@zero-server/body 0.9.1 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/LICENSE +21 -21
  2. package/index.d.ts +1 -1
  3. package/index.js +6 -6
  4. package/lib/body/index.js +14 -0
  5. package/lib/body/json.js +109 -0
  6. package/lib/body/multipart.js +440 -0
  7. package/lib/body/raw.js +71 -0
  8. package/lib/body/rawBuffer.js +161 -0
  9. package/lib/body/sendError.js +25 -0
  10. package/lib/body/text.js +75 -0
  11. package/lib/body/typeMatch.js +42 -0
  12. package/lib/body/urlencoded.js +235 -0
  13. package/package.json +10 -3
  14. package/types/app.d.ts +223 -0
  15. package/types/auth.d.ts +520 -0
  16. package/types/body.d.ts +14 -0
  17. package/types/cli.d.ts +2 -0
  18. package/types/cluster.d.ts +75 -0
  19. package/types/env.d.ts +80 -0
  20. package/types/errors.d.ts +316 -0
  21. package/types/fetch.d.ts +43 -0
  22. package/types/grpc.d.ts +432 -0
  23. package/types/index.d.ts +384 -0
  24. package/types/lifecycle.d.ts +60 -0
  25. package/types/middleware.d.ts +320 -0
  26. package/types/observe.d.ts +304 -0
  27. package/types/orm.d.ts +1887 -0
  28. package/types/request.d.ts +109 -0
  29. package/types/response.d.ts +157 -0
  30. package/types/router.d.ts +78 -0
  31. package/types/sse.d.ts +78 -0
  32. package/types/websocket.d.ts +126 -0
package/LICENSE CHANGED
@@ -1,21 +1,21 @@
1
- MIT License
2
-
3
- Copyright (c) 2026 Tony Wiedman
4
-
5
- Permission is hereby granted, free of charge, to any person obtaining a copy
6
- of this software and associated documentation files (the "Software"), to deal
7
- in the Software without restriction, including without limitation the rights
8
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
- copies of the Software, and to permit persons to whom the Software is
10
- furnished to do so, subject to the following conditions:
11
-
12
- The above copyright notice and this permission notice shall be included in all
13
- copies or substantial portions of the Software.
14
-
15
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
- SOFTWARE.
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Tony Wiedman
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/index.d.ts CHANGED
@@ -1,2 +1,2 @@
1
1
  // AUTO-GENERATED by .tools/generate-package-stubs.js — edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
2
- export { json, urlencoded, text, raw, multipart } from "@zero-server/sdk";
2
+ export * from './types/body';
package/index.js CHANGED
@@ -1,11 +1,11 @@
1
1
  // AUTO-GENERATED by .tools/generate-package-stubs.js — edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
2
2
  'use strict';
3
- const sdk = require("@zero-server/sdk");
3
+ const lib = require("./lib/body");
4
4
 
5
5
  module.exports = {
6
- json: sdk.json,
7
- urlencoded: sdk.urlencoded,
8
- text: sdk.text,
9
- raw: sdk.raw,
10
- multipart: sdk.multipart,
6
+ json: lib.json,
7
+ urlencoded: lib.urlencoded,
8
+ text: lib.text,
9
+ raw: lib.raw,
10
+ multipart: lib.multipart,
11
11
  };
package/lib/body/index.js ADDED
@@ -0,0 +1,14 @@
1
+ /**
2
+ * @module body
3
+ * @description Barrel export for all body-parsing utilities and middleware.
4
+ */
5
+ const rawBuffer = require('./rawBuffer');
6
+ const isTypeMatch = require('./typeMatch');
7
+ const sendError = require('./sendError');
8
+ const json = require('./json');
9
+ const urlencoded = require('./urlencoded');
10
+ const text = require('./text');
11
+ const raw = require('./raw');
12
+ const multipart = require('./multipart');
13
+
14
+ module.exports = { rawBuffer, isTypeMatch, sendError, json, urlencoded, text, raw, multipart };
package/lib/body/json.js ADDED
@@ -0,0 +1,109 @@
1
+ /**
2
+ * @module body/json
3
+ * @description JSON body-parsing middleware.
4
+ * Reads the request body, parses it as JSON, and sets `req.body`.
5
+ * Stores the raw buffer on `req.rawBody` for signature verification.
