@rpcbase/server 0.479.0 → 0.481.0

package/dist/applyRouteLoaders.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"applyRouteLoaders.d.ts","sourceRoot":"","sources":["../src/applyRouteLoaders.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,OAAO,EAAC,MAAM,SAAS,CAAA;AAC/B,OAAO,EACL,oBAAoB,EAMrB,MAAM,iBAAiB,CAAA;AAuFxB,MAAM,MAAM,yBAAyB,GAAG,oBAAoB,GAAG;IAC7D,gBAAgB,CAAC,EAAE,QAAQ,CAAA;IAC3B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC/B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAClC,CAAA;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,UAAU,EAAE,GAAG,EAAE,GAChB,OAAO,CAAC,yBAAyB,CAAC,CA6KpC"}
+{"version":3,"file":"applyRouteLoaders.d.ts","sourceRoot":"","sources":["../src/applyRouteLoaders.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,OAAO,EAAC,MAAM,SAAS,CAAA;AAC/B,OAAO,EACL,oBAAoB,EAMrB,MAAM,iBAAiB,CAAA;AA0GxB,MAAM,MAAM,yBAAyB,GAAG,oBAAoB,GAAG;IAC7D,gBAAgB,CAAC,EAAE,QAAQ,CAAA;IAC3B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC/B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAClC,CAAA;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,UAAU,EAAE,GAAG,EAAE,GAChB,OAAO,CAAC,yBAAyB,CAAC,CAwLpC"}

