@ditojs/server 2.92.0 → 2.94.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ditojs/server",
-  "version": "2.92.0",
+  "version": "2.94.1",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
   "repository": "https://github.com/ditojs/dito/tree/main/packages/server",
@@ -12,23 +12,20 @@
     "src/",
     "types/"
   ],
-  "scripts": {
-    "types": "tsc --noEmit --esModuleInterop ./types/index.d.ts"
-  },
   "bin": {
     "dito": "./src/cli/index.js"
   },
   "engines": {
-    "node": ">= 20.0.0"
+    "node": ">= 24.0.0"
   },
   "browserslist": [
     "node >= 18"
   ],
   "dependencies": {
-    "@ditojs/admin": "^2.92.0",
-    "@ditojs/build": "^2.92.0",
-    "@ditojs/router": "^2.92.0",
-    "@ditojs/utils": "^2.92.0",
+    "@ditojs/admin": "^2.94.1",
+    "@ditojs/build": "^2.94.0",
+    "@ditojs/router": "^2.94.0",
+    "@ditojs/utils": "^2.94.0",
     "@koa/cors": "^5.0.0",
     "@koa/etag": "^5.0.2",
     "@koa/multer": "^4.0.0",
@@ -39,9 +36,9 @@
     "bytes": "^3.1.2",
     "data-uri-to-buffer": "^7.0.0",
     "eventemitter2": "^6.4.9",
-    "file-type": "^21.3.3",
+    "file-type": "^22.0.0",
     "helmet": "^8.1.0",
-    "koa": "^3.1.2",
+    "koa": "^3.2.0",
     "koa-bodyparser": "^4.4.1",
     "koa-compose": "^4.1.0",
     "koa-compress": "^5.2.1",
@@ -61,12 +58,12 @@
     "passport-local": "^1.0.0",
     "passthrough-counter": "^1.0.0",
     "picocolors": "^1.1.1",
-    "picomatch": "^4.0.3",
+    "picomatch": "^4.0.4",
     "pino": "^10.3.1",
     "pino-pretty": "^13.1.3",
     "pluralize": "^8.0.0",
     "repl": "^0.1.3",
-    "type-fest": "^5.4.4",
+    "type-fest": "^5.5.0",
     "uuid": "^13.0.0"
   },
   "peerDependencies": {
@@ -86,9 +83,12 @@
     "@types/koa__cors": "^5.0.1",
     "@types/koa__multer": "^2.0.8",
     "@types/node": "^25.5.0",
-    "knex": "^3.1.0",
+    "knex": "^3.2.7",
     "objection": "^3.1.5",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
   },
-  "gitHead": "7d2288aa487ec5c8607b2079a29e2d8793fbd07f"
-}
+  "gitHead": "7bb40e9e490632e20ceaf92907b4ff7b27484e26",
+  "scripts": {
+    "types": "tsc --noEmit --esModuleInterop ./types/index.d.ts"
+  }
+}

package/src/app/Application.js

@@ -833,9 +833,11 @@ export class Application extends Koa {
     this.server = await new Promise(resolve => {
       const server = this.listen(this.config.server, () => {
         const { address, port } = server.address()
-        console.info(
-          `Dito.js server started at http://${address}:${port}`
-        )
+        if (Object.keys(this.config.log).length > 0) {
+          console.info(
+            `Dito.js server started at http://${address}:${port}`
+          )
+        }
         resolve(server)
       })
     })
@@ -900,9 +902,13 @@ export class Application extends Koa {
   async createAssets(storage, files, count = 0, transaction = null) {
     const AssetModel = this.getModel('Asset')
     if (AssetModel) {
+      // Shallow-clone file objects to avoid mutating the originals, since
+      // $parseJson() → convertAssetFile() deletes the signature.
+      // The originals may still be needed (e.g. sent as upload response).
+      // Shallow clone is sufficient as file objects are flat (scalar values).
       const assets = files.map(file => ({
         key: file.key,
-        file,
+        file: { ...file },
         storage: storage.name,
         count
       }))
@@ -1007,6 +1013,9 @@ export class Application extends Koa {
                 }
               }
               const importedFile = await storage.addFile(file, data)
+              // Sign the imported foreign file so it passes verification when
+              // createAssets() triggers $parseJson() → convertAssetFile().
+              storage.signAssetFile(importedFile)
               await this.createAssets(storage, [importedFile], 0, transaction)
               importedFiles.push(importedFile)
               // Merge back the changed file properties into the actual file

