@momentumcms/server-express 0.2.0 → 0.3.0

package/index.js

@@ -1,3 +1,522 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// libs/storage/src/lib/storage.types.ts
+var init_storage_types = __esm({
+  "libs/storage/src/lib/storage.types.ts"() {
+    "use strict";
+  }
+});
+
+// libs/storage/src/lib/storage-local.ts
+import { existsSync, mkdirSync, writeFileSync, unlinkSync, readFileSync, lstatSync } from "node:fs";
+import { join, extname, resolve, normalize } from "node:path";
+import { randomUUID as randomUUID2 } from "node:crypto";
+function localStorageAdapter(options) {
+  const { directory, baseUrl } = options;
+  const resolvedRoot = resolve(directory);
+  if (!existsSync(resolvedRoot)) {
+    mkdirSync(resolvedRoot, { recursive: true });
+  }
+  function safePath(unsafePath) {
+    const normalized = normalize(unsafePath);
+    if (normalized.includes("..")) {
+      throw new Error("Invalid path: directory traversal not allowed");
+    }
+    const full = resolve(resolvedRoot, normalized);
+    if (!full.startsWith(resolvedRoot)) {
+      throw new Error("Invalid path: directory traversal not allowed");
+    }
+    if (existsSync(full) && lstatSync(full).isSymbolicLink()) {
+      throw new Error("Invalid path: symbolic links not allowed");
+    }
+    return full;
+  }
+  return {
+    async upload(file, uploadOptions) {
+      const ext = extname(file.originalName) || getExtensionFromMimeType(file.mimeType);
+      const filename = uploadOptions?.filename ? `${uploadOptions.filename}${ext}` : `${randomUUID2()}${ext}`;
+      const subdir = uploadOptions?.directory ?? "";
+      const targetDir = subdir ? safePath(subdir) : resolvedRoot;
+      if (subdir && !existsSync(targetDir)) {
+        mkdirSync(targetDir, { recursive: true });
+      }
+      const filePath = safePath(subdir ? join(subdir, filename) : filename);
+      const relativePath = subdir ? join(normalize(subdir), filename) : filename;
+      writeFileSync(filePath, file.buffer);
+      const url = baseUrl ? `${baseUrl}/${relativePath}` : `/api/media/file/${relativePath}`;
+      return {
+        path: relativePath,
+        url,
+        filename,
+        mimeType: file.mimeType,
+        size: file.size
+      };
+    },
+    async delete(path) {
+      const filePath = safePath(path);
+      if (existsSync(filePath)) {
+        unlinkSync(filePath);
+        return true;
+      }
+      return false;
+    },
+    getUrl(path) {
+      return baseUrl ? `${baseUrl}/${path}` : `/api/media/file/${path}`;
+    },
+    async exists(path) {
+      const filePath = safePath(path);
+      return existsSync(filePath);
+    },
+    async read(path) {
+      const filePath = safePath(path);
+      if (existsSync(filePath)) {
+        return readFileSync(filePath);
+      }
+      return null;
+    }
+  };
+}
+function getExtensionFromMimeType(mimeType) {
+  const mimeToExt = {
+    "image/jpeg": ".jpg",
+    "image/png": ".png",
+    "image/gif": ".gif",
+    "image/webp": ".webp",
+    "image/svg+xml": ".svg",
+    "application/pdf": ".pdf",
+    "application/json": ".json",
+    "text/plain": ".txt",
+    "text/html": ".html",
+    "text/css": ".css",
+    "application/javascript": ".js",
+    "video/mp4": ".mp4",
+    "video/webm": ".webm",
+    "audio/mpeg": ".mp3",
+    "audio/wav": ".wav",
+    "application/zip": ".zip"
+  };
+  return mimeToExt[mimeType] ?? "";
+}
+var init_storage_local = __esm({
+  "libs/storage/src/lib/storage-local.ts"() {
+    "use strict";
+  }
+});
+
+// libs/storage/src/lib/storage-s3.ts
+import { randomUUID as randomUUID3 } from "node:crypto";
+import { extname as extname2 } from "node:path";
+async function loadAwsSdk() {
+  if (S3Client)
+    return;
+  const s3Module = await import("@aws-sdk/client-s3");
+  const presignerModule = await import("@aws-sdk/s3-request-presigner");
+  S3Client = s3Module.S3Client;
+  PutObjectCommand = s3Module.PutObjectCommand;
+  DeleteObjectCommand = s3Module.DeleteObjectCommand;
+  HeadObjectCommand = s3Module.HeadObjectCommand;
+  GetObjectCommand = s3Module.GetObjectCommand;
+  getSignedUrl = presignerModule.getSignedUrl;
+}
+function s3StorageAdapter(options) {
+  const {
+    bucket,
+    region,
+    accessKeyId,
+    secretAccessKey,
+    endpoint,
+    baseUrl,
+    forcePathStyle = false,
+    acl = "private",
+    presignedUrlExpiry = 3600
+  } = options;
+  let client = null;
+  async function getClient() {
+    await loadAwsSdk();
+    if (!client) {
+      const clientConfig = {
+        region,
+        forcePathStyle
+      };
+      if (endpoint) {