package/dist/{handler-BOTZftAB.js → handler-BA2YiqnG.js}

@@ -1,8 +1,77 @@
 import { loadModel, getTenantFilesystemDb } from "@rpcbase/db";
 import { GridFSBucket, ObjectId } from "mongodb";
-import { g as getTenantId, a as getModelCtx, b as buildUploadsAbility, c as getUploadSessionAccessQuery, e as ensureUploadIndexes, d as getBucketName, f as getUserId, h as getChunkSizeBytes, i as getSessionTtlMs, j as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, k as getMaxClientUploadBytesPerSecond, l as getRawBodyLimitBytes } from "./shared-UGuDRAKK.js";
+import { JSDOM } from "jsdom";
+import createDOMPurify from "dompurify";
+import { g as getTenantId, a as getModelCtx, b as buildUploadsAbility, c as getUploadSessionAccessQuery, e as ensureUploadIndexes, d as getBucketName, f as getUserId, h as getChunkSizeBytes, i as getSessionTtlMs, j as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, k as getMaxClientUploadBytesPerSecond, l as getRawBodyLimitBytes } from "./shared-BJomDDWK.js";
 import { randomBytes } from "node:crypto";
-import { o as object, n as number, s as string, b as boolean, a as array, _ as _enum } from "./schemas-D5T9tDtI.js";
+import { o as object, n as number, b as boolean, s as string, a as array, _ as _enum } from "./schemas-D5T9tDtI.js";
+const MAX_SVG_BYTES = 128 * 1024;
+const window = new JSDOM("").window;
+const DOMPurify = createDOMPurify(window);
+const normalizeForSniff = (raw) => raw.replace(/^\uFEFF/, "").trimStart();
+const looksLikeSvgText = (text) => {
+  const normalized = normalizeForSniff(text);
+  if (!normalized.startsWith("<")) return false;
+  return /<svg(?:\s|>)/i.test(normalized);
+};
+const looksLikeSvg = (sniff) => looksLikeSvgText(sniff.toString("utf8"));
+const sanitizeSvg = (svg) => DOMPurify.sanitize(svg, {
+  USE_PROFILES: { svg: true, svgFilters: true }
+});
+const sanitizeSvgProcessor = {
+  id: "sanitize-svg",
+  maxBytes: MAX_SVG_BYTES,
+  match: ({ sniff }) => looksLikeSvg(sniff),
+  process: (data) => {
+    if (data.length > MAX_SVG_BYTES) {
+      throw new Error("svg_too_large");
+    }
+    const svgText = data.toString("utf8");
+    if (!looksLikeSvgText(svgText)) {
+      throw new Error("svg_invalid");
+    }
+    const sanitized = sanitizeSvg(svgText);
+    if (!sanitized.trim() || !looksLikeSvgText(sanitized)) {
+      throw new Error("svg_sanitize_failed");
+    }
+    const sanitizedBuffer = Buffer.from(sanitized, "utf8");
+    if (sanitizedBuffer.length > MAX_SVG_BYTES) {
+      throw new Error("svg_too_large");
+    }
+    return { data: sanitizedBuffer, mimeType: "image/svg+xml" };
+  }
+};
+const uploadProcessors = Object.freeze([sanitizeSvgProcessor]);
+const getMaxUploadProcessorBytes = () => uploadProcessors.reduce((max, processor) => Math.max(max, processor.maxBytes), 0);
+const selectUploadProcessors = (ctx) => uploadProcessors.filter((processor) => processor.match(ctx));
+const applyUploadProcessors = async (data, ctx) => {
+  let currentData = data;
+  let currentMimeType = ctx.clientMimeType;
+  const applied = [];
+  for (const processor of uploadProcessors) {
+    const processorCtx = {
+      filename: ctx.filename,
+      clientMimeType: currentMimeType,
+      totalSize: currentData.length,
+      sniff: currentData
+    };
+    if (!processor.match(processorCtx)) continue;
+    if (currentData.length > processor.maxBytes) {
+      throw new Error("processor_input_too_large");
+    }
+    const result = await processor.process(currentData, processorCtx);
+    currentData = result.data;
+    if (typeof result.mimeType === "string" && result.mimeType.trim()) {
+      currentMimeType = result.mimeType.trim();
+    }
+    applied.push(processor.id);
+  }
+  return {
+    data: currentData,
+    mimeType: currentMimeType,
+    applied
+  };
+};
 const waitForStreamFinished = async (stream) => new Promise((resolve, reject) => {
