@valentinkolb/filegate 0.0.1

package/src/handlers/files.ts

@@ -0,0 +1,423 @@
+import { Hono } from "hono";
+import { describeRoute } from "hono-openapi";
+import { readdir, mkdir, rm, rename, cp, stat } from "node:fs/promises";
+import { join, basename, relative } from "node:path";
+import sanitizeFilename from "sanitize-filename";
+import { validatePath, validateSameBase } from "../lib/path";
+import { parseOwnershipBody, applyOwnership } from "../lib/ownership";
+import { jsonResponse, binaryResponse, requiresAuth } from "../lib/openapi";
+import { v } from "../lib/validator";
+import {
+  FileInfoSchema,
+  DirInfoSchema,
+  ErrorSchema,
+  InfoQuerySchema,
+  PathQuerySchema,
+  MkdirBodySchema,
+  MoveBodySchema,
+  CopyBodySchema,
+  UploadFileHeadersSchema,
+  type FileInfo,
+} from "../schemas";
+import { config } from "../config";
+
+const app = new Hono();
+
+// Cross-platform directory size using `du` command
+const getDirSize = async (dirPath: string): Promise<number> => {
+  const isMac = process.platform === "darwin";
+
+  // macOS (BSD): du -sk (kilobytes), Linux (GNU): du -sb (bytes)
+  const args = isMac ? ["-sk", dirPath] : ["-sb", dirPath];
+  const multiplier = isMac ? 1024 : 1;
+
+  try {
+    const proc = Bun.spawn(["du", ...args], {
+      stdout: "pipe",
+      stderr: "ignore",
+    });
+    const output = await new Response(proc.stdout).text();
+    await proc.exited;
+
+    const value = parseInt(output.split("\t")[0] ?? "", 10);
+    return isNaN(value) ? 0 : value * multiplier;
+  } catch {
+    return 0;
+  }
+};
+
+const getFileInfo = async (path: string, relativeTo?: string): Promise<FileInfo> => {
+  const file = Bun.file(path);
+  const s = await stat(path);
+  const name = basename(path);
+
+  return {
+    name,
+    path: relativeTo ? relative(relativeTo, path) : path,
+    type: s.isDirectory() ? "directory" : "file",
+    size: s.isDirectory() ? 0 : s.size,
+    mtime: s.mtime.toISOString(),
+    isHidden: name.startsWith("."),
+    mimeType: s.isDirectory() ? undefined : file.type,
+  };
+};
+
+// GET /info
+app.get(
+  "/info",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Get file or directory info",
+    ...requiresAuth,
+    responses: {
+      200: jsonResponse(DirInfoSchema, "File or directory info"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+    },
+  }),
+  v("query", InfoQuerySchema),
+  async (c) => {
+    const { path, showHidden } = c.req.valid("query");
+
+    const result = await validatePath(path, true);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    let s;
+    try {
+      s = await stat(result.realPath);
+    } catch {
+      return c.json({ error: "not found" }, 404);
+    }
+
+    if (!s.isDirectory()) {
+      return c.json(await getFileInfo(result.realPath));
+    }
+
+    const entries = await readdir(result.realPath, { withFileTypes: true });
+
+    // Parallel file info retrieval
+    const items = (
+      await Promise.all(
+        entries
+          .filter((e) => showHidden || !e.name.startsWith("."))
