activestorage 6.0.0

data/app/controllers/active_storage/base_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# The base class for all Active Storage controllers.
+class ActiveStorage::BaseController < ActionController::Base
+  include ActiveStorage::SetCurrent
+
+  protect_from_forgery with: :exception
+end

data/app/controllers/active_storage/blobs_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
+# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
+# security-through-obscurity factor of the signed blob references, you'll need to implement your own
+# authenticated redirection controller.
+class ActiveStorage::BlobsController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+
+  def show
+    expires_in ActiveStorage.service_urls_expire_in
+    redirect_to @blob.service_url(disposition: params[:disposition])
+  end
+end

data/app/controllers/active_storage/direct_uploads_controller.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# Creates a new blob on the server side in anticipation of a direct-to-service upload from the client side.
+# When the client-side upload is completed, the signed_blob_id can be submitted as part of the form to reference
+# the blob that was created up front.
+class ActiveStorage::DirectUploadsController < ActiveStorage::BaseController
+  def create
+    blob = ActiveStorage::Blob.create_before_direct_upload!(blob_args)
+    render json: direct_upload_json(blob)
+  end
+
+  private
+    def blob_args
+      params.require(:blob).permit(:filename, :byte_size, :checksum, :content_type, :metadata).to_h.symbolize_keys
+    end
+
+    def direct_upload_json(blob)
+      blob.as_json(root: false, methods: :signed_id).merge(direct_upload: {
+        url: blob.service_url_for_direct_upload,
+        headers: blob.service_headers_for_direct_upload
+      })
+    end
+end

data/app/controllers/active_storage/disk_controller.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+# Serves files stored with the disk service in the same way that the cloud services do.
+# This means using expiring, signed URLs that are meant for immediate access, not permanent linking.
+# Always go through the BlobsController, or your own authenticated controller, rather than directly
+# to the service URL.
+class ActiveStorage::DiskController < ActiveStorage::BaseController
+  skip_forgery_protection
+
+  def show
+    if key = decode_verified_key
+      serve_file disk_service.path_for(key[:key]), content_type: key[:content_type], disposition: key[:disposition]
+    else
+      head :not_found
+    end
+  rescue Errno::ENOENT
+    head :not_found
+  end
+
+  def update
+    if token = decode_verified_token
+      if acceptable_content?(token)
+        disk_service.upload token[:key], request.body, checksum: token[:checksum]
+      else
+        head :unprocessable_entity
+      end
+    else
+      head :not_found
+    end
+  rescue ActiveStorage::IntegrityError
+    head :unprocessable_entity
+  end
+
+  private
+    def disk_service
+      ActiveStorage::Blob.service
+    end
+
+
+    def decode_verified_key
+      ActiveStorage.verifier.verified(params[:encoded_key], purpose: :blob_key)
+    end
+
+    def serve_file(path, content_type:, disposition:)
+      Rack::File.new(nil).serving(request, path).tap do |(status, headers, body)|
+        self.status = status
+        self.response_body = body
+
+        headers.each do |name, value|
+          response.headers[name] = value
+        end
+
+        response.headers["Content-Type"] = content_type || DEFAULT_SEND_FILE_TYPE
+        response.headers["Content-Disposition"] = disposition || DEFAULT_SEND_FILE_DISPOSITION
+      end
+    end
+
+
+    def decode_verified_token
+      ActiveStorage.verifier.verified(params[:encoded_token], purpose: :blob_token)
+    end
+
+    def acceptable_content?(token)
+      token[:content_type] == request.content_mime_type && token[:content_length] == request.content_length
+    end
+end

data/app/controllers/active_storage/representations_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Take a signed permanent reference for a blob representation and turn it into an expiring service URL for download.
+# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
+# security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
+# authenticated redirection controller.
+class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+
+  def show
+    expires_in ActiveStorage.service_urls_expire_in
+    redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
+  end
+end

data/app/controllers/concerns/active_storage/set_blob.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActiveStorage::SetBlob #:nodoc:
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :set_blob
+  end
+
+  private
+    def set_blob
+      @blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id] || params[:signed_id])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      head :not_found
+    end
+end

data/app/controllers/concerns/active_storage/set_current.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Sets the <tt>ActiveStorage::Current.host</tt> attribute, which the disk service uses to generate URLs.
+# Include this concern in custom controllers that call ActiveStorage::Blob#service_url,
+# ActiveStorage::Variant#service_url, or ActiveStorage::Preview#service_url so the disk service can
+# generate URLs using the same host, protocol, and base path as the current request.
+module ActiveStorage::SetCurrent
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      ActiveStorage::Current.host = request.base_url
+    end
+  end
+end