   stream.once("finish", resolve);
   stream.once("error", reject);
@@ -94,24 +163,70 @@ const completeUpload = async (_payload, ctx) => {
   const bucketName = getBucketName();
   const bucket = new GridFSBucket(nativeDb, { bucketName });
   const lockedUserId = typeof locked.userId === "string" ? locked.userId : void 0;
-  const uploadStream = bucket.openUploadStream(locked.filename, {
-    metadata: {
-      uploadId,
-      tenantId,
-      mimeType: locked.mimeType,
-      totalSize: locked.totalSize,
-      ...lockedUserId ? { userId: lockedUserId } : {}
-    }
-  });
+  const maxProcessorBytes = getMaxUploadProcessorBytes();
+  const shouldBufferForProcessing = locked.totalSize <= maxProcessorBytes;
+  const declaredMimeType = locked.mimeType.trim().toLowerCase();
+  const declaredSvg = declaredMimeType === "image/svg+xml" || locked.filename.trim().toLowerCase().endsWith(".svg");
+  let uploadStream = null;
   try {
+    if (!shouldBufferForProcessing && declaredSvg) {
+      throw new Error("svg_too_large");
+    }
     const cursor = UploadChunk.find({ uploadId }).sort({ index: 1 }).cursor();
     let expectedIndex = 0;
+    const chunks = [];
+    let bufferedBytes = 0;
+    const pendingChunks = [];
+    const sniffParts = [];
+    let sniffBytes = 0;
     try {
       for await (const chunkDoc of cursor) {
         if (chunkDoc.index !== expectedIndex) {
           throw new Error("missing_chunks");
         }
-        await writeToStream(uploadStream, chunkDoc.data);
+        const chunk = chunkDoc.data;
+        if (shouldBufferForProcessing) {
+          chunks.push(chunk);
+          bufferedBytes += chunk.length;
+        } else if (!uploadStream) {
+          pendingChunks.push(chunk);
+          if (sniffBytes < maxProcessorBytes) {
+            const slice = chunk.subarray(0, Math.min(chunk.length, maxProcessorBytes - sniffBytes));
+            if (slice.length) {
+              sniffParts.push(slice);
+              sniffBytes += slice.length;
+            }
+          }
+          if (sniffBytes >= maxProcessorBytes) {
+            const sniff = Buffer.concat(sniffParts, sniffBytes);
+            const processors = selectUploadProcessors({
+              filename: locked.filename,
+              clientMimeType: locked.mimeType,
+              totalSize: locked.totalSize,
+              sniff
+            });
+            if (processors.length) {
+              throw new Error("svg_too_large");
+            }
+            uploadStream = bucket.openUploadStream(locked.filename, {
+              metadata: {
+                uploadId,
+                tenantId,
+                mimeType: locked.mimeType,
+                totalSize: locked.totalSize,
+                ...typeof locked.isPublic === "boolean" ? { isPublic: locked.isPublic } : {},
+                ...typeof locked.ownerKeyHash === "string" ? { ownerKeyHash: locked.ownerKeyHash } : {},
+                ...lockedUserId ? { userId: lockedUserId } : {}
+              }
+            });
+            for (const pending of pendingChunks) {
+              await writeToStream(uploadStream, pending);
+            }
+            pendingChunks.length = 0;
+          }
+        } else {
+          await writeToStream(uploadStream, chunk);
+        }
         expectedIndex += 1;
       }
     } finally {
@@ -123,9 +238,59 @@ const completeUpload = async (_payload, ctx) => {
     if (expectedIndex !== locked.chunksTotal) {
       throw new Error("missing_chunks");
     }
-    const finished = waitForStreamFinished(uploadStream);
-    uploadStream.end();
-    await finished;
+    if (shouldBufferForProcessing) {
+      const assembled = Buffer.concat(chunks, bufferedBytes);
+      const { data: processed, mimeType: processedMimeType, applied } = await applyUploadProcessors(assembled, {
+        filename: locked.filename,
+        clientMimeType: locked.mimeType
+      });