+        clientConfig.endpoint = endpoint;
+      }
+      if (accessKeyId && secretAccessKey) {
+        clientConfig.credentials = {
+          accessKeyId,
+          secretAccessKey
+        };
+      }
+      client = new S3Client(clientConfig);
+    }
+    return client;
+  }
+  function getPublicUrl(key) {
+    if (baseUrl) {
+      return `${baseUrl}/${key}`;
+    }
+    if (endpoint) {
+      return `${endpoint}/${bucket}/${key}`;
+    }
+    return `https://${bucket}.s3.${region}.amazonaws.com/${key}`;
+  }
+  return {
+    async upload(file, uploadOptions) {
+      const s3 = await getClient();
+      const ext = extname2(file.originalName) || getExtensionFromMimeType2(file.mimeType);
+      const filename = uploadOptions?.filename ? `${uploadOptions.filename}${ext}` : `${randomUUID3()}${ext}`;
+      const key = uploadOptions?.directory ? `${uploadOptions.directory}/${filename}` : filename;
+      await s3.send(
+        new PutObjectCommand({
+          Bucket: bucket,
+          Key: key,
+          Body: file.buffer,
+          ContentType: file.mimeType,
+          ACL: acl
+        })
+      );
+      return {
+        path: key,
+        url: acl === "public-read" ? getPublicUrl(key) : `/api/media/file/${key}`,
+        filename,
+        mimeType: file.mimeType,
+        size: file.size
+      };
+    },
+    async delete(path) {
+      const s3 = await getClient();
+      try {
+        await s3.send(
+          new DeleteObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    getUrl(path) {
+      if (acl === "public-read") {
+        return getPublicUrl(path);
+      }
+      return `/api/media/file/${path}`;
+    },
+    async exists(path) {
+      const s3 = await getClient();
+      try {
+        await s3.send(
+          new HeadObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    async getSignedUrl(path, expiresIn) {
+      const s3 = await getClient();
+      await loadAwsSdk();
+      const command = new GetObjectCommand({
+        Bucket: bucket,
+        Key: path
+      });
+      return getSignedUrl(s3, command, {
+        expiresIn: expiresIn ?? presignedUrlExpiry
+      });
+    },
+    async read(path) {
+      const s3 = await getClient();
+      try {
+        const response = await s3.send(
+          new GetObjectCommand({
+            Bucket: bucket,
+            Key: path
+          })
+        );
+        if (!response.Body) {
+          return null;
+        }
+        const chunks = [];
+        const body = response.Body;
+        for await (const chunk of body) {
+          chunks.push(chunk);
+        }
+        return Buffer.concat(chunks);
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+function getExtensionFromMimeType2(mimeType) {
+  const mimeToExt = {
+    "image/jpeg": ".jpg",
+    "image/png": ".png",
+    "image/gif": ".gif",
+    "image/webp": ".webp",
+    "image/svg+xml": ".svg",
+    "application/pdf": ".pdf",
+    "application/json": ".json",
+    "text/plain": ".txt",
+    "text/html": ".html",
+    "text/css": ".css",
+    "application/javascript": ".js",
+    "video/mp4": ".mp4",
+    "video/webm": ".webm",
+    "audio/mpeg": ".mp3",
+    "audio/wav": ".wav",
+    "application/zip": ".zip"
+  };
+  return mimeToExt[mimeType] ?? "";
+}
+var S3Client, PutObjectCommand, DeleteObjectCommand, HeadObjectCommand, GetObjectCommand, getSignedUrl;
+var init_storage_s3 = __esm({
+  "libs/storage/src/lib/storage-s3.ts"() {
+    "use strict";
+  }
+});
+
+// libs/storage/src/lib/mime-validator.ts
+function detectMimeType(buffer) {
+  for (const sig of FILE_SIGNATURES) {
+    const offset = sig.offset ?? 0;
+    if (buffer.length < offset + sig.bytes.length) {
+      continue;
+    }
+    let match = true;
+    for (let i = 0; i < sig.bytes.length; i++) {
+      if (buffer[offset + i] !== sig.bytes[i]) {
+        match = false;
+        break;
+      }
+    }
+    if (match) {
+      if (sig.bytes[0] === 82 && sig.bytes[1] === 73) {
+        if (buffer.length >= 12) {
+          const formatId = buffer.slice(8, 12).toString("ascii");
+          if (formatId === "WEBP") {
+            return "image/webp";
+          }
+          if (formatId === "WAVE") {
+            return "audio/wav";
+          }
+          if (formatId === "AVI ") {
+            return "video/avi";
+          }
+        }
+      }
+      if (sig.mimeType === "video/mp4" && buffer.length >= 8) {
+        const boxType = buffer.slice(4, 8).toString("ascii");
+        if (boxType === "ftyp") {
+          return "video/mp4";
+        }
+      }
+      return sig.mimeType;