6
+ */
7
+ const rawBuffer = require('./rawBuffer');
8
+ const { charsetFromContentType } = require('./rawBuffer');
9
+ const isTypeMatch = require('./typeMatch');
10
+ const sendError = require('./sendError');
11
+
12
+ /** @private Recursively remove __proto__, constructor, and prototype keys to prevent prototype pollution. */
13
+ function _sanitize(obj)
14
+ {
15
+ if (!obj || typeof obj !== 'object') return;
16
+ const keys = Object.keys(obj);
17
+ for (let i = 0; i < keys.length; i++)
18
+ {
19
+ const k = keys[i];
20
+ if (k === '__proto__' || k === 'constructor' || k === 'prototype')
21
+ {
22
+ delete obj[k];
23
+ }
24
+ else if (typeof obj[k] === 'object' && obj[k] !== null)
25
+ {
26
+ _sanitize(obj[k]);
27
+ }
28
+ }
29
+ }
30
+
31
+ /**
32
+ * Create a JSON body-parsing middleware.
33
+ *
34
+ * @param {object} [options] - Configuration options.
35
+ * @param {string|number} [options.limit] - Max body size (e.g. `'10kb'`). Default `'1mb'`.
36
+ * @param {Function} [options.reviver] - `JSON.parse` reviver function.
37
+ * @param {boolean} [options.strict=true] - When true, reject non-object/array roots.
38
+ * @param {string|string[]|Function} [options.type='application/json'] - Content-Type(s) to match.
39
+ * @param {boolean} [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
40
+ * @param {Function} [options.verify] - `verify(req, res, buf, encoding)` — called before parsing. Throw to reject with 403.
41
+ * @param {boolean} [options.inflate=true] - Decompress gzip/deflate/br bodies. When false, compressed bodies return 415.
42
+ * @returns {Function} Async middleware `(req, res, next) => void`.
43
+ *
44
+ * @example
45
+ * const { json } = require('@zero-server/sdk');
46
+ *
47
+ * app.use(json({ limit: '500kb', strict: true }));
48
+ *
49
+ * app.post('/api/data', (req, res) => {
50
+ * console.log(req.body); // parsed JSON object
51
+ * res.json({ ok: true });
52
+ * });
53
+ */
54
+ function json(options = {})
55
+ {
56
+ const opts = options || {};
57
+ const limit = opts.limit !== undefined ? opts.limit : '1mb';
58
+ const reviver = opts.reviver;
59
+ const strict = (opts.hasOwnProperty('strict')) ? !!opts.strict : true;
60
+ const typeOpt = opts.type || 'application/json';
61
+ const requireSecure = !!opts.requireSecure;
62
+ const verify = opts.verify;
63
+ const inflate = opts.inflate !== undefined ? opts.inflate : true;
64
+
65
+ return async (req, res, next) =>
66
+ {
67
+ if (requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
68
+ const ct = (req.headers['content-type'] || '');
69
+ if (!isTypeMatch(ct, typeOpt)) return next();
70
+ try
71
+ {
72
+ const buf = await rawBuffer(req, { limit, inflate });
73
+ const encoding = charsetFromContentType(ct) || 'utf8';
74
+
75
+ // Store raw body for webhook signature verification (Stripe, GitHub, etc.)
76
+ req.rawBody = buf;
77
+
78
+ // Optional verification callback (e.g. HMAC signature check)
79
+ if (verify)
80
+ {
81
+ try { verify(req, res, buf, encoding); }
82
+ catch (e) { return sendError(res, 403, e.message || 'verification failed'); }
83
+ }
84
+
85
+ const txt = buf.toString(encoding);
86
+ if (!txt) { req.body = null; return next(); }
87
+ let parsed;
88
+ try { parsed = JSON.parse(txt, reviver); } catch (e) { return sendError(res, 400, 'invalid JSON'); }
89
+ if (strict && (typeof parsed !== 'object' || parsed === null))
90
+ {
91
+ return sendError(res, 400, 'invalid JSON: root must be object or array');
92
+ }
93
+ // Prevent prototype pollution
94
+ if (parsed && typeof parsed === 'object')
95
+ {
96
+ _sanitize(parsed);
97
+ }
98
+ req.body = parsed;
99
+ } catch (err)
100
+ {
101
+ if (err && err.status === 413) return sendError(res, 413, 'payload too large');
102
+ if (err && err.status === 415) return sendError(res, 415, err.message || 'unsupported encoding');
103
+ req.body = null;
104
+ }
105
+ next();
106
+ };
107
+ }
108
+
109
+ module.exports = json;
package/lib/body/multipart.js ADDED
@@ -0,0 +1,440 @@
1
+ /**
2
+ * @module body/multipart
3
+ * @description Streaming multipart/form-data parser.
4
+ * Writes uploaded files to a temp directory and collects
5
+ * form fields. Sets `req.body = { fields, files }`.
