@ekrist1/vulse 0.1.6-alpha.3

package/dist/server/routes/form-submit.js

@@ -0,0 +1,155 @@
+import { FormsRepo, SubmissionsRepo, FormUploadDraftsRepo } from '../../core/repos/forms.js';
+import { compileForm } from '../../core/forms/compile.js';
+import { checkRateLimit, hashIp } from '../../core/forms/rate-limit.js';
+import { insertUniqueValues } from '../../core/forms/unique.js';
+import { NotFoundError, ValidationError } from '../../core/errors.js';
+import { fail, ok } from '../envelope.js';
+import { enqueueFormProcess } from '../forms/queue.js';
+import { runFormAfterSubmitHooks, runFormBeforeSubmitHooks } from '../plugins.js';
+export function formSubmitRoutes(db, options = {}) {
+    const forms = new FormsRepo(db);
+    const submissions = new SubmissionsRepo(db);
+    const drafts = new FormUploadDraftsRepo(db);
+    return {
+        public: async (request, rawParams) => {
+            try {
+                const handle = rawParams.handle;
+                if (!handle)
+                    throw new ValidationError('handle required');
+                const form = await forms.findByHandle(handle);
+                if (!form || !form.enabled)
+                    throw new NotFoundError('form not found');
+                const def = form.definition;
+                const honeypot = def.settings.honeypotField ?? '_hp';
+                const publicFields = def.fields
+                    .filter((f) => f.ui.kind !== 'honeypot')
+                    .map((f) => ({
+                    name: f.name,
+                    label: f.label,
+                    ui: f.ui,
+                    optional: f.optional,
+                    validation: f.validation,
+                }));
+                return ok({
+                    handle: form.handle,
+                    label: form.label,
+                    fields: publicFields,
+                    successMessage: def.settings.successMessage,
+                    redirectTo: def.settings.redirectTo,
+                    honeypotField: honeypot,
+                });
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+        submit: async (request, rawParams) => {
+            try {
+                const handle = rawParams.handle;
+                if (!handle)
+                    throw new ValidationError('handle required');
+                const form = await forms.findByHandle(handle);
+                if (!form || !form.enabled || !form.definition.settings.enabled) {
+                    throw new NotFoundError('form not found');
+                }
+                const def = form.definition;
+                const honeypot = def.settings.honeypotField ?? '_hp';
+                let body = await request.json().catch(() => ({}));
+                const ip = request.headers.get('cf-connecting-ip')
+                    ?? request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+                    ?? '0.0.0.0';
+                const beforeSubmit = await runFormBeforeSubmitHooks({
+                    request,
+                    form: def,
+                    payload: body,
+                    ip,
+                    headers: request.headers,
+                }, options.env);
+                if (beforeSubmit.action === 'drop') {
+                    return ok({
+                        ok: true,
+                        message: def.settings.successMessage ?? 'Thank you!',
+                    });
+                }
+                body = beforeSubmit.payload;
+                const hp = body[honeypot];
+                if (hp !== undefined && hp !== null && String(hp).length > 0) {
+                    return ok({
+                        ok: true,
+                        message: def.settings.successMessage ?? 'Thank you!',
+                    });
+                }
+                const rate = def.settings.rateLimit ?? { maxPerIp: 10, windowSec: 3600 };
+                const rl = await checkRateLimit(db, handle, hashIp(ip), rate);
+                if (!rl.allowed) {
+                    return new Response(JSON.stringify({
+                        ok: false,
+                        error: { code: 'RATE_LIMIT', message: 'Too many submissions' },
+                    }), {
+                        status: 429,
+                        headers: {
+                            'content-type': 'application/json',
+                            ...(rl.retryAfterSec ? { 'retry-after': String(rl.retryAfterSec) } : {}),
+                        },
+                    });
+                }
+                const { schema, uniqueFields, inputFields } = compileForm(def);
+                const parsed = schema.safeParse(body);
+                if (!parsed.success) {
+                    throw new ValidationError('Invalid submission', { issues: parsed.error.issues });
+                }
+                const payload = parsed.data;
+                const fileRefs = [];
+                for (const field of inputFields) {
+                    if (field.ui.kind !== 'file')
+                        continue;
+                    const mediaId = payload[field.name];
+                    if (typeof mediaId !== 'string')
+                        continue;
+                    const draft = await drafts.findValid(handle, field.name, mediaId);
+                    if (!draft)
+                        throw new ValidationError(`Invalid or expired file for field "${field.name}"`);
+                    fileRefs.push({ field: field.name, mediaId });
+                    await drafts.attachToSubmission(draft.id);
+                }
+                const submission = await submissions.create({
+                    formHandle: handle,
+                    payload,
+                    fileRefs,
+                    meta: {
+                        ip,
+                        ...(request.headers.get('user-agent') ? { userAgent: request.headers.get('user-agent') } : {}),
+                        ...(request.headers.get('referer') ? { referer: request.headers.get('referer') } : {}),
+                    },
+                });
+                try {
+                    await insertUniqueValues(db, handle, submission.id, payload, uniqueFields);
+                }
+                catch (err) {
+                    await submissions.delete(submission.id);
+                    throw err;
+                }
+                await enqueueFormProcess(options.queue, submission.id);
+                await runFormAfterSubmitHooks({
+                    request,
+                    form: def,
+                    payload,
+                    submission,
+                    ip,
+                    headers: request.headers,
+                }, options.env);
+                if (def.settings.redirectTo) {
+                    return ok({ ok: true, redirect: def.settings.redirectTo });
+                }
+                return ok({
+                    ok: true,
+                    message: def.settings.successMessage ?? 'Thank you!',
+                    submissionId: submission.id,
+                });
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+    };
+}