+      uploadStream = bucket.openUploadStream(locked.filename, {
+        metadata: {
+          uploadId,
+          tenantId,
+          mimeType: processedMimeType,
+          totalSize: locked.totalSize,
+          ...applied.length ? { processors: applied, processedSize: processed.length } : {},
+          ...typeof locked.isPublic === "boolean" ? { isPublic: locked.isPublic } : {},
+          ...typeof locked.ownerKeyHash === "string" ? { ownerKeyHash: locked.ownerKeyHash } : {},
+          ...lockedUserId ? { userId: lockedUserId } : {}
+        }
+      });
+      const finished = waitForStreamFinished(uploadStream);
+      uploadStream.end(processed);
+      await finished;
+    } else {
+      if (!uploadStream) {
+        const sniff = Buffer.concat(sniffParts, sniffBytes);
+        const processors = selectUploadProcessors({
+          filename: locked.filename,
+          clientMimeType: locked.mimeType,
+          totalSize: locked.totalSize,
+          sniff
+        });
+        if (processors.length) {
+          throw new Error("svg_too_large");
+        }
+        uploadStream = bucket.openUploadStream(locked.filename, {
+          metadata: {
+            uploadId,
+            tenantId,
+            mimeType: locked.mimeType,
+            totalSize: locked.totalSize,
+            ...typeof locked.isPublic === "boolean" ? { isPublic: locked.isPublic } : {},
+            ...typeof locked.ownerKeyHash === "string" ? { ownerKeyHash: locked.ownerKeyHash } : {},
+            ...lockedUserId ? { userId: lockedUserId } : {}
+          }
+        });
+        for (const pending of pendingChunks) {
+          await writeToStream(uploadStream, pending);
+        }
+        pendingChunks.length = 0;
+      }
+      const finished = waitForStreamFinished(uploadStream);
+      uploadStream.end();
+      await finished;
+    }
     const fileId = String(uploadStream.id ?? "");
     if (!fileId) {
       throw new Error("missing_file_id");
@@ -150,6 +315,22 @@ const completeUpload = async (_payload, ctx) => {
       ctx.res.status(409);
       return { ok: false, error: "missing_chunks" };
     }
+    if (message === "svg_too_large") {
+      await UploadSession.updateOne(
+        { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
+        { $set: { status: "error", error: message } }
+      );
+      ctx.res.status(413);
+      return { ok: false, error: message };
+    }
+    if (message === "svg_invalid" || message === "svg_sanitize_failed") {
+      await UploadSession.updateOne(
+        { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
+        { $set: { status: "error", error: message } }
+      );
+      ctx.res.status(400);
+      return { ok: false, error: message };
+    }
     await UploadSession.updateOne(
       { $and: [{ _id: uploadId }, getUploadSessionAccessQuery(ability, "update")] },
       { $set: { status: "error", error: message } }
@@ -205,6 +386,7 @@ const CompleteRoute = "/api/rb/file-uploads/:uploadId/complete";
 const initRequestSchema = object({
   filename: string().min(1),
   mimeType: string().min(1),
+  isPublic: boolean().optional(),
   totalSize: number().int().min(1)
 });
 object({
@@ -242,7 +424,7 @@ const initUpload = async (payload, ctx) => {
     return { ok: false, error: "invalid_payload" };
   }
   const chunkSize = getChunkSizeBytes();
-  const { filename, mimeType, totalSize } = parsed.data;
+  const { filename, mimeType, totalSize, isPublic } = parsed.data;
   const chunksTotal = Math.ceil(totalSize / chunkSize);
   const modelCtx = getModelCtx(ctx, tenantId);
   const [UploadSession, UploadChunk] = await Promise.all([
@@ -261,6 +443,7 @@ const initUpload = async (payload, ctx) => {
     ...ownerKeyHash ? { ownerKeyHash } : {},
     filename,
     mimeType,
+    ...typeof isPublic === "boolean" ? { isPublic } : {},
     totalSize,
     chunkSize,
     chunksTotal,

