@gilhrpenner/convex-files-control 0.1.1 → 0.2.0

package/src/__tests__/download-core.test.ts

@@ -0,0 +1,70 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const findFileByStorageIdMock = vi.fn();
+
+vi.mock("../component/lib.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../component/lib.js")>();
+  return {
+    ...actual,
+    findFileByStorageId: findFileByStorageIdMock,
+  };
+});
+
+function getHandler(fn: unknown) {
+  return (fn as { _handler: (...args: any[]) => any })._handler;
+}
+
+function makeCtx(grantOverrides: Record<string, unknown> = {}) {
+  return {
+    db: {
+      get: vi.fn(async () => ({
+        _id: "grant",
+        storageId: "storage",
+        maxUses: null,
+        useCount: 0,
+        shareableLink: true,
+        ...grantOverrides,
+      })),
+      delete: vi.fn(async () => undefined),
+    },
+  } as any;
+}
+
+describe("consumeDownloadGrantForUrl shareable link edge cases", () => {
+  beforeEach(() => {
+    findFileByStorageIdMock.mockReset();
+  });
+
+  test("deletes grant when shareable link file is missing", async () => {
+    const { consumeDownloadGrantForUrl } = await import("../component/download.js");
+    const ctx = makeCtx();
+    findFileByStorageIdMock.mockResolvedValueOnce(null);
+
+    const result = await getHandler(consumeDownloadGrantForUrl)(ctx, {
+      downloadToken: "grant",
+    });
+
+    expect(result).toEqual({ status: "file_missing" });
+    expect(ctx.db.delete).toHaveBeenCalledWith("grant");
+  });
+
+  test("handles missing file after initial shareable check", async () => {
+    const { consumeDownloadGrantForUrl } = await import("../component/download.js");
+    const ctx = makeCtx();
+    let calls = 0;
+    const thenable = {
+      then: (resolve: (value: any) => void) => {
+        calls += 1;
+        resolve(calls === 1 ? { storageProvider: "convex" } : null);
+      },
+    };
+    findFileByStorageIdMock.mockReturnValueOnce(thenable as any);
+
+    const result = await getHandler(consumeDownloadGrantForUrl)(ctx, {
+      downloadToken: "grant",
+    });
+
+    expect(result).toEqual({ status: "file_missing" });
+    expect(ctx.db.delete).toHaveBeenCalledWith("grant");
+  });
+});

package/src/__tests__/entrypoints.test.ts

@@ -0,0 +1,13 @@
+import { describe, expect, test } from "vitest";
+
+describe("entrypoint modules", () => {
+  test("shared entrypoint and schema load from source", async () => {
+    const shared = await import(new URL("../shared.ts", import.meta.url).href);
+    expect(shared.DEFAULT_PATH_PREFIX).toBe("/files");
+
+    const schemaModule = await import(
+      new URL("../component/schema.ts", import.meta.url).href
+    );
+    expect(schemaModule.default).toBeTruthy();
+  });
+});

package/src/__tests__/http.test.ts

@@ -0,0 +1,34 @@
+import { describe, expect, test } from "vitest";
+import { corsHeaders, parseJsonStringArray } from "../client/http.js";
+
+describe("http helpers", () => {
+  test("corsHeaders sets credentials for specific origins", () => {
+    const headers = corsHeaders("https://example.com");
+    expect(headers.get("Access-Control-Allow-Origin")).toBe("https://example.com");
+    expect(headers.get("Access-Control-Allow-Credentials")).toBe("true");
+  });
+
+  test("corsHeaders includes extra allow headers", () => {
+    const headers = corsHeaders(undefined, ["X-Extra"]);
+    expect(headers.get("Access-Control-Allow-Headers")).toContain("X-Extra");
+  });
+
+  test("corsHeaders trims and deduplicates allow headers", () => {
+    const headers = corsHeaders(undefined, ["", " Authorization ", "authorization"]);
+    const allow = headers.get("Access-Control-Allow-Headers") ?? "";
+    const matches = allow.split(", ").filter((value) => value === "Authorization");
+    expect(matches).toHaveLength(1);
+  });
+
+  test("parseJsonStringArray returns string arrays", () => {
+    expect(parseJsonStringArray('["a","b"]')).toEqual(["a", "b"]);
+  });
+
+  test("parseJsonStringArray rejects non-string arrays", () => {
+    expect(parseJsonStringArray('["a", 1]')).toBeNull();
+  });
+
+  test("parseJsonStringArray returns null for invalid JSON", () => {
+    expect(parseJsonStringArray("not-json")).toBeNull();
+  });
+});