data/app/javascript/activestorage/blob_record.js

@@ -0,0 +1,73 @@
+import { getMetaValue } from "./helpers"
+
+export class BlobRecord {
+  constructor(file, checksum, url) {
+    this.file = file
+
+    this.attributes = {
+      filename: file.name,
+      content_type: file.type,
+      byte_size: file.size,
+      checksum: checksum
+    }
+
+    this.xhr = new XMLHttpRequest
+    this.xhr.open("POST", url, true)
+    this.xhr.responseType = "json"
+    this.xhr.setRequestHeader("Content-Type", "application/json")
+    this.xhr.setRequestHeader("Accept", "application/json")
+    this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
+
+    const csrfToken = getMetaValue("csrf-token")
+    if (csrfToken != undefined) {
+      this.xhr.setRequestHeader("X-CSRF-Token", csrfToken)
+    }
+
+    this.xhr.addEventListener("load", event => this.requestDidLoad(event))
+    this.xhr.addEventListener("error", event => this.requestDidError(event))
+  }
+
+  get status() {
+    return this.xhr.status
+  }
+
+  get response() {
+    const { responseType, response } = this.xhr
+    if (responseType == "json") {
+      return response
+    } else {
+      // Shim for IE 11: https://connect.microsoft.com/IE/feedback/details/794808
+      return JSON.parse(response)
+    }
+  }
+
+  create(callback) {
+    this.callback = callback
+    this.xhr.send(JSON.stringify({ blob: this.attributes }))
+  }
+
+  requestDidLoad(event) {
+    if (this.status >= 200 && this.status < 300) {
+      const { response } = this
+      const { direct_upload } = response
+      delete response.direct_upload
+      this.attributes = response
+      this.directUploadData = direct_upload
+      this.callback(null, this.toJSON())
+    } else {
+      this.requestDidError(event)
+    }
+  }
+
+  requestDidError(event) {
+    this.callback(`Error creating Blob for "${this.file.name}". Status: ${this.status}`)
+  }
+
+  toJSON() {
+    const result = {}
+    for (const key in this.attributes) {
+      result[key] = this.attributes[key]
+    }
+    return result
+  }
+}

data/app/javascript/activestorage/blob_upload.js

@@ -0,0 +1,35 @@
+export class BlobUpload {
+  constructor(blob) {
+    this.blob = blob
+    this.file = blob.file
+
+    const { url, headers } = blob.directUploadData
+
+    this.xhr = new XMLHttpRequest
+    this.xhr.open("PUT", url, true)
+    this.xhr.responseType = "text"
+    for (const key in headers) {
+      this.xhr.setRequestHeader(key, headers[key])
+    }
+    this.xhr.addEventListener("load", event => this.requestDidLoad(event))
+    this.xhr.addEventListener("error", event => this.requestDidError(event))
+  }
+
+  create(callback) {
+    this.callback = callback
+    this.xhr.send(this.file.slice())
+  }
+
+  requestDidLoad(event) {
+    const { status, response } = this.xhr
+    if (status >= 200 && status < 300) {
+      this.callback(null, response)
+    } else {
+      this.requestDidError(event)
+    }
+  }
+
+  requestDidError(event) {
+    this.callback(`Error storing "${this.file.name}". Status: ${this.xhr.status}`)
+  }
+}

data/app/javascript/activestorage/direct_upload.js

@@ -0,0 +1,48 @@
+import { FileChecksum } from "./file_checksum"
+import { BlobRecord } from "./blob_record"
+import { BlobUpload } from "./blob_upload"
+
+let id = 0
+
+export class DirectUpload {
+  constructor(file, url, delegate) {
+    this.id = ++id
+    this.file = file
+    this.url = url
+    this.delegate = delegate
+  }
+
+  create(callback) {
+    FileChecksum.create(this.file, (error, checksum) => {
+      if (error) {
+        callback(error)
+        return
+      }
+
+      const blob = new BlobRecord(this.file, checksum, this.url)
+      notify(this.delegate, "directUploadWillCreateBlobWithXHR", blob.xhr)
+
+      blob.create(error => {
+        if (error) {
+          callback(error)
+        } else {
+          const upload = new BlobUpload(blob)
+          notify(this.delegate, "directUploadWillStoreFileWithXHR", upload.xhr)
+          upload.create(error => {
+            if (error) {
+              callback(error)
+            } else {
+              callback(null, blob.toJSON())
+            }
+          })
+        }
+      })
+    })
+  }
+}
+
+function notify(object, methodName, ...messages) {
+  if (object && typeof object[methodName] == "function") {
+    return object[methodName](...messages)
+  }
+}