+    }
+  }
+  if (isTextContent(buffer)) {
+    const text2 = buffer.toString("utf8", 0, Math.min(buffer.length, 1e3));
+    if (text2.trim().startsWith("{") || text2.trim().startsWith("[")) {
+      return "application/json";
+    }
+    if (text2.trim().startsWith("<")) {
+      if (text2.includes("<svg")) {
+        return "image/svg+xml";
+      }
+      if (text2.includes("<!DOCTYPE html") || text2.includes("<html")) {
+        return "text/html";
+      }
+      return "application/xml";
+    }
+    return "text/plain";
+  }
+  return null;
+}
+function isTextContent(buffer) {
+  const checkLength = Math.min(buffer.length, 512);
+  for (let i = 0; i < checkLength; i++) {
+    const byte = buffer[i];
+    if (byte < 9 || // Control chars before tab
+    byte > 13 && byte < 32 || // Control chars between CR and space
+    byte === 127) {
+      if (byte >= 128 && byte <= 191) {
+        continue;
+      }
+      if (byte >= 192 && byte <= 247) {
+        continue;
+      }
+      return false;
+    }
+  }
+  return true;
+}
+function mimeTypeMatches(mimeType, pattern) {
+  if (pattern === "*" || pattern === "*/*") {
+    return true;
+  }
+  if (pattern.endsWith("/*")) {
+    const category = pattern.slice(0, -2);
+    return mimeType.startsWith(`${category}/`);
+  }
+  return mimeType === pattern;
+}
+function isMimeTypeAllowed(mimeType, allowedTypes) {
+  if (allowedTypes.length === 0) {
+    return true;
+  }
+  return allowedTypes.some((pattern) => mimeTypeMatches(mimeType, pattern));
+}
+function validateMimeType(buffer, claimedType, allowedTypes) {
+  const detectedType = detectMimeType(buffer);
+  if (allowedTypes && allowedTypes.length > 0) {
+    const typeToCheck = detectedType ?? claimedType;
+    if (!isMimeTypeAllowed(typeToCheck, allowedTypes)) {
+      return {
+        valid: false,
+        detectedType,
+        claimedType,
+        error: `File type '${typeToCheck}' is not allowed. Allowed types: ${allowedTypes.join(", ")}`
+      };
+    }
+  }
+  if (!detectedType) {
+    return {
+      valid: true,
+      detectedType: null,
+      claimedType
+    };
+  }
+  const compatible = areMimeTypesCompatible(detectedType, claimedType);
+  if (!compatible) {
+    return {
+      valid: false,
+      detectedType,
+      claimedType,
+      error: `File appears to be '${detectedType}' but was uploaded as '${claimedType}'`
+    };
+  }
+  return {
+    valid: true,
+    detectedType,
+    claimedType
+  };
+}
+function areMimeTypesCompatible(detected, claimed) {
+  if (detected === claimed) {
+    return true;
+  }
+  const [detectedCategory] = detected.split("/");
+  const [claimedCategory] = claimed.split("/");
+  if (detectedCategory !== claimedCategory) {
+    return false;
+  }
+  const variations = {
+    "image/jpeg": ["image/jpg", "image/pjpeg"],
+    "text/plain": ["text/x-plain"],
+    "application/json": ["text/json"],
+    "application/javascript": ["text/javascript", "application/x-javascript"]
+  };
+  const allowedVariations = variations[detected];
+  if (allowedVariations && allowedVariations.includes(claimed)) {
+    return true;
+  }
+  for (const [canonical, variants] of Object.entries(variations)) {
+    if (variants.includes(detected) && (canonical === claimed || variants.includes(claimed))) {
+      return true;
+    }
+  }
+  return false;
+}
+var FILE_SIGNATURES;
+var init_mime_validator = __esm({
+  "libs/storage/src/lib/mime-validator.ts"() {
+    "use strict";
+    FILE_SIGNATURES = [
+      // Images
+      { mimeType: "image/jpeg", bytes: [255, 216, 255] },
+      { mimeType: "image/png", bytes: [137, 80, 78, 71, 13, 10, 26, 10] },
+      { mimeType: "image/gif", bytes: [71, 73, 70, 56] },
+      // GIF8
+      { mimeType: "image/webp", bytes: [82, 73, 70, 70], offset: 0 },
+      // RIFF (need to check for WEBP at offset 8)
+      { mimeType: "image/bmp", bytes: [66, 77] },
+      // BM
+      { mimeType: "image/tiff", bytes: [73, 73, 42, 0] },
+      // Little-endian TIFF
+      { mimeType: "image/tiff", bytes: [77, 77, 0, 42] },
+      // Big-endian TIFF
+      { mimeType: "image/x-icon", bytes: [0, 0, 1, 0] },
+      // ICO
+      { mimeType: "image/svg+xml", bytes: [60, 115, 118, 103] },
+      // <svg (partial match)
+      // Documents
+      { mimeType: "application/pdf", bytes: [37, 80, 68, 70] },
+      // %PDF
+      // Archives
+      { mimeType: "application/zip", bytes: [80, 75, 3, 4] },
+      // PK
+      { mimeType: "application/gzip", bytes: [31, 139] },
+      { mimeType: "application/x-rar-compressed", bytes: [82, 97, 114, 33] },
+      // Rar!