package/dist/server/routes/form-upload.d.ts

@@ -0,0 +1,11 @@
+import type { VulseDb } from '../../core/db.js';
+export interface FormUploadEnv {
+    bucket: R2Bucket;
+}
+export declare function formUploadRoutes(db: VulseDb, mediaEnv: FormUploadEnv): {
+    upload: (request: Request, rawParams: Record<string, string>) => Promise<Response>;
+};
+export declare function purgeExpiredFormUploadDrafts(db: VulseDb, bucket: R2Bucket): Promise<{
+    purged: number;
+}>;
+//# sourceMappingURL=form-upload.d.ts.map

package/dist/server/routes/form-upload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"form-upload.d.ts","sourceRoot":"","sources":["../../../src/server/routes/form-upload.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAc/C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,QAAQ,CAAA;CACjB;AAED,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa;sBAMzC,OAAO,aAAa,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAG,OAAO,CAAC,QAAQ,CAAC;EAsDzF;AAED,wBAAsB,4BAA4B,CAChD,EAAE,EAAE,OAAO,EACX,MAAM,EAAE,QAAQ,GACf,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAgB7B"}

package/dist/server/routes/form-upload.js

@@ -0,0 +1,87 @@
+import { FormsRepo, FormUploadDraftsRepo } from '../../core/repos/forms.js';
+import { MediaRepo } from '../../core/repos/media.js';
+import { NotFoundError, ValidationError } from '../../core/errors.js';
+import { fail, ok } from '../envelope.js';
+import { putToR2 } from '../r2.js';
+const DEFAULT_MAX_BYTES = 10 * 1024 * 1024;
+const BLOCKED_MIME = new Set([
+    'application/x-msdownload',
+    'application/x-executable',
+    'application/vnd.microsoft.portable-executable',
+]);
+export function formUploadRoutes(db, mediaEnv) {
+    const forms = new FormsRepo(db);
+    const drafts = new FormUploadDraftsRepo(db);
+    const media = new MediaRepo(db);
+    return {
+        upload: async (request, rawParams) => {
+            try {
+                const handle = rawParams.handle;
+                if (!handle)
+                    throw new ValidationError('handle required');
+                const form = await forms.findByHandle(handle);
+                if (!form || !form.enabled)
+                    throw new NotFoundError('form not found');
+                const formData = await request.formData();
+                const field = formData.get('field');
+                const fileEntry = formData.get('file');
+                if (typeof field !== 'string' || !field)
+                    throw new ValidationError('field required');
+                if (!fileEntry || typeof fileEntry === 'string')
+                    throw new ValidationError('file required');
+                const file = fileEntry;
+                const fieldDef = form.definition.fields.find((f) => f.name === field);
+                if (!fieldDef || fieldDef.ui.kind !== 'file') {
+                    throw new ValidationError(`Unknown file field "${field}"`);
+                }
+                const maxBytes = fieldDef.ui.maxBytes ?? DEFAULT_MAX_BYTES;
+                if (file.size > maxBytes)
+                    throw new ValidationError(`File too large (max ${maxBytes} bytes)`);
+                if (BLOCKED_MIME.has(file.type))
+                    throw new ValidationError(`File type not allowed: ${file.type}`);
+                if (fieldDef.ui.accept?.length) {
+                    const okMime = fieldDef.ui.accept.some((a) => a.endsWith('/*') ? file.type.startsWith(a.slice(0, -1)) : file.type === a);
+                    if (!okMime)
+                        throw new ValidationError(`File type not allowed: ${file.type}`);
+                }
+                const buf = await file.arrayBuffer();
+                const { key } = await putToR2({ bucket: mediaEnv.bucket }, buf, file.type || 'application/octet-stream');
+                const row = await media.create({
+                    r2Key: key,
+                    mime: file.type || 'application/octet-stream',
+                    size: file.size,
+                    uploadedBy: null,
+                });
+                const ttlHours = form.definition.settings.uploadDraftTtlHours ?? 24;
+                const expiresAt = new Date(Date.now() + ttlHours * 3600_000);
+                const draft = await drafts.create({
+                    formHandle: handle,
+                    fieldName: field,
+                    mediaId: row.id,
+                    expiresAt,
+                });
+                return ok({ mediaId: row.id, draftId: draft.id, expiresAt: expiresAt.toISOString() });
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+    };
+}
+export async function purgeExpiredFormUploadDrafts(db, bucket) {
+    const drafts = new FormUploadDraftsRepo(db);
+    const media = new MediaRepo(db);
+    const { deleteFromR2 } = await import('../r2.js');
+    const expired = await drafts.listExpired(new Date());
