@mzedstudio/uploadthingtrack 0.1.0

package/src/component/access.ts

@@ -0,0 +1,39 @@
+import type { AccessRule } from "./types";
+
+export function canAccess(params: {
+  ownerId: string;
+  viewerId?: string | null;
+  fileRule?: AccessRule;
+  folderRule?: AccessRule;
+}): boolean {
+  const { ownerId, viewerId } = params;
+  if (viewerId && viewerId === ownerId) return true;
+
+  const rule = params.fileRule ?? params.folderRule;
+  if (!rule) return false;
+
+  if (viewerId && rule.denyUserIds?.includes(viewerId)) return false;
+
+  if (rule.visibility === "public") return true;
+
+  if (!viewerId) return false;
+
+  if (rule.visibility === "private") return false;
+
+  if (rule.visibility === "restricted") {
+    return Boolean(rule.allowUserIds?.includes(viewerId));
+  }
+
+  return false;
+}
+
+export function sanitizeAccessRule(rule?: AccessRule): AccessRule | undefined {
+  if (!rule) return undefined;
+  const unique = (list?: string[]) =>
+    list ? Array.from(new Set(list.filter((value) => value.length > 0))) : undefined;
+  return {
+    visibility: rule.visibility,
+    allowUserIds: unique(rule.allowUserIds),
+    denyUserIds: unique(rule.denyUserIds),
+  };
+}

package/src/component/callbacks.ts

@@ -0,0 +1,173 @@
+import { action } from "./_generated/server";
+import { v } from "convex/values";
+import { internal } from "./_generated/api";
+
+function normalizeSignature(signature: string): string {
+  const trimmed = signature.trim();
+  if (trimmed.startsWith("hmac-sha256=")) {
+    return trimmed.slice("hmac-sha256=".length);
+  }
+  return trimmed;
+}
+
+function hexToBytes(hex: string): Uint8Array | null {
+  if (hex.length % 2 !== 0) return null;
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes.length; i += 1) {
+    const chunk = hex.slice(i * 2, i * 2 + 2);
+    const value = Number.parseInt(chunk, 16);
+    if (Number.isNaN(value)) return null;
+    bytes[i] = value;
+  }
+  return bytes;
+}
+
+function timingSafeEqualBytes(a: Uint8Array, b: Uint8Array) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i += 1) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+
+async function hmacSha256Hex(key: string, message: string) {
+  if (!globalThis.crypto?.subtle) {
+    throw new Error("WebCrypto unavailable in this runtime.");
+  }
+  const encoder = new TextEncoder();
+  const cryptoKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(key),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const signature = await globalThis.crypto.subtle.sign(
+    "HMAC",
+    cryptoKey,
+    encoder.encode(message),
+  );
+  const bytes = new Uint8Array(signature);
+  return Array.from(bytes, (value) => value.toString(16).padStart(2, "0")).join("");
+}
+
+async function verifySignature(rawBody: string, signature: string, apiKey: string) {
+  const expected = await hmacSha256Hex(apiKey, rawBody);
+  const actual = normalizeSignature(signature);
+
+  const expectedBytes = hexToBytes(expected);
+  const actualBytes = hexToBytes(actual);
+  if (!expectedBytes || !actualBytes) return false;
+
+  return timingSafeEqualBytes(expectedBytes, actualBytes);
+}
+
+function extractUserId(metadata: any): string | undefined {
+  if (!metadata) return undefined;
+  return (
+    metadata.userId ??
+    metadata.ownerId ??
+    metadata.uploadedBy ??
+    metadata.user
+  );
+}
+
+function extractTags(metadata: any): string[] | undefined {
+  if (!metadata) return undefined;
+  if (Array.isArray(metadata.tags)) return metadata.tags;
+  if (typeof metadata.tags === "string") {
+    return metadata.tags
+      .split(",")
+      .map((tag: string) => tag.trim())
+      .filter(Boolean);
+  }
+  return undefined;
+}
+
+function toNumber(value: any): number | undefined {
+  if (typeof value === "number") return value;
+  if (typeof value === "string") {
+    const parsed = Number(value);
+    return Number.isNaN(parsed) ? undefined : parsed;
+  }
+  return undefined;
+}
+
+type CallbackResult =
+  | { ok: true; fileId: string; hook: string }
+  | { ok: false; error: string };
+
+export const handleUploadthingCallback = action({
+  args: {
+    rawBody: v.string(),
+    signature: v.string(),
+    hook: v.string(),
+    apiKey: v.optional(v.string()),
+  },
+  handler: async (ctx, args): Promise<CallbackResult> => {
+    const globals = await ctx.runQuery(internal.config.getGlobalsInternal, {});
+    const apiKey = args.apiKey ?? globals.uploadthingApiKey;
+    if (!apiKey) {
+      throw new Error("UploadThing API key not configured.");
+    }
+
+    const isValid = await verifySignature(args.rawBody, args.signature, apiKey);
+    if (!isValid) {
+      return { ok: false, error: "invalid_signature" };
+    }
+
+    let payload: any;
+    try {
+      payload = JSON.parse(args.rawBody);
+    } catch (error) {
+      return { ok: false, error: "invalid_json" };
+    }
+
+    const file = payload.file ?? payload;
+    const metadata = payload.metadata ?? file.metadata ?? {};
+
+    const key = file.key ?? file.fileKey ?? file.id;
+    const url = file.url ?? file.fileUrl;
+    const name = file.name ?? file.filename ?? file.fileName;
+    const size = toNumber(file.size ?? file.fileSize);
+    const mimeType = file.type ?? file.mimeType ?? file.contentType;
+    const customId = file.customId ?? file.customID;
+    const fileType = file.fileType ?? metadata.fileType;
+
+    if (!key || !url || !name || size === undefined || !mimeType) {
+      return { ok: false, error: "missing_file_fields" };
+    }
+
+    const userId = extractUserId(metadata) ?? payload.userId;
+    if (!userId) {
+      return { ok: false, error: "missing_user_id" };
+    }
+
+    const options = {
+      tags: extractTags(metadata),
+      folder: metadata.folder,
+      access: metadata.access,
+      metadata,
+      expiresAt: toNumber(metadata.expiresAt),
+      ttlMs: toNumber(metadata.ttlMs),
+      fileType,
+    };
+
+    const fileId: string = await ctx.runMutation(internal.files.internalUpsertFile, {
+      file: {
+        key,
+        url,
+        name,
+        size,
+        mimeType,
+        customId,
+        fileType,
+      },
+      userId,
+      options,
+    });
+
+    return { ok: true, fileId, hook: args.hook };
+  },
+});