+          .map((e) => getFileInfo(join(result.realPath, e.name), result.realPath).catch(() => null)),
+      )
+    ).filter((item): item is FileInfo => item !== null);
+
+    const info = await getFileInfo(result.realPath);
+    return c.json({ ...info, items, total: items.length });
+  },
+);
+
+// GET /content
+app.get(
+  "/content",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Download file or directory",
+    description: "Downloads a file directly or a directory as a TAR archive. Size limit applies to both.",
+    ...requiresAuth,
+    responses: {
+      200: binaryResponse("application/octet-stream", "File content or TAR archive"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+      413: jsonResponse(ErrorSchema, "Content too large"),
+    },
+  }),
+  v("query", PathQuerySchema),
+  async (c) => {
+    const { path } = c.req.valid("query");
+
+    const result = await validatePath(path);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    let s;
+    try {
+      s = await stat(result.realPath);
+    } catch {
+      return c.json({ error: "not found" }, 404);
+    }
+
+    if (s.isDirectory()) {
+      const size = await getDirSize(result.realPath);
+      if (size > config.maxDownloadBytes) {
+        return c.json(
+          { error: `directory exceeds max download size (${Math.round(config.maxDownloadBytes / 1024 / 1024)}MB)` },
+          413,
+        );
+      }
+
+      const dirName = basename(result.realPath);
+
+      // Create TAR archive using Bun's native API
+      const files: Record<string, Blob> = {};
+
+      // Add directory contents recursively
+      const addDirectoryToArchive = async (dirPath: string, basePath: string) => {
+        const entries = await readdir(dirPath, { withFileTypes: true });
+        for (const entry of entries) {
+          const fullPath = join(dirPath, entry.name);
+          const archivePath = relative(basePath, fullPath);
+
+          if (entry.isDirectory()) {
+            await addDirectoryToArchive(fullPath, basePath);
+          } else if (entry.isFile()) {
+            files[archivePath] = Bun.file(fullPath);
+          }
+        }
+      };
+
+      await addDirectoryToArchive(result.realPath, result.realPath);
+
+      // Generate the tar archive
+      const archive = new Bun.Archive(files);
+      const archiveBlob = await archive.blob();
+
+      return new Response(archiveBlob, {
+        headers: {
+          "Content-Type": "application/x-tar",
+          "Content-Disposition": `attachment; filename="${dirName}.tar"`,
+          "X-File-Name": `${dirName}.tar`,
+        },
+      });
+    }
+
+    const file = Bun.file(result.realPath);
+    if (!(await file.exists())) return c.json({ error: "not found" }, 404);
+
+    if (file.size > config.maxDownloadBytes) {
+      return c.json(
+        { error: `file exceeds max download size (${Math.round(config.maxDownloadBytes / 1024 / 1024)}MB)` },
+        413,
+      );
+    }
+
+    return new Response(file.stream(), {
+      headers: {
+        "Content-Type": file.type,
+        "Content-Length": String(file.size),
+        "X-File-Name": basename(result.realPath),
+      },
+    });
+  },
+);
+
+// PUT /content
+app.put(
+  "/content",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Upload file",
+    description:
+      "Upload a file with optional ownership. Use headers X-File-Path, X-File-Name, and optionally X-Owner-UID, X-Owner-GID, X-File-Mode.",
+    ...requiresAuth,
+    responses: {
+      201: jsonResponse(FileInfoSchema, "File created"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      413: jsonResponse(ErrorSchema, "File too large"),
+    },
+  }),
+  v("header", UploadFileHeadersSchema),
+  async (c) => {
+    const headers = c.req.valid("header");
+    const dirPath = headers["x-file-path"];
+    const rawFilename = headers["x-file-name"];
+
+    // Sanitize filename to prevent path traversal
+    const filename = sanitizeFilename(rawFilename);
+    if (!filename || filename !== rawFilename) {
+      return c.json({ error: "invalid filename" }, 400);
+    }
+
+    const fullPath = join(dirPath, filename);
+    const result = await validatePath(fullPath);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    // Build ownership from validated headers