package/src/__tests__/react.test.ts

@@ -48,7 +48,6 @@ describe("useUploadFile", () => {
     const file = new File(["data"], "file.txt", { type: "text/plain" });
     const result = await uploadViaPresignedUrl({
       file,
-      accessKeys: ["a"],
       expiresAt: 123,
     });
 
@@ -57,8 +56,8 @@ describe("useUploadFile", () => {
     expect(finalizeUpload).toHaveBeenCalledWith({
       uploadToken,
       storageId: "storage",
-      accessKeys: ["a"],
       expiresAt: 123,
+      fileName: "file.txt",
     });
     expect(fetchMock).toHaveBeenCalledWith(
       uploadUrl,
@@ -94,7 +93,6 @@ describe("useUploadFile", () => {
     const file = new File(["data"], "file.bin");
     const result = await uploadViaPresignedUrl({
       file,
-      accessKeys: ["a"],
       provider: "r2",
     });
 
@@ -129,7 +127,6 @@ describe("useUploadFile", () => {
     await expect(
       uploadViaPresignedUrl({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
       }),
     ).rejects.toThrow("Upload failed: bad");
 
@@ -146,7 +143,6 @@ describe("useUploadFile", () => {
     await expect(
       uploadViaPresignedUrl({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
       }),
     ).rejects.toThrow("Upload did not return a storageId.");
   });
@@ -162,14 +158,12 @@ describe("useUploadFile", () => {
     await expect(
       uploadViaHttpAction({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
       }),
     ).rejects.toThrow("Missing HTTP upload URL");
 
     await expect(
       uploadViaHttpAction({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
         http: {},
       }),
     ).rejects.toThrow("Missing HTTP upload URL");
@@ -182,7 +176,6 @@ describe("useUploadFile", () => {
     await expect(
       uploadViaHttpAction({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
         http: { uploadUrl: "https://upload.example.com" },
       }),
     ).rejects.toThrow("Bad request");
@@ -195,7 +188,6 @@ describe("useUploadFile", () => {
     await expect(
       uploadViaHttpAction({
         file: new File(["data"], "file.txt"),
-        accessKeys: ["a"],
         http: { uploadUrl: "https://upload.example.com" },
       }),
     ).rejects.toThrow("HTTP upload failed.");
@@ -219,18 +211,24 @@ describe("useUploadFile", () => {
     const fetchMock = vi.fn(async (_url: string, init?: any) => {
       expect(init?.body).toBeInstanceOf(FormData);
       const form = init?.body as FormData;
-      expect(form.get(uploadFormFields.accessKeys)).toBe("[\"a\"]");
+      // Note: accessKeys is NOT in form - it's added server-side via checkUploadRequest hook
       expect(form.get(uploadFormFields.provider)).toBe("convex");
       expect(form.get(uploadFormFields.expiresAt)).toBe("null");
+      expect(init?.headers).toEqual({
+        Authorization: "Bearer token",
+      });
       return new Response(JSON.stringify(responsePayload), { status: 200 });
     });
     vi.stubGlobal("fetch", fetchMock);
 
