@rpcbase/server 0.537.0 → 0.539.0

package/dist/handler-ClQF4MOn.js

@@ -0,0 +1,931 @@
+import { models, getTenantFilesystemDb } from "@rpcbase/db";
+import { GridFSBucket, ObjectId } from "mongodb";
+import { enqueueUploadPostProcessors } from "./uploads.js";
+import { JSDOM } from "jsdom";
+import createDOMPurify from "dompurify";
+import { g as getTenantId, b as buildUploadsAbility, a as getUploadSessionAccessQuery, e as ensureUploadIndexes, c as getBucketName, d as getModelCtx, f as getUserId, h as getChunkSizeBytes, i as getSessionTtlMs, j as computeSha256Hex, t as toBufferPayload, n as normalizeSha256Hex, k as getMaxClientUploadBytesPerSecond, l as getRawBodyLimitBytes } from "./shared-nE84Or5W.js";
+import { randomBytes } from "node:crypto";
+import { o as object, n as number, b as boolean, s as string, a as array, _ as _enum } from "./schemas-Cjdjgehl.js";
+const MAX_SVG_BYTES = 128 * 1024;
+const window = new JSDOM("").window;
+const DOMPurify = createDOMPurify(window);
+const normalizeForSniff = (raw) => raw.replace(/^\uFEFF/, "").trimStart();
+const looksLikeSvgText = (text) => {
+  const normalized = normalizeForSniff(text);
+  if (!normalized.startsWith("<")) return false;
+  return /<svg(?:\s|>)/i.test(normalized);
+};
+const looksLikeSvg = (sniff) => looksLikeSvgText(sniff.toString("utf8"));
+const sanitizeSvg = (svg) => DOMPurify.sanitize(svg, {
+  USE_PROFILES: {
+    svg: true,
+    svgFilters: true
+  }
+});
+const sanitizeSvgProcessor = {
+  id: "sanitize-svg",
+  maxBytes: MAX_SVG_BYTES,
+  match: ({
+    sniff
+  }) => looksLikeSvg(sniff),
+  process: (data) => {
+    if (data.length > MAX_SVG_BYTES) {
+      throw new Error("svg_too_large");
+    }
+    const svgText = data.toString("utf8");
+    if (!looksLikeSvgText(svgText)) {
+      throw new Error("svg_invalid");
+    }
+    const sanitized = sanitizeSvg(svgText);
+    if (!sanitized.trim() || !looksLikeSvgText(sanitized)) {
+      throw new Error("svg_sanitize_failed");
+    }
+    const sanitizedBuffer = Buffer.from(sanitized, "utf8");
+    if (sanitizedBuffer.length > MAX_SVG_BYTES) {
+      throw new Error("svg_too_large");
+    }
+    return {
+      data: sanitizedBuffer,
+      mimeType: "image/svg+xml"
+    };
+  }
+};
+const uploadProcessors = Object.freeze([sanitizeSvgProcessor]);
+const getMaxUploadProcessorBytes = () => uploadProcessors.reduce((max, processor) => Math.max(max, processor.maxBytes), 0);
+const selectUploadProcessors = (ctx) => uploadProcessors.filter((processor) => processor.match(ctx));
+const applyUploadProcessors = async (data, ctx) => {
+  let currentData = data;
+  let currentMimeType = ctx.clientMimeType;
+  const applied = [];
+  for (const processor of uploadProcessors) {
+    const processorCtx = {
+      filename: ctx.filename,
+      clientMimeType: currentMimeType,
+      totalSize: currentData.length,
+      sniff: currentData
+    };
+    if (!processor.match(processorCtx)) continue;
+    if (currentData.length > processor.maxBytes) {
+      throw new Error("processor_input_too_large");
+    }
+    const result = await processor.process(currentData, processorCtx);
+    currentData = result.data;
+    if (typeof result.mimeType === "string" && result.mimeType.trim()) {
+      currentMimeType = result.mimeType.trim();
+    }
+    applied.push(processor.id);
+  }
+  return {
+    data: currentData,
+    mimeType: currentMimeType,
+    applied
+  };
+};
+const waitForStreamFinished = async (stream) => new Promise((resolve, reject) => {
+  stream.once("finish", resolve);
+  stream.once("error", reject);
+});
+const writeToStream = async (stream, chunk) => {
+  const ok = stream.write(chunk);
+  if (ok) return;
+  await new Promise((resolve, reject) => {
+    const onDrain = () => {
+      cleanup();
+      resolve();
+    };
+    const onError = (error) => {
