@anteros/core 0.0.1 → 0.0.2-alpha.0

package/lib/files.ts

@@ -6,7 +6,7 @@ import type { FileCollection } from "../types/file";
 import path from "path";
 import fs from "fs/promises";
 import { createReadStream, existsSync, mkdirSync } from "fs";
-import crypto from "crypto";
+import { ObjectId } from "mongodb";
 
 // ─── Storage Interface ──────────────────────────────────────────────────────
 
@@ -257,38 +257,50 @@ export async function handleUpload(options: UploadOptions): Promise<FileResult>
     });
   }
 
-  const id = crypto.randomUUID();
-  const storage = getStorageForCollection(collection, tenant_id);
-  const subpath = col.storage?.path || undefined;
-  const { path: filepath, size } = await storage.save(tenant_id, collection, file, { id, mimetype, subpath });
+  // Insert metadata first to get the MongoDB auto-generated ObjectId
+  let _id: string;
+  try {
+    const rest = new useRest({ tenant_id, internal: false, useHook: false, useCustomApi: false });
+    const result = await rest.db.collection(collection).insertOne({
+      _file: {
+        filename: '',
+        name: file.name,
+        mimetype,
+        size: 0,
+        url: '',
+      },
+      ...(data || {}),
+    });
+    _id = String(result.insertedId);
+  } catch (err) {
+    throw new AppError('Failed to save file metadata', {
+      code: 'FILE_METADATA_ERROR', status: 500,
+    });
+  }
 
+  // Save the physical file to storage
   const ext = path.extname(file.name);
-  const filename = `${id}${ext}`;
-
-  // Enregistrer les métadonnées en base si trackMetaData est activé
-  if (col.trackMetaData !== false) {
-    try {
-      const rest = new useRest({ tenant_id, internal: false, useHook: false, useCustomApi: false });
-      await rest.insertOne(collection, {
-        _id: id,
-        _file: {
-          filename,
-          name: file.name,
-          mimetype,
-          size,
-          url: `/files/${tenant_id}/${collection}/${filename}`,
-        },
-        ...(data || {}),
-      });
-    } catch (err) {
-      await storage.delete(tenant_id, collection, id, filename).catch(() => {});
-      throw new AppError('Failed to save file metadata', {
-        code: 'FILE_METADATA_ERROR', status: 500,
-      });
-    }
+  const filename = `${_id}${ext}`;
+  const storage = getStorageForCollection(collection, tenant_id);
+  const subpath = col.storage?.path || undefined;
+  const { path: filepath, size } = await storage.save(tenant_id, collection, file, { id: _id, mimetype, subpath });
+
+  // Update MongoDB with actual file info
+  const url = `/files/${tenant_id}/${collection}/${filename}`;
+  try {
+    const rest = new useRest({ tenant_id, internal: true, useHook: false, useCustomApi: false });
+    await rest.db.collection(collection).updateOne(
+      { _id: new ObjectId(_id) },
+      { $set: { '_file.filename': filename, '_file.size': size, '_file.url': url } },
+    );
+  } catch (err) {
+    await storage.delete(tenant_id, collection, _id, filename, subpath).catch(() => {});
+    throw new AppError('Failed to update file metadata', {
+      code: 'FILE_METADATA_ERROR', status: 500,
+    });
   }
 
-  // Réplication vers les destinations configurées
+  // Replicate to configured destinations
   if (col.replicate?.length) {
     replicateFile(filepath, filename, col.replicate).catch(err => {
       console.error('Replication failed:', err?.message || err);
@@ -296,13 +308,13 @@ export async function handleUpload(options: UploadOptions): Promise<FileResult>
   }
 
   return {
-    _id: id,
+    _id,
     _file: {
       filename,
       name: file.name,
       mimetype,
       size,
-      url: `/files/${tenant_id}/${collection}/${filename}`,
+      url,
     },
     ...(data || {}),
   };
@@ -352,12 +364,44 @@ export async function handleDelete(
   tenant_id: string,
   collection: string,
   fileId: string,
-  filename: string,
 ): Promise<void> {
   const storage = getStorageForCollection(collection, tenant_id);
   const col = getFileCollection(collection, tenant_id);
   const subpath = col?.storage?.path || undefined;
-  await storage.delete(tenant_id, collection, fileId, filename, subpath);
+
+  // Look up the document in MongoDB to get the stored filename
+  let filename: string | undefined;
+  try {
+    const rest = new useRest({ tenant_id, internal: true, useHook: false, useCustomApi: false });
+    const doc = await rest.db.collection(collection).findOne(
+      { _id: ObjectId.isValid(fileId) ? new ObjectId(fileId) : fileId },
+      { projection: { '_file.filename': 1 } },
+    );
+    filename = doc?._file?.filename;
+  } catch {}
+
+  // Delete the physical file from storage
+  if (filename) {
+    await storage.delete(tenant_id, collection, fileId, filename, subpath);
+  } else {
+    // Fallback: try common extensions using the fileId as base name
+    for (const ext of ['.jpg', '.jpeg', '.png', '.webp', '.avif', '.gif', '.svg', '.pdf', '.mp4', '.webm', '.mp3', '.wav', '.json', '.csv', '.zip', '']) {
+      try {
+        await storage.delete(tenant_id, collection, fileId, fileId + ext, subpath);
+        break;
+      } catch {}
+    }
+  }
+
+  // Delete the document from MongoDB
+  try {
+    const rest = new useRest({ tenant_id, internal: true, useHook: false, useCustomApi: false });
+    await rest.db.collection(collection).deleteOne({
+      _id: ObjectId.isValid(fileId) ? new ObjectId(fileId) : fileId,
+    });
+  } catch (err: any) {
+    console.error('Failed to delete file metadata:', err?.message || err);
+  }
 }
 
