-      directoryId={["category", "gallery", "search"].includes(
-        page.url.searchParams.get("from") ?? "",
-      )
+      directoryId={["category", "gallery"].includes(page.url.searchParams.get("from") ?? "")
         ? info?.parentId
         : undefined}
       {fileBlob}
-      downloadUrl={videoStreamUrl}
       filename={info?.name}
     />
   </div>
@@ -179,10 +159,9 @@
             {@render viewerLoading("이미지를 불러오고 있어요.")}
           {/if}
         {:else if viewerType === "video"}
-          {#if videoStreamUrl || fileBlobUrl}
+          {#if fileBlobUrl}
             <div class="flex flex-col space-y-2">
-              <video bind:this={videoElement} src={videoStreamUrl ?? fileBlobUrl} controls muted
-              ></video>
+              <video bind:this={videoElement} src={fileBlobUrl} controls muted></video>
               <IconEntryButton
                 icon={IconCamera}
                 onclick={() => updateThumbnail(info?.dataKey?.key!, info?.dataKey?.version!)}

src/routes/(fullscreen)/file/[id]/TopBarMenu.svelte

@@ -10,29 +10,17 @@
 
   interface Props {
     directoryId?: "root" | number;
-    downloadUrl?: string;
     fileBlob?: Blob;
     filename?: string;
     isOpen: boolean;
   }
 
-  let { directoryId, downloadUrl, fileBlob, filename, isOpen = $bindable() }: Props = $props();
-
-  const handleDownload = () => {
-    if (fileBlob && filename) {
-      FileSaver.saveAs(fileBlob, filename);
-    } else if (downloadUrl && filename) {
-      // Use streaming download via Content-Disposition header
-      const url = new URL(downloadUrl, window.location.origin);
-      url.searchParams.set("download", filename);
-      window.open(url.toString(), "_blank");
-    }
-  };
+  let { directoryId, fileBlob, filename, isOpen = $bindable() }: Props = $props();
 </script>
 
 <svelte:window onclick={() => (isOpen = false)} />
 
-{#if isOpen && (directoryId || downloadUrl || fileBlob)}
+{#if isOpen && (directoryId || fileBlob)}
   <div
     class="absolute right-2 top-full z-20 space-y-1 rounded-lg bg-white px-1 py-2 shadow-2xl"
     transition:fly={{ y: -8, duration: 200 }}
@@ -61,8 +49,10 @@
           ),
         )}
       {/if}
-      {#if fileBlob || downloadUrl}
-        {@render menuButton(IconCloudDownload, "다운로드", handleDownload)}
+      {#if fileBlob}
+        {@render menuButton(IconCloudDownload, "다운로드", () => {
+          FileSaver.saveAs(fileBlob, filename);
+        })}
       {/if}
     </div>
   </div>

src/routes/(fullscreen)/file/[id]/service.ts

@@ -1,41 +1,23 @@
+import { encryptData } from "$lib/modules/crypto";
 import { storeFileThumbnailCache } from "$lib/modules/file";
-import { prepareFileDecryption, getDecryptedFileUrl } from "$lib/serviceWorker";
 import { requestFileThumbnailUpload } from "$lib/services/file";
 import { trpc } from "$trpc/client";
 
 export { requestCategoryCreation, requestFileRemovalFromCategory } from "$lib/services/category";
 export { requestFileDownload } from "$lib/services/file";
 
-export const requestVideoStream = async (
-  fileId: number,
-  dataKey: CryptoKey,
-  contentType: string,
-) => {
-  const res = await fetch(`/api/file/${fileId}/download`, { method: "HEAD" });
-  if (!res.ok) return null;
-
-  const encContentSize = parseInt(res.headers.get("Content-Length") ?? "0", 10);
-  if (encContentSize <= 0) return null;
-
-  try {
-    await prepareFileDecryption(fileId, { isLegacy: false, dataKey, encContentSize, contentType });
-    return getDecryptedFileUrl(fileId);
-  } catch {
-    // TODO: Error Handling
-    return null;
-  }
-};
-
 export const requestThumbnailUpload = async (
   fileId: number,
   thumbnail: Blob,
   dataKey: CryptoKey,
   dataKeyVersion: Date,
 ) => {
-  const res = await requestFileThumbnailUpload(fileId, thumbnail, dataKey, dataKeyVersion);
-  if (!res) return false;
+  const thumbnailBuffer = await thumbnail.arrayBuffer();
+  const thumbnailEncrypted = await encryptData(thumbnailBuffer, dataKey);
+  const res = await requestFileThumbnailUpload(fileId, dataKeyVersion, thumbnailEncrypted);
+  if (!res.ok) return false;
 
-  void thumbnail.arrayBuffer().then((buffer) => storeFileThumbnailCache(fileId, buffer));
+  storeFileThumbnailCache(fileId, thumbnailBuffer); // Intended
   return true;
 };
 

src/routes/(fullscreen)/file/uploads/+page.svelte

@@ -16,7 +16,7 @@
 <TopBar />
 <FullscreenDiv>
   <div class="space-y-2 pb-4">
-    {#each uploadingFiles as file (file.id)}
+    {#each uploadingFiles as file}
       <File state={file} />
     {/each}
   </div>

src/routes/(fullscreen)/gallery/+page.svelte

@@ -63,7 +63,7 @@
 <FullscreenDiv>
   <RowVirtualizer
     count={rows.length}
-    estimateItemHeight={(index) =>
+    itemHeight={(index) =>
       rows[index]!.type === "header" ? 28 : 181 + (rows[index]!.isLast ? 16 : 4)}
     class="flex flex-grow flex-col"
   >