+    let purged = 0;
+    for (const draft of expired) {
+        const row = await media.findById(draft.mediaId);
+        if (row) {
+            await deleteFromR2({ bucket }, row.r2Key);
+            await media.hardDelete(row.id);
+        }
+        await drafts.delete(draft.id);
+        purged++;
+    }
+    return { purged };
+}

package/dist/server/routes/forms.d.ts

@@ -0,0 +1,14 @@
+import type { Auth } from '../better-auth.js';
+import type { VulseDb } from '../../core/db.js';
+export declare function formsRoutes(db: VulseDb, auth: Auth): {
+    list: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    create: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    get: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    update: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    delete: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    listSubmissions: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    getSubmission: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    deleteSubmission: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    bulkDeleteSubmissions: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+};
+//# sourceMappingURL=forms.d.ts.map

package/dist/server/routes/forms.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"forms.d.ts","sourceRoot":"","sources":["../../../src/server/routes/forms.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAS/C,wBAAgB,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI;;;;;;;;;;EA4ElD"}

package/dist/server/routes/forms.js

@@ -0,0 +1,78 @@
+import { z } from 'astro/zod';
+import { FormsRepo, SubmissionsRepo } from '../../core/repos/forms.js';
+import { FormDefinitionSchema } from '../../core/forms/definition.js';
+import { NotFoundError } from '../../core/errors.js';
+import { defineHandler } from '../handler.js';
+const paramsHandle = z.object({ handle: z.string() });
+const paramsHandleId = z.object({ handle: z.string(), id: z.string() });
+export function formsRoutes(db, auth) {
+    const forms = new FormsRepo(db);
+    const submissions = new SubmissionsRepo(db);
+    return {
+        list: defineHandler(auth, { requireRole: ['admin', 'editor'] }, async () => forms.list()),
+        create: defineHandler(auth, {
+            body: FormDefinitionSchema,
+            requireRole: ['admin'],
+        }, async ({ body }) => forms.create(body)),
+        get: defineHandler(auth, {
+            params: paramsHandle,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params }) => {
+            const row = await forms.findByHandle(params.handle);
+            if (!row)
+                throw new NotFoundError('form not found');
+            return row;
+        }),
+        update: defineHandler(auth, {
+            params: paramsHandle,
+            body: FormDefinitionSchema,
+            requireRole: ['admin'],
+        }, async ({ params, body }) => forms.update(params.handle, body)),
+        delete: defineHandler(auth, {
+            params: paramsHandle,
+            requireRole: ['admin'],
+        }, async ({ params }) => {
+            await forms.delete(params.handle);
+            return null;
+        }),
+        listSubmissions: defineHandler(auth, {
+            params: paramsHandle,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params, url }) => {
+            const limit = Number(url.searchParams.get('limit') ?? '50');
+            const offset = Number(url.searchParams.get('offset') ?? '0');
+            return submissions.list({
+                formHandle: params.handle,
+                limit: Number.isFinite(limit) ? limit : 50,
+                offset: Number.isFinite(offset) ? offset : 0,
+            });
+        }),
+        getSubmission: defineHandler(auth, {
+            params: paramsHandleId,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params }) => {
+            const row = await submissions.findById(params.id);
+            if (!row || row.formHandle !== params.handle)
+                throw new NotFoundError('submission not found');
+            return row;
+        }),
+        deleteSubmission: defineHandler(auth, {
+            params: paramsHandleId,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params }) => {
+            const row = await submissions.findById(params.id);
+            if (!row || row.formHandle !== params.handle)
+                throw new NotFoundError('submission not found');
+            await submissions.delete(params.id);
+            return null;
+        }),
+        bulkDeleteSubmissions: defineHandler(auth, {
+            params: paramsHandle,
+            body: z.object({ ids: z.array(z.string()).min(1) }),
+            requireRole: ['admin', 'editor'],
+        }, async ({ params, body }) => {
+            const deleted = await submissions.deleteMany(body.ids);
+            return { deleted };
+        }),
+    };
+}