package/dist/{handler-Cl-0-832.js → handler-Cohj3cz3.js}

@@ -1,6 +1,11 @@
 import { getTenantFilesystemDb } from "@rpcbase/db";
 import { ObjectId, GridFSBucket } from "mongodb";
-import { g as getTenantId, d as getBucketName } from "./shared-UGuDRAKK.js";
+import { g as getTenantId, d as getBucketName, f as getUserId, m as getUploadKeyHash } from "./shared-BJomDDWK.js";
+const resolveHeaderString$1 = (value) => {
+  if (typeof value !== "string") return null;
+  const normalized = value.trim();
+  return normalized ? normalized : null;
+};
 const deleteFile = async (_payload, ctx) => {
   const tenantId = getTenantId(ctx);
   if (!tenantId) {
@@ -23,6 +28,25 @@ const deleteFile = async (_payload, ctx) => {
   }
   const bucketName = getBucketName();
   const bucket = new GridFSBucket(nativeDb, { bucketName });
+  const userId = getUserId(ctx);
+  const uploadKeyHash = getUploadKeyHash(ctx);
+  if (!userId && !uploadKeyHash) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
+  const [file] = await bucket.find({ _id: fileObjectId }).limit(1).toArray();
+  if (!file) {
+    ctx.res.status(204);
+    return { ok: true };
+  }
+  const metadataUserId = resolveHeaderString$1(file?.metadata?.userId);
+  const ownerKeyHash = resolveHeaderString$1(file?.metadata?.ownerKeyHash);
+  const authorizedByUser = Boolean(userId && metadataUserId && userId === metadataUserId);
+  const authorizedByKey = Boolean(uploadKeyHash && ownerKeyHash && uploadKeyHash === ownerKeyHash);
+  if (!authorizedByUser && !authorizedByKey) {
+    ctx.res.status(401);
+    return { ok: false, error: "unauthorized" };
+  }
   try {
     await bucket.delete(fileObjectId);
   } catch (error) {
@@ -40,6 +64,15 @@ const resolveHeaderString = (value) => {
   const normalized = value.trim();
   return normalized ? normalized : null;
 };
+const resolveHeaderBoolean = (value) => {
+  if (typeof value === "boolean") return value;
+  if (typeof value !== "string") return null;
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) return null;
+  if (normalized === "true") return true;
+  if (normalized === "false") return false;
+  return null;
+};
 const escapeHeaderFilename = (filename) => filename.replace(/[\\"]/g, "_");
 const getFile = async (_payload, ctx) => {
   const tenantId = getTenantId(ctx);
@@ -68,6 +101,19 @@ const getFile = async (_payload, ctx) => {
     ctx.res.status(404).end();
     return {};
   }
+  const isPublic = resolveHeaderBoolean(file?.metadata?.isPublic) ?? false;
+  if (!isPublic) {
+    const userId = getUserId(ctx);
+    const uploadKeyHash = getUploadKeyHash(ctx);
+    const metadataUserId = resolveHeaderString(file?.metadata?.userId);
+    const ownerKeyHash = resolveHeaderString(file?.metadata?.ownerKeyHash);
+    const authorizedByUser = Boolean(userId && metadataUserId && userId === metadataUserId);
+    const authorizedByKey = Boolean(uploadKeyHash && ownerKeyHash && uploadKeyHash === ownerKeyHash);
+    if (!authorizedByUser && !authorizedByKey) {
+      ctx.res.status(401).end();
+      return {};
+    }
+  }
   const mimeTypeFromMetadata = resolveHeaderString(file?.metadata?.mimeType);
   const mimeType = mimeTypeFromMetadata ?? "application/octet-stream";
   const filenameFromDb = resolveHeaderString(file?.filename);
@@ -95,6 +141,13 @@ const getFile = async (_payload, ctx) => {
   ctx.res.setHeader("Content-Disposition", `inline; filename="${filenameSafe}"`);
   ctx.res.setHeader("Cache-Control", cacheControl);
   ctx.res.setHeader("ETag", etag);
+  ctx.res.setHeader("X-Content-Type-Options", "nosniff");
+  if (mimeType === "image/svg+xml") {
+    ctx.res.setHeader(
+      "Content-Security-Policy",
+      "default-src 'none'; style-src 'unsafe-inline'; sandbox; base-uri 'none'; form-action 'none'"
+    );
+  }
   ctx.res.flushHeaders();
   if (ctx.req.method === "HEAD") {
     ctx.res.end();