package/src/component/cleanup.ts

@@ -0,0 +1,40 @@
+import { action } from "./_generated/server";
+import { v } from "convex/values";
+import { internal } from "./_generated/api";
+
+export const cleanupExpired = action({
+  args: {
+    batchSize: v.optional(v.number()),
+    dryRun: v.optional(v.boolean()),
+  },
+  returns: v.object({
+    deletedCount: v.number(),
+    keys: v.array(v.string()),
+    hasMore: v.boolean(),
+  }),
+  handler: async (ctx, args): Promise<{
+    deletedCount: number;
+    keys: string[];
+    hasMore: boolean;
+  }> => {
+    const globals = await ctx.runQuery(internal.config.getGlobalsInternal, {});
+    const limit = args.batchSize ?? (globals as any).deleteBatchSize ?? 100;
+
+    const expired = (await ctx.runQuery(internal.queries.expiredBatch, {
+      now: Date.now(),
+      limit,
+    })) as { key: string; _id: string }[];
+
+    const keys = expired.map((item) => item.key);
+
+    if (!args.dryRun && keys.length > 0) {
+      await ctx.runMutation(internal.files.deleteFilesByKey, { keys });
+    }
+
+    return {
+      deletedCount: args.dryRun ? 0 : keys.length,
+      keys,
+      hasMore: expired.length >= limit,
+    };
+  },
+});