package/dist/server/routes/globals-public.d.ts

@@ -0,0 +1,6 @@
+import type { VulseDb } from '../../core/db.js';
+export declare function globalsPublicRoutes(db: VulseDb): {
+    list: () => Promise<Response>;
+    get: (_request: Request, rawParams: Record<string, string>) => Promise<Response>;
+};
+//# sourceMappingURL=globals-public.d.ts.map

package/dist/server/routes/globals-public.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"globals-public.d.ts","sourceRoot":"","sources":["../../../src/server/routes/globals-public.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAK/C,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,OAAO;gBAI3B,OAAO,CAAC,QAAQ,CAAC;oBAQX,OAAO,aAAa,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAG,OAAO,CAAC,QAAQ,CAAC;EAYvF"}

package/dist/server/routes/globals-public.js

@@ -0,0 +1,30 @@
+import { GlobalsRepo } from '../../core/repos/globals.js';
+import { NotFoundError } from '../../core/errors.js';
+import { fail, ok } from '../envelope.js';
+export function globalsPublicRoutes(db) {
+    const globals = new GlobalsRepo(db);
+    return {
+        list: async () => {
+            try {
+                return ok(await globals.publicValues());
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+        get: async (_request, rawParams) => {
+            try {
+                const handle = rawParams.handle;
+                if (!handle)
+                    throw new NotFoundError('global set not found');
+                const content = await globals.publicValue(handle);
+                if (content === null)
+                    throw new NotFoundError('global set not found');
+                return ok(content);
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+    };
+}

package/dist/server/routes/globals.d.ts

@@ -0,0 +1,11 @@
+import type { Auth } from '../better-auth.js';
+import type { VulseDb } from '../../core/db.js';
+export declare function globalsRoutes(db: VulseDb, auth: Auth): {
+    list: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    get: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    create: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    update: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    updateValue: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    delete: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+};
+//# sourceMappingURL=globals.d.ts.map

package/dist/server/routes/globals.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"globals.d.ts","sourceRoot":"","sources":["../../../src/server/routes/globals.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAQ/C,wBAAgB,aAAa,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI;;;;;;;EAkFpD"}