+    const ownership: import("../lib/ownership").Ownership | null =
+      headers["x-owner-uid"] != null && headers["x-owner-gid"] != null && headers["x-file-mode"] != null
+        ? {
+            uid: headers["x-owner-uid"],
+            gid: headers["x-owner-gid"],
+            mode: parseInt(headers["x-file-mode"], 8),
+          }
+        : null;
+
+    await mkdir(dirPath, { recursive: true });
+
+    const body = c.req.raw.body;
+    if (!body) return c.json({ error: "missing body" }, 400);
+
+    // Stream to file instead of buffering in memory
+    let written = 0;
+    const file = Bun.file(result.realPath);
+    const writer = file.writer();
+
+    try {
+      for await (const chunk of body) {
+        written += chunk.length;
+        if (written > config.maxUploadBytes) {
+          writer.end();
+          await rm(result.realPath).catch(() => {});
+          return c.json({ error: "file exceeds max upload size" }, 413);
+        }
+        writer.write(chunk);
+      }
+      await writer.end();
+    } catch (e) {
+      writer.end();
+      await rm(result.realPath).catch(() => {});
+      throw e;
+    }
+
+    const ownershipError = await applyOwnership(result.realPath, ownership);
+    if (ownershipError) {
+      await rm(result.realPath).catch(() => {});
+      return c.json({ error: ownershipError }, 500);
+    }
+
+    return c.json(await getFileInfo(result.realPath), 201);
+  },
+);
+
+// POST /mkdir
+app.post(
+  "/mkdir",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Create directory",
+    ...requiresAuth,
+    responses: {
+      201: jsonResponse(FileInfoSchema, "Directory created"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+    },
+  }),
+  v("json", MkdirBodySchema),
+  async (c) => {
+    const body = c.req.valid("json");
+
+    const result = await validatePath(body.path);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    const ownership = parseOwnershipBody(body);
+
+    await mkdir(result.realPath, { recursive: true });
+
+    const ownershipError = await applyOwnership(result.realPath, ownership);
+    if (ownershipError) {
+      await rm(result.realPath, { recursive: true }).catch(() => {});
+      return c.json({ error: ownershipError }, 500);
+    }
+
+    return c.json(await getFileInfo(result.realPath), 201);
+  },
+);
+
+// DELETE /delete
+app.delete(
+  "/delete",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Delete file or directory",
+    ...requiresAuth,
+    responses: {
+      204: { description: "Deleted" },
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+    },
+  }),
+  v("query", PathQuerySchema),
+  async (c) => {
+    const { path } = c.req.valid("query");
+
+    const result = await validatePath(path);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    let s;
+    try {
+      s = await stat(result.realPath);
+    } catch {
+      return c.json({ error: "not found" }, 404);
+    }
+
+    await rm(result.realPath, { recursive: s.isDirectory() });
+    return c.body(null, 204);
+  },
+);
+
+// POST /move
+app.post(
+  "/move",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Move file or directory",
+    description: "Move within same base path only",
+    ...requiresAuth,
+    responses: {
+      200: jsonResponse(FileInfoSchema, "Moved"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+    },
+  }),
+  v("json", MoveBodySchema),
+  async (c) => {
+    const { from, to } = c.req.valid("json");
+
+    const result = await validateSameBase(from, to);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    try {
+      await stat(result.realPath);
+    } catch {
+      return c.json({ error: "source not found" }, 404);
+    }
+
+    await mkdir(join(result.realTo, ".."), { recursive: true });
+    await rename(result.realPath, result.realTo);
+
+    return c.json(await getFileInfo(result.realTo));
+  },
+);
+
+// POST /copy
+app.post(
+  "/copy",
+  describeRoute({
+    tags: ["Files"],
+    summary: "Copy file or directory",
+    description: "Copy within same base path only",
+    ...requiresAuth,
+    responses: {
+      200: jsonResponse(FileInfoSchema, "Copied"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+    },
+  }),
+  v("json", CopyBodySchema),