package/dist/index.js

@@ -3429,8 +3429,11 @@ const getMongoUrl = (serverEnv) => {
   }
   if (serverEnv.DB_PORT) {
     const host = serverEnv.DB_HOST ?? "localhost";
-    const dbName = serverEnv.APP_NAME ?? "rb";
-    return `mongodb://${host}:${serverEnv.DB_PORT}/${dbName}-sessions`;
+    const appName = serverEnv.APP_NAME?.trim();
+    if (!appName) {
+      throw new Error("Missing APP_NAME (required to build MongoDB session store DB name)");
+    }
+    return `mongodb://${host}:${serverEnv.DB_PORT}/${appName}-sessions`;
   }
   return void 0;
 };
@@ -3781,6 +3784,22 @@ const isRedirectResponse = (value) => {
   if (!isResponseLike(value)) return false;
   return value.status >= 300 && value.status < 400 && Boolean(value.headers.get("Location"));
 };
+const getRouteHandleStatusCode = (route) => {
+  if (!route) return void 0;
+  const handle = route.handle;
+  if (!handle) return void 0;
+  const candidate = handle.statusCode ?? handle.status ?? handle.httpStatus;
+  if (typeof candidate === "number") return candidate;
+  return void 0;
+};
+const isNotFoundFallbackRoute = (route) => {
+  if (!route) return false;
+  if (route.path !== "*") return false;
+  if (route.loader) return false;
+  if (route.action) return false;
+  if (route.children?.length) return false;
+  return true;
+};
 async function applyRouteLoaders(req, dataRoutes) {
   const baseUrl = `${req.protocol}://${req.get("host")}`;
   const url = new URL(req.originalUrl, baseUrl);
@@ -3792,8 +3811,8 @@ async function applyRouteLoaders(req, dataRoutes) {
     loaderHeaders: {},
     actionHeaders: {}
   };
-  const matches = matchRoutes(dataRoutes, location) || [];
-  if (!matches) {
+  const matches = matchRoutes(dataRoutes, location);
+  if (!matches || matches.length === 0) {
     const error = {
       status: 404,
       message: `No route matches URL: ${req.originalUrl}`
@@ -3920,6 +3939,15 @@ async function applyRouteLoaders(req, dataRoutes) {
       statusCode = 500;
     }
   }
+  if (!errors && statusCode === 200) {
+    const leafRoute = matches.at(-1)?.route;
+    const handleStatusCode = getRouteHandleStatusCode(leafRoute);
+    if (typeof handleStatusCode === "number") {
+      statusCode = handleStatusCode;
+    } else if (isNotFoundFallbackRoute(leafRoute)) {
+      statusCode = NOT_FOUND_STATUS;
+    }
+  }
   return {
     ...baseContext,
     matches,

package/dist/initServer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"initServer.d.ts","sourceRoot":"","sources":["../src/initServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAyBrC,KAAK,SAAS,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;CAAE,CAAA;AAuFtD,eAAO,MAAM,UAAU,GAAU,KAAK,WAAW,EAAE,WAAW,SAAS,kBAsEtE,CAAA"}
+{"version":3,"file":"initServer.d.ts","sourceRoot":"","sources":["../src/initServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAyBrC,KAAK,SAAS,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;CAAE,CAAA;AA0FtD,eAAO,MAAM,UAAU,GAAU,KAAK,WAAW,EAAE,WAAW,SAAS,kBAsEtE,CAAA"}

package/dist/{shared-UGuDRAKK.js → shared-BJomDDWK.js}

@@ -100,6 +100,7 @@ export {
   computeSha256Hex as j,
   getMaxClientUploadBytesPerSecond as k,
   getRawBodyLimitBytes as l,
+  getUploadKeyHash as m,
   normalizeSha256Hex as n,
   toBufferPayload as t
 };

package/dist/uploads/api/file-uploads/handlers/completeUpload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"completeUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/completeUpload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EASjB,MAAM,WAAW,CAAA;AAiDlB,eAAO,MAAM,cAAc,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,uBAAuB,EAAE,WAAW,CAoJ1G,CAAA"}
+{"version":3,"file":"completeUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/completeUpload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AAEnC,OAAO,EACL,KAAK,WAAW,EASjB,MAAM,WAAW,CAAA;AAiDlB,eAAO,MAAM,cAAc,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,uBAAuB,EAAE,WAAW,CAqR1G,CAAA"}

package/dist/uploads/api/file-uploads/handlers/initUpload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"initUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/initUpload.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EAUjB,MAAM,WAAW,CAAA;AAGlB,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,mBAAmB,EAAE,WAAW,CA2DvG,CAAA"}
+{"version":3,"file":"initUpload.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/handlers/initUpload.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAKzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAA;AACnC,OAAO,EACL,KAAK,WAAW,EAUjB,MAAM,WAAW,CAAA;AAGlB,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,mBAAmB,EAAE,WAAW,CA4DvG,CAAA"}

