npm - @btst/stack - Versions diffs - 2.8.1 → 2.9.1 - Mend

@btst/stack 2.8.1 → 2.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/dist/packages/stack/src/plugins/media/api/mutations.mjs ADDED Viewed

@@ -0,0 +1,82 @@
+async function createAsset(adapter, input) {
+  return adapter.create({
+    model: "mediaAsset",
+    data: {
+      filename: input.filename,
+      originalName: input.originalName,
+      mimeType: input.mimeType,
+      size: input.size,
+      url: input.url,
+      folderId: input.folderId,
+      alt: input.alt,
+      createdAt: /* @__PURE__ */ new Date()
+    }
+  });
+}
+async function updateAsset(adapter, id, input) {
+  const update = {};
+  if (input.alt !== void 0) {
+    update.alt = input.alt;
+  }
+  if ("folderId" in input) {
+    update.folderId = input.folderId;
+  }
+  return adapter.update({
+    model: "mediaAsset",
+    where: [{ field: "id", value: id, operator: "eq" }],
+    update
+  });
+}
+async function deleteAsset(adapter, id) {
+  await adapter.delete({
+    model: "mediaAsset",
+    where: [{ field: "id", value: id, operator: "eq" }]
+  });
+}
+async function createFolder(adapter, input) {
+  return adapter.create({
+    model: "mediaFolder",
+    data: {
+      name: input.name,
+      parentId: input.parentId,
+      createdAt: /* @__PURE__ */ new Date()
+    }
+  });
+}
+async function deleteFolder(adapter, id) {
+  const allFolderIds = [id];
+  const queue = [id];
+  while (queue.length > 0) {
+    const parentId = queue.shift();
+    const children = await adapter.findMany({
+      model: "mediaFolder",
+      where: [{ field: "parentId", value: parentId, operator: "eq" }]
+    });
+    for (const child of children) {
+      allFolderIds.push(child.id);
+      queue.push(child.id);
+    }
+  }
+  let totalAssets = 0;
+  for (const folderId of allFolderIds) {
+    totalAssets += await adapter.count({
+      model: "mediaAsset",
+      where: [{ field: "folderId", value: folderId, operator: "eq" }]
+    });
+  }
+  if (totalAssets > 0) {
+    throw new Error(
+      `Cannot delete folder: it or one of its subfolders contains ${totalAssets} asset(s). Move or delete them first.`
+    );
+  }
+  await adapter.transaction(async (tx) => {
+    for (const folderId of [...allFolderIds].reverse()) {
+      await tx.delete({
+        model: "mediaFolder",
+        where: [{ field: "id", value: folderId, operator: "eq" }]
+      });
+    }
+  });
+}
+export { createAsset, createFolder, deleteAsset, deleteFolder, updateAsset };

package/dist/packages/stack/src/plugins/media/api/plugin.cjs ADDED Viewed

@@ -0,0 +1,525 @@
+'use strict';
+const api = require('@btst/stack/plugins/api');
+const z = require('zod');
+const db = require('../db.cjs');
+const schemas = require('../schemas.cjs');
+const getters = require('./getters.cjs');
+const mutations = require('./mutations.cjs');
+const storageAdapter = require('./storage-adapter.cjs');
+const utils = require('../../utils.cjs');
+function sanitizeS3KeySegment(s) {
+  return s.replace(/[/\\]/g, "-").replace(/\.\./g, "_").trim() || "unknown";
+}
+function matchesUrlPrefix(url, prefix) {
+  const normalizedPrefix = `${prefix.replace(/\/+$/, "")}/`;
+  return url.startsWith(normalizedPrefix);
+}
+const mediaBackendPlugin = (config) => api.defineBackendPlugin({
+  name: "media",
+  dbPlugin: db.mediaSchema,
+  api: (adapter) => ({
+    listAssets: (params) => getters.listAssets(adapter, params),
+    getAssetById: (id) => getters.getAssetById(adapter, id),
+    listFolders: (params) => getters.listFolders(adapter, params),
+    getFolderById: (id) => getters.getFolderById(adapter, id)
+  }),
+  routes: (adapter) => {
+    const {
+      storageAdapter: storageAdapter$1,
+      maxFileSizeBytes = 10 * 1024 * 1024,
+      allowedMimeTypes,
+      allowedUrlPrefixes,
+      hooks
+    } = config;
+    function validateMimeType(mimeType, ctx) {
+      if (allowedMimeTypes && allowedMimeTypes.length > 0) {
+        const allowed = allowedMimeTypes.some((pattern) => {
+          if (pattern.endsWith("/*")) {
+            return mimeType.startsWith(pattern.slice(0, -1));
+          }
+          return mimeType === pattern;
+        });
+        if (!allowed) {
+          throw ctx.error(415, {
