@muhgholy/next-drive 4.23.8 → 4.23.10

package/dist/{chunk-RBSFEEJJ.js → chunk-XUPDNN2U.js}

@@ -36,6 +36,7 @@ var DriveSchema = new Schema(
     information: { type: informationSchema, required: true },
     status: { type: String, enum: ["READY", "PROCESSING", "UPLOADING", "FAILED"], default: "PROCESSING" },
     trashedAt: { type: Date, default: null },
+    expiresAt: { type: Date, default: null },
     meta: { type: Schema.Types.Mixed, default: {} },
     createdAt: { type: Date, default: Date.now }
   },
@@ -48,6 +49,7 @@ DriveSchema.index({ owner: 1, trashedAt: 1 });
 DriveSchema.index({ owner: 1, "information.hash": 1 });
 DriveSchema.index({ owner: 1, name: "text" });
 DriveSchema.index({ owner: 1, "provider.type": 1 });
+DriveSchema.index({ expiresAt: 1 });
 DriveSchema.method("toClient", async function() {
   const data = this.toJSON();
   return {
@@ -60,6 +62,7 @@ DriveSchema.method("toClient", async function() {
     information: data.information,
     status: data.status,
     trashedAt: data.trashedAt,
+    expiresAt: data.expiresAt,
     meta: data.meta,
     createdAt: data.createdAt
   };
@@ -246,7 +249,8 @@ var getGlobal = () => {
     globalThis[GLOBAL_KEY] = {
       config: null,
       migrationPromise: null,
-      initialized: false
+      initialized: false,
+      abuse: { ipHits: /* @__PURE__ */ new Map(), concurrent: 0 }
     };
   }
   return globalThis[GLOBAL_KEY];
@@ -275,7 +279,8 @@ var driveConfiguration = async (config) => {
         // 10GB default for ROOT
         allowedMimeTypes: config.security?.allowedMimeTypes ?? ["*/*"],
         signedUrls: config.security?.signedUrls,
-        trash: config.security?.trash
+        trash: config.security?.trash,
+        unauthenticated: config.security?.unauthenticated
       }
     };
   } else {
@@ -293,7 +298,8 @@ var driveConfiguration = async (config) => {
         maxUploadSizeInBytes: config.security?.maxUploadSizeInBytes ?? 10 * 1024 * 1024,
         allowedMimeTypes: config.security?.allowedMimeTypes ?? ["*/*"],
         signedUrls: config.security?.signedUrls,
-        trash: config.security?.trash
+        trash: config.security?.trash,
+        unauthenticated: config.security?.unauthenticated
       },
       information: config.information
     };
@@ -1527,7 +1533,8 @@ var uploadChunkSchema = z.object({
   fileName: nameSchema,
   fileSize: z.number().int().min(0).max(Number.MAX_SAFE_INTEGER),
   fileType: z.string().min(1).max(255),
-  folderId: z.string().optional()
+  folderId: z.string().optional(),
+  unauthenticated: z.coerce.boolean().optional()
 }).refine((data) => data.chunkIndex < data.totalChunks, {
   message: "Chunk index must be less than total chunks"
 });
@@ -2121,6 +2128,26 @@ var driveCleanup = async () => {
   }
   return { removed, totalFreedInBytes };
 };
+var driveConfirm = async (id) => {
+  const result = await drive_default.updateOne({ _id: id }, { $set: { expiresAt: null } });
+  return result.matchedCount > 0;
+};
+var drivePurgeExpired = async () => {
+  const expired = await drive_default.find({ expiresAt: { $ne: null, $lt: /* @__PURE__ */ new Date() } });
+  const removed = [];
+  let totalFreedInBytes = 0;
+  for (const drive of expired) {
+    const id = String(drive._id);
+    try {
+      await driveDelete(drive);
+      totalFreedInBytes += drive.information.type === "FILE" ? drive.information.sizeInBytes : 0;
+      removed.push(id);
+    } catch (e) {
+      console.error(`[next-drive] Failed to purge expired file ${id}:`, e);
+    }
+  }
+  return { removed, totalFreedInBytes };
+};
 
 // src/server/actions/shared.ts
 var resolveProvider = async (req, owner) => {
@@ -2235,36 +2262,83 @@ var handleDriveAction = async (ctx) => {
         cleanupTempFiles(files);
         return void res.status(400).json({ status: 400, message: uploadData.error.errors[0].message });
       }
-      const { chunkIndex, totalChunks, driveId, fileName, fileSize: fileSizeInBytes, fileType, folderId } = uploadData.data;
+      const { chunkIndex, totalChunks, driveId, fileName, fileSize: fileSizeInBytes, fileType, folderId, unauthenticated } = uploadData.data;
       let currentUploadId = driveId;
       const tempBaseDir = path.join(os2.tmpdir(), "next-drive-uploads");
       if (!currentUploadId) {
         if (chunkIndex !== 0) return void res.status(400).json({ message: "Could not upload: missing upload session for this chunk" });
-        if (fileType && config.security) {
-          if (!validateMimeType(fileType, config.security.allowedMimeTypes)) {
+        if (unauthenticated) {
+          const unauth = config.security?.unauthenticated;