+      cleanup();
+      reject(error);
+    };
+    const cleanup = () => {
+      stream.off("drain", onDrain);
+      stream.off("error", onError);
+    };
+    stream.on("drain", onDrain);
+    stream.on("error", onError);
+  });
+};
+const abortUploadStream = async (stream) => {
+  if (!stream) return;
+  if (typeof stream.abort === "function") {
+    try {
+      await stream.abort();
+      return;
+    } catch {
+    }
+  }
+  try {
+    ;
+    stream.destroy?.();
+  } catch {
+  }
+};
+const completeUpload = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "tenant_missing"
+    };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  if (!uploadId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_upload_id"
+    };
+  }
+  const ability = buildUploadsAbility(ctx, tenantId);
+  const modelCtx = getModelCtx(ctx, tenantId, ability);
+  const [UploadSession, UploadChunk] = await Promise.all([models.get("RBUploadSession", modelCtx), models.get("RBUploadChunk", modelCtx)]);
+  if (!ability.can("update", "RBUploadSession")) {
+    ctx.res.status(401);
+    return {
+      ok: false,
+      error: "unauthorized"
+    };
+  }
+  const existing = await UploadSession.findOne({
+    $and: [{
+      _id: uploadId
+    }, getUploadSessionAccessQuery(ability, "read")]
+  }).lean();
+  if (!existing) {
+    ctx.res.status(404);
+    return {
+      ok: false,
+      error: "not_found"
+    };
+  }
+  if (existing.status === "done" && existing.fileId) {
+    return {
+      ok: true,
+      fileId: existing.fileId
+    };
+  }
+  const locked = await UploadSession.findOneAndUpdate({
+    $and: [{
+      _id: uploadId
+    }, {
+      status: "uploading"
+    }, getUploadSessionAccessQuery(ability, "update")]
+  }, {
+    $set: {
+      status: "assembling"
+    },
+    $unset: {
+      error: ""
+    }
+  }, {
+    returnDocument: "after"
+  }).lean();
+  if (!locked) {
+    ctx.res.status(409);
+    return {
+      ok: false,
+      error: "not_uploading"
+    };
+  }
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  const fsDb = await getTenantFilesystemDb(tenantId);
+  const nativeDb = fsDb.db;
+  if (!nativeDb) {
+    await UploadSession.updateOne({
+      $and: [{
+        _id: uploadId
+      }, getUploadSessionAccessQuery(ability, "update")]
+    }, {
+      $set: {
+        status: "error",
+        error: "filesystem_db_unavailable"
+      }
+    });
+    ctx.res.status(500);
+    return {
+      ok: false,
+      error: "assembly_failed"
+    };
+  }
+  const bucketName = getBucketName();
+  const bucket = new GridFSBucket(nativeDb, {
+    bucketName
+  });
+  const lockedUserId = typeof locked.userId === "string" ? locked.userId : void 0;
+  const maxProcessorBytes = getMaxUploadProcessorBytes();
+  const shouldBufferForProcessing = locked.totalSize <= maxProcessorBytes;
+  const declaredMimeType = locked.mimeType.trim().toLowerCase();
+  const declaredSvg = declaredMimeType === "image/svg+xml" || locked.filename.trim().toLowerCase().endsWith(".svg");
+  let uploadStream = null;
+  let finalMimeType = locked.mimeType;
+  let inlineProcessors = [];
+  let finalMetadata = {
+    uploadId,
+    tenantId,
+    mimeType: locked.mimeType,
+    totalSize: locked.totalSize,
+    ...typeof locked.isPublic === "boolean" ? {
+      isPublic: locked.isPublic
+    } : {},
+    ...typeof locked.ownerKeyHash === "string" ? {
+      ownerKeyHash: locked.ownerKeyHash
+    } : {},
+    ...lockedUserId ? {
+      userId: lockedUserId
+    } : {}
+  };
+  try {
+    if (!shouldBufferForProcessing && declaredSvg) {
+      throw new Error("svg_too_large");
+    }
+    const cursor = UploadChunk.find({
+      uploadId
+    }).sort({
+      index: 1
+    }).cursor();
+    let expectedIndex = 0;
+    const chunks = [];
+    let bufferedBytes = 0;