 // ─── Replication ──────────────────────────────────────────────────────────

package/package.json

@@ -1,13 +1,10 @@
 {
   "name": "@anteros/core",
   "module": "index.ts",
-  "version": "0.0.1",
+  "version": "0.0.2-alpha.0",
   "type": "module",
   "description": "Anteros Core",
   "private": false,
-  "bin": {
-    "datiox": "bin/d.ts"
-  },
   "engines": {
     "bun": ">=1.3.0"
   },
@@ -27,8 +24,7 @@
     "ioredis": "^5.11.1",
     "joi": "^18.2.1",
     "jose": "^6.2.3",
-    "mongodb": "^7.3.0",
-    "os": "^0.1.2",
+    "mongodb": "6.21.0",
     "socket.io": "^4.8.3",
     "ufo": "^1.6.4"
   }

package/server/api.ts

@@ -42,6 +42,59 @@ const ActionsValues = [
 
 
 
+// ─── File access helper ────────────────────────────────────────────────────
+
+async function checkFileAccess(
+    access: { [key: string]: boolean | ((ctx: any) => boolean | Promise<boolean>) | undefined } | undefined,
+    operation: string,
+    tenant_id: string,
+    c: any,
+): Promise<void> {
+    // No access config at all → deny (secure by default)
+    if (!access) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    const hasWildcard = access['*'] !== undefined;
+    const hasSpecific = access[operation] !== undefined;
+
+    // No matching rule at all → deny
+    if (!hasWildcard && !hasSpecific) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    // Specific rule takes precedence over wildcard
+    const rule = hasSpecific ? access[operation] : access['*'];
+    if (rule === undefined) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    // Boolean `true` → allow without requiring a token
+    if (typeof rule === 'boolean') {
+        if (!rule) {
+            throw new AppError(`${operation} not allowed`, { status: 401, code: 'ACCESS_DENIED' });
+        }
+        return;
+    }
+
+    // Function → requires a valid token
+    const t = c.get('token');
+    const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
+
+    if (accessToken.expired) {
+        throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
+    }
+    if (!accessToken.value) {
+        throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
+    }
+
+    const rest = new useRest({ internal: false, tenant_id });
+    const allowed = await (rule as Function)({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
+    if (!allowed) {
+        throw new AppError(`${operation} not allowed`, { status: 401, code: 'ACCESS_DENIED' });
+    }
+}
+
 function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
 
     // Crud API
@@ -567,29 +620,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colUpload) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colUpload?.api?.access?.upload) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colUpload.api.access.upload;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Upload not allowed', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colUpload?.api?.access as any, 'upload', tenant_id, c);
 
       const contentType = c.req.header('Content-Type') || '';
       if (!contentType.includes('multipart/form-data')) {
@@ -646,29 +677,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colServe) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colServe?.api?.access?.read) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colServe.api.access.read;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colServe?.api?.access as any, 'read', tenant_id, c);
 
       const filename = basename(c.req.param('file') as string);
       if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {
@@ -721,37 +730,14 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colDelete) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colDelete?.api?.access?.delete) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
+      await checkFileAccess(colDelete?.api?.access as any, 'delete', tenant_id, c);
 
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colDelete.api.access.delete;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
-
-      const filename = basename(c.req.param('file') as string);
-      if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {
-        throw new AppError('Invalid filename', { status: 400, code: 'INVALID_FILENAME' });
+      const fileId = c.req.param('file') as string;
+      if (!fileId || fileId.startsWith('.') || fileId.includes('..') || fileId.includes('/')) {
+        throw new AppError('Invalid file id', { status: 400, code: 'INVALID_FILE_ID' });
       }
-      const fileId = filename.replace(/\.[^.]+$/, '');
 
-      await handleDelete(tenant_id, collection, fileId, filename);
+      await handleDelete(tenant_id, collection, fileId);
 
       return c.json({ message: 'File deleted', ok: true });
     } catch (err: any) {

package/types/file.d.ts

@@ -13,6 +13,8 @@ type FileAccessHandler = (ctx: {
 }) => boolean | Promise<boolean>;
 
 type FileApiAccess = {
+    /** Default access rule applied when no per-operation rule is set */
+    '*'?: boolean | FileAccessHandler;
     /** Access control for POST /upload/:tenant_id/:slug */
     upload?: boolean | FileAccessHandler;
     /** Access control for GET /files/:tenant_id/:slug/:file */