+      // Audio
+      { mimeType: "audio/mpeg", bytes: [73, 68, 51] },
+      // ID3 (MP3)
+      { mimeType: "audio/mpeg", bytes: [255, 251] },
+      // MP3 frame sync
+      { mimeType: "audio/wav", bytes: [82, 73, 70, 70] },
+      // RIFF (need to check for WAVE)
+      { mimeType: "audio/ogg", bytes: [79, 103, 103, 83] },
+      // OggS
+      { mimeType: "audio/flac", bytes: [102, 76, 97, 67] },
+      // fLaC
+      // Video
+      { mimeType: "video/mp4", bytes: [0, 0, 0], offset: 0 },
+      // Need to check for ftyp at offset 4
+      { mimeType: "video/webm", bytes: [26, 69, 223, 163] },
+      // EBML header
+      { mimeType: "video/avi", bytes: [82, 73, 70, 70] },
+      // RIFF (need to check for AVI)
+      // Executables (for blocking)
+      { mimeType: "application/x-executable", bytes: [127, 69, 76, 70] },
+      // ELF
+      { mimeType: "application/x-msdownload", bytes: [77, 90] }
+      // MZ (Windows EXE)
+    ];
+  }
+});
+
+// libs/storage/src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  detectMimeType: () => detectMimeType,
+  isMimeTypeAllowed: () => isMimeTypeAllowed,
+  localStorageAdapter: () => localStorageAdapter,
+  mimeTypeMatches: () => mimeTypeMatches,
+  s3StorageAdapter: () => s3StorageAdapter,
+  validateMimeType: () => validateMimeType
+});
+var init_src = __esm({
+  "libs/storage/src/index.ts"() {
+    "use strict";
+    init_storage_types();
+    init_storage_local();
+    init_storage_s3();
+    init_mime_validator();
+  }
+});
+
 // libs/server-express/src/lib/server-express.ts
 import { Router, json as jsonParser } from "express";
 import multer from "multer";
@@ -261,6 +780,9 @@ function getSoftDeleteField(config) {
   const sdConfig = config.softDelete;
   return sdConfig.field ?? "deletedAt";
 }
+function isUploadCollection(config) {
+  return config.upload != null;
+}
 
 // libs/core/src/lib/fields/field.types.ts
 var ReferentialIntegrityError = class extends Error {
@@ -478,6 +1000,9 @@ var MediaCollection = defineCollection({
     singular: "Media",
     plural: "Media"
   },
+  upload: {
+    mimeTypes: ["image/*", "application/pdf", "video/*", "audio/*"]
+  },
   admin: {
     useAsTitle: "filename",
     defaultColumns: ["filename", "mimeType", "filesize", "createdAt"]
@@ -498,7 +1023,6 @@ var MediaCollection = defineCollection({
       description: "File size in bytes"
     }),
     text("path", {
-      required: true,
       label: "Storage Path",
       description: "Path/key where the file is stored",
       admin: {
@@ -802,6 +1326,7 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
     }
     const hooks = field.hooks?.[hookType];
     if (hooks && hooks.length > 0) {
+      const fieldExistsInData = field.name in processedData;
       let value = processedData[field.name];
       for (const hook of hooks) {
         const result = await Promise.resolve(
@@ -816,7 +1341,9 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
           value = result;
         }
       }
-      processedData[field.name] = value;
+      if (fieldExistsInData || value !== void 0) {
+        processedData[field.name] = value;
+      }
     }
     if (field.type === "group" && processedData[field.name] && typeof processedData[field.name] === "object" && !Array.isArray(processedData[field.name])) {
       processedData[field.name] = await runFieldHooks(
@@ -2911,7 +3438,7 @@ async function sendWebhook(webhook, payload, attempt = 0) {
     });
     if (!response.ok && attempt < maxRetries) {
       const delay = Math.pow(2, attempt) * 1e3;
-      await new Promise((resolve) => setTimeout(resolve, delay));
+      await new Promise((resolve2) => setTimeout(resolve2, delay));
       return sendWebhook(webhook, payload, attempt + 1);
     }
     if (!response.ok) {
@@ -2922,7 +3449,7 @@ async function sendWebhook(webhook, payload, attempt = 0) {
   } catch (error) {
     if (attempt < maxRetries) {
       const delay = Math.pow(2, attempt) * 1e3;
-      await new Promise((resolve) => setTimeout(resolve, delay));
+      await new Promise((resolve2) => setTimeout(resolve2, delay));
       return sendWebhook(webhook, payload, attempt + 1);
     }
     const message = error instanceof Error ? error.message : "Unknown error";