src/routes/(fullscreen)/search/+page.svelte

@@ -1,240 +0,0 @@
-<script lang="ts">
-  import type { Snapshot } from "@sveltejs/kit";
-  import superjson, { type SuperJSONResult } from "superjson";
-  import { untrack } from "svelte";
-  import { slide } from "svelte/transition";
-  import { goto } from "$app/navigation";
-  import { Chip, FullscreenDiv, RowVirtualizer } from "$lib/components/atoms";
-  import {
-    getDirectoryInfo,
-    type LocalCategoryInfo,
-    type MaybeDirectoryInfo,
-  } from "$lib/modules/filesystem";
-  import { masterKeyStore } from "$lib/stores";
-  import { HybridPromise, searchString, sortEntries } from "$lib/utils";
-  import Directory from "./Directory.svelte";
-  import File from "./File.svelte";
-  import SearchBar from "./SearchBar.svelte";
-  import SelectCategoryBottomSheet from "./SelectCategoryBottomSheet.svelte";
-  import { requestSearch, type SearchFilter, type SearchResult } from "./service";
-
-  let { data } = $props();
-
-  interface SearchFilters {
-    name: string;
-    includeImages: boolean;
-    includeVideos: boolean;
-    includeDirectories: boolean;
-    searchInDirectory: boolean;
-    categories: SearchFilter["categories"];
-  }
-
-  let directoryInfo: MaybeDirectoryInfo | undefined = $state();
-
-  let filters: SearchFilters = $state({
-    name: "",
-    includeImages: false,
-    includeVideos: false,
-    includeDirectories: false,
-    searchInDirectory: false,
-    categories: [],
-  });
-  let hasCategoryFilter = $derived(filters.categories.length > 0);
-  let hasAnyFilter = $derived(
-    hasCategoryFilter ||
-      filters.includeImages ||
-      filters.includeVideos ||
-      filters.includeDirectories ||
-      filters.name.trim().length > 0,
-  );
-
-  let isRestoredFromSnapshot = $state(false);
-  let serverResult: SearchResult | undefined = $state();
-  let result = $derived.by(() => {
-    if (!serverResult) return [];
-
-    const nameFilter = filters.name.trim();
-    const hasTypeFilter =
-      filters.includeImages || filters.includeVideos || filters.includeDirectories;
-
-    const directories =
-      !hasTypeFilter || filters.includeDirectories
-        ? serverResult.directories.map((directory) => ({
-            type: "directory" as const,
-            ...directory,
-          }))
-        : [];
-    const files =
-      !hasTypeFilter || filters.includeImages || filters.includeVideos
-        ? serverResult.files
-            .filter(
-              ({ contentType }) =>
-                !hasTypeFilter ||
-                (filters.includeImages && contentType.startsWith("image/")) ||
-                (filters.includeVideos && contentType.startsWith("video/")),
-            )
-            .map((file) => ({
-              type: "file" as const,
-              ...file,
-            }))
-        : [];
-
-    return sortEntries(
-      [...directories, ...files].filter(
-        ({ name }) => !nameFilter || searchString(name, nameFilter),
-      ),
-    );
-  });
-
-  let isSelectCategoryBottomSheetOpen = $state(false);
-  let categorySelectMode: "include" | "exclude" = $state("include");
-
-  const openSelectCategoryBottomSheet = (mode: "include" | "exclude") => {
-    categorySelectMode = mode;
-    isSelectCategoryBottomSheetOpen = true;
-  };
-
-  const addCategoryFilter = (category: LocalCategoryInfo) => {
-    if (!filters.categories.some(({ info }) => info.id === category.id)) {
-      filters.categories.push({
-        info: category,
-        type: categorySelectMode,
-      });
-      isSelectCategoryBottomSheetOpen = false;
-    }
-  };
-
-  export const snapshot: Snapshot<{
-    filters: SearchFilters;
-    serverResult: SuperJSONResult;
-  }> = {
-    capture() {
-      return { filters, serverResult: superjson.serialize(serverResult) };
-    },
-    restore(value) {
-      filters = value.filters;
-      serverResult = superjson.deserialize(value.serverResult, { inPlace: true });
-      isRestoredFromSnapshot = true;
-    },
-  };
-
-  $effect(() => {
-    if (data.directoryId) {
-      HybridPromise.resolve(getDirectoryInfo(data.directoryId, $masterKeyStore?.get(1)?.key!)).then(
-        (res) => {
-          directoryInfo = res;
-          filters.searchInDirectory = res.exists;
-        },
-      );
-    } else {
-      directoryInfo = undefined;
-      filters.searchInDirectory = false;
-    }
-  });
-
-  $effect(() => {
-    // Svelte sucks
-    hasAnyFilter;
-    filters.searchInDirectory;
-    filters.categories.length;
-
-    if (untrack(() => isRestoredFromSnapshot)) {
-      isRestoredFromSnapshot = false;
-      return;
-    }
-
-    if (hasAnyFilter) {
-      requestSearch(
-        {
-          ancestorId: filters.searchInDirectory ? data.directoryId! : "root",
-          categories: filters.categories,
-        },
-        $masterKeyStore?.get(1)?.key!,
-      ).then((res) => {
-        serverResult = res;
-      });
-    }
-  });
-</script>
-
-<svelte:head>
-  <title>검색</title>
-</svelte:head>
-
-<SearchBar bind:value={filters.name} />
-<FullscreenDiv class="bg-gray-100 !px-0">
-  <div class="flex flex-grow flex-col space-y-4">
-    <div class="space-y-2 bg-white p-4 !pt-0">
-      <div class="space-y-3">
-        <div class="flex flex-wrap gap-2">
-          <Chip bind:selected={filters.includeImages}>사진</Chip>
-          <Chip bind:selected={filters.includeVideos}>동영상</Chip>
-          {#if !hasCategoryFilter}
-            <Chip bind:selected={filters.includeDirectories}>폴더</Chip>
-          {/if}
-          {#if directoryInfo?.exists}
-            <Chip bind:selected={filters.searchInDirectory}>
-              위치: {directoryInfo.name}
-            </Chip>
-          {/if}
-        </div>
-        {#if !filters.includeDirectories}
-          <div class="space-y-2" transition:slide={{ duration: 300 }}>
-            <p class="text-sm font-medium text-gray-600">카테고리</p>
-            <div class="flex flex-wrap gap-2">
-              {#each filters.categories as { info, type }, i (info.id)}
-                <Chip
-                  selected
-                  removable
-                  onclick={() => {}}
-                  onRemoveClick={() => filters.categories.splice(i, 1)}
-                >
-                  {#if type === "include"}
-                    포함:
-                  {:else}
-                    제외:
-                  {/if}
-                  {info.name}
-                </Chip>
-              {/each}
-              <Chip onclick={() => openSelectCategoryBottomSheet("include")}>+ 포함</Chip>
-              <Chip onclick={() => openSelectCategoryBottomSheet("exclude")}>- 제외</Chip>
-            </div>
-          </div>
-        {/if}
-      </div>
-    </div>
-    {#if hasAnyFilter}
-      <div class="flex flex-grow flex-col space-y-2 bg-white p-4">
-        <p class="text-lg font-bold text-gray-800">검색 결과</p>
-        {#if result.length > 0}
-          <RowVirtualizer
-            count={result.length}
-            getItemKey={(index) => `${result[index]!.type}-${result[index]!.id}`}
-            estimateItemHeight={() => 56}
-            itemGap={4}
-          >
-            {#snippet item(index)}
-              {@const info = result[index]!}
-              {#if info.type === "directory"}
-                <Directory {info} onclick={() => goto(`/directory/${info.id}?from=search`)} />
-              {:else}
-                <File {info} onclick={() => goto(`/file/${info.id}?from=search`)} />
-              {/if}
-            {/snippet}
-          </RowVirtualizer>
-        {:else}
-          <div class="flex flex-grow items-center justify-center py-8">
-            <p class="text-gray-500">검색 결과가 없어요.</p>
-          </div>
-        {/if}
-      </div>
-    {/if}
-  </div>
-</FullscreenDiv>
-
-<SelectCategoryBottomSheet
-  bind:isOpen={isSelectCategoryBottomSheetOpen}
-  mode={categorySelectMode}
-  onSelectCategoryClick={addCategoryFilter}
-/>