package/dist/server/routes/globals.js

@@ -0,0 +1,84 @@
+import { z } from 'astro/zod';
+import { GlobalsRepo } from '../../core/repos/globals.js';
+import { GlobalSetDefinitionSchema } from '../../core/globals/definition.js';
+import { NotFoundError } from '../../core/errors.js';
+import { defineHandler } from '../handler.js';
+const paramsHandle = z.object({ handle: z.string() });
+export function globalsRoutes(db, auth) {
+    const globals = new GlobalsRepo(db);
+    return {
+        list: defineHandler(auth, { requireRole: ['admin', 'editor'] }, async () => {
+            const rows = await globals.listSets();
+            return rows.map((row) => ({
+                handle: row.handle,
+                label: row.label,
+                fieldCount: row.definition.fields.length,
+                createdAt: row.createdAt,
+                updatedAt: row.updatedAt,
+            }));
+        }),
+        get: defineHandler(auth, {
+            params: paramsHandle,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params }) => {
+            const set = await globals.findSetByHandle(params.handle);
+            if (!set)
+                throw new NotFoundError('global set not found');
+            const value = await globals.getValue(params.handle);
+            return {
+                set: {
+                    handle: set.handle,
+                    label: set.label,
+                    fields: set.definition.fields,
+                    createdAt: set.createdAt,
+                    updatedAt: set.updatedAt,
+                },
+                value: value ? {
+                    handle: value.handle,
+                    content: value.content,
+                    createdAt: value.createdAt,
+                    updatedAt: value.updatedAt,
+                } : null,
+            };
+        }),
+        create: defineHandler(auth, {
+            body: GlobalSetDefinitionSchema,
+            requireRole: ['admin'],
+        }, async ({ body }) => {
+            const row = await globals.createSet(body);
+            return {
+                handle: row.handle,
+                label: row.label,
+                fields: row.definition.fields,
+                createdAt: row.createdAt,
+                updatedAt: row.updatedAt,
+            };
+        }),
+        update: defineHandler(auth, {
+            params: paramsHandle,
+            body: GlobalSetDefinitionSchema,
+            requireRole: ['admin'],
+        }, async ({ params, body }) => {
+            const row = await globals.updateSet(params.handle, body);
+            return {
+                handle: row.handle,
+                label: row.label,
+                fields: row.definition.fields,
+                createdAt: row.createdAt,
+                updatedAt: row.updatedAt,
+            };
+        }),
+        updateValue: defineHandler(auth, {
+            params: paramsHandle,
+            body: z.record(z.string(), z.unknown()),
+            requireRole: ['admin'],
+        }, async ({ params, body }) => globals.updateValue(params.handle, body)),
+        delete: defineHandler(auth, {
+            params: paramsHandle,
+            requireRole: ['admin'],
+        }, async ({ params }) => {
+            await globals.deleteSet(params.handle);
+            return null;
+        }),
+    };
+}

package/dist/server/routes/media.d.ts

@@ -0,0 +1,23 @@
+import type { VulseDb } from '../../core/db.js';
+import type { Auth } from '../better-auth.js';
+import { type MediaRow } from '../../core/repos/media.js';
+import { type CfImagesConfig } from '../cf-images.js';
+export interface MediaEnv {
+    bucket: R2Bucket;
+    cfImages: CfImagesConfig;
+}
+export interface MediaItem extends MediaRow {
+    deliveryUrl: string | null;
+    previewUrl: string;
+}
+export declare function mediaRoutes(db: VulseDb, auth: Auth, mediaEnv: MediaEnv): {
+    list: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    upload: (request: Request) => Promise<Response>;
+    updateAlt: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    delete: (request: Request, rawParams?: Record<string, string>) => Promise<Response>;
+    file: (request: Request, rawParams: Record<string, string>) => Promise<Response>;
+    purge: () => Promise<{
+        purged: number;
+    }>;
+};
+//# sourceMappingURL=media.d.ts.map

package/dist/server/routes/media.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"media.d.ts","sourceRoot":"","sources":["../../../src/server/routes/media.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAE7C,OAAO,EAAa,KAAK,QAAQ,EAAE,MAAM,2BAA2B,CAAA;AAIpE,OAAO,EAAoB,KAAK,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAIvE,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,QAAQ,CAAA;IAChB,QAAQ,EAAE,cAAc,CAAA;CACzB;AAED,MAAM,WAAW,SAAU,SAAQ,QAAQ;IACzC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;CACnB;AAcD,wBAAgB,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ;;sBAiC3C,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;;;oBAkD7B,OAAO,aAAa,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAG,OAAO,CAAC,QAAQ,CAAC;iBAkBnE,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;EAS/C"}