+            message: `MIME type '${mimeType}' is not allowed. Allowed: ${allowedMimeTypes.join(", ")}`
+          });
+        }
+      }
+    }
+    const listAssetsEndpoint = api.createEndpoint(
+      "/media/assets",
+      {
+        method: "GET",
+        query: schemas.AssetListQuerySchema
+      },
+      async (ctx) => {
+        const { query, headers } = ctx;
+        const context = { query, headers };
+        if (hooks?.onBeforeListAssets) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeListAssets(query, context),
+            ctx.error,
+            "Unauthorized: Cannot list assets"
+          );
+        }
+        return getters.listAssets(adapter, query);
+      }
+    );
+    const createAssetEndpoint = api.createEndpoint(
+      "/media/assets",
+      {
+        method: "POST",
+        body: schemas.createAssetSchema
+      },
+      async (ctx) => {
+        const context = {
+          body: ctx.body,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeUpload) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeUpload(
+              {
+                filename: ctx.body.filename,
+                mimeType: ctx.body.mimeType,
+                size: ctx.body.size
+              },
+              context
+            ),
+            ctx.error,
+            "Unauthorized: Cannot upload asset"
+          );
+        }
+        validateMimeType(ctx.body.mimeType, ctx);
+        if (ctx.body.size > maxFileSizeBytes) {
+          throw ctx.error(413, {
+            message: `File size ${ctx.body.size} bytes exceeds the limit of ${maxFileSizeBytes} bytes`
+          });
+        }
+        {
+          const url = ctx.body.url;
+          let urlAllowed = true;
+          let denialReason = "";
+          if (allowedUrlPrefixes && allowedUrlPrefixes.length > 0) {
+            urlAllowed = allowedUrlPrefixes.some(
+              (p) => matchesUrlPrefix(url, p)
+            );
+            denialReason = `URL must start with one of: ${allowedUrlPrefixes.join(", ")}`;
+          } else if (storageAdapter.isDirectAdapter(storageAdapter$1)) {
+            urlAllowed = false;
+            denialReason = "Client-supplied asset URLs are not allowed with localAdapter. Use POST /media/upload instead, or configure allowedUrlPrefixes to explicitly allow trusted URL prefixes.";
+          } else if (storageAdapter.isS3Adapter(storageAdapter$1)) {
+            urlAllowed = matchesUrlPrefix(url, storageAdapter$1.urlPrefix);
+            denialReason = `URL must start with the configured S3 publicBaseUrl: ${storageAdapter$1.urlPrefix}`;
+          } else if (storageAdapter.isVercelBlobAdapter(storageAdapter$1)) {
+            try {
+              const hostname = new URL(url).hostname;
+              urlAllowed = hostname.endsWith(
+                storageAdapter$1.urlHostnameSuffix
+              );
+            } catch {
+              urlAllowed = false;
+            }
+            denialReason = `URL hostname must end with ${storageAdapter$1.urlHostnameSuffix}`;
+          }
+          if (!urlAllowed) {
+            throw ctx.error(400, { message: denialReason });
+          }
+        }
+        if (ctx.body.folderId) {
+          const folder = await getters.getFolderById(adapter, ctx.body.folderId);
+          if (!folder) {
+            throw ctx.error(404, { message: "Folder not found" });
+          }
+        }
+        const asset = await mutations.createAsset(adapter, ctx.body);
+        if (hooks?.onAfterUpload) {
+          await hooks.onAfterUpload(asset, context);
+        }
+        return asset;
+      }
+    );
+    const updateAssetEndpoint = api.createEndpoint(
+      "/media/assets/:id",
+      {
+        method: "PATCH",
+        body: schemas.updateAssetSchema
+      },
+      async (ctx) => {
+        const existing = await getters.getAssetById(adapter, ctx.params.id);
+        if (!existing) {
+          throw ctx.error(404, { message: "Asset not found" });
+        }
+        const context = {
+          body: ctx.body,
+          params: ctx.params,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeUpdateAsset) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeUpdateAsset(existing, ctx.body, context),