package/dist/uploads/api/file-uploads/index.d.ts

@@ -6,6 +6,7 @@ export declare const CompleteRoute = "/api/rb/file-uploads/:uploadId/complete";
 export declare const initRequestSchema: z.ZodObject<{
     filename: z.ZodString;
     mimeType: z.ZodString;
+    isPublic: z.ZodOptional<z.ZodBoolean>;
     totalSize: z.ZodNumber;
 }, z.core.$strip>;
 export type InitRequestPayload = z.infer<typeof initRequestSchema>;

package/dist/uploads/api/file-uploads/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/file-uploads/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,SAAS,yBAAyB,CAAA;AAC/C,eAAO,MAAM,UAAU,iDAAiD,CAAA;AACxE,eAAO,MAAM,WAAW,0CAA0C,CAAA;AAClE,eAAO,MAAM,aAAa,4CAA4C,CAAA;AAEtE,eAAO,MAAM,iBAAiB;;;;iBAI5B,CAAA;AAEF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAElE,eAAO,MAAM,kBAAkB;;;;;;;iBAO7B,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAEpE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;iBAQ/B,CAAA;AAEF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAExE,eAAO,MAAM,sBAAsB;;;;iBAIjC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/uploads/api/file-uploads/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,SAAS,yBAAyB,CAAA;AAC/C,eAAO,MAAM,UAAU,iDAAiD,CAAA;AACxE,eAAO,MAAM,WAAW,0CAA0C,CAAA;AAClE,eAAO,MAAM,aAAa,4CAA4C,CAAA;AAEtE,eAAO,MAAM,iBAAiB;;;;;iBAK5B,CAAA;AAEF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAElE,eAAO,MAAM,kBAAkB;;;;;;;iBAO7B,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAEpE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;iBAQ/B,CAAA;AAEF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAExE,eAAO,MAAM,sBAAsB;;;;iBAIjC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}

package/dist/uploads/api/file-uploads/processors/index.d.ts

@@ -0,0 +1,25 @@
+export type UploadFileProcessorContext = {
+    filename: string;
+    clientMimeType: string;
+    totalSize: number;
+    sniff: Buffer;
+};
+export type UploadFileProcessorResult = {
+    data: Buffer;
+    mimeType?: string;
+};
+export type UploadFileProcessor = {
+    id: string;
+    maxBytes: number;
+    match: (ctx: UploadFileProcessorContext) => boolean;
+    process: (data: Buffer, ctx: UploadFileProcessorContext) => Promise<UploadFileProcessorResult> | UploadFileProcessorResult;
+};
+export declare const uploadProcessors: readonly UploadFileProcessor[];
+export declare const getMaxUploadProcessorBytes: () => number;
+export declare const selectUploadProcessors: (ctx: UploadFileProcessorContext) => UploadFileProcessor[];
+export declare const applyUploadProcessors: (data: Buffer, ctx: Omit<UploadFileProcessorContext, "sniff" | "totalSize">) => Promise<{
+    data: Buffer;
+    mimeType: string;
+    applied: string[];
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/uploads/api/file-uploads/processors/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/processors/index.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,0BAA0B,GAAG;IACvC,QAAQ,EAAE,MAAM,CAAA;IAChB,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;CACd,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,CAAC,GAAG,EAAE,0BAA0B,KAAK,OAAO,CAAA;IACnD,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0BAA0B,KAAK,OAAO,CAAC,yBAAyB,CAAC,GAAG,yBAAyB,CAAA;CAC3H,CAAA;AAED,eAAO,MAAM,gBAAgB,gCAAwE,CAAA;AAErG,eAAO,MAAM,0BAA0B,QAAO,MACqC,CAAA;AAEnF,eAAO,MAAM,sBAAsB,GAAI,KAAK,0BAA0B,KAAG,mBAAmB,EAC9B,CAAA;AAE9D,eAAO,MAAM,qBAAqB,GAChC,MAAM,MAAM,EACZ,KAAK,IAAI,CAAC,0BAA0B,EAAE,OAAO,GAAG,WAAW,CAAC,KAC3D,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAgC/D,CAAA"}