src/routes/(fullscreen)/search/+page.ts

@@ -1,18 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { z } from "zod";
-import type { PageLoad } from "./$types";
-
-export const load: PageLoad = ({ url }) => {
-  const directoryId = url.searchParams.get("directoryId");
-
-  const zodRes = z
-    .object({
-      directoryId: z.coerce.number().int().positive().nullable(),
-    })
-    .safeParse({ directoryId });
-  if (!zodRes.success) error(400, "Invalid query parameters");
-
-  return {
-    directoryId: zodRes.data.directoryId,
-  };
-};

src/routes/(fullscreen)/search/Directory.svelte

@@ -1,16 +0,0 @@
-<script lang="ts">
-  import { ActionEntryButton } from "$lib/components/atoms";
-  import { DirectoryEntryLabel } from "$lib/components/molecules";
-  import type { SubDirectoryInfo } from "$lib/modules/filesystem";
-
-  interface Props {
-    info: SubDirectoryInfo;
-    onclick: () => void;
-  }
-
-  let { info, onclick }: Props = $props();
-</script>
-
-<ActionEntryButton class="h-14" {onclick}>
-  <DirectoryEntryLabel type="directory" name={info.name} />
-</ActionEntryButton>

src/routes/(fullscreen)/search/File.svelte

@@ -1,25 +0,0 @@
-<script lang="ts">
-  import { ActionEntryButton } from "$lib/components/atoms";
-  import { DirectoryEntryLabel } from "$lib/components/molecules";
-  import { getFileThumbnail } from "$lib/modules/file";
-  import type { SummarizedFileInfo } from "$lib/modules/filesystem";
-  import { formatDateTime } from "$lib/utils";
-
-  interface Props {
-    info: SummarizedFileInfo;
-    onclick: () => void;
-  }
-
-  let { info, onclick }: Props = $props();
-
-  let thumbnail = $derived(getFileThumbnail(info));
-</script>
-
-<ActionEntryButton class="h-14" {onclick}>
-  <DirectoryEntryLabel
-    type="file"
-    thumbnail={$thumbnail}
-    name={info.name}
-    subtext={formatDateTime(info.createdAt ?? info.lastModifiedAt)}
-  />
-</ActionEntryButton>

src/routes/(fullscreen)/search/SearchBar.svelte

@@ -1,27 +0,0 @@
-<script lang="ts">
-  import type { ClassValue } from "svelte/elements";
-
-  import IconArrowBack from "~icons/material-symbols/arrow-back";
-
-  interface Props {
-    class?: ClassValue;
-    value: string;
-  }
-
-  let { class: className, value = $bindable() }: Props = $props();
-</script>
-
-<div class={["sticky top-0 z-10 flex items-center gap-x-2 px-2 py-3 backdrop-blur-2xl", className]}>
-  <button
-    onclick={() => history.back()}
-    class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-black active:bg-opacity-[0.04]"
-  >
-    <IconArrowBack class="text-2xl" />
-  </button>
-  <input
-    bind:value
-    type="text"
-    placeholder="검색"
-    class="mr-1 h-[2.3rem] flex-grow rounded-lg bg-gray-100 px-3 py-1.5 placeholder-gray-600 focus:outline-none"
-  />
-</div>