@@ -3640,210 +4167,8 @@ function createAdapterApiKeyStore(adapter) {
   };
 }
 
-// libs/storage/src/lib/mime-validator.ts
-var FILE_SIGNATURES = [
-  // Images
-  { mimeType: "image/jpeg", bytes: [255, 216, 255] },
-  { mimeType: "image/png", bytes: [137, 80, 78, 71, 13, 10, 26, 10] },
-  { mimeType: "image/gif", bytes: [71, 73, 70, 56] },
-  // GIF8
-  { mimeType: "image/webp", bytes: [82, 73, 70, 70], offset: 0 },
-  // RIFF (need to check for WEBP at offset 8)
-  { mimeType: "image/bmp", bytes: [66, 77] },
-  // BM
-  { mimeType: "image/tiff", bytes: [73, 73, 42, 0] },
-  // Little-endian TIFF
-  { mimeType: "image/tiff", bytes: [77, 77, 0, 42] },
-  // Big-endian TIFF
-  { mimeType: "image/x-icon", bytes: [0, 0, 1, 0] },
-  // ICO
-  { mimeType: "image/svg+xml", bytes: [60, 115, 118, 103] },
-  // <svg (partial match)
-  // Documents
-  { mimeType: "application/pdf", bytes: [37, 80, 68, 70] },
-  // %PDF
-  // Archives
-  { mimeType: "application/zip", bytes: [80, 75, 3, 4] },
-  // PK
-  { mimeType: "application/gzip", bytes: [31, 139] },
-  { mimeType: "application/x-rar-compressed", bytes: [82, 97, 114, 33] },
-  // Rar!
-  // Audio
-  { mimeType: "audio/mpeg", bytes: [73, 68, 51] },
-  // ID3 (MP3)
-  { mimeType: "audio/mpeg", bytes: [255, 251] },
-  // MP3 frame sync
-  { mimeType: "audio/wav", bytes: [82, 73, 70, 70] },
-  // RIFF (need to check for WAVE)
-  { mimeType: "audio/ogg", bytes: [79, 103, 103, 83] },
-  // OggS
-  { mimeType: "audio/flac", bytes: [102, 76, 97, 67] },
-  // fLaC
-  // Video
-  { mimeType: "video/mp4", bytes: [0, 0, 0], offset: 0 },
-  // Need to check for ftyp at offset 4
-  { mimeType: "video/webm", bytes: [26, 69, 223, 163] },
-  // EBML header
-  { mimeType: "video/avi", bytes: [82, 73, 70, 70] },
-  // RIFF (need to check for AVI)
-  // Executables (for blocking)
-  { mimeType: "application/x-executable", bytes: [127, 69, 76, 70] },
-  // ELF
-  { mimeType: "application/x-msdownload", bytes: [77, 90] }
-  // MZ (Windows EXE)
-];
-function detectMimeType(buffer) {
-  for (const sig of FILE_SIGNATURES) {
-    const offset = sig.offset ?? 0;
-    if (buffer.length < offset + sig.bytes.length) {
-      continue;
-    }
-    let match = true;
-    for (let i = 0; i < sig.bytes.length; i++) {
-      if (buffer[offset + i] !== sig.bytes[i]) {
-        match = false;
-        break;
-      }
-    }
-    if (match) {
-      if (sig.bytes[0] === 82 && sig.bytes[1] === 73) {
-        if (buffer.length >= 12) {
-          const formatId = buffer.slice(8, 12).toString("ascii");
-          if (formatId === "WEBP") {
-            return "image/webp";
-          }
-          if (formatId === "WAVE") {
-            return "audio/wav";
-          }
-          if (formatId === "AVI ") {
-            return "video/avi";
-          }
-        }
-      }
-      if (sig.mimeType === "video/mp4" && buffer.length >= 8) {
-        const boxType = buffer.slice(4, 8).toString("ascii");
-        if (boxType === "ftyp") {
-          return "video/mp4";
-        }
-      }
-      return sig.mimeType;
-    }
-  }
-  if (isTextContent(buffer)) {
-    const text2 = buffer.toString("utf8", 0, Math.min(buffer.length, 1e3));
-    if (text2.trim().startsWith("{") || text2.trim().startsWith("[")) {
-      return "application/json";
-    }
-    if (text2.trim().startsWith("<")) {
-      if (text2.includes("<svg")) {
-        return "image/svg+xml";
-      }
-      if (text2.includes("<!DOCTYPE html") || text2.includes("<html")) {
-        return "text/html";
-      }
-      return "application/xml";
-    }
-    return "text/plain";
-  }
-  return null;
-}
-function isTextContent(buffer) {
-  const checkLength = Math.min(buffer.length, 512);
-  for (let i = 0; i < checkLength; i++) {
-    const byte = buffer[i];
-    if (byte < 9 || // Control chars before tab
-    byte > 13 && byte < 32 || // Control chars between CR and space
-    byte === 127) {
-      if (byte >= 128 && byte <= 191) {
-        continue;
-      }
-      if (byte >= 192 && byte <= 247) {
-        continue;
-      }
-      return false;
-    }
-  }
-  return true;
-}
-function mimeTypeMatches(mimeType, pattern) {
-  if (pattern === "*" || pattern === "*/*") {
-    return true;
-  }
-  if (pattern.endsWith("/*")) {
-    const category = pattern.slice(0, -2);