package/src/component/config.ts

@@ -0,0 +1,115 @@
+import { internalQuery, mutation, query } from "./_generated/server";
+import { v } from "convex/values";
+import { configUpdateValidator } from "./types";
+
+const GLOBALS_ID = "globals" as const;
+
+export type Globals = {
+  uploadthingApiKey?: string;
+  defaultTtlMs?: number;
+  ttlByMimeType?: Record<string, number>;
+  ttlByFileType?: Record<string, number>;
+  deleteRemoteOnExpire?: boolean;
+  deleteBatchSize?: number;
+};
+
+async function readGlobals(db: any): Promise<Globals> {
+  const record = await db
+    .query("globals")
+    .withIndex("by_singleton", (q: any) => q.eq("singleton", GLOBALS_ID))
+    .unique();
+
+  if (!record) return {};
+
+  return {
+    uploadthingApiKey: record.uploadthingApiKey,
+    defaultTtlMs: record.defaultTtlMs,
+    ttlByMimeType: record.ttlByMimeType,
+    ttlByFileType: record.ttlByFileType,
+    deleteRemoteOnExpire: record.deleteRemoteOnExpire,
+    deleteBatchSize: record.deleteBatchSize,
+  };
+}
+
+export async function loadGlobals(ctx: { db: any }): Promise<Globals> {
+  return await readGlobals(ctx.db);
+}
+
+export const getGlobalsInternal = internalQuery({
+  args: {},
+  handler: async (ctx) => {
+    return await readGlobals(ctx.db);
+  },
+});
+
+export function computeExpiresAt(params: {
+  now: number;
+  mimeType?: string;
+  fileType?: string;
+  expiresAt?: number;
+  ttlMs?: number;
+  globals?: Globals;
+}): number | undefined {
+  if (params.expiresAt !== undefined) return params.expiresAt;
+  if (params.ttlMs !== undefined) return params.now + params.ttlMs;
+
+  const globals = params.globals;
+  if (!globals) return undefined;
+
+  if (params.fileType && globals.ttlByFileType?.[params.fileType] !== undefined) {
+    return params.now + globals.ttlByFileType[params.fileType];
+  }
+
+  if (params.mimeType && globals.ttlByMimeType?.[params.mimeType] !== undefined) {
+    return params.now + globals.ttlByMimeType[params.mimeType];
+  }
+
+  if (globals.defaultTtlMs !== undefined) {
+    return params.now + globals.defaultTtlMs;
+  }
+
+  return undefined;
+}
+
+export const setConfig = mutation({
+  args: {
+    config: configUpdateValidator,
+    replace: v.optional(v.boolean()),
+  },
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("globals")
+      .withIndex("by_singleton", (q) => q.eq("singleton", GLOBALS_ID))
+      .unique();
+
+    if (!existing) {
+      const record = { singleton: GLOBALS_ID, ...args.config };
+      await ctx.db.insert("globals", record);
+      return { created: true };
+    }
+
+    const update = args.replace
+      ? { singleton: GLOBALS_ID, ...args.config }
+      : { ...existing, ...args.config };
+    delete (update as any)._id;
+    delete (update as any)._creationTime;
+
+    await ctx.db.patch(existing._id, update);
+    return { created: false };
+  },
+});
+
+export const getConfig = query({
+  args: {},
+  handler: async (ctx) => {
+    const globals = await loadGlobals(ctx);
+    return {
+      defaultTtlMs: globals.defaultTtlMs,
+      ttlByMimeType: globals.ttlByMimeType,
+      ttlByFileType: globals.ttlByFileType,
+      deleteRemoteOnExpire: globals.deleteRemoteOnExpire,
+      deleteBatchSize: globals.deleteBatchSize,
+      hasApiKey: Boolean(globals.uploadthingApiKey),
+    };
+  },
+});

package/src/component/convex.config.ts

@@ -0,0 +1,2 @@
+import { defineComponent } from "convex/server";
+export default defineComponent("uploadthing_file_tracker");