src/routes/(fullscreen)/search/SelectCategoryBottomSheet.svelte

@@ -1,54 +0,0 @@
-<script lang="ts">
-  import { BottomDiv, BottomSheet, Button, FullscreenDiv } from "$lib/components/atoms";
-  import { SubCategories } from "$lib/components/molecules";
-  import {
-    getCategoryInfo,
-    type LocalCategoryInfo,
-    type MaybeCategoryInfo,
-  } from "$lib/modules/filesystem";
-  import { masterKeyStore } from "$lib/stores";
-  import { HybridPromise } from "$lib/utils";
-
-  interface Props {
-    isOpen: boolean;
-    mode: "include" | "exclude";
-    onSelectCategoryClick: (category: LocalCategoryInfo) => void;
-  }
-
-  let { isOpen = $bindable(), mode, onSelectCategoryClick }: Props = $props();
-
-  let categoryInfo: MaybeCategoryInfo | undefined = $state();
-
-  $effect(() => {
-    if (isOpen) {
-      HybridPromise.resolve(getCategoryInfo("root", $masterKeyStore?.get(1)?.key!)).then(
-        (result) => (categoryInfo = result),
-      );
-    }
-  });
-</script>
-
-{#if categoryInfo?.exists}
-  <BottomSheet bind:isOpen class="flex flex-col">
-    <FullscreenDiv>
-      <SubCategories
-        class="py-4"
-        info={categoryInfo}
-        onSubCategoryClick={({ id }) =>
-          HybridPromise.resolve(getCategoryInfo(id, $masterKeyStore?.get(1)?.key!)).then(
-            (result) => (categoryInfo = result),
-          )}
-      />
-      {#if categoryInfo.id !== "root"}
-        <BottomDiv>
-          <Button
-            onclick={() => onSelectCategoryClick(categoryInfo as LocalCategoryInfo)}
-            class="w-full"
-          >
-            {categoryInfo.name} 카테고리 {mode === "include" ? "꼭 포함하기" : "제외하기"}
-          </Button>
-        </BottomDiv>
-      {/if}
-    </FullscreenDiv>
-  </BottomSheet>
-{/if}

src/routes/(fullscreen)/search/service.ts

@@ -1,77 +0,0 @@
-import {
-  decryptDirectoryMetadata,
-  decryptFileMetadata,
-  getDirectoryInfo,
-  getFileInfo,
-  type LocalDirectoryInfo,
-  type FileInfo,
-  type LocalCategoryInfo,
-} from "$lib/modules/filesystem";
-import { HybridPromise } from "$lib/utils";
-import { trpc } from "$trpc/client";
-
-export interface SearchFilter {
-  ancestorId: DirectoryId;
-  categories: { info: LocalCategoryInfo; type: "include" | "exclude" }[];
-}
-
-export interface SearchResult {
-  directories: LocalDirectoryInfo[];
-  files: FileInfo[];
-}
-
-export const requestSearch = async (filter: SearchFilter, masterKey: CryptoKey) => {
-  const { directories: directoriesRaw, files: filesRaw } = await trpc().search.search.query({
-    ancestor: filter.ancestorId,
-    includeCategories: filter.categories
-      .filter(({ type }) => type === "include")
-      .map(({ info }) => info.id),
-    excludeCategories: filter.categories
-      .filter(({ type }) => type === "exclude")
-      .map(({ info }) => info.id),
-  });
-
-  const [directories, files] = await HybridPromise.all([
-    HybridPromise.all(
-      directoriesRaw.map((directory) =>
-        HybridPromise.resolve(
-          getDirectoryInfo(directory.id, masterKey, {
-            async fetchFromServer(id, cachedInfo, masterKey) {
-              const metadata = await decryptDirectoryMetadata(directory, masterKey);
-              return {
-                subDirectories: [],
-                files: [],
-                ...cachedInfo,
-                id: id as number,
-                exists: true,
-                parentId: directory.parent,
-                ...metadata,
-              };
-            },
-          }),
-        ),
-      ),
-    ),
-    HybridPromise.all(
-      filesRaw.map((file) =>
-        HybridPromise.resolve(
-          getFileInfo(file.id, masterKey, {
-            async fetchFromServer(id, cachedInfo, masterKey) {
-              const metadata = await decryptFileMetadata(file, masterKey);
-              return {
-                categories: [],
-                ...cachedInfo,
-                id: id as number,
-                exists: true,
-                parentId: file.parent,
-                contentType: file.contentType,
-                ...metadata,
-              };
-            },
-          }),
-        ),
-      ),
-    ),
-  ]);
-  return { directories, files } as SearchResult;
-};

src/routes/(fullscreen)/settings/migration/+page.server.ts

@@ -1,7 +0,0 @@
-import { createCaller } from "$trpc/router.server";
-import type { PageServerLoad } from "./$types";
-
-export const load: PageServerLoad = async (event) => {
-  const files = await createCaller(event).file.listLegacy();
-  return { files };
-};

src/routes/(fullscreen)/settings/migration/+page.svelte

@@ -1,82 +0,0 @@
-<script lang="ts">
-  import { onMount } from "svelte";
-  import { goto } from "$app/navigation";
-  import { BottomDiv, Button, FullscreenDiv } from "$lib/components/atoms";
-  import { TopBar } from "$lib/components/molecules";
-  import type { MaybeFileInfo } from "$lib/modules/filesystem";
-  import { masterKeyStore } from "$lib/stores";
-  import { sortEntries } from "$lib/utils";
-  import File from "./File.svelte";
-  import {
-    getMigrationState,
-    clearMigrationStates,
-    requestLegacyFiles,
-    requestFileMigration,
-  } from "./service.svelte";
-
-  let { data } = $props();
-
-  let fileInfos: MaybeFileInfo[] = $state([]);
-  let files = $derived(
-    fileInfos
-      .map((info) => ({
-        info,
-        state: getMigrationState(info.id),
-      }))
-      .filter((file) => file.state?.status !== "uploaded"),
-  );
-
-  const migrateAllFiles = () => {
-    files.forEach(({ info }) => {
-      if (info.exists) {
-        requestFileMigration(info);
-      }
-    });
-  };
-
-  onMount(async () => {
-    fileInfos = sortEntries(await requestLegacyFiles(data.files, $masterKeyStore?.get(1)?.key!));
-  });
-
-  $effect(() => clearMigrationStates);
-</script>
-
-<svelte:head>
-  <title>암호화 마이그레이션</title>
-</svelte:head>
-
-<TopBar title="암호화 마이그레이션" />
-<FullscreenDiv>
-  {#if files.length > 0}
-    <div class="space-y-4 pb-4">
-      <p class="break-keep text-gray-800">
-        이전 버전의 ArkVault에서 업로드된 {files.length}개 파일을 다시 암호화할 수 있어요.
-      </p>
-      <div class="space-y-2">
-        {#each files as { info, state } (info.id)}
-          {#if info.exists}
-            <File
-              {info}
-              {state}
-              onclick={({ id }) => goto(`/file/${id}`)}
-              onMigrateClick={requestFileMigration}
-            />
-          {/if}
-        {/each}
-      </div>
-    </div>
-    <BottomDiv>
-      <Button onclick={migrateAllFiles} class="w-full">모두 다시 암호화하기</Button>
-    </BottomDiv>
-  {:else}
-    <div class="flex flex-grow items-center justify-center">
-      <p class="text-gray-500">
-        {#if data.files.length === 0}
-          마이그레이션할 파일이 없어요.
-        {:else}
-          파일 목록을 불러오고 있어요.
-        {/if}
-      </p>
-    </div>
-  {/if}
-</FullscreenDiv>