     const result = await uploadViaHttpAction({
       file: new File(["data"], "file.txt"),
-      accessKeys: ["a"],
       expiresAt: null,
-      http: { baseUrl: "https://example.com", pathPrefix: "/files" },
+      http: {
+        baseUrl: "https://example.com",
+        pathPrefix: "/files",
+        authToken: "token",
+      },
     });
 
     expect(fetchMock).toHaveBeenCalledWith(
@@ -265,7 +263,6 @@ describe("useUploadFile", () => {
 
     await uploadViaHttpAction({
       file: new File(["data"], "file.txt"),
-      accessKeys: ["a"],
       expiresAt: 123,
       http: { baseUrl: "https://example.com" },
     });
@@ -310,14 +307,12 @@ describe("useUploadFile", () => {
 
     await uploadFile({
       file: new File(["data"], "file.txt"),
-      accessKeys: ["a"],
     });
 
     expect(fetchMock).toHaveBeenCalled();
 
     await uploadFile({
       file: new File(["data"], "file.txt"),
-      accessKeys: ["a"],
       method: "presigned",
     });
 
@@ -355,7 +350,6 @@ describe("useUploadFile", () => {
 
     await uploadFile({
       file: new File(["data"], "file.txt"),
-      accessKeys: ["a"],
     });
 
     expect(generateUploadUrl).toHaveBeenCalled();

package/src/__tests__/shared.test.ts

@@ -66,9 +66,4 @@ describe("test helpers", () => {
     expect(testHelpers.modules).toBeTypeOf("object");
   });
 
-  test("shared exports are available", () => {
-    expect(shared.DEFAULT_PATH_PREFIX).toBe("/files");
-    expect(__ignore).toBe(true);
-  });
-
 });

package/src/__tests__/transfer.test.ts

@@ -198,6 +198,48 @@ describe("transferFile", () => {
     expect(ctx.runMutation).toHaveBeenCalled();
   });
 
+  test("transferFile uses r2 download url for r2 sources", async () => {
+    const getUrl = vi.fn();
+    const ctx = {
+      runQuery: vi.fn(async () => ({
+        _id: "file",
+        storageId: "storage",
+        storageProvider: "r2",
+      })),
+      runMutation: vi.fn(async () => ({
+        storageId: "new-storage",
+        storageProvider: "convex",
+      })),
+      storage: {
+        getUrl,
+        store: vi.fn(async () => "new-storage"),
+      },
+    } as any;
+
+    const downloadSpy = vi
+      .spyOn(r2, "getR2DownloadUrl")
+      .mockResolvedValue("https://r2-download.example.com");
+
+    vi.stubGlobal(
+      "fetch",
+      vi.fn(async () =>
+        new Response("data", {
+          status: 200,
+          headers: { "Content-Type": "text/plain" },
+        }),
+      ),
+    );
+
+    await getHandler(transferFile)(ctx, {
+      storageId: "storage",
+      targetProvider: "convex",
+      r2Config,
+    });
+
+    expect(downloadSpy).toHaveBeenCalledWith(r2Config, "storage");
+    expect(getUrl).not.toHaveBeenCalled();
+  });
+
   test("transfers convex source to r2 target", async () => {
     const send = vi.fn(async () => ({}));
     vi.spyOn(r2, "createR2Client").mockReturnValue({ send } as any);
@@ -241,6 +283,26 @@ describe("transferFile", () => {
     expect(send.mock.calls[0]?.[0]).toBeInstanceOf(PutObjectCommand);
   });
 
+  test("throws when source provider is unrecognized", async () => {
+    const ctx = {
+      runQuery: vi.fn(async () => ({
+        _id: "file",
+        storageId: "storage",
+        storageProvider: "unknown",
+      })),
+      storage: {
+        getUrl: vi.fn(),
+      },
+    } as any;
+
+    await expect(
+      getHandler(transferFile)(ctx, {
+        storageId: "storage",
+        targetProvider: "convex",
+      }),
+    ).rejects.toThrow("File not found.");
+  });
+
   test("transfers with needsR2 false uses undefined r2Config", async () => {
     let providerReads = 0;
     const file = {
@@ -372,6 +434,47 @@ describe("commitTransfer", () => {
     expect(ctx.storage.delete).toHaveBeenCalled();
   });
 