+  async (c) => {
+    const { from, to } = c.req.valid("json");
+
+    const result = await validateSameBase(from, to);
+    if (!result.ok) return c.json({ error: result.error }, result.status);
+
+    try {
+      await stat(result.realPath);
+    } catch {
+      return c.json({ error: "source not found" }, 404);
+    }
+
+    await mkdir(join(result.realTo, ".."), { recursive: true });
+    await cp(result.realPath, result.realTo, { recursive: true });
+
+    return c.json(await getFileInfo(result.realTo));
+  },
+);
+
+export default app;

package/src/handlers/search.ts

@@ -0,0 +1,119 @@
+import { Hono } from "hono";
+import { describeRoute } from "hono-openapi";
+import { Glob } from "bun";
+import { stat } from "node:fs/promises";
+import { join, basename, relative } from "node:path";
+import { validatePath } from "../lib/path";
+import { jsonResponse, requiresAuth } from "../lib/openapi";
+import { v } from "../lib/validator";
+import {
+  SearchResponseSchema,
+  ErrorSchema,
+  SearchQuerySchema,
+  countRecursiveWildcards,
+  type FileInfo,
+  type SearchResult,
+} from "../schemas";
+import { config } from "../config";
+
+const app = new Hono();
+
+const getFileInfo = async (fullPath: string, basePath: string): Promise<FileInfo | null> => {
+  try {
+    const s = await stat(fullPath);
+    const name = basename(fullPath);
+    const file = Bun.file(fullPath);
+
+    return {
+      name,
+      path: relative(basePath, fullPath),
+      type: s.isDirectory() ? "directory" : "file",
+      size: s.isDirectory() ? 0 : s.size,
+      mtime: s.mtime.toISOString(),
+      isHidden: name.startsWith("."),
+      mimeType: s.isDirectory() ? undefined : file.type,
+    };
+  } catch {
+    return null;
+  }
+};
+
+const searchInPath = async (
+  basePath: string,
+  pattern: string,
+  showHidden: boolean,
+  limit: number,
+): Promise<SearchResult> => {
+  const glob = new Glob(pattern);
+  const files: FileInfo[] = [];
+  let hasMore = false;
+
+  for await (const match of glob.scan({ cwd: basePath, dot: showHidden })) {
+    if (!showHidden && basename(match).startsWith(".")) continue;
+
+    if (files.length >= limit) {
+      hasMore = true;
+      break;
+    }
+
+    const info = await getFileInfo(join(basePath, match), basePath);
+    if (info) files.push(info);
+  }
+
+  return { basePath, files, total: files.length, hasMore };
+};
+
+app.get(
+  "/search",
+  describeRoute({
+    tags: ["Search"],
+    summary: "Search files with glob pattern",
+    description: "Search multiple paths in parallel using glob patterns",
+    ...requiresAuth,
+    responses: {
+      200: jsonResponse(SearchResponseSchema, "Search results"),
+      400: jsonResponse(ErrorSchema, "Bad request"),
+      403: jsonResponse(ErrorSchema, "Forbidden"),
+      404: jsonResponse(ErrorSchema, "Not found"),
+    },
+  }),
+  v("query", SearchQuerySchema),
+  async (c) => {
+    const { paths: pathsParam, pattern, showHidden, limit: limitParam } = c.req.valid("query");
+
+    // Validate recursive wildcard count
+    const wildcardCount = countRecursiveWildcards(pattern);
+    if (wildcardCount > config.searchMaxRecursiveWildcards) {
+      return c.json(
+        { error: `too many recursive wildcards: ${wildcardCount} (max ${config.searchMaxRecursiveWildcards})` },
+        400,
+      );
+    }
+
+    const limit = Math.min(limitParam ?? config.searchMaxResults, config.searchMaxResults);
+    const paths = pathsParam
+      .split(",")
+      .map((p) => p.trim())
+      .filter(Boolean);
+    const validPaths: string[] = [];
+
+    for (const p of paths) {
+      const result = await validatePath(p, true);
+      if (!result.ok) return c.json({ error: result.error }, result.status);
+
+      const s = await stat(result.realPath).catch(() => null);
+      if (!s) return c.json({ error: `path not found: ${p}` }, 404);
+      if (!s.isDirectory()) return c.json({ error: `not a directory: ${p}` }, 400);
+
+      validPaths.push(result.realPath);
+    }
+
+    const results = await Promise.all(validPaths.map((p) => searchInPath(p, pattern, showHidden, limit)));
+
+    const totalFiles = results.reduce((sum, r) => sum + r.total, 0);
+
+    return c.json({ results, totalFiles });
+  },
+);
+
+export default app;