src/routes/(fullscreen)/settings/migration/File.svelte

@@ -1,52 +0,0 @@
-<script module lang="ts">
-  const subtexts = {
-    queued: "대기 중",
-    downloading: "다운로드하는 중",
-    "upload-pending": "업로드를 기다리는 중",
-    uploaded: "",
-    error: "실패",
-  } as const;
-</script>
-
-<script lang="ts">
-  import { ActionEntryButton } from "$lib/components/atoms";
-  import { DirectoryEntryLabel } from "$lib/components/molecules";
-  import type { FileInfo } from "$lib/modules/filesystem";
-  import { formatDateTime, formatNetworkSpeed } from "$lib/utils";
-  import type { MigrationState } from "./service.svelte";
-
-  import IconSync from "~icons/material-symbols/sync";
-
-  type FileInfoWithExists = FileInfo & { exists: true };
-
-  interface Props {
-    info: FileInfoWithExists;
-    onclick: (file: FileInfo) => void;
-    onMigrateClick: (file: FileInfoWithExists) => void;
-    state: MigrationState | undefined;
-  }
-
-  let { info, onclick, onMigrateClick, state }: Props = $props();
-
-  let subtext = $derived.by(() => {
-    if (!state) {
-      return formatDateTime(info.createdAt ?? info.lastModifiedAt);
-    }
-    if (state.status === "uploading") {
-      const progress = Math.floor((state.progress ?? 0) * 100);
-      const speed = formatNetworkSpeed((state.rate ?? 0) * 8);
-      return `전송됨 ${progress}% · ${speed}`;
-    }
-    return subtexts[state.status] ?? state.status;
-  });
-</script>
-
-<ActionEntryButton
-  class="h-14"
-  onclick={() => onclick(info)}
-  actionButtonIcon={!state || state.status === "error" ? IconSync : undefined}
-  onActionButtonClick={() => onMigrateClick(info)}
-  actionButtonClass="text-gray-800"
->
-  <DirectoryEntryLabel type="file" name={info.name} {subtext} />
-</ActionEntryButton>

src/routes/(fullscreen)/settings/migration/service.svelte.ts

@@ -1,140 +0,0 @@
-import { limitFunction } from "p-limit";
-import { SvelteMap } from "svelte/reactivity";
-import { CHUNK_SIZE } from "$lib/constants";
-import {
-  decryptFileMetadata,
-  getFileInfo,
-  type FileInfo,
-  type MaybeFileInfo,
-} from "$lib/modules/filesystem";
-import { uploadBlob } from "$lib/modules/upload";
-import { requestFileDownload } from "$lib/services/file";
-import { HybridPromise, Scheduler } from "$lib/utils";
-import { trpc } from "$trpc/client";
-import type { RouterOutputs } from "$trpc/router.server";
-
-export type MigrationStatus =
-  | "queued"
-  | "downloading"
-  | "upload-pending"
-  | "uploading"
-  | "uploaded"
-  | "error";
-
-export interface MigrationState {
-  status: MigrationStatus;
-  progress?: number;
-  rate?: number;
-}
-
-const scheduler = new Scheduler();
-const states = new SvelteMap<number, MigrationState>();
-
-export const requestLegacyFiles = async (
-  filesRaw: RouterOutputs["file"]["listLegacy"],
-  masterKey: CryptoKey,
-) => {
-  const files = await HybridPromise.all(
-    filesRaw.map((file) =>
-      HybridPromise.resolve(
-        getFileInfo(file.id, masterKey, {
-          async fetchFromServer(id, cachedInfo, masterKey) {
-            const metadata = await decryptFileMetadata(file, masterKey);
-            return {
-              categories: [],
-              ...cachedInfo,
-              id: id as number,
-              exists: true,
-              isLegacy: file.isLegacy,
-              parentId: file.parent,
-              contentType: file.contentType,
-              ...metadata,
-            };
-          },
-        }),
-      ),
-    ),
-  );
-
-  return files as MaybeFileInfo[];
-};
-
-const createState = (status: MigrationStatus): MigrationState => {
-  const state = $state({ status });
-  return state;
-};
-
-export const getMigrationState = (fileId: number) => {
-  return states.get(fileId);
-};
-
-export const clearMigrationStates = () => {
-  for (const [id, state] of states) {
-    if (state.status === "uploaded" || state.status === "error") {
-      states.delete(id);
-    }
-  }
-};
-
-const requestFileUpload = limitFunction(
-  async (
-    state: MigrationState,
-    fileId: number,
-    fileBuffer: ArrayBuffer,
-    dataKey: CryptoKey,
-    dataKeyVersion: Date,
-  ) => {
-    state.status = "uploading";
-
-    const { uploadId } = await trpc().upload.startMigrationUpload.mutate({
-      file: fileId,
-      chunks: Math.ceil(fileBuffer.byteLength / CHUNK_SIZE),
-      dekVersion: dataKeyVersion,
-    });
-
-    await uploadBlob(uploadId, new Blob([fileBuffer]), dataKey, {
-      onProgress(s) {
-        state.progress = s.progress;
-        state.rate = s.rate;
-      },
-    });
-
-    await trpc().upload.completeMigrationUpload.mutate({ uploadId });
-    state.status = "uploaded";
-  },
-  { concurrency: 1 },
-);
-
-export const requestFileMigration = async (fileInfo: FileInfo) => {
-  let state = states.get(fileInfo.id);
-  if (state) {
-    if (state.status !== "error") return;
-    state.status = "queued";
-    state.progress = undefined;
-    state.rate = undefined;
-  } else {
-    state = createState("queued");
-    states.set(fileInfo.id, state);
-  }
-
-  try {
-    const dataKey = fileInfo.dataKey;
-    if (!dataKey) {
-      throw new Error("Data key not available");
-    }
-
-    let fileBuffer: ArrayBuffer | undefined;
-
-    await scheduler.schedule(
-      async () => {
-        state.status = "downloading";
-        fileBuffer = await requestFileDownload(fileInfo.id, dataKey.key, true);
-        return fileBuffer.byteLength;
-      },
-      () => requestFileUpload(state, fileInfo.id, fileBuffer!, dataKey.key, dataKey.version),
-    );
-  } catch (e) {
-    state.status = "error";
-    throw e;
-  }
-};

