@anteros/core 0.0.1 → 0.0.2

package/lib/files.ts

@@ -352,12 +352,43 @@ export async function handleDelete(
   tenant_id: string,
   collection: string,
   fileId: string,
-  filename: string,
 ): Promise<void> {
   const storage = getStorageForCollection(collection, tenant_id);
   const col = getFileCollection(collection, tenant_id);
+
+  // Look up the document to get the stored filename
+  let filename: string | undefined;
+  if (col?.trackMetaData !== false) {
+    try {
+      const rest = new useRest({ tenant_id, internal: true, useHook: false, useCustomApi: false });
+      const doc = await rest.findOne<any>(collection, fileId);
+      filename = doc?._file?.filename;
+    } catch {}
+  }
+
+  // Delete the physical file from storage
   const subpath = col?.storage?.path || undefined;
-  await storage.delete(tenant_id, collection, fileId, filename, subpath);
+  if (filename) {
+    await storage.delete(tenant_id, collection, fileId, filename, subpath);
+  } else {
+    // Fallback: try common extensions
+    for (const ext of ['.jpg', '.jpeg', '.png', '.webp', '.avif', '.gif', '.svg', '.pdf', '.mp4', '.webm', '.mp3', '.wav', '.json', '.csv', '.zip', '']) {
+      try {
+        await storage.delete(tenant_id, collection, fileId, fileId + ext, subpath);
+        break;
+      } catch {}
+    }
+  }
+
+  // Delete the metadata document from MongoDB
+  if (col?.trackMetaData !== false) {
+    try {
+      const rest = new useRest({ tenant_id, internal: true, useHook: false, useCustomApi: false });
+      await rest.deleteOne(collection, fileId);
+    } catch (err: any) {
+      console.error('Failed to delete file metadata:', err?.message || err);
+    }
+  }
 }
 
 // ─── Replication ──────────────────────────────────────────────────────────

package/package.json

@@ -1,13 +1,10 @@
 {
   "name": "@anteros/core",
   "module": "index.ts",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "type": "module",
   "description": "Anteros Core",
   "private": false,
-  "bin": {
-    "datiox": "bin/d.ts"
-  },
   "engines": {
     "bun": ">=1.3.0"
   },
@@ -27,8 +24,7 @@
     "ioredis": "^5.11.1",
     "joi": "^18.2.1",
     "jose": "^6.2.3",
-    "mongodb": "^7.3.0",
-    "os": "^0.1.2",
+    "mongodb": "6.21.0",
     "socket.io": "^4.8.3",
     "ufo": "^1.6.4"
   }

package/server/api.ts

@@ -42,6 +42,59 @@ const ActionsValues = [
 
 
 
+// ─── File access helper ────────────────────────────────────────────────────
+
+async function checkFileAccess(
+    access: { [key: string]: boolean | ((ctx: any) => boolean | Promise<boolean>) | undefined } | undefined,
+    operation: string,
+    tenant_id: string,
+    c: any,
+): Promise<void> {
+    // No access config at all → deny (secure by default)
+    if (!access) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    const hasWildcard = access['*'] !== undefined;
+    const hasSpecific = access[operation] !== undefined;
+
+    // No matching rule at all → deny
+    if (!hasWildcard && !hasSpecific) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    // Specific rule takes precedence over wildcard
+    const rule = hasSpecific ? access[operation] : access['*'];
+    if (rule === undefined) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+
+    // Boolean `true` → allow without requiring a token
+    if (typeof rule === 'boolean') {
+        if (!rule) {
+            throw new AppError(`${operation} not allowed`, { status: 401, code: 'ACCESS_DENIED' });
+        }
+        return;
+    }
+
+    // Function → requires a valid token
+    const t = c.get('token');
+    const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
+
+    if (accessToken.expired) {
+        throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
+    }
+    if (!accessToken.value) {
+        throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
+    }
+
+    const rest = new useRest({ internal: false, tenant_id });
+    const allowed = await (rule as Function)({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
+    if (!allowed) {
+        throw new AppError(`${operation} not allowed`, { status: 401, code: 'ACCESS_DENIED' });
+    }
+}
+
 function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
 
     // Crud API
@@ -567,29 +620,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colUpload) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colUpload?.api?.access?.upload) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colUpload.api.access.upload;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Upload not allowed', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colUpload?.api?.access as any, 'upload', tenant_id, c);
 
       const contentType = c.req.header('Content-Type') || '';
       if (!contentType.includes('multipart/form-data')) {
@@ -646,29 +677,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colServe) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colServe?.api?.access?.read) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colServe.api.access.read;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colServe?.api?.access as any, 'read', tenant_id, c);
 
       const filename = basename(c.req.param('file') as string);
       if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {
@@ -721,37 +730,14 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colDelete) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colDelete?.api?.access?.delete) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
+      await checkFileAccess(colDelete?.api?.access as any, 'delete', tenant_id, c);
 
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-
-        const accessCheck = colDelete.api.access.delete;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
-
-      const filename = basename(c.req.param('file') as string);
-      if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {
-        throw new AppError('Invalid filename', { status: 400, code: 'INVALID_FILENAME' });
+      const fileId = c.req.param('file') as string;
+      if (!fileId || fileId.startsWith('.') || fileId.includes('..') || fileId.includes('/')) {
+        throw new AppError('Invalid file id', { status: 400, code: 'INVALID_FILE_ID' });
       }
-      const fileId = filename.replace(/\.[^.]+$/, '');
 
-      await handleDelete(tenant_id, collection, fileId, filename);
+      await handleDelete(tenant_id, collection, fileId);
 
       return c.json({ message: 'File deleted', ok: true });
     } catch (err: any) {

package/types/file.d.ts

@@ -13,6 +13,8 @@ type FileAccessHandler = (ctx: {
 }) => boolean | Promise<boolean>;
 
 type FileApiAccess = {
+    /** Default access rule applied when no per-operation rule is set */
+    '*'?: boolean | FileAccessHandler;
     /** Access control for POST /upload/:tenant_id/:slug */
     upload?: boolean | FileAccessHandler;
     /** Access control for GET /files/:tenant_id/:slug/:file */