6
+ */
7
+ const fs = require('fs');
8
+ const os = require('os');
9
+ const path = require('path');
10
+ const sendError = require('./sendError');
11
+
12
+ /**
13
+ * Generate a unique filename with an optional prefix.
14
+ *
15
+ * @private
16
+ * @param {string} [prefix='miniex'] - Filename prefix.
17
+ * @returns {string} Formatted string.
18
+ */
19
+ function uniqueName(prefix = 'miniex')
20
+ {
21
+ return `${prefix}-${Date.now()}-${Math.floor(Math.random() * 1e9)}`;
22
+ }
23
+
24
+ /**
25
+ * Recursively create a directory if it doesn't exist.
26
+ *
27
+ * @private
28
+ * @param {string} dir - Directory path.
29
+ */
30
+ function ensureDir(dir)
31
+ {
32
+ try { fs.mkdirSync(dir, { recursive: true }); } catch (e) { }
33
+ }
34
+
35
+ /**
36
+ * Parse raw MIME header text (CRLF-separated) into a plain object.
37
+ *
38
+ * @private
39
+ * @param {string} headerText - Raw header block.
40
+ * @returns {Object<string, string>} Lower-cased header key/value map.
41
+ */
42
+ function parseHeaders(headerText)
43
+ {
44
+ const lines = headerText.split('\r\n');
45
+ const obj = {};
46
+ for (const l of lines)
47
+ {
48
+ const idx = l.indexOf(':');
49
+ if (idx === -1) continue;
50
+ const k = l.slice(0, idx).trim().toLowerCase();
51
+ const v = l.slice(idx + 1).trim();
52
+ obj[k] = v;
53
+ }
54
+ return obj;
55
+ }
56
+
57
+ /**
58
+ * Sanitize a filename by stripping path traversal characters and
59
+ * null bytes. Keeps only the basename.
60
+ *
61
+ * @private
62
+ * @param {string} filename - Raw filename from the upload.
63
+ * @returns {string} Sanitized filename.
64
+ */
65
+ function sanitizeFilename(filename)
66
+ {
67
+ if (!filename) return '';
68
+ // Strip null bytes
69
+ let safe = filename.replace(/\0/g, '');
70
+ // Take only the basename (strip directory traversal)
71
+ safe = safe.replace(/^.*[/\\]/, '');
72
+ // Remove leading dots (prevent dotfile creation)
73
+ safe = safe.replace(/^\.+/, '');
74
+ // Replace potentially dangerous characters
75
+ safe = safe.replace(/[<>:"|?*]/g, '_');
76
+ return safe || 'unnamed';
77
+ }
78
+
79
+ /**
80
+ * Extract `name` and `filename` fields from a `Content-Disposition` header.
81
+ *
82
+ * @private
83
+ * @param {string} cd - Content-Disposition value.
84
+ * @returns {Object<string, string>} Parsed disposition parameters.
85
+ */
86
+ function parseContentDisposition(cd)
87
+ {
88
+ const m = /form-data;(.*)/i.exec(cd);
89
+ if (!m) return {};
90
+ const parts = m[1].split(';').map(s => s.trim());
91
+ const out = {};
92
+ for (const p of parts)
93
+ {
94
+ const mm = /([^=]+)="?([^"]+)"?/.exec(p);
95
+ if (mm)
96
+ {
97
+ const key = mm[1].trim();
98
+ let val = mm[2];
99
+ // Sanitize filename values
100
+ if (key === 'filename') val = sanitizeFilename(val);
101
+ out[key] = val;
102
+ }
103
+ }
104
+ return out;
105
+ }
106
+
107
+ /**
108
+ * Create a streaming multipart/form-data parsing middleware.
109
+ *
110
+ * @param {object} [opts] - Configuration options.
111
+ * @param {string} [opts.dir] - Upload directory (default: OS temp dir).
112
+ * @param {number} [opts.maxFileSize] - Maximum size per file in bytes.
113
+ * @param {boolean} [opts.requireSecure=false] - When true, reject non-HTTPS requests with 403.
114
+ * @param {number} [opts.maxFields=1000] - Maximum number of non-file fields. Prevents DoS via field flooding.
115
+ * @param {number} [opts.maxFiles=10] - Maximum number of uploaded files.
116
+ * @param {number} [opts.maxFieldSize] - Maximum size of a single field value in bytes. Default 1 MB.
117
+ * @param {string[]} [opts.allowedMimeTypes] - Whitelist of MIME types for uploaded files (e.g. `['image/png', 'image/jpeg']`).