+            ctx.error,
+            "Unauthorized: Cannot update asset"
+          );
+        }
+        if (ctx.body.folderId != null) {
+          const folder = await getters.getFolderById(adapter, ctx.body.folderId);
+          if (!folder) {
+            throw ctx.error(404, { message: "Folder not found" });
+          }
+        }
+        const updated = await mutations.updateAsset(adapter, ctx.params.id, ctx.body);
+        if (!updated) {
+          throw ctx.error(404, { message: "Asset not found" });
+        }
+        return updated;
+      }
+    );
+    const deleteAssetEndpoint = api.createEndpoint(
+      "/media/assets/:id",
+      {
+        method: "DELETE"
+      },
+      async (ctx) => {
+        const context = {
+          params: ctx.params,
+          headers: ctx.headers
+        };
+        const asset = await getters.getAssetById(adapter, ctx.params.id);
+        if (!asset) {
+          throw ctx.error(404, { message: "Asset not found" });
+        }
+        if (hooks?.onBeforeDelete) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeDelete(asset, context),
+            ctx.error,
+            "Unauthorized: Cannot delete asset"
+          );
+        }
+        try {
+          await storageAdapter$1.delete(asset.url);
+        } catch (err) {
+          console.error(
+            `[btst/media] Failed to delete file from storage: ${asset.url}`,
+            err
+          );
+          throw ctx.error(500, {
+            message: "Failed to delete file from storage"
+          });
+        }
+        await mutations.deleteAsset(adapter, ctx.params.id);
+        if (hooks?.onAfterDelete) {
+          await hooks.onAfterDelete(ctx.params.id, context);
+        }
+        return { success: true };
+      }
+    );
+    const listFoldersEndpoint = api.createEndpoint(
+      "/media/folders",
+      {
+        method: "GET",
+        query: z.z.object({
+          parentId: z.z.string().optional()
+        })
+      },
+      async (ctx) => {
+        const filter = { parentId: ctx.query.parentId };
+        const context = {
+          query: ctx.query,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeListFolders) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeListFolders(filter, context),
+            ctx.error,
+            "Unauthorized: Cannot list folders"
+          );
+        }
+        return getters.listFolders(adapter, filter);
+      }
+    );
+    const createFolderEndpoint = api.createEndpoint(
+      "/media/folders",
+      {
+        method: "POST",
+        body: schemas.createFolderSchema
+      },
+      async (ctx) => {
+        const context = {
+          body: ctx.body,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeCreateFolder) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeCreateFolder(ctx.body, context),
+            ctx.error,
+            "Unauthorized: Cannot create folder"
+          );
+        }
+        return mutations.createFolder(adapter, ctx.body);
+      }
+    );
+    const deleteFolderEndpoint = api.createEndpoint(
+      "/media/folders/:id",
+      {
+        method: "DELETE"
+      },
+      async (ctx) => {
+        const folder = await getters.getFolderById(adapter, ctx.params.id);
+        if (!folder) {
+          throw ctx.error(404, { message: "Folder not found" });
+        }
+        const context = {
+          params: ctx.params,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeDeleteFolder) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeDeleteFolder(folder, context),
+            ctx.error,
+            "Unauthorized: Cannot delete folder"
+          );
+        }
+        try {
+          await mutations.deleteFolder(adapter, ctx.params.id);
+        } catch (err) {
+          throw ctx.error(409, {
+            message: err instanceof Error ? err.message : "Cannot delete folder"
+          });
+        }
+        return { success: true };
+      }
+    );
+    const uploadDirectEndpoint = api.createEndpoint(
+      "/media/upload",
+      {
+        method: "POST",
+        metadata: {
+          // Tell Better Call this endpoint accepts multipart/form-data so it
+          // parses the body into a FormData object and exposes it as ctx.body.