+          if (!unauth?.enabled) {
             cleanupTempFiles(files);
-            return void res.status(400).json({ status: 400, message: `Could not upload: file type "${fileType}" is not allowed` });
+            return void res.status(403).json({ status: 403, message: "Anonymous uploads are not enabled" });
           }
-        }
-        if (!isRootMode) {
-          const quota = await provider.getQuota(owner, accountId, information.storage.quotaInBytes);
-          if (quota.usedInBytes + fileSizeInBytes > quota.quotaInBytes) {
+          if (fileSizeInBytes > unauth.maxUploadSizeInBytes) {
             cleanupTempFiles(files);
-            return void res.status(413).json({ status: 413, message: "Could not upload: you have run out of storage space" });
+            return void res.status(413).json({ status: 413, message: "Could not upload: file exceeds the maximum allowed size" });
+          }
+          if (fileType && !validateMimeType(fileType, unauth.allowedMimeTypes)) {
+            cleanupTempFiles(files);
+            return void res.status(400).json({ status: 400, message: `Could not upload: file type "${fileType}" is not allowed` });
+          }
+          const abuse = unauth.abuse;
+          if (abuse) {
+            const store = globalThis.__nextDrive.abuse;
+            const now = Date.now();
+            const ip = abuse.clientId?.(req) ?? (abuse.trustedHeaders ?? ["cf-connecting-ip", "x-forwarded-for"]).map((h) => req.headers[h]).find(Boolean)?.split(",")[0].trim() ?? req.socket.remoteAddress ?? "unknown";
+            const hits = (store.ipHits.get(ip) ?? []).filter((t) => now - t < 36e5);
+            const perIp = abuse.perIp;
+            if (perIp && hits.filter((t) => now - t < perIp.windowMinutes * 6e4).length >= perIp.max) {
+              cleanupTempFiles(files);
+              return void res.status(429).json({ status: 429, message: "Too many uploads, please try again later" });
+            }
+            if (abuse.hourlyPerIp && hits.length >= abuse.hourlyPerIp) {
+              cleanupTempFiles(files);
+              return void res.status(429).json({ status: 429, message: "Hourly upload limit reached, please try again later" });
+            }
+            if (abuse.maxConcurrent && store.concurrent >= abuse.maxConcurrent) {
+              cleanupTempFiles(files);
+              return void res.status(429).json({ status: 429, message: "Server is busy with uploads, please try again later" });
+            }
+            if (abuse.maxLiveBytes) {
+              const [agg] = await drive_default.aggregate([{ $match: { expiresAt: { $ne: null } } }, { $group: { _id: null, total: { $sum: "$information.sizeInBytes" } } }]);
+              if ((agg?.total ?? 0) + fileSizeInBytes > abuse.maxLiveBytes) {
+                cleanupTempFiles(files);
+                return void res.status(429).json({ status: 429, message: "Temporary storage is full, please try again later" });
+              }
+            }
+            hits.push(now);
+            store.ipHits.set(ip, hits);
+            store.concurrent++;
+          }
+        } else {
+          if (fileType && config.security) {
+            if (!validateMimeType(fileType, config.security.allowedMimeTypes)) {
+              cleanupTempFiles(files);
+              return void res.status(400).json({ status: 400, message: `Could not upload: file type "${fileType}" is not allowed` });
+            }
+          }
+          if (!isRootMode) {
+            const quota = await provider.getQuota(owner, accountId, information.storage.quotaInBytes);
+            if (quota.usedInBytes + fileSizeInBytes > quota.quotaInBytes) {
+              cleanupTempFiles(files);
+              return void res.status(413).json({ status: 413, message: "Could not upload: you have run out of storage space" });
+            }
           }
         }
         currentUploadId = crypto3.randomUUID();
         const uploadDir2 = path.join(tempBaseDir, currentUploadId);
         fs.mkdirSync(uploadDir2, { recursive: true });
         const metadata = {
-          owner,
-          accountId,
+          owner: unauthenticated ? null : owner,
+          accountId: unauthenticated ? null : accountId,
           providerName: provider.name,
           name: fileName,
-          parentId: folderId === "root" || !folderId ? null : folderId,
+          parentId: unauthenticated || folderId === "root" || !folderId ? null : folderId,
           fileSize: fileSizeInBytes,
           mimeType: fileType,
-          totalChunks
+          totalChunks,
+          unauthenticated: !!unauthenticated
         };