+    const pendingChunks = [];
+    const sniffParts = [];
+    let sniffBytes = 0;
+    try {
+      for await (const chunkDoc of cursor) {
+        if (chunkDoc.index !== expectedIndex) {
+          throw new Error("missing_chunks");
+        }
+        const chunk = chunkDoc.data;
+        if (shouldBufferForProcessing) {
+          chunks.push(chunk);
+          bufferedBytes += chunk.length;
+        } else if (!uploadStream) {
+          pendingChunks.push(chunk);
+          if (sniffBytes < maxProcessorBytes) {
+            const slice = chunk.subarray(0, Math.min(chunk.length, maxProcessorBytes - sniffBytes));
+            if (slice.length) {
+              sniffParts.push(slice);
+              sniffBytes += slice.length;
+            }
+          }
+          if (sniffBytes >= maxProcessorBytes) {
+            const sniff = Buffer.concat(sniffParts, sniffBytes);
+            const processors = selectUploadProcessors({
+              filename: locked.filename,
+              clientMimeType: locked.mimeType,
+              totalSize: locked.totalSize,
+              sniff
+            });
+            if (processors.length) {
+              throw new Error("svg_too_large");
+            }
+            finalMetadata = {
+              uploadId,
+              tenantId,
+              mimeType: locked.mimeType,
+              totalSize: locked.totalSize,
+              ...typeof locked.isPublic === "boolean" ? {
+                isPublic: locked.isPublic
+              } : {},
+              ...typeof locked.ownerKeyHash === "string" ? {
+                ownerKeyHash: locked.ownerKeyHash
+              } : {},
+              ...lockedUserId ? {
+                userId: lockedUserId
+              } : {}
+            };
+            uploadStream = bucket.openUploadStream(locked.filename, {
+              metadata: finalMetadata
+            });
+            for (const pending of pendingChunks) {
+              await writeToStream(uploadStream, pending);
+            }
+            pendingChunks.length = 0;
+          }
+        } else {
+          await writeToStream(uploadStream, chunk);
+        }
+        expectedIndex += 1;
+      }
+    } finally {
+      try {
+        await cursor.close();
+      } catch {
+      }
+    }
+    if (expectedIndex !== locked.chunksTotal) {
+      throw new Error("missing_chunks");
+    }
+    if (shouldBufferForProcessing) {
+      const assembled = Buffer.concat(chunks, bufferedBytes);
+      const {
+        data: processed,
+        mimeType: processedMimeType,
+        applied
+      } = await applyUploadProcessors(assembled, {
+        filename: locked.filename,
+        clientMimeType: locked.mimeType
+      });
+      finalMimeType = processedMimeType;
+      inlineProcessors = applied;
+      finalMetadata = {
+        uploadId,
+        tenantId,
+        mimeType: processedMimeType,
+        totalSize: locked.totalSize,
+        ...applied.length ? {
+          processors: applied,
+          processedSize: processed.length
+        } : {},
+        ...typeof locked.isPublic === "boolean" ? {
+          isPublic: locked.isPublic
+        } : {},
+        ...typeof locked.ownerKeyHash === "string" ? {
+          ownerKeyHash: locked.ownerKeyHash
+        } : {},
+        ...lockedUserId ? {
+          userId: lockedUserId
+        } : {}
+      };
+      uploadStream = bucket.openUploadStream(locked.filename, {
+        metadata: finalMetadata
+      });
+      const finished = waitForStreamFinished(uploadStream);
+      uploadStream.end(processed);
+      await finished;
+    } else {
+      if (!uploadStream) {
+        const sniff = Buffer.concat(sniffParts, sniffBytes);
+        const processors = selectUploadProcessors({
+          filename: locked.filename,
+          clientMimeType: locked.mimeType,