+          // Without this, Better Call may pre-read the body stream and calling
+          // ctx.request.formData() afterwards fails with "Body already read".
+          allowedMediaTypes: ["multipart/form-data"]
+        }
+      },
+      async (ctx) => {
+        if (!storageAdapter.isDirectAdapter(storageAdapter$1)) {
+          throw ctx.error(400, {
+            message: "Direct upload is only supported with the local storage adapter"
+          });
+        }
+        const body = ctx.body;
+        if (!body || typeof body !== "object") {
+          throw ctx.error(400, {
+            message: "Expected multipart/form-data request body"
+          });
+        }
+        const fileRaw = body.file;
+        if (!fileRaw || typeof fileRaw !== "object" || typeof fileRaw.arrayBuffer !== "function") {
+          throw ctx.error(400, {
+            message: "Missing 'file' field in form data"
+          });
+        }
+        if (typeof fileRaw.size !== "number" || fileRaw.size < 0) {
+          throw ctx.error(400, {
+            message: "File 'size' is missing or invalid"
+          });
+        }
+        if (typeof fileRaw.name !== "string" || !fileRaw.name) {
+          throw ctx.error(400, {
+            message: "File 'name' is missing or invalid"
+          });
+        }
+        if (typeof fileRaw.type !== "string") {
+          throw ctx.error(400, {
+            message: "File 'type' is missing or invalid"
+          });
+        }
+        const file = fileRaw;
+        const context = { headers: ctx.headers };
+        if (hooks?.onBeforeUpload) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeUpload(
+              {
+                filename: file.name,
+                mimeType: file.type,
+                size: file.size
+              },
+              context
+            ),
+            ctx.error,
+            "Unauthorized: Cannot upload asset"
+          );
+        }
+        validateMimeType(file.type, ctx);
+        if (file.size > maxFileSizeBytes) {
+          throw ctx.error(413, {
+            message: `File size ${file.size} bytes exceeds the limit of ${maxFileSizeBytes} bytes`
+          });
+        }
+        const buffer = Buffer.from(await file.arrayBuffer());
+        const folderId = typeof body.folderId === "string" && body.folderId ? body.folderId : void 0;
+        if (folderId) {
+          const folder = await getters.getFolderById(adapter, folderId);
+          if (!folder) {
+            throw ctx.error(404, { message: "Folder not found" });
+          }
+        }
+        const { url } = await storageAdapter$1.upload(buffer, {
+          filename: file.name,
+          mimeType: file.type,
+          size: file.size,
+          folderId
+        });
+        let asset;
+        try {
+          asset = await mutations.createAsset(adapter, {
+            filename: url.split("/").pop() ?? file.name,
+            originalName: file.name,
+            mimeType: file.type,
+            size: file.size,
+            url,
+            folderId
+          });
+        } catch (err) {
+          try {
+            await storageAdapter$1.delete(url);
+          } catch (cleanupErr) {
+            console.error(
+              `[btst/media] Failed to clean up orphaned storage file after DB error: ${url}`,
+              cleanupErr
+            );
+          }
+          throw err;
+        }
+        if (hooks?.onAfterUpload) {
+          await hooks.onAfterUpload(asset, context);
+        }
+        return asset;
+      }
+    );
+    const uploadTokenEndpoint = api.createEndpoint(
+      "/media/upload/token",
+      {
+        method: "POST",
+        body: schemas.uploadTokenRequestSchema
+      },
+      async (ctx) => {
+        if (!storageAdapter.isS3Adapter(storageAdapter$1)) {
+          throw ctx.error(400, {
+            message: "Upload token endpoint is only supported with the S3 storage adapter"