data/app/javascript/activestorage/direct_upload_controller.js

@@ -0,0 +1,67 @@
+import { DirectUpload } from "./direct_upload"
+import { dispatchEvent } from "./helpers"
+
+export class DirectUploadController {
+  constructor(input, file) {
+    this.input = input
+    this.file = file
+    this.directUpload = new DirectUpload(this.file, this.url, this)
+    this.dispatch("initialize")
+  }
+
+  start(callback) {
+    const hiddenInput = document.createElement("input")
+    hiddenInput.type = "hidden"
+    hiddenInput.name = this.input.name
+    this.input.insertAdjacentElement("beforebegin", hiddenInput)
+
+    this.dispatch("start")
+
+    this.directUpload.create((error, attributes) => {
+      if (error) {
+        hiddenInput.parentNode.removeChild(hiddenInput)
+        this.dispatchError(error)
+      } else {
+        hiddenInput.value = attributes.signed_id
+      }
+
+      this.dispatch("end")
+      callback(error)
+    })
+  }
+
+  uploadRequestDidProgress(event) {
+    const progress = event.loaded / event.total * 100
+    if (progress) {
+      this.dispatch("progress", { progress })
+    }
+  }
+
+  get url() {
+    return this.input.getAttribute("data-direct-upload-url")
+  }
+
+  dispatch(name, detail = {}) {
+    detail.file = this.file
+    detail.id = this.directUpload.id
+    return dispatchEvent(this.input, `direct-upload:${name}`, { detail })
+  }
+
+  dispatchError(error) {
+    const event = this.dispatch("error", { error })
+    if (!event.defaultPrevented) {
+      alert(error)
+    }
+  }
+
+  // DirectUpload delegate
+
+  directUploadWillCreateBlobWithXHR(xhr) {
+    this.dispatch("before-blob-request", { xhr })
+  }
+
+  directUploadWillStoreFileWithXHR(xhr) {
+    this.dispatch("before-storage-request", { xhr })
+    xhr.upload.addEventListener("progress", event => this.uploadRequestDidProgress(event))
+  }
+}

data/app/javascript/activestorage/direct_uploads_controller.js

@@ -0,0 +1,50 @@
+import { DirectUploadController } from "./direct_upload_controller"
+import { findElements, dispatchEvent, toArray } from "./helpers"
+
+const inputSelector = "input[type=file][data-direct-upload-url]:not([disabled])"
+
+export class DirectUploadsController {
+  constructor(form) {
+    this.form = form
+    this.inputs = findElements(form, inputSelector).filter(input => input.files.length)
+  }
+
+  start(callback) {
+    const controllers = this.createDirectUploadControllers()
+
+    const startNextController = () => {
+      const controller = controllers.shift()
+      if (controller) {
+        controller.start(error => {
+          if (error) {
+            callback(error)
+            this.dispatch("end")
+          } else {
+            startNextController()
+          }
+        })
+      } else {
+        callback()
+        this.dispatch("end")
+      }
+    }
+
+    this.dispatch("start")
+    startNextController()
+  }
+
+  createDirectUploadControllers() {
+    const controllers = []
+    this.inputs.forEach(input => {
+      toArray(input.files).forEach(file => {
+        const controller = new DirectUploadController(input, file)
+        controllers.push(controller)
+      })
+    })
+    return controllers
+  }
+
+  dispatch(name, detail = {}) {
+    return dispatchEvent(this.form, `direct-uploads:${name}`, { detail })
+  }
+}

data/app/javascript/activestorage/file_checksum.js

@@ -0,0 +1,53 @@
+import SparkMD5 from "spark-md5"
+
+const fileSlice = File.prototype.slice || File.prototype.mozSlice || File.prototype.webkitSlice
+
+export class FileChecksum {
+  static create(file, callback) {
+    const instance = new FileChecksum(file)
+    instance.create(callback)
+  }
+
+  constructor(file) {
+    this.file = file
+    this.chunkSize = 2097152 // 2MB
+    this.chunkCount = Math.ceil(this.file.size / this.chunkSize)
+    this.chunkIndex = 0
+  }
+
+  create(callback) {
+    this.callback = callback
+    this.md5Buffer = new SparkMD5.ArrayBuffer
+    this.fileReader = new FileReader
+    this.fileReader.addEventListener("load", event => this.fileReaderDidLoad(event))
+    this.fileReader.addEventListener("error", event => this.fileReaderDidError(event))
+    this.readNextChunk()
+  }
+
+  fileReaderDidLoad(event) {
+    this.md5Buffer.append(event.target.result)
+
+    if (!this.readNextChunk()) {
+      const binaryDigest = this.md5Buffer.end(true)
+      const base64digest = btoa(binaryDigest)
+      this.callback(null, base64digest)
+    }
+  }
+
+  fileReaderDidError(event) {
+    this.callback(`Error reading ${this.file.name}`)
+  }
+
+  readNextChunk() {
+    if (this.chunkIndex < this.chunkCount || (this.chunkIndex == 0 && this.chunkCount == 0)) {
+      const start = this.chunkIndex * this.chunkSize
+      const end = Math.min(start + this.chunkSize, this.file.size)
+      const bytes = fileSlice.call(this.file, start, end)
+      this.fileReader.readAsArrayBuffer(bytes)
+      this.chunkIndex++
+      return true
+    } else {
+      return false
+    }
+  }
+}