src/routes/(fullscreen)/settings/thumbnail/+page.svelte

@@ -4,14 +4,13 @@
   import { BottomDiv, Button, FullscreenDiv } from "$lib/components/atoms";
   import { IconEntryButton, TopBar } from "$lib/components/molecules";
   import { deleteAllFileThumbnailCaches } from "$lib/modules/file";
-  import type { MaybeFileInfo } from "$lib/modules/filesystem";
+  import { bulkGetFileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
   import { masterKeyStore } from "$lib/stores";
   import { sortEntries } from "$lib/utils";
   import File from "./File.svelte";
   import {
     getThumbnailGenerationStatus,
     clearThumbnailGenerationStatuses,
-    requestMissingThumbnailFiles,
     requestThumbnailGeneration,
     type GenerationStatus,
   } from "./service";
@@ -43,7 +42,7 @@
 
   onMount(async () => {
     fileInfos = sortEntries(
-      await requestMissingThumbnailFiles(data.files, $masterKeyStore?.get(1)?.key!),
+      Array.from((await bulkGetFileInfo(data.files, $masterKeyStore?.get(1)?.key!)).values()),
     );
   });
 

src/routes/(fullscreen)/settings/thumbnail/File.svelte

@@ -3,6 +3,7 @@
     queued: "대기 중",
     "generation-pending": "준비 중",
     generating: "생성하는 중",
+    "upload-pending": "업로드를 기다리는 중",
     uploading: "업로드하는 중",
     error: "실패",
   } as const;

src/routes/(fullscreen)/settings/thumbnail/service.ts

@@ -1,21 +1,17 @@
 import { limitFunction } from "p-limit";
 import { SvelteMap } from "svelte/reactivity";
+import { encryptData } from "$lib/modules/crypto";
 import { storeFileThumbnailCache } from "$lib/modules/file";
-import {
-  decryptFileMetadata,
-  getFileInfo,
-  type FileInfo,
-  type MaybeFileInfo,
-} from "$lib/modules/filesystem";
-import { generateThumbnail } from "$lib/modules/thumbnail";
+import type { FileInfo } from "$lib/modules/filesystem";
+import { Scheduler } from "$lib/modules/scheduler";
+import { generateThumbnail as doGenerateThumbnail } from "$lib/modules/thumbnail";
 import { requestFileDownload, requestFileThumbnailUpload } from "$lib/services/file";
-import { HybridPromise, Scheduler } from "$lib/utils";
-import type { RouterOutputs } from "$trpc/router.server";
 
 export type GenerationStatus =
   | "queued"
   | "generation-pending"
   | "generating"
+  | "upload-pending"
   | "uploading"
   | "uploaded"
   | "error";
@@ -35,56 +31,33 @@ export const clearThumbnailGenerationStatuses = () => {
   }
 };
 
-export const requestMissingThumbnailFiles = async (
-  filesRaw: RouterOutputs["file"]["listWithoutThumbnail"],
-  masterKey: CryptoKey,
-) => {
-  const files = await HybridPromise.all(
-    filesRaw.map((file) =>
-      HybridPromise.resolve(
-        getFileInfo(file.id, masterKey, {
-          async fetchFromServer(id, cachedInfo, masterKey) {
-            const metadata = await decryptFileMetadata(file, masterKey);
-            return {
-              categories: [],
-              ...cachedInfo,
-              id: id as number,
-              exists: true,
-              isLegacy: file.isLegacy,
-              parentId: file.parent,
-              contentType: file.contentType,
-              ...metadata,
-            };
-          },
-        }),
-      ),
-    ),
-  );
+const generateThumbnail = limitFunction(
+  async (fileId: number, fileBuffer: ArrayBuffer, fileType: string, dataKey: CryptoKey) => {
+    statuses.set(fileId, "generating");
 
-  return files as MaybeFileInfo[];
-};
+    const thumbnail = await doGenerateThumbnail(fileBuffer, fileType);
+    if (!thumbnail) return null;
+
+    const thumbnailBuffer = await thumbnail.arrayBuffer();
+    const thumbnailEncrypted = await encryptData(thumbnailBuffer, dataKey);
+    statuses.set(fileId, "upload-pending");
+    return { plaintext: thumbnailBuffer, ...thumbnailEncrypted };
+  },
+  { concurrency: 4 },
+);
 
 const requestThumbnailUpload = limitFunction(
-  async (fileInfo: FileInfo, fileBuffer: ArrayBuffer) => {
-    statuses.set(fileInfo.id, "generating");
+  async (
+    fileId: number,
+    dataKeyVersion: Date,
+    thumbnail: { plaintext: ArrayBuffer; ciphertext: ArrayBuffer; iv: string },
+  ) => {
+    statuses.set(fileId, "uploading");
 