package/src/component/files.ts

@@ -0,0 +1,186 @@
+import { mutation, internalMutation } from "./_generated/server";
+import { v } from "convex/values";
+import { computeExpiresAt, loadGlobals } from "./config";
+import { accessRuleValidator, fileInfoValidator, fileUpsertOptionsValidator } from "./types";
+import { sanitizeAccessRule } from "./access";
+
+async function upsertFileRecord(ctx: any, params: {
+  file: {
+    key: string;
+    url: string;
+    name: string;
+    size: number;
+    mimeType: string;
+    uploadedAt?: number;
+    fileType?: string;
+    customId?: string;
+  };
+  userId: string;
+  options?: {
+    tags?: string[];
+    folder?: string;
+    access?: any;
+    metadata?: any;
+    expiresAt?: number;
+    ttlMs?: number;
+    fileType?: string;
+  };
+}) {
+  const now = Date.now();
+  const globals = await loadGlobals(ctx);
+  const uploadedAt = params.file.uploadedAt ?? now;
+  const fileType = params.options?.fileType ?? params.file.fileType;
+  const expiresAt = computeExpiresAt({
+    now: uploadedAt,
+    mimeType: params.file.mimeType,
+    fileType,
+    expiresAt: params.options?.expiresAt,
+    ttlMs: params.options?.ttlMs,
+    globals,
+  });
+
+  const existing = await ctx.db
+    .query("files")
+    .withIndex("by_key", (q: any) => q.eq("key", params.file.key))
+    .unique();
+
+  const patch: any = {
+    url: params.file.url,
+    name: params.file.name,
+    size: params.file.size,
+    mimeType: params.file.mimeType,
+    uploadedAt,
+    userId: params.userId,
+  };
+
+  if (params.file.customId !== undefined) patch.customId = params.file.customId;
+  if (fileType !== undefined) patch.fileType = fileType;
+
+  if (params.options?.tags !== undefined) patch.tags = params.options.tags;
+  if (params.options?.folder !== undefined) patch.folder = params.options.folder;
+  if (params.options?.metadata !== undefined) patch.metadata = params.options.metadata;
+  if (params.options?.access !== undefined) {
+    patch.access = sanitizeAccessRule(params.options.access);
+  }
+  if (expiresAt !== undefined) patch.expiresAt = expiresAt;
+
+  if (existing) {
+    patch.replacedAt = now;
+    await ctx.db.patch(existing._id, patch);
+    return existing._id;
+  }
+
+  return await ctx.db.insert("files", {
+    key: params.file.key,
+    ...patch,
+  });
+}
+
+export const upsertFile = mutation({
+  args: {
+    file: fileInfoValidator,
+    userId: v.string(),
+    options: v.optional(fileUpsertOptionsValidator),
+  },
+  handler: async (ctx, args) => {
+    return await upsertFileRecord(ctx, {
+      file: args.file,
+      userId: args.userId,
+      options: args.options,
+    });
+  },
+});
+
+export const internalUpsertFile = internalMutation({
+  args: {
+    file: fileInfoValidator,
+    userId: v.string(),
+    options: v.optional(fileUpsertOptionsValidator),
+  },
+  handler: async (ctx, args) => {
+    return await upsertFileRecord(ctx, {
+      file: args.file,
+      userId: args.userId,
+      options: args.options,
+    });
+  },
+});
+
+export const setFileAccess = mutation({
+  args: {
+    key: v.string(),
+    access: v.optional(v.union(accessRuleValidator, v.null())),
+  },
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("files")
+      .withIndex("by_key", (q) => q.eq("key", args.key))
+      .unique();
+
+    if (!existing) return null;
+
+    await ctx.db.patch(existing._id, {
+      access: args.access === null ? undefined : sanitizeAccessRule(args.access),
+    });
+
+    return existing._id;
+  },
+});
+
+export const setFolderAccess = mutation({
+  args: {
+    folder: v.string(),
+    access: v.optional(v.union(accessRuleValidator, v.null())),
+  },
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("folderRules")
+      .withIndex("by_folder", (q) => q.eq("folder", args.folder))
+      .unique();
+
+    if (args.access === null) {
+      if (existing) {
+        await ctx.db.delete(existing._id);
+      }
+      return null;
+    }
+
+    const access = sanitizeAccessRule(args.access);
+    if (!access) {
+      return null;
+    }
+
+    const updatedAt = Date.now();
+
+    if (existing) {
+      await ctx.db.patch(existing._id, {
+        access,
+        updatedAt,
+      });
+      return existing._id;
+    }
+
+    return await ctx.db.insert("folderRules", {
+      folder: args.folder,
+      access,
+      updatedAt,
+    });
+  },
+});
+
+export const deleteFilesByKey = internalMutation({
+  args: {
+    keys: v.array(v.string()),
+  },
+  handler: async (ctx, args) => {
+    for (const key of args.keys) {
+      const existing = await ctx.db
+        .query("files")
+        .withIndex("by_key", (q) => q.eq("key", key))
+        .unique();
+      if (existing) {
+        await ctx.db.delete(existing._id);
+      }
+    }
+  },
+});