+          totalSize: locked.totalSize,
+          sniff
+        });
+        if (processors.length) {
+          throw new Error("svg_too_large");
+        }
+        finalMetadata = {
+          uploadId,
+          tenantId,
+          mimeType: locked.mimeType,
+          totalSize: locked.totalSize,
+          ...typeof locked.isPublic === "boolean" ? {
+            isPublic: locked.isPublic
+          } : {},
+          ...typeof locked.ownerKeyHash === "string" ? {
+            ownerKeyHash: locked.ownerKeyHash
+          } : {},
+          ...lockedUserId ? {
+            userId: lockedUserId
+          } : {}
+        };
+        uploadStream = bucket.openUploadStream(locked.filename, {
+          metadata: finalMetadata
+        });
+        for (const pending of pendingChunks) {
+          await writeToStream(uploadStream, pending);
+        }
+        pendingChunks.length = 0;
+      }
+      const finished = waitForStreamFinished(uploadStream);
+      uploadStream.end();
+      await finished;
+    }
+    const fileId = String(uploadStream.id ?? "");
+    if (!fileId) {
+      throw new Error("missing_file_id");
+    }
+    await UploadSession.updateOne({
+      $and: [{
+        _id: uploadId
+      }, getUploadSessionAccessQuery(ability, "update")]
+    }, {
+      $set: {
+        status: "done",
+        fileId
+      },
+      $unset: {
+        error: ""
+      }
+    });
+    await enqueueUploadPostProcessors({
+      tenantId,
+      uploadId,
+      fileId,
+      filename: locked.filename,
+      mimeType: finalMimeType,
+      clientMimeType: locked.mimeType,
+      totalSize: locked.totalSize,
+      ...typeof locked.isPublic === "boolean" ? {
+        isPublic: locked.isPublic
+      } : {},
+      ...typeof locked.ownerKeyHash === "string" ? {
+        ownerKeyHash: locked.ownerKeyHash
+      } : {},
+      ...lockedUserId ? {
+        userId: lockedUserId
+      } : {},
+      inlineProcessors,
+      metadata: finalMetadata
+    }).catch((error) => {
+      console.error("Upload post processor enqueue failed", {
+        tenantId,
+        uploadId,
+        fileId,
+        error
+      });
+    });
+    try {
+      await UploadChunk.deleteMany({
+        uploadId
+      });
+    } catch {
+    }
+    return {
+      ok: true,
+      fileId
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    await abortUploadStream(uploadStream);
+    if (message === "missing_chunks") {
+      await UploadSession.updateOne({
+        $and: [{
+          _id: uploadId
+        }, getUploadSessionAccessQuery(ability, "update")]
+      }, {
+        $set: {
+          status: "uploading"
+        }
+      });
+      ctx.res.status(409);
+      return {
+        ok: false,
+        error: "missing_chunks"
+      };
+    }
+    if (message === "svg_too_large") {
+      await UploadSession.updateOne({
+        $and: [{
+          _id: uploadId
+        }, getUploadSessionAccessQuery(ability, "update")]
+      }, {
+        $set: {
+          status: "error",
+          error: message
+        }
+      });
+      ctx.res.status(413);
+      return {
+        ok: false,
+        error: message
+      };
+    }
+    if (message === "svg_invalid" || message === "svg_sanitize_failed") {
+      await UploadSession.updateOne({
+        $and: [{
+          _id: uploadId
+        }, getUploadSessionAccessQuery(ability, "update")]
+      }, {
+        $set: {
+          status: "error",
+          error: message
+        }
+      });
+      ctx.res.status(400);
+      return {
+        ok: false,
+        error: message
+      };
+    }
+    await UploadSession.updateOne({
+      $and: [{
+        _id: uploadId
+      }, getUploadSessionAccessQuery(ability, "update")]
+    }, {
+      $set: {
+        status: "error",
+        error: message
+      }
+    });
+    ctx.res.status(500);