-    const thumbnail = await generateThumbnail(
-      new Blob([fileBuffer], { type: fileInfo.contentType }),
-    );
-    if (!thumbnail) return false;
-
-    statuses.set(fileInfo.id, "uploading");
-
-    const res = await requestFileThumbnailUpload(
-      fileInfo.id,
-      thumbnail,
-      fileInfo.dataKey?.key!,
-      fileInfo.dataKey?.version!,
-    );
-    if (!res) return false;
-
-    statuses.set(fileInfo.id, "uploaded");
-    void thumbnail.arrayBuffer().then((buffer) => storeFileThumbnailCache(fileInfo.id, buffer));
+    const res = await requestFileThumbnailUpload(fileId, dataKeyVersion, thumbnail);
+    if (!res.ok) return false;
+    statuses.set(fileId, "uploaded");
+    storeFileThumbnailCache(fileId, thumbnail.plaintext); // Intended
     return true;
   },
   { concurrency: 4 },
@@ -104,11 +77,20 @@ export const requestThumbnailGeneration = async (fileInfo: FileInfo) => {
     await scheduler.schedule(
       async () => {
         statuses.set(fileInfo.id, "generation-pending");
-        file = await requestFileDownload(fileInfo.id, fileInfo.dataKey?.key!, fileInfo.isLegacy!);
+        file = await requestFileDownload(fileInfo.id, fileInfo.contentIv!, fileInfo.dataKey?.key!);
         return file.byteLength;
       },
       async () => {
-        if (!(await requestThumbnailUpload(fileInfo, file!))) {
+        const thumbnail = await generateThumbnail(
+          fileInfo.id,
+          file!,
+          fileInfo.contentType,
+          fileInfo.dataKey?.key!,
+        );
+        if (
+          !thumbnail ||
+          !(await requestThumbnailUpload(fileInfo.id, fileInfo.dataKey?.version!, thumbnail))
+        ) {
           statuses.set(fileInfo.id, "error");
         }
       },

src/routes/(main)/category/[[id]]/+page.svelte

@@ -76,7 +76,7 @@
 <div class="min-h-full bg-gray-100 pb-[5.5em]">
   {#if info?.exists}
     <div class="space-y-4">
-      <div class="space-y-2 bg-white p-4">
+      <div class="space-y-4 bg-white p-4">
         {#if info.id !== "root"}
           <p class="text-lg font-bold text-gray-800">하위 카테고리</p>
         {/if}
@@ -84,7 +84,6 @@
           {info}
           onSubCategoryClick={({ id }) => goto(`/category/${id}`)}
           onSubCategoryCreateClick={() => (isCategoryCreateModalOpen = true)}
-          subCategoryCreatePosition="bottom"
           onSubCategoryMenuClick={(subCategory) => {
             context.selectedCategory = subCategory;
             isCategoryMenuBottomSheetOpen = true;
@@ -93,19 +92,14 @@
         />
       </div>
       {#if info.id !== "root"}
-        <div class="space-y-2 bg-white p-4">
+        <div class="space-y-4 bg-white p-4">
           <div class="flex items-center justify-between">
             <p class="text-lg font-bold text-gray-800">파일</p>
             <CheckBox bind:checked={info.isFileRecursive}>
               <p class="font-medium">하위 카테고리의 파일</p>
             </CheckBox>
           </div>
-          <RowVirtualizer
-            count={files.length}
-            getItemKey={(index) => files[index]!.details.id}
-            estimateItemHeight={() => 48}
-            itemGap={4}
-          >
+          <RowVirtualizer count={files.length} itemHeight={() => 48} itemGap={4}>
             {#snippet item(index)}
               {@const { details } = files[index]!}
               <File

src/routes/(main)/directory/[[id]]/+page.svelte

@@ -25,7 +25,6 @@
     requestEntryDeletion,
   } from "./service.svelte";
 
-  import IconSearch from "~icons/material-symbols/search";
   import IconAdd from "~icons/material-symbols/add";
 
   let { data } = $props();
@@ -44,26 +43,15 @@
   let isEntryRenameModalOpen = $state(false);
   let isEntryDeleteModalOpen = $state(false);
 
-  let showParentEntry = $derived(
-    ["file", "search"].includes(page.url.searchParams.get("from") ?? ""),
-  );
-  let showBackButton = $derived(data.id !== "root" || showParentEntry);
-
-  const onSearchClick = async () => {
-    const params = new URLSearchParams();
-    if (data.id !== "root") {
-      params.set("directoryId", data.id.toString());
-    }
-    const query = params.toString();
-    await goto(`/search${query ? `?${query}` : ""}`);
-  };
+  let isFromFilePage = $derived(page.url.searchParams.get("from") === "file");
+  let showTopBar = $derived(data.id !== "root" || isFromFilePage);
 
   const uploadFile = () => {
     const files = fileInput?.files;
     if (!files || files.length === 0) return;
 
     for (const file of files) {
-      requestFileUpload(file, data.id, $masterKeyStore?.get(1)!, $hmacSecretStore?.get(1)!, () => {
+      requestFileUpload(file, data.id, $hmacSecretStore?.get(1)!, $masterKeyStore?.get(1)!, () => {
         return new Promise((resolve) => {
           duplicatedFile = file;
           resolveForDuplicateFileModal = resolve;
@@ -108,16 +96,11 @@
 <input bind:this={fileInput} onchange={uploadFile} type="file" multiple class="hidden" />
 