+  test("commitTransfer invokes index callbacks for access and grants", async () => {
+    const file = {
+      _id: "file",
+      storageId: "storage",
+      storageProvider: "convex",
+    };
+    const queryObj = {
+      eq: vi.fn(() => queryObj),
+    };
+
+    const ctx = {
+      db: {
+        query: (table: string) => ({
+          withIndex: (_index: string, cb?: (q: typeof queryObj) => void) => {
+            if (cb) {
+              cb(queryObj);
+            }
+            return {
+              first: async () => (table === "files" ? file : null),
+              collect: async () => [],
+            };
+          },
+        }),
+        patch: vi.fn(async () => undefined),
+      },
+      storage: {
+        delete: vi.fn(async () => undefined),
+      },
+    } as any;
+
+    await getHandler(commitTransfer)(ctx, {
+      storageId: "storage",
+      newStorageId: "new",
+      targetProvider: "convex",
+      sourceProvider: "convex",
+    });
+
+    expect(queryObj.eq).toHaveBeenCalledWith("fileId", "file");
+    expect(queryObj.eq).toHaveBeenCalledWith("storageId", "storage");
+  });
+
   test("updates records and deletes r2 storage", async () => {
     const deleteSpy = vi
       .spyOn(r2, "deleteR2Object")

package/src/client/http.ts

@@ -1,24 +1,65 @@
-export function corsHeaders(): Headers {
-  return new Headers({
-    "Access-Control-Allow-Origin": "*",
+const DEFAULT_ALLOW_HEADERS = ["Content-Type", "Authorization"];
+
+function buildAllowHeaders(extra?: string[]): string {
+  const headers: string[] = [];
+  const seen = new Set<string>();
+
+  const addHeader = (value: string) => {
+    const trimmed = value.trim();
+    if (!trimmed) return;
+    const key = trimmed.toLowerCase();
+    if (seen.has(key)) return;
+    seen.add(key);
+    headers.push(trimmed);
+  };
+
+  for (const header of DEFAULT_ALLOW_HEADERS) {
+    addHeader(header);
+  }
+  for (const header of extra ?? []) {
+    addHeader(header);
+  }
+
+  return headers.join(", ");
+}
+
+export function corsHeaders(origin?: string, allowHeaders?: string[]): Headers {
+  const headers = new Headers({
+    "Access-Control-Allow-Origin": origin || "*",
     "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type",
+    "Access-Control-Allow-Headers": buildAllowHeaders(allowHeaders),
   });
+  if (origin) {
+    headers.set("Access-Control-Allow-Credentials", "true");
+  }
+  return headers;
 }
 
-export function corsResponse(): Response {
-  return new Response(null, { status: 204, headers: corsHeaders() });
+export function corsResponse(origin?: string, allowHeaders?: string[]): Response {
+  return new Response(null, {
+    status: 204,
+    headers: corsHeaders(origin, allowHeaders),
+  });
 }
 
-export function jsonSuccess(data: unknown): Response {
-  const headers = corsHeaders();
+export function jsonSuccess(
+  data: unknown,
+  origin?: string,
+  allowHeaders?: string[],
+): Response {
+  const headers = corsHeaders(origin, allowHeaders);
   headers.set("Content-Type", "application/json");
 
   return new Response(JSON.stringify(data), { status: 200, headers });
 }
 
-export function jsonError(message: string, status: number): Response {
-  const headers = corsHeaders();
+export function jsonError(
+  message: string,
+  status: number,
+  origin?: string,
+  allowHeaders?: string[],
+): Response {
+  const headers = corsHeaders(origin, allowHeaders);
   headers.set("Content-Type", "application/json");
 
   return new Response(JSON.stringify({ error: message }), { status, headers });