package/src/mixins/AssetMixin.js

@@ -66,11 +66,13 @@ export const AssetMixin = mixin(
       }
 
       // @override
-      $parseJson(json) {
+      $parseJson(json, { trusted = false } = {}) {
         const { file, storage } = json
         // Convert `AssetMixin#file` to an `AssetFile` instance:
         if (file && storage) {
-          this.constructor.app.getStorage(storage)?.convertAssetFile(file)
+          this.constructor.app
+            .getStorage(storage)
+            ?.convertAssetFile(file, { trusted })
         }
         return json
       }

package/src/models/Model.js

@@ -12,6 +12,7 @@ import {
   parseDataPath,
   normalizeDataPath,
   getValueAtDataPath,
+  setValueAtDataPath,
   mapConcurrently,
   assignDeeply,
   deprecate
@@ -609,11 +610,11 @@ export class Model extends objection.Model {
     }
     // Also run through normal $parseJson(), for handling of `Date` and
     // `AssetFile`.
-    return this.$parseJson(json)
+    return this.$parseJson(json, { trusted: true })
   }
 
   // @override
-  $parseJson(json) {
+  $parseJson(json, { trusted = false } = {}) {
     const { constructor } = this
     for (const key of constructor.dateAttributes) {
       const date = json[key]
@@ -623,25 +624,9 @@ export class Model extends objection.Model {
     }
     // Convert plain asset files objects to AssetFile instances with references
     // to the linked storage.
-    const { assets } = constructor.definition
-    if (assets) {
-      for (const dataPath in assets) {
-        const storage = constructor.app.getStorage(assets[dataPath].storage)
-        const data = getValueAtDataPath(json, dataPath, () => null)
-        if (data) {
-          const convertToAssetFiles = data => {
-            if (data) {
-              if (isArray(data)) {
-                data.forEach(convertToAssetFiles)
-              } else {
-                storage.convertAssetFile(data)
-              }
-            }
-          }
-          convertToAssetFiles(data)
-        }
-      }
-    }
+    this.constructor._forEachAssetFile(json, (file, storage) => {
+      storage.convertAssetFile(file, { trusted })
+    })
     return json
   }
 
@@ -651,6 +636,9 @@ export class Model extends objection.Model {
     for (const key of this.constructor.hiddenAttributes) {
       delete json[key]
     }
+    // Sign asset files so clients can send them back with valid signatures.
+    // Clone file objects to avoid mutating the model's internals.
+    this.constructor._signAssetFiles(json)
     return json
   }
 
@@ -1014,6 +1002,42 @@ export class Model extends objection.Model {
 
   // Assets handling
 
+  static _forEachAssetFile(json, callback) {
+    const { assets } = this.definition
+    if (assets) {
+      for (const dataPath in assets) {
+        const data = getValueAtDataPath(json, dataPath, noop)
+        if (!data) continue
+        const storage = this.app.getStorage(assets[dataPath].storage)
+        forEachAssetFile(data, storage, callback)
+      }
+    }
+  }
+
+  static _mapAssetFiles(json, callback) {
+    const { assets } = this.definition
+    if (assets) {
+      for (const dataPath in assets) {
+        const data = getValueAtDataPath(json, dataPath, noop)
+        if (!data) continue
+        const storage = this.app.getStorage(assets[dataPath].storage)
+        setValueAtDataPath(
+          json,
+          dataPath,
+          mapAssetFiles(data, storage, callback)
+        )
+      }
+    }
+  }
+
+  static _signAssetFiles(json) {
+    this._mapAssetFiles(json, (file, storage) => {
+      const signed = { ...file }
+      storage.signAssetFile(signed)
+      return signed
+    })
+  }
+
   static _configureAssetsHooks(assets) {
     const assetDataPaths = Object.keys(assets)
 