 <div class="flex h-full flex-col">
-  <TopBar title={info?.name ?? "내 파일"} {showBackButton} class="flex-shrink-0">
-    <button
-      onclick={onSearchClick}
-      class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-black active:bg-opacity-[0.04]"
-    >
-      <IconSearch class="text-2xl" />
-    </button>
-  </TopBar>
+  {#if showTopBar}
+    <TopBar title={info?.name} class="flex-shrink-0" />
+  {/if}
   {#if info?.exists}
-    <div class="flex flex-grow flex-col px-4 pb-4">
+    <div class={["flex flex-grow flex-col px-4 pb-4", !showTopBar && "pt-4"]}>
       <div class="flex gap-x-2">
         <UploadStatusCard onclick={() => goto("/file/uploads")} />
         <DownloadStatusCard onclick={() => goto("/file/downloads")} />
@@ -130,12 +113,12 @@
             context.selectedEntry = entry;
             isEntryMenuBottomSheetOpen = true;
           }}
-          showParentEntry={showParentEntry && data.id !== "root"}
+          showParentEntry={isFromFilePage && info.parentId !== undefined}
           onParentClick={() =>
             goto(
               info!.parentId === "root"
-                ? `/directory?from=${page.url.searchParams.get("from")}`
-                : `/directory/${info!.parentId}?from=${page.url.searchParams.get("from")}`,
+                ? "/directory?from=file"
+                : `/directory/${info!.parentId}?from=file`,
             )}
         />
       {/key}

src/routes/(main)/directory/[[id]]/DirectoryEntries/DirectoryEntries.svelte

@@ -46,16 +46,7 @@
 </script>
 
 {#if entries.length > 0}
-  <RowVirtualizer
-    count={entries.length}
-    getItemKey={(index) =>
-      entries[index]!.type !== "parent"
-        ? `${entries[index]!.type}-${entries[index]!.details.id}`
-        : entries[index]!.type!}
-    estimateItemHeight={() => 56}
-    itemGap={4}
-    class="pb-[4.5rem]"
-  >
+  <RowVirtualizer count={entries.length} itemHeight={() => 56} itemGap={4} class="pb-[4.5rem]">
     {#snippet item(index)}
       {@const entry = entries[index]!}
       {#if entry.type === "parent"}

src/routes/(main)/directory/[[id]]/service.svelte.ts

@@ -81,16 +81,14 @@ export const requestDirectoryCreation = async (
 export const requestFileUpload = async (
   file: File,
   parentId: "root" | number,
-  masterKey: MasterKey,
   hmacSecret: HmacSecret,
+  masterKey: MasterKey,
   onDuplicate: () => Promise<boolean>,
 ) => {
-  const res = await uploadFile(file, parentId, masterKey, hmacSecret, onDuplicate);
+  const res = await uploadFile(file, parentId, hmacSecret, masterKey, onDuplicate);
   if (!res) return false;
 
-  if (res.fileBuffer) {
   storeFileCache(res.fileId, res.fileBuffer); // Intended
-  }
   if (res.thumbnailBuffer) {
     storeFileThumbnailCache(res.fileId, res.thumbnailBuffer); // Intended
   }

src/routes/(main)/menu/+page.svelte

@@ -5,7 +5,6 @@
 
   import IconStorage from "~icons/material-symbols/storage";
   import IconImage from "~icons/material-symbols/image";
-  import IconLockReset from "~icons/material-symbols/lock-reset";
   import IconPassword from "~icons/material-symbols/password";
   import IconLogout from "~icons/material-symbols/logout";
 
@@ -42,13 +41,6 @@
     >
       썸네일
     </MenuEntryButton>
-    <MenuEntryButton
-      onclick={() => goto("/settings/migration")}
-      icon={IconLockReset}
-      iconColor="text-teal-500"
-    >
-      암호화 마이그레이션
-    </MenuEntryButton>
   </div>
   <div class="space-y-2">
     <p class="font-semibold">보안</p>

src/routes/api/file/[id]/[[thumbnail=thumbnail]]/download/+server.ts

@@ -1,44 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { z } from "zod";
-import { parseRangeHeader, getContentRangeHeader } from "$lib/modules/http";
-import { authorize } from "$lib/server/modules/auth";
-import { getFileStream, getFileThumbnailStream } from "$lib/server/services/file";
-import type { RequestHandler, RouteParams } from "./$types";
-
-const downloadHandler = async (locals: App.Locals, params: RouteParams, request: Request) => {
-  const { userId } = await authorize(locals, "activeClient");
-
-  const zodRes = z
-    .object({
-      id: z.coerce.number().int().positive(),
-    })
-    .safeParse(params);
-  if (!zodRes.success) error(400, "Invalid path parameters");
-  const { id } = zodRes.data;
-
-  const getStream = params.thumbnail ? getFileThumbnailStream : getFileStream;
-  const { encContentStream, range } = await getStream(
-    userId,
-    id,
-    parseRangeHeader(request.headers.get("Range")),
-  );
-  return {
-    stream: encContentStream,
-    status: range ? 206 : 200,
-    headers: {
-      "Accept-Ranges": "bytes",
-      "Content-Length": String(range.end - range.start + 1),
-      "Content-Type": "application/octet-stream",
-      ...getContentRangeHeader(range),
-    },
-  };
-};
-
-export const GET: RequestHandler = async ({ locals, params, request }) => {
-  const { stream, ...init } = await downloadHandler(locals, params, request);
-  return new Response(stream as ReadableStream, init);
-};
-
-export const HEAD: RequestHandler = async ({ locals, params, request }) => {
-  return new Response(null, await downloadHandler(locals, params, request));
-};

src/routes/api/file/[id]/download/+server.ts

@@ -0,0 +1,25 @@
+import { error } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { getFileStream } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { encContentStream, encContentSize } = await getFileStream(userId, id);
+  return new Response(encContentStream as ReadableStream, {
+    headers: {
+      "Content-Type": "application/octet-stream",
+      "Content-Length": encContentSize.toString(),
+    },
+  });
+};