-    return mimeType.startsWith(`${category}/`);
-  }
-  return mimeType === pattern;
-}
-function isMimeTypeAllowed(mimeType, allowedTypes) {
-  if (allowedTypes.length === 0) {
-    return true;
-  }
-  return allowedTypes.some((pattern) => mimeTypeMatches(mimeType, pattern));
-}
-function validateMimeType(buffer, claimedType, allowedTypes) {
-  const detectedType = detectMimeType(buffer);
-  if (allowedTypes && allowedTypes.length > 0) {
-    const typeToCheck = detectedType ?? claimedType;
-    if (!isMimeTypeAllowed(typeToCheck, allowedTypes)) {
-      return {
-        valid: false,
-        detectedType,
-        claimedType,
-        error: `File type '${typeToCheck}' is not allowed. Allowed types: ${allowedTypes.join(", ")}`
-      };
-    }
-  }
-  if (!detectedType) {
-    return {
-      valid: true,
-      detectedType: null,
-      claimedType
-    };
-  }
-  const compatible = areMimeTypesCompatible(detectedType, claimedType);
-  if (!compatible) {
-    return {
-      valid: false,
-      detectedType,
-      claimedType,
-      error: `File appears to be '${detectedType}' but was uploaded as '${claimedType}'`
-    };
-  }
-  return {
-    valid: true,
-    detectedType,
-    claimedType
-  };
-}
-function areMimeTypesCompatible(detected, claimed) {
-  if (detected === claimed) {
-    return true;
-  }
-  const [detectedCategory] = detected.split("/");
-  const [claimedCategory] = claimed.split("/");
-  if (detectedCategory !== claimedCategory) {
-    return false;
-  }
-  const variations = {
-    "image/jpeg": ["image/jpg", "image/pjpeg"],
-    "text/plain": ["text/x-plain"],
-    "application/json": ["text/json"],
-    "application/javascript": ["text/javascript", "application/x-javascript"]
-  };
-  const allowedVariations = variations[detected];
-  if (allowedVariations && allowedVariations.includes(claimed)) {
-    return true;
-  }
-  for (const [canonical, variants] of Object.entries(variations)) {
-    if (variants.includes(detected) && (canonical === claimed || variants.includes(claimed))) {
-      return true;
-    }
-  }
-  return false;
-}
-
 // libs/server-core/src/lib/upload-handler.ts
+init_src();
 function getUploadConfig(config) {
   if (!config.storage?.adapter) {
     return null;
@@ -3958,6 +4283,64 @@ async function handleUpload(config, request) {
     };
   }
 }
+async function handleCollectionUpload(globalConfig, request) {
+  const { adapter } = globalConfig;
+  const { file, user, fields, collectionSlug, collectionUpload } = request;
+  const maxFileSize = collectionUpload.maxFileSize ?? globalConfig.maxFileSize ?? 10 * 1024 * 1024;
+  const allowedMimeTypes = collectionUpload.mimeTypes ?? globalConfig.allowedMimeTypes ?? [];
+  try {
+    if (!user) {
+      return {
+        status: 401,
+        error: "Authentication required to upload files"
+      };
+    }
+    const sizeError = validateFileSize(file, maxFileSize);
+    if (sizeError) {
+      return { status: 400, error: sizeError };
+    }
+    const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+    if (mimeError) {
+      return { status: 400, error: mimeError };
+    }
+    if (file.buffer && file.buffer.length > 0) {
+      const magicByteResult = validateMimeType(
+        file.buffer,
+        file.mimeType,
+        allowedMimeTypes
+      );
+      if (!magicByteResult.valid) {
+        return {
+          status: 400,
+          error: magicByteResult.error ?? "File content does not match claimed type"
+        };
+      }
+    }
+    const storedFile = await adapter.upload(file);
+    const docData = {
+      ...fields,
+      filename: file.originalName,
+      mimeType: file.mimeType,
+      filesize: file.size,
+      path: storedFile.path,
+      url: storedFile.url
+    };
+    const api = getMomentumAPI().setContext({ user });
+    const doc = await api.collection(collectionSlug).create(docData);
+    return {
+      status: 201,
+      doc
+    };
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message.includes("Access denied")) {
+        return { status: 403, error: error.message };
+      }
+      return { status: 500, error: `Upload failed: ${error.message}` };
+    }
+    return { status: 500, error: "Upload failed: Unknown error" };
+  }
+}
 async function handleFileGet(adapter, path) {