         fs.writeFileSync(path.join(uploadDir2, "metadata.json"), JSON.stringify(metadata));
       }
@@ -2350,7 +2424,8 @@ var handleDriveAction = async (ctx) => {
             information: { type: "FILE", sizeInBytes: meta.fileSize, mime: meta.mimeType, path: "" },
             status: "UPLOADING",
             currentChunk: totalChunks,
-            totalChunks
+            totalChunks,
+            expiresAt: meta.unauthenticated ? new Date(Date.now() + (config.security?.unauthenticated?.ttlMinutes ?? 60) * 6e4) : null
           });
           if (meta.providerName === "LOCAL" && drive.information.type === "FILE") {
             drive.information.path = path.join("file", String(drive._id), "data.bin");
@@ -2359,10 +2434,12 @@ var handleDriveAction = async (ctx) => {
           try {
             const item = await provider.uploadFile(drive, finalTempPath, meta.accountId);
             fs.rmSync(uploadDir, { recursive: true, force: true });
+            if (meta.unauthenticated) globalThis.__nextDrive.abuse.concurrent = Math.max(0, globalThis.__nextDrive.abuse.concurrent - 1);
             const newQuota = await provider.getQuota(meta.owner, meta.accountId, information.storage.quotaInBytes);
             res.status(200).json({ status: 200, message: "Upload complete", data: { type: "UPLOAD_COMPLETE", driveId: String(drive._id), item: withSignedUrl(item, config) }, statistic: { storage: newQuota } });
           } catch (err) {
             await drive_default.deleteOne({ _id: drive._id });
+            if (meta.unauthenticated) globalThis.__nextDrive.abuse.concurrent = Math.max(0, globalThis.__nextDrive.abuse.concurrent - 1);
             throw err;
           }
         } else {
@@ -2386,6 +2463,10 @@ var handleDriveAction = async (ctx) => {
       const tempUploadDir = path.join(os2.tmpdir(), "next-drive-uploads", id);
       if (fs.existsSync(tempUploadDir)) {
         try {
+          const metaPath = path.join(tempUploadDir, "metadata.json");
+          if (fs.existsSync(metaPath) && JSON.parse(fs.readFileSync(metaPath, "utf-8")).unauthenticated) {
+            globalThis.__nextDrive.abuse.concurrent = Math.max(0, globalThis.__nextDrive.abuse.concurrent - 1);
+          }
           fs.rmSync(tempUploadDir, { recursive: true, force: true });
         } catch (e) {
           console.error("Failed to cleanup temp upload:", e);
@@ -2592,12 +2673,16 @@ var driveAPIHandler = async (req, res) => {
   if (wasPublicHandled) return;
   try {
     const mode = config.mode || "NORMAL";
-    const information = await getDriveInformation({ method: "REQUEST", req });
-    const { key: owner } = information;
-    const isRootMode = mode === "ROOT";
     if (action === "information") {
       const { clientId, clientSecret, redirectUri } = config.storage?.google || {};
       const googleConfigured = !!(clientId && clientSecret && redirectUri);
+      let authenticated = false;
+      try {
+        await getDriveInformation({ method: "REQUEST", req });
+        authenticated = true;
+      } catch {
+        authenticated = false;
+      }
       res.status(200).json({
         status: 200,
         message: "Information retrieved",
@@ -2605,11 +2690,16 @@ var driveAPIHandler = async (req, res) => {
           providers: {
             google: googleConfigured
           },
-          mode
+          mode,
+          authenticated,
+          unauthenticatedUploads: !!config.security?.unauthenticated?.enabled
         }
       });
       return;
     }
+    const information = await getDriveInformation({ method: "REQUEST", req });
+    const { key: owner } = information;
+    const isRootMode = mode === "ROOT";
     const wasAuthHandled = await handleAuthAction(req, res, action, config, owner);
     if (wasAuthHandled) return;
     const { provider, accountId } = await resolveProvider(req, owner);
@@ -2631,6 +2721,6 @@ var driveAPIHandler = async (req, res) => {
   }
 };
 
-export { driveAPIHandler, driveCleanup, driveConfiguration, driveDelete, driveFilePath, driveFileSchemaZod, driveGetUrl, driveInfo, driveList, driveListFiles, driveReadFile, driveUpload, drive_default, getDriveConfig, getDriveInformation };
-//# sourceMappingURL=chunk-RBSFEEJJ.js.map
-//# sourceMappingURL=chunk-RBSFEEJJ.js.map
+export { driveAPIHandler, driveCleanup, driveConfiguration, driveConfirm, driveDelete, driveFilePath, driveFileSchemaZod, driveGetUrl, driveInfo, driveList, driveListFiles, drivePurgeExpired, driveReadFile, driveUpload, drive_default, getDriveConfig, getDriveInformation };
+//# sourceMappingURL=chunk-XUPDNN2U.js.map
+//# sourceMappingURL=chunk-XUPDNN2U.js.map