118
+ * @param {number} [opts.maxTotalSize] - Maximum combined size of all uploaded files in bytes.
119
+ * @returns {Function} Async middleware `(req, res, next) => void`.
120
+ *
121
+ * @example
122
+ * const { multipart } = require('@zero-server/sdk');
123
+ *
124
+ * app.use(multipart({
125
+ * dir: './uploads',
126
+ * maxFileSize: 10 * 1024 * 1024, // 10 MB
127
+ * maxFiles: 5,
128
+ * allowedMimeTypes: ['image/png', 'image/jpeg'],
129
+ * }));
130
+ *
131
+ * app.post('/upload', (req, res) => {
132
+ * const { fields, files } = req.body;
133
+ * res.json({ fields, uploaded: Object.keys(files) });
134
+ * });
135
+ */
136
+ function multipart(opts = {})
137
+ {
138
+ return async (req, res, next) =>
139
+ {
140
+ if (opts.requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
141
+ const ct = req.headers['content-type'] || '';
142
+ const m = /boundary=(?:"([^"]+)"|([^;\s]+))/i.exec(ct);
143
+ if (!m) return next();
144
+ const boundary = (m[1] || m[2] || '').replace(/^"|"$/g, '');
145
+ const dashBoundary = `--${boundary}`;
146
+ const dashBoundaryBuf = Buffer.from('\r\n' + dashBoundary);
147
+ const startBoundaryBuf = Buffer.from(dashBoundary);
148
+
149
+ let tmpDir;
150
+ if (opts.dir)
151
+ {
152
+ tmpDir = path.isAbsolute(opts.dir) ? opts.dir : path.join(process.cwd(), opts.dir);
153
+ } else
154
+ {
155
+ tmpDir = path.join(os.tmpdir(), 'zero-server-uploads');
156
+ }
157
+ const maxFileSize = opts.maxFileSize || null; // bytes
158
+ const maxFields = opts.maxFields !== undefined ? opts.maxFields : 1000;
159
+ const maxFiles = opts.maxFiles !== undefined ? opts.maxFiles : 10;
160
+ const maxFieldSize = opts.maxFieldSize !== undefined ? opts.maxFieldSize : (1024 * 1024); // 1 MB
161
+ const allowedMimeTypes = opts.allowedMimeTypes || null;
162
+ const maxTotalSize = opts.maxTotalSize || null;
163
+ ensureDir(tmpDir);
164
+
165
+ const fields = {};
166
+ const files = {};
167
+ let fieldCount = 0;
168
+ let fileCount = 0;
169
+ let totalFileSize = 0;
170
+
171
+ let buffer = Buffer.alloc(0);
172
+ let state = 'start'; // start, headers, body
173
+ let current = null; // { headers, name, filename, contentType, writeStream, collectedSize }
174
+
175
+ const pendingWrites = [];
176
+
177
+ function abortFileTooLarge()
178
+ {
179
+ if (current.writeStream) { current.writeStream.on('error', () => {}); try { current.writeStream.destroy(); } catch (e) { } }
180
+ try { fs.unlinkSync(current.filePath); } catch (e) { }
181
+ if (!req._multipartErrorHandled)
182
+ {
183
+ req._multipartErrorHandled = true;
184
+ sendError(res, 413, 'file too large');
185
+ req.raw.pause && req.raw.pause();
186
+ }
187
+ }
188
+
189
+ function closeCurrent()
190
+ {
191
+ if (!current) return;
192
+ if (current.writeStream)
193
+ {
194
+ // end the stream and record file after it's flushed to disk
195
+ // capture values so we don't rely on `current` later
196
+ const info = { name: current.name, filename: current.filename, filePath: current.filePath, contentType: current.contentType, size: current.collectedSize };
197
+ const p = new Promise((resolve) =>
198
+ {
199
+ current.writeStream.on('finish', () =>
200
+ {
201
+ files[info.name] = { originalFilename: info.filename, storedName: path.basename(info.filePath), path: info.filePath, contentType: info.contentType, size: info.size };
202
+ resolve();
203
+ });
204
+ current.writeStream.on('error', () =>
205
+ {
206
+ resolve();
207
+ });
208
+ });
209
+ pendingWrites.push(p);
210
+ current.writeStream.end();
211
+ } else
212
+ {
213
+ fields[current.name] = current.value || '';
214
+ }
215
+ current = null;
216
+ }
217
+
218
+ req.raw.on('data', (chunk) =>
219
+ {
220