+    return {
+      ok: false,
+      error: "assembly_failed"
+    };
+  }
+};
+const getStatus = async (_payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "tenant_missing"
+    };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  if (!uploadId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_upload_id"
+    };
+  }
+  const ability = buildUploadsAbility(ctx, tenantId);
+  const modelCtx = getModelCtx(ctx, tenantId, ability);
+  const [UploadSession, UploadChunk] = await Promise.all([models.get("RBUploadSession", modelCtx), models.get("RBUploadChunk", modelCtx)]);
+  if (!ability.can("read", "RBUploadSession")) {
+    ctx.res.status(401);
+    return {
+      ok: false,
+      error: "unauthorized"
+    };
+  }
+  const session = await UploadSession.findOne({
+    $and: [{
+      _id: uploadId
+    }, getUploadSessionAccessQuery(ability, "read")]
+  }).lean();
+  if (!session) {
+    ctx.res.status(404);
+    return {
+      ok: false,
+      error: "not_found"
+    };
+  }
+  const receivedDocs = await UploadChunk.find({
+    uploadId
+  }, {
+    index: 1,
+    _id: 0
+  }).sort({
+    index: 1
+  }).lean();
+  const received = receivedDocs.map((doc) => typeof doc.index === "number" ? doc.index : -1).filter((n) => Number.isInteger(n) && n >= 0);
+  return {
+    ok: true,
+    status: session.status,
+    chunkSize: session.chunkSize,
+    chunksTotal: session.chunksTotal,
+    received,
+    ...session.fileId ? {
+      fileId: session.fileId
+    } : {}
+  };
+};
+const InitRoute = "/api/rb/file-uploads";
+const ChunkRoute = "/api/rb/file-uploads/:uploadId/chunks/:index";
+const StatusRoute = "/api/rb/file-uploads/:uploadId/status";
+const CompleteRoute = "/api/rb/file-uploads/:uploadId/complete";
+const initRequestSchema = object({
+  filename: string().min(1),
+  mimeType: string().min(1),
+  isPublic: boolean().optional(),
+  totalSize: number().int().min(1)
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  uploadId: string().optional(),
+  uploadKey: string().optional(),
+  chunkSize: number().int().optional(),
+  chunksTotal: number().int().optional()
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  status: _enum(["uploading", "assembling", "done", "error"]).optional(),
+  chunkSize: number().int().optional(),
+  chunksTotal: number().int().optional(),
+  received: array(number().int().min(0)).optional(),
+  fileId: string().optional()
+});
+object({
+  ok: boolean(),
+  error: string().optional(),
+  fileId: string().optional()
+});
+const initUpload = async (payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "tenant_missing"
+    };
+  }
+  const userId = getUserId(ctx);
+  const parsed = initRequestSchema.safeParse(payload ?? {});
+  if (!parsed.success) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_payload"
+    };
+  }
+  const chunkSize = getChunkSizeBytes();
+  const {
+    filename,
+    mimeType,
+    totalSize,
+    isPublic
+  } = parsed.data;
+  const chunksTotal = Math.ceil(totalSize / chunkSize);
+  const ability = buildUploadsAbility(ctx, tenantId);
+  const modelCtx = getModelCtx(ctx, tenantId, ability);
+  const [UploadSession, UploadChunk] = await Promise.all([models.get("RBUploadSession", modelCtx), models.get("RBUploadChunk", modelCtx)]);
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  const uploadId = new ObjectId().toString();
+  const now = Date.now();
+  const expiresAt = new Date(now + getSessionTtlMs());
+  const uploadKey = userId ? null : randomBytes(32).toString("base64url");
+  const ownerKeyHash = uploadKey ? computeSha256Hex(Buffer.from(uploadKey)) : void 0;
+  await UploadSession.create({
+    _id: uploadId,
+    ...userId ? {
+      userId
+    } : {},
+    ...ownerKeyHash ? {
+      ownerKeyHash
+    } : {},
+    filename,
+    mimeType,
+    ...typeof isPublic === "boolean" ? {