+          });
+        }
+        const context = {
+          body: ctx.body,
+          headers: ctx.headers
+        };
+        if (hooks?.onBeforeUpload) {
+          await utils.runHookWithShim(
+            () => hooks.onBeforeUpload(
+              {
+                filename: ctx.body.filename,
+                mimeType: ctx.body.mimeType,
+                size: ctx.body.size
+              },
+              context
+            ),
+            ctx.error,
+            "Unauthorized: Cannot upload asset"
+          );
+        }
+        validateMimeType(ctx.body.mimeType, ctx);
+        if (ctx.body.size > maxFileSizeBytes) {
+          throw ctx.error(413, {
+            message: `File size ${ctx.body.size} bytes exceeds the limit of ${maxFileSizeBytes} bytes`
+          });
+        }
+        let folderId = ctx.body.folderId;
+        if (folderId) {
+          const folder = await getters.getFolderById(adapter, folderId);
+          if (!folder) {
+            throw ctx.error(404, {
+              message: "Folder not found"
+            });
+          }
+          folderId = folder.id;
+        }
+        const filename = sanitizeS3KeySegment(ctx.body.filename);
+        return storageAdapter$1.generateUploadToken({
+          filename,
+          mimeType: ctx.body.mimeType,
+          size: ctx.body.size,
+          folderId
+        });
+      }
+    );
+    const uploadVercelBlobEndpoint = api.createEndpoint(
+      "/media/upload/vercel-blob",
+      {
+        method: "POST"
+      },
+      async (ctx) => {
+        if (!storageAdapter.isVercelBlobAdapter(storageAdapter$1)) {
+          throw ctx.error(400, {
+            message: "Vercel Blob endpoint is only supported with the vercelBlobAdapter"
+          });
+        }
+        const context = { headers: ctx.headers };
+        if (!ctx.request) {
+          throw ctx.error(400, {
+            message: "Request object is not available"
+          });
+        }
+        return storageAdapter$1.handleRequest(ctx.request, {
+          onBeforeGenerateToken: async (pathname, clientPayload) => {
+            const filename = pathname.split("/").pop() ?? pathname;
+            let parsed = {};
+            try {
+              parsed = clientPayload ? JSON.parse(clientPayload) : {};
+            } catch {
+            }
+            const mimeType = parsed.mimeType ?? "application/octet-stream";
+            const size = parsed.size;
+            if (hooks?.onBeforeUpload) {
+              await utils.runHookWithShim(
+                () => hooks.onBeforeUpload(
+                  { filename, mimeType, size },
+                  context
+                ),
+                ctx.error,
+                "Unauthorized: Cannot upload asset"
+              );
+            }
+            validateMimeType(mimeType, ctx);
+            if (size != null && size > maxFileSizeBytes) {
+              throw ctx.error(413, {
+                message: `File size ${size} bytes exceeds the limit of ${maxFileSizeBytes} bytes`
+              });
+            }
+            return {
+              addRandomSuffix: true,
+              allowedContentTypes: allowedMimeTypes && allowedMimeTypes.length > 0 ? allowedMimeTypes : void 0,
+              maximumSizeInBytes: maxFileSizeBytes
+            };
+          }
+        });
+      }
+    );
+    return {
+      listAssets: listAssetsEndpoint,
+      createAsset: createAssetEndpoint,
+      updateAsset: updateAssetEndpoint,
+      deleteAsset: deleteAssetEndpoint,
+      listFolders: listFoldersEndpoint,
+      createFolder: createFolderEndpoint,
+      deleteFolder: deleteFolderEndpoint,
+      uploadDirect: uploadDirectEndpoint,
+      uploadToken: uploadTokenEndpoint,
+      uploadVercelBlob: uploadVercelBlobEndpoint
+    };
+  }
+});
+exports.mediaBackendPlugin = mediaBackendPlugin;