   if (!adapter.read) {
     return null;
@@ -5508,6 +5891,51 @@ function momentumApiMiddleware(config) {
       // Default 10MB
     }
   });
+  const uploadCollectionSlugs = new Set(
+    config.collections.filter((c) => isUploadCollection(c)).map((c) => c.slug)
+  );
+  async function handleUploadCollectionPost(req, res) {
+    const slug2 = req.params["collection"];
+    const collectionConfig = config.collections.find((c) => c.slug === slug2);
+    if (!collectionConfig?.upload) {
+      res.status(400).json({ error: "Not an upload collection" });
+      return;
+    }
+    const uploadConfig = getUploadConfig(config);
+    if (!uploadConfig) {
+      res.status(500).json({ error: "Storage not configured" });
+      return;
+    }
+    const multerFile = req.file;
+    if (!multerFile) {
+      res.status(400).json({ error: "No file provided" });
+      return;
+    }
+    const file = {
+      originalName: multerFile.originalname,
+      mimeType: multerFile.mimetype,
+      size: multerFile.size,
+      buffer: multerFile.buffer
+    };
+    const fields = {};
+    if (typeof req.body === "object" && req.body !== null) {
+      for (const [key, value] of Object.entries(
+        req.body
+      )) {
+        if (key !== "file") {
+          fields[key] = value;
+        }
+      }
+    }
+    const response = await handleCollectionUpload(uploadConfig, {
+      file,
+      user: extractUserFromRequest(req),
+      fields,
+      collectionSlug: slug2,
+      collectionUpload: collectionConfig.upload
+    });
+    res.status(response.status).json(response);
+  }
   router.post(
     "/media/upload",
     (req, res, next) => {
@@ -5557,7 +5985,7 @@ function momentumApiMiddleware(config) {
       res.status(400).json({ error: "File path required" });
       return;
     }
-    const { normalize, isAbsolute, resolve, sep } = await import("node:path");
+    const { normalize: normalize2, isAbsolute, resolve: resolve2, sep } = await import("node:path");
     let decodedPath;
     try {
       decodedPath = decodeURIComponent(rawPath);
@@ -5565,13 +5993,13 @@ function momentumApiMiddleware(config) {
       res.status(400).json({ error: "Invalid path encoding" });
       return;
     }
-    const filePath = normalize(decodedPath).replace(/^(\.\.(\/|\\|$))+/, "");
+    const filePath = normalize2(decodedPath);
     if (isAbsolute(filePath) || filePath.includes("..") || filePath.includes(`${sep}..`)) {
       res.status(403).json({ error: "Invalid file path" });
       return;
     }
-    const fakeRoot = resolve("/safe-root");
-    const resolved = resolve(fakeRoot, filePath);
+    const fakeRoot = resolve2("/safe-root");
+    const resolved = resolve2(fakeRoot, filePath);
     if (!resolved.startsWith(fakeRoot + sep) && resolved !== fakeRoot) {
       res.status(403).json({ error: "Invalid file path" });
       return;
@@ -5891,6 +6319,28 @@ function momentumApiMiddleware(config) {
     const response = await handlers.routeRequest(request);
     res.status(response.status ?? 200).json(response);
   });
+  router.post("/:collection", (req, res, next) => {
+    const slug2 = req.params["collection"];
+    if (uploadCollectionSlugs.has(slug2)) {
+      const user = extractUserFromRequest(req);
+      if (!user) {
+        res.status(401).json({ error: "Authentication required to upload files" });
+        return;
+      }
+      upload2.single("file")(req, res, (err) => {
+        if (err) {
+          res.status(400).json({ error: err.message });
+          return;
+        }
+        handleUploadCollectionPost(req, res).catch((e) => {
+          const message = sanitizeErrorMessage(e, "Upload failed");
+          res.status(500).json({ error: message });
+        });
+      });
+    } else {
+      next();
+    }
+  });
   router.post("/:collection", async (req, res) => {
     if (isManagedCollection(req.params["collection"])) {
       res.status(403).json({ error: "Managed collection is read-only" });
@@ -5905,6 +6355,111 @@ function momentumApiMiddleware(config) {
     const response = await handlers.routeRequest(request);
     res.status(response.status ?? 200).json(response);
   });
+  router.patch("/:collection/:id", (req, res, next) => {
+    const slug2 = req.params["collection"];