+ buffer = Buffer.concat([buffer, chunk]);
221
+
222
+ while (true)
223
+ {
224
+ if (state === 'start')
225
+ {
226
+ // look for starting boundary
227
+ const idx = buffer.indexOf(startBoundaryBuf);
228
+ if (idx === -1)
229
+ {
230
+ // boundary not yet found
231
+ if (buffer.length > startBoundaryBuf.length) buffer = buffer.slice(buffer.length - startBoundaryBuf.length);
232
+ break;
233
+ }
234
+ // consume up to after boundary and CRLF
235
+ const after = idx + startBoundaryBuf.length;
236
+ if (buffer.length < after + 2) break; // wait for CRLF
237
+ buffer = buffer.slice(after);
238
+ if (buffer.slice(0, 2).toString() === '\r\n') buffer = buffer.slice(2);
239
+ state = 'headers';
240
+ } else if (state === 'headers')
241
+ {
242
+ const idx = buffer.indexOf('\r\n\r\n');
243
+ if (idx === -1)
244
+ {
245
+ // wait for more
246
+ if (buffer.length > 1024 * 1024)
247
+ {
248
+ // keep buffer bounded
249
+ buffer = buffer.slice(buffer.length - 1024 * 16);
250
+ }
251
+ break;
252
+ }
253
+ const headerText = buffer.slice(0, idx).toString('utf8');
254
+ buffer = buffer.slice(idx + 4);
255
+ const hdrs = parseHeaders(headerText);
256
+ const disp = hdrs['content-disposition'] || '';
257
+ const cd = parseContentDisposition(disp);
258
+ const name = cd.name;
259
+ const filename = cd.filename;
260
+ const contentType = hdrs['content-type'] || null;
261
+ current = { headers: hdrs, name, filename, contentType, collectedSize: 0 };
262
+ if (filename)
263
+ {
264
+ // Enforce file count limit
265
+ fileCount++;
266
+ if (maxFiles && fileCount > maxFiles)
267
+ {
268
+ if (!req._multipartErrorHandled)
269
+ {
270
+ req._multipartErrorHandled = true;
271
+ sendError(res, 413, 'too many files');
272
+ req.raw.pause && req.raw.pause();
273
+ }
274
+ return;
275
+ }
276
+ // Enforce MIME type whitelist
277
+ if (allowedMimeTypes && contentType && !allowedMimeTypes.includes(contentType))
278
+ {
279
+ if (!req._multipartErrorHandled)
280
+ {
281
+ req._multipartErrorHandled = true;
282
+ sendError(res, 415, 'file type not allowed: ' + contentType);
283
+ req.raw.pause && req.raw.pause();
284
+ }
285
+ return;
286
+ }
287
+ // create temp file; preserve the original extension when possible
288
+ const ext = path.extname(filename) || '';
289
+ const safeExt = ext.replace(/[^a-z0-9.]/gi, '');
290
+ let fname = uniqueName('upload');
291
+ if (safeExt) fname = fname + (safeExt.startsWith('.') ? safeExt : ('.' + safeExt));
292
+ const filePath = path.join(tmpDir, fname);
293
+ current.filePath = filePath;
294
+ current.writeStream = fs.createWriteStream(filePath);
295
+ } else
296
+ {
297
+ // Enforce field count limit
298
+ fieldCount++;
299
+ if (maxFields && fieldCount > maxFields)
300
+ {
301
+ if (!req._multipartErrorHandled)
302
+ {
303
+ req._multipartErrorHandled = true;
304
+ sendError(res, 413, 'too many fields');
305
+ req.raw.pause && req.raw.pause();
306
+ }
307
+ return;
308
+ }
309
+ current.value = '';
310
+ }
311
+ state = 'body';
312
+ } else if (state === 'body')
313
+ {
314
+ // look for boundary preceded by CRLF
315
+ const idx = buffer.indexOf(dashBoundaryBuf);
316
+ if (idx === -1)
317
+ {
318
+ // keep tail in buffer to match partial boundary
319
+ const keep = Math.max(dashBoundaryBuf.length, 1024);
320
+ const writeLen = buffer.length - keep;
321
+ if (writeLen > 0)
322
+ {
323
+ const toWrite = buffer.slice(0, writeLen);
324
+ if (current.writeStream)
325
+ {
326
+ current.collectedSize += toWrite.length;
327
+ totalFileSize += toWrite.length;
328
+ if (maxFileSize && current.collectedSize > maxFileSize)
329
+ {
330
+ abortFileTooLarge();
331
+ return;
332
+ }
333
+ if (maxTotalSize && totalFileSize > maxTotalSize)
334
+