+      isPublic
+    } : {},
+    totalSize,
+    chunkSize,
+    chunksTotal,
+    status: "uploading",
+    createdAt: new Date(now),
+    expiresAt
+  });
+  return {
+    ok: true,
+    uploadId,
+    chunkSize,
+    chunksTotal,
+    ...uploadKey ? {
+      uploadKey
+    } : {}
+  };
+};
+const uploadChunk = async (payload, ctx) => {
+  const tenantId = getTenantId(ctx);
+  if (!tenantId) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "tenant_missing"
+    };
+  }
+  const uploadId = String(ctx.req.params?.uploadId ?? "").trim();
+  const indexRaw = String(ctx.req.params?.index ?? "").trim();
+  const index = Number(indexRaw);
+  if (!uploadId || !Number.isInteger(index) || index < 0) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_chunk_ref"
+    };
+  }
+  const ability = buildUploadsAbility(ctx, tenantId);
+  const modelCtx = getModelCtx(ctx, tenantId, ability);
+  const [UploadSession, UploadChunk] = await Promise.all([models.get("RBUploadSession", modelCtx), models.get("RBUploadChunk", modelCtx)]);
+  if (!ability.can("update", "RBUploadSession")) {
+    ctx.res.status(401);
+    return {
+      ok: false,
+      error: "unauthorized"
+    };
+  }
+  const session = await UploadSession.findOne({
+    $and: [{
+      _id: uploadId
+    }, getUploadSessionAccessQuery(ability, "update")]
+  }).lean();
+  if (!session) {
+    ctx.res.status(404);
+    return {
+      ok: false,
+      error: "not_found"
+    };
+  }
+  if (session.status !== "uploading") {
+    ctx.res.status(409);
+    return {
+      ok: false,
+      error: "not_uploading"
+    };
+  }
+  if (index >= session.chunksTotal) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "index_out_of_range"
+    };
+  }
+  const data = toBufferPayload(payload);
+  if (!data) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_body"
+    };
+  }
+  const expectedSize = index === session.chunksTotal - 1 ? session.totalSize - session.chunkSize * (session.chunksTotal - 1) : session.chunkSize;
+  if (data.length > expectedSize) {
+    ctx.res.status(413);
+    return {
+      ok: false,
+      error: "chunk_too_large"
+    };
+  }
+  if (data.length !== expectedSize) {
+    ctx.res.status(400);
+    return {
+      ok: false,
+      error: "invalid_chunk_size"
+    };
+  }
+  const checksumHeader = ctx.req.get("X-Chunk-SHA256");
+  const sha256 = checksumHeader ? computeSha256Hex(data) : void 0;
+  if (checksumHeader) {
+    const expectedSha256 = normalizeSha256Hex(checksumHeader);
+    if (sha256 !== expectedSha256) {
+      ctx.res.status(400);
+      return {
+        ok: false,
+        error: "checksum_mismatch"
+      };
+    }
+  }
+  await ensureUploadIndexes(UploadSession, UploadChunk);
+  await UploadChunk.updateOne({
+    uploadId,
+    index
+  }, {
+    $set: {
+      uploadId,
+      index,
+      data,
+      size: data.length,
+      sha256,
+      expiresAt: session.expiresAt
+    },
+    $setOnInsert: {
+      createdAt: /* @__PURE__ */ new Date()
+    }
+  }, {
+    upsert: true
+  });
+  ctx.res.status(204);
+  return {
+    ok: true
+  };
+};
+const rawBodyParser = ({
+  limitBytes,
+  maxClientBytesPerSecond
+}) => {
+  return (req, res, next) => {
+    const contentType = typeof req?.headers?.["content-type"] === "string" ? String(req.headers["content-type"]) : "";
+    if (!contentType.includes("application/octet-stream")) {
+      next();
+      return;
+    }
+    let total = 0;
+    const chunks = [];
+    let done = false;
+    let paused = false;
+    let throttleTimeout = null;
+    const rateBytesPerSecond = typeof maxClientBytesPerSecond === "number" && maxClientBytesPerSecond > 0 ? maxClientBytesPerSecond : null;
+    const cleanup = () => {
+      req.off("data", onData);
+      req.off("end", onEnd);
+      req.off("error", onError);