package/dist/server/routes/media.js

@@ -0,0 +1,129 @@
+import { z } from 'astro/zod';
+import { MediaRepo } from '../../core/repos/media.js';
+import { defineHandler } from '../handler.js';
+import { putToR2, deleteFromR2 } from '../r2.js';
+import { probeDimensions } from '../image-probe.js';
+import { buildDeliveryUrl } from '../cf-images.js';
+import { AccessDeniedError, NotFoundError, ValidationError } from '../../core/errors.js';
+import { fail, ok } from '../envelope.js';
+const paramsId = z.object({ id: z.string() });
+const ALLOWED_MIME = new Set([
+    'image/jpeg',
+    'image/png',
+    'image/gif',
+    'image/webp',
+    'image/avif',
+    'image/svg+xml',
+]);
+const MAX_UPLOAD_BYTES = 25 * 1024 * 1024; // 25 MB
+export function mediaRoutes(db, auth, mediaEnv) {
+    const repo = new MediaRepo(db);
+    function withUrls(row) {
+        const deliveryUrl = buildDeliveryUrl(mediaEnv.cfImages, row.id);
+        return {
+            ...row,
+            deliveryUrl,
+            previewUrl: deliveryUrl ?? `/api/vulse/media/${row.id}/file`,
+        };
+    }
+    async function requireRole(request, roles) {
+        const session = await auth.api.getSession({ headers: request.headers });
+        const authCtx = session ? {
+            user: {
+                id: session.user.id,
+                email: session.user.email,
+                role: session.user.role ?? 'member',
+            },
+        } : { user: null };
+        if (!authCtx.user)
+            throw new AccessDeniedError('Authentication required');
+        if (!roles.includes(authCtx.user.role)) {
+            throw new AccessDeniedError(`Requires role: ${roles.join(' or ')}`);
+        }
+        return authCtx;
+    }
+    return {
+        list: defineHandler(auth, { requireRole: ['admin', 'editor'] }, async () => {
+            return (await repo.list({})).map(withUrls);
+        }),
+        upload: async (request) => {
+            try {
+                const authCtx = await requireRole(request, ['admin', 'editor']);
+                const form = await request.formData();
+                const entry = form.get('file');
+                if (!entry || typeof entry === 'string')
+                    throw new ValidationError('file required');
+                const file = entry;
+                if (!ALLOWED_MIME.has(file.type)) {
+                    throw new ValidationError(`Unsupported file type: ${file.type || 'unknown'}`);
+                }
+                if (file.size > MAX_UPLOAD_BYTES) {
+                    throw new ValidationError(`File too large (max ${MAX_UPLOAD_BYTES} bytes)`);
+                }
+                const buf = await file.arrayBuffer();
+                if (buf.byteLength > MAX_UPLOAD_BYTES) {
+                    throw new ValidationError(`File too large (max ${MAX_UPLOAD_BYTES} bytes)`);
+                }
+                const dims = probeDimensions(buf, file.type);
+                const { key } = await putToR2({ bucket: mediaEnv.bucket }, buf, file.type);
+                const row = await repo.create({
+                    r2Key: key,
+                    mime: file.type,
+                    size: file.size,
+                    ...(dims?.width !== undefined ? { width: dims.width } : {}),
+                    ...(dims?.height !== undefined ? { height: dims.height } : {}),
+                    uploadedBy: authCtx.user.id,
+                });
+                return ok(withUrls(row));
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+        updateAlt: defineHandler(auth, {
+            params: paramsId,
+            body: z.object({ alt: z.string() }),
+            requireRole: ['admin', 'editor'],
+        }, async ({ params, body }) => {
+            await repo.updateAlt(params.id, body.alt);
+            return { ok: true };
+        }),
+        delete: defineHandler(auth, {
+            params: paramsId,
+            requireRole: ['admin', 'editor'],
+        }, async ({ params }) => {
+            await repo.softDelete(params.id);
+            return { ok: true };
+        }),
+        file: async (request, rawParams) => {
+            try {
+                await requireRole(request, ['admin', 'editor']);
+                const id = rawParams.id;
+                if (!id)
+                    throw new ValidationError('id required');
+                const row = await repo.findById(id);
+                if (!row || row.deletedAt)
+                    throw new NotFoundError(`Media ${id} not found`);
+                const obj = await mediaEnv.bucket.get(row.r2Key);
+                if (!obj)
+                    throw new NotFoundError(`Media file ${id} not found`);
+                const headers = new Headers();
+                if (obj.httpMetadata?.contentType)
+                    headers.set('content-type', obj.httpMetadata.contentType);
+                headers.set('cache-control', 'private, max-age=3600');
+                return new Response(obj.body, { headers });
+            }
+            catch (err) {
+                return fail(err);
+            }
+        },
+        purge: async () => {
+            const rows = await repo.listPurgeable(7);
+            for (const r of rows) {
+                await deleteFromR2({ bucket: mediaEnv.bucket }, r.r2Key);
+                await repo.hardDelete(r.id);
+            }
+            return { purged: rows.length };
+        },
+    };
+}