+    if (uploadCollectionSlugs.has(slug2)) {
+      const user = extractUserFromRequest(req);
+      if (!user) {
+        res.status(401).json({ error: "Authentication required to upload files" });
+        return;
+      }
+      upload2.single("file")(req, res, async (err) => {
+        if (err) {
+          res.status(400).json({ error: err.message });
+          return;
+        }
+        if (req.file) {
+          const collectionConfig = config.collections.find((c) => c.slug === slug2);
+          if (!collectionConfig?.upload) {
+            res.status(400).json({ error: "Not an upload collection" });
+            return;
+          }
+          const uploadConfig = getUploadConfig(config);
+          if (!uploadConfig) {
+            res.status(500).json({ error: "Storage not configured" });
+            return;
+          }
+          const file = {
+            originalName: req.file.originalname,
+            mimeType: req.file.mimetype,
+            size: req.file.size,
+            buffer: req.file.buffer
+          };
+          const fields = {};
+          if (typeof req.body === "object" && req.body !== null) {
+            for (const [key, value] of Object.entries(
+              req.body
+            )) {
+              if (key !== "file") {
+                fields[key] = value;
+              }
+            }
+          }
+          try {
+            const { validateMimeType: validateMimeByMagicBytes } = await Promise.resolve().then(() => (init_src(), src_exports));
+            const maxFileSize = collectionConfig.upload.maxFileSize ?? uploadConfig.maxFileSize ?? 10 * 1024 * 1024;
+            const allowedMimeTypes = collectionConfig.upload.mimeTypes ?? uploadConfig.allowedMimeTypes ?? [];
+            if (file.size > maxFileSize) {
+              const maxMB = (maxFileSize / (1024 * 1024)).toFixed(1);
+              const fileMB = (file.size / (1024 * 1024)).toFixed(1);
+              res.status(400).json({
+                error: `File size ${fileMB}MB exceeds maximum allowed size of ${maxMB}MB`
+              });
+              return;
+            }
+            const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+            if (mimeError) {
+              res.status(400).json({ error: mimeError });
+              return;
+            }
+            if (file.buffer && file.buffer.length > 0) {
+              const magicByteResult = validateMimeByMagicBytes(
+                file.buffer,
+                file.mimeType,
+                allowedMimeTypes
+              );
+              if (!magicByteResult.valid) {
+                res.status(400).json({
+                  error: magicByteResult.error ?? "File content does not match claimed type"
+                });
+                return;
+              }
+            }
+            const storedFile = await uploadConfig.adapter.upload(file);
+            const updateData = {
+              ...fields,
+              filename: file.originalName,
+              mimeType: file.mimeType,
+              filesize: file.size,
+              path: storedFile.path,
+              url: storedFile.url
+            };
+            const api = getMomentumAPI();
+            const contextApi = api.setContext({ user });
+            const doc = await contextApi.collection(slug2).update(req.params["id"], updateData);
+            res.json({ doc });
+          } catch (error) {
+            const message = sanitizeErrorMessage(error, "Upload update failed");
+            res.status(500).json({ error: message });
+          }
+        } else {
+          const body = typeof req.body === "object" && req.body !== null ? req.body : {};
+          const request = {
+            method: "PATCH",
+            collectionSlug: slug2,
+            id: req.params["id"],
+            body,
+            user
+            // already extracted and validated before multer
+          };
+          const response = await handlers.routeRequest(request);
+          res.status(response.status ?? 200).json(response);
+        }
+      });
+    } else {
+      next();
+    }
+  });
   router.patch("/:collection/:id", async (req, res) => {
     if (isManagedCollection(req.params["collection"])) {
       res.status(403).json({ error: "Managed collection is read-only" });