+      req.off("aborted", onAborted);
+      if (throttleTimeout) {
+        clearTimeout(throttleTimeout);
+        throttleTimeout = null;
+      }
+    };
+    const finish = (error) => {
+      if (done) return;
+      done = true;
+      cleanup();
+      if (error) {
+        next(error);
+        return;
+      }
+      req.body = Buffer.concat(chunks, total);
+      next();
+    };
+    const onData = (chunk) => {
+      if (done) return;
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+      total += buffer.length;
+      if (total > limitBytes) {
+        done = true;
+        cleanup();
+        req.destroy();
+        res.status(413).json({
+          ok: false,
+          error: "chunk_too_large"
+        });
+        return;
+      }
+      chunks.push(buffer);
+      if (!rateBytesPerSecond) return;
+      const now = Date.now();
+      const clientKey = getClientKey(req);
+      const state = getClientRateState(clientKey, rateBytesPerSecond, now);
+      const waitMs = consumeRateBudget(state, buffer.length, rateBytesPerSecond, now);
+      if (waitMs > 0 && !paused) {
+        paused = true;
+        req.pause();
+        throttleTimeout = setTimeout(() => {
+          throttleTimeout = null;
+          paused = false;
+          if (done) return;
+          try {
+            req.resume();
+          } catch {
+          }
+        }, waitMs);
+      }
+    };
+    const onEnd = () => finish();
+    const onError = (err) => finish(err);
+    const onAborted = () => finish(new Error("request_aborted"));
+    req.on("data", onData);
+    req.on("end", onEnd);
+    req.on("error", onError);
+    req.on("aborted", onAborted);
+  };
+};
+const MAX_BURST_SECONDS = 1;
+const STALE_CLIENT_MS = 15 * 60 * 1e3;
+const clientRateStates = /* @__PURE__ */ new Map();
+let lastCleanupMs = 0;
+const getClientKey = (req) => {
+  const rawClientIp = typeof req?.clientIp === "string" ? req.clientIp : "";
+  if (rawClientIp.trim()) return rawClientIp.trim();
+  const rawIp = typeof req?.ip === "string" ? req.ip : "";
+  return rawIp.trim() || "unknown";
+};
+const maybeCleanupStates = (now) => {
+  if (now - lastCleanupMs < 6e4) return;
+  lastCleanupMs = now;
+  if (clientRateStates.size < 2e3) return;
+  for (const [key, state] of clientRateStates) {
+    if (now - state.lastSeenMs > STALE_CLIENT_MS) {
+      clientRateStates.delete(key);
+    }
+  }
+};
+const getClientRateState = (key, rateBytesPerSecond, now) => {
+  maybeCleanupStates(now);
+  const capacity = rateBytesPerSecond * MAX_BURST_SECONDS;
+  const existing = clientRateStates.get(key);
+  if (existing) {
+    existing.lastSeenMs = now;
+    existing.tokens = Math.min(capacity, existing.tokens);
+    return existing;
+  }
+  const next = {
+    tokens: capacity,
+    lastRefillMs: now,
+    lastSeenMs: now
+  };
+  clientRateStates.set(key, next);
+  return next;
+};
+const consumeRateBudget = (state, bytes, rateBytesPerSecond, now) => {
+  const capacity = rateBytesPerSecond * MAX_BURST_SECONDS;
+  const elapsedMs = Math.max(0, now - state.lastRefillMs);
+  if (elapsedMs > 0) {
+    state.tokens = Math.min(capacity, state.tokens + elapsedMs * rateBytesPerSecond / 1e3);
+    state.lastRefillMs = now;
+  }
+  state.tokens -= bytes;
+  if (state.tokens >= 0) return 0;
+  return Math.ceil(-state.tokens / rateBytesPerSecond * 1e3);
+};
+const handler = (api) => {
+  const chunkSizeBytes = getChunkSizeBytes();
+  api.use(InitRoute, rawBodyParser({
+    limitBytes: getRawBodyLimitBytes(chunkSizeBytes),
+    maxClientBytesPerSecond: getMaxClientUploadBytesPerSecond()
+  }));
+  api.post(InitRoute, initUpload);
+  api.put(ChunkRoute, uploadChunk);
+  api.get(StatusRoute, getStatus);
+  api.post(CompleteRoute, completeUpload);
+};
+export {
+  handler as default
+};
+//# sourceMappingURL=handler-ClQF4MOn.js.map