package/src/component/queries.ts

@@ -0,0 +1,121 @@
+import { query, internalQuery } from "./_generated/server";
+import { v } from "convex/values";
+import { canAccess } from "./access";
+
+async function getFolderRule(ctx: any, folder?: string) {
+  if (!folder) return undefined;
+  const rule = await ctx.db
+    .query("folderRules")
+    .withIndex("by_folder", (q: any) => q.eq("folder", folder))
+    .unique();
+  return rule?.access;
+}
+
+export const getFileByKey = query({
+  args: {
+    key: v.string(),
+    viewerUserId: v.optional(v.string()),
+  },
+  handler: async (ctx, args) => {
+    const file = await ctx.db
+      .query("files")
+      .withIndex("by_key", (q) => q.eq("key", args.key))
+      .unique();
+
+    if (!file) return null;
+
+    const folderRule = await getFolderRule(ctx, file.folder);
+    const allowed = canAccess({
+      ownerId: file.userId,
+      viewerId: args.viewerUserId,
+      fileRule: file.access,
+      folderRule,
+    });
+
+    if (!allowed) return null;
+
+    return file;
+  },
+});
+
+export const listFiles = query({
+  args: {
+    ownerUserId: v.string(),
+    viewerUserId: v.optional(v.string()),
+    mimeType: v.optional(v.string()),
+    tag: v.optional(v.string()),
+    folder: v.optional(v.string()),
+    includeExpired: v.optional(v.boolean()),
+    limit: v.optional(v.number()),
+  },
+  handler: async (ctx, args) => {
+    const query = ctx.db
+      .query("files")
+      .withIndex("by_user_uploadedAt", (q: any) => q.eq("userId", args.ownerUserId))
+      .order("desc");
+
+    const results = [] as any[];
+    const now = Date.now();
+    const limit = args.limit ?? 50;
+    const folderCache = new Map<string, any>();
+
+    for await (const file of query) {
+      if (!args.includeExpired && file.expiresAt !== undefined && file.expiresAt <= now) {
+        continue;
+      }
+      if (args.mimeType && file.mimeType !== args.mimeType) {
+        continue;
+      }
+      if (args.tag && !file.tags?.includes(args.tag)) {
+        continue;
+      }
+      if (args.folder && file.folder !== args.folder) {
+        continue;
+      }
+
+      let folderRule;
+      if (file.folder) {
+        if (folderCache.has(file.folder)) {
+          folderRule = folderCache.get(file.folder);
+        } else {
+          folderRule = await getFolderRule(ctx, file.folder);
+          folderCache.set(file.folder, folderRule);
+        }
+      }
+      const allowed = canAccess({
+        ownerId: file.userId,
+        viewerId: args.viewerUserId,
+        fileRule: file.access,
+        folderRule,
+      });
+
+      if (!allowed) continue;
+
+      results.push(file);
+      if (results.length >= limit) break;
+    }
+
+    return results;
+  },
+});
+
+export const expiredBatch = internalQuery({
+  args: {
+    now: v.number(),
+    limit: v.number(),
+  },
+  handler: async (ctx, args) => {
+    const query = ctx.db
+      .query("files")
+      .withIndex("by_expiresAt", (q: any) => q.lte("expiresAt", args.now))
+      .order("asc");
+
+    const expired = [] as { key: string; _id: string }[];
+    for await (const file of query) {
+      expired.push({ key: file.key, _id: file._id });
+      if (expired.length >= args.limit) break;
+    }
+
+    return expired;
+  },
+});