@@ -1171,8 +1195,27 @@ function loadAssetDataPaths(query, dataPaths) {
   )
 }
 
+const noop = () => {}
+
+function forEachAssetFile(data, storage, callback) {
+  if (isArray(data)) {
+    for (const item of data) {
+      forEachAssetFile(item, storage, callback)
+    }
+  } else if (data) {
+    callback(data, storage)
+  }
+}
+
+function mapAssetFiles(data, storage, callback) {
+  if (isArray(data)) {
+    return data.map(item => mapAssetFiles(item, storage, callback))
+  }
+  return data ? callback(data, storage) : data
+}
+
 function getValueAtAssetDataPath(item, path) {
-  return getValueAtDataPath(item, path, () => undefined)
+  return getValueAtDataPath(item, path, noop)
 }
 
 function getFilesPerAssetDataPath(items, dataPaths) {

package/src/storage/DiskStorage.js

@@ -2,6 +2,7 @@ import fs from 'fs/promises'
 import path from 'path'
 import multer from '@koa/multer'
 import { mapConcurrently } from '@ditojs/utils'
+import { removeIfEmpty } from '../utils/fs.js'
 import { Storage } from './Storage.js'
 
 export class DiskStorage extends Storage {
@@ -11,6 +12,7 @@ export class DiskStorage extends Storage {
     if (!this.path) {
       throw new Error(`Missing configuration (path) for storage ${this.name}`)
     }
+    this.nestedFolders = this.config.nestedFolders ?? true
     this.storage = multer.diskStorage({
       destination: (req, storageFile, cb) => {
         // Add `storageFile.key` property to internal storage file object.
@@ -50,24 +52,13 @@ export class DiskStorage extends Storage {
   async _removeFile(file) {
     const filePath = this._getFilePath(file)
     await fs.unlink(filePath)
-    const removeIfEmpty = async dir => {
-      if ((await fs.readdir(dir)).length === 0) {
-        try {
-          await fs.rmdir(dir)
-        } catch (err) {
-          // The directory may already have been deleted by another async call,
-          // fail silently here in this case.
-          if (err.code !== 'ENOENT') {
-            throw err
-          }
-        }
+    if (this.nestedFolders) {
+      // Clean up nested folders created with first two chars of `file.key`:
+      const dir = path.dirname(filePath)
+      if (await removeIfEmpty(dir)) {
+        await removeIfEmpty(path.dirname(dir))
       }
     }
-    // Clean up nested folders created with first two chars of `file.key` also:
-    const dir = path.dirname(filePath)
-    const parentDir = path.dirname(dir)
-    await removeIfEmpty(dir)
-    await removeIfEmpty(parentDir)
   }
 
   // @override
@@ -77,6 +68,16 @@ export class DiskStorage extends Storage {
 
   // @override
   async _listKeys() {
+    if (!this.nestedFolders) {
+      const files = []
+      for (const file of await fs.readdir(this._getPath())) {
+        if (!file.startsWith('.')) {
+          files.push(file)
+        }
+      }
+      return files
+    }
+
     const readDir = (...parts) =>
       fs.readdir(this._getPath(...parts), { withFileTypes: true })
 
@@ -109,6 +110,8 @@ export class DiskStorage extends Storage {
   _getNestedFolder(key, posix = false) {
     // Store files in nested folders created with the first two chars of the
     // key, for faster access & management with large amounts of files.
-    return (posix ? path.posix : path).join(key[0], key[1])
+    return this.nestedFolders
+      ? (posix ? path.posix : path).join(key[0], key[1])
+      : ''
   }
 }

package/src/storage/Storage.js

@@ -1,11 +1,13 @@
 import path from 'path'
 import { URL } from 'url'
+import crypto from 'crypto'
 import multer from '@koa/multer'
 import picomatch from 'picomatch'
 import { PassThrough } from 'stream'
 import { readMediaAttributes } from 'leather'
 import { hyphenate, toPromiseCallback } from '@ditojs/utils'
 import { AssetFile } from './AssetFile.js'
+import { AssetError } from '../errors/AssetError.js'
 import { resolveFileUrl } from '../utils/asset.js'
 
 const storageClasses = {}
@@ -80,7 +82,21 @@ export class Storage {
     )
   }
 
-  convertAssetFile(file) {
+  convertAssetFile(file, { trusted = false } = {}) {
+    if (
+      !trusted &&
+      !(file instanceof AssetFile) &&
+      !this.isImportSourceAllowed(file.url) &&
+      !this.verifyAssetFile(file)
+    ) {
+      throw new AssetError(
+        `Invalid asset signature for file '${
+          file.name ?? file.key
+        }'`
+      )
+    }
+    // Remove signature once the data made it to here.
+    delete file.signature
     AssetFile.convert(file, this)
   }
 