package/dist/uploads/api/file-uploads/processors/sanitizeSvg.d.ts

@@ -0,0 +1,5 @@
+import { UploadFileProcessor } from './index';
+export declare const looksLikeSvg: (sniff: Buffer) => boolean;
+export declare const sanitizeSvg: (svg: string) => string;
+export declare const sanitizeSvgProcessor: UploadFileProcessor;
+//# sourceMappingURL=sanitizeSvg.d.ts.map

package/dist/uploads/api/file-uploads/processors/sanitizeSvg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizeSvg.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/file-uploads/processors/sanitizeSvg.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAA;AAgBlD,eAAO,MAAM,YAAY,GAAI,OAAO,MAAM,KAAG,OAAmD,CAAA;AAEhG,eAAO,MAAM,WAAW,GAAI,KAAK,MAAM,KAAG,MAGtC,CAAA;AAEJ,eAAO,MAAM,oBAAoB,EAAE,mBA0BlC,CAAA"}

package/dist/uploads/api/files/handlers/deleteFile.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deleteFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/deleteFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,EAA8B,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAA;AAGxF,KAAK,qBAAqB,GAAG;IAC3B,EAAE,EAAE,OAAO,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAED,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,qBAAqB,EAAE,WAAW,CAyC5F,CAAA"}
+{"version":3,"file":"deleteFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/deleteFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,EAA2D,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAA;AAGrH,KAAK,qBAAqB,GAAG;IAC3B,EAAE,EAAE,OAAO,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAQD,eAAO,MAAM,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,qBAAqB,EAAE,WAAW,CAiE5F,CAAA"}

package/dist/uploads/api/files/handlers/getFile.d.ts

@@ -1,3 +1,4 @@
 import { ApiHandler } from '../../../../../../api/src';
-export declare const getFile: ApiHandler<Record<string, never>, Record<string, never>>;
+import { SessionUser } from '../../file-uploads/shared';
+export declare const getFile: ApiHandler<Record<string, never>, Record<string, never>, SessionUser>;
 //# sourceMappingURL=getFile.d.ts.map

package/dist/uploads/api/files/handlers/getFile.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"getFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/getFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAezC,eAAO,MAAM,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAmF5E,CAAA"}
+{"version":3,"file":"getFile.d.ts","sourceRoot":"","sources":["../../../../../src/uploads/api/files/handlers/getFile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAIzC,OAAO,EAA2D,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAA;AAqBrH,eAAO,MAAM,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,WAAW,CA0GzF,CAAA"}

package/dist/uploads.js

@@ -1,5 +1,5 @@
 const routes = Object.entries({
-  .../* @__PURE__ */ Object.assign({ "./api/file-uploads/handler.ts": () => import("./handler-BOTZftAB.js"), "./api/files/handler.ts": () => import("./handler-Cl-0-832.js") })
+  .../* @__PURE__ */ Object.assign({ "./api/file-uploads/handler.ts": () => import("./handler-BA2YiqnG.js"), "./api/files/handler.ts": () => import("./handler-Cohj3cz3.js") })
 }).reduce((acc, [path, mod]) => {
   acc[path.replace("./api/", "@rpcbase/server/uploads/api/")] = mod;
   return acc;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rpcbase/server",
-  "version": "0.479.0",
+  "version": "0.481.0",
   "type": "module",
   "files": [
     "dist"
@@ -85,13 +85,16 @@
   "dependencies": {
     "connect-mongo": "6.0.0",
     "connect-redis": "9.0.0",
+    "dompurify": "3.3.1",
     "express-session": "1.18.2",
-    "mongodb": "7.0.0",
     "http-proxy-3": "1.23.2",
+    "jsdom": "27.4.0",
+    "mongodb": "7.0.0",
     "redis": "5.10.0",
     "ws": "8.18.3"
   },
   "devDependencies": {
+    "@types/jsdom": "27.0.0",
     "@types/ws": "8.18.1",
     "request-ip": "3.3.0",
     "resend": "6.6.0"