@@ -94,7 +110,8 @@ export class Storage {
       url: this._getFileUrl(storageFile),
       // In case `config.readDimensions` is set:
       width: storageFile.width,
-      height: storageFile.height
+      height: storageFile.height,
+      signature: this._signAssetKey(storageFile.key)
     }
   }
 
@@ -108,7 +125,7 @@ export class Storage {
     file.url = this._getFileUrl(file)
     // TODO: Support `config.readDimensions`, but this can only be done once
     // there are separate storage instances per model assets config!
-    this.convertAssetFile(file)
+    this.convertAssetFile(file, { trusted: true })
     return file
   }
 
@@ -132,6 +149,48 @@ export class Storage {
     return this._getFileUrl(file)
   }
 
+  signAssetFile(file) {
+    file.signature = this._signAssetKey(file.key)
+  }
+
+  verifyAssetFile(file) {
+    if (file) {
+      const expected = this._signAssetKey(file.key)
+      try {
+        return crypto.timingSafeEqual(
+          Buffer.from(expected, 'hex'),
+          Buffer.from(file.signature, 'hex')
+        )
+      } catch {
+        // Catches missing or malformed signatures.
+        // Fall through to return false below.
+      }
+    }
+    return false
+  }
+
+  _signAssetKey(key) {
+    const secret = (
+      this.app.keys?.[0] ??
+      (Storage._fallbackSecret ??= this._createFallbackSecret())
+    )
+    return crypto
+      .createHmac('sha256', secret)
+      .update(key)
+      .digest('hex')
+  }
+
+  _createFallbackSecret() {
+    console.warn(
+      'No app.keys configured for asset signatures. ' +
+      'Please note that signatures will not survive ' +
+      'process restarts, and users will be unable to ' +
+      'update records with asset properties until they ' +
+      'reload the page.'
+    )
+    return crypto.randomBytes(32)
+  }
+
   _getUrl(...parts) {
     return this.url
       ? new URL(path.posix.join(...parts), this.url).toString()

package/src/storage/Storage.test.js

@@ -0,0 +1,58 @@
+import { Storage } from './Storage.js'
+
+function createStorage(keys = ['test-secret']) {
+  const app = { keys }
+  return new Storage(app, { name: 'test' })
+}
+
+function simulateUpload(storage, key, originalname) {
+  return storage.convertStorageFile({
+    key,
+    originalname,
+    mimetype: 'image/png',
+    size: 2048
+  })
+}
+
+describe('Storage: asset key signature verification', () => {
+  it('preserves the key through a full upload-then-save cycle', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'real-key.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect(fromClient.key).toBe('real-key.png')
+  })
+
+  it('throws when a forged key is submitted', () => {
+    const storage = createStorage()
+    const file = { key: 'victim-key.png', name: 'photo.png' }
+    expect(() => {
+      storage.convertAssetFile(file, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('throws when a valid signature is paired with a swapped key', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'legit.png', 'legit.png')
+    const forged = { ...uploaded, key: 'victim-file.png' }
+    expect(() => {
+      storage.convertAssetFile(forged, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('does not throw when addFile() converts a server-created file', async () => {
+    const storage = createStorage()
+    const file = { key: 'imported.png', name: 'import.png' }
+    const data = Buffer.from('fake-image-data')
+    await storage.addFile(file, data)
+    expect(file.key).toBe('imported.png')
+  })
+
+  it('strips signature after conversion', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'upload.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect('signature' in fromClient).toBe(false)
+  })
+})

package/src/utils/fs.js

@@ -8,3 +8,19 @@ export async function exists(path) {
     return false
   }
 }
+
+export async function removeIfEmpty(dir) {
+  try {
+    if ((await fs.readdir(dir)).length === 0) {
+      await fs.rmdir(dir)
+      return true
+    }
+  } catch (err) {
+    // The directory may already have been deleted by another async call,
+    // fail silently here in this case.
+    if (err.code !== 'ENOENT') {
+      throw err
+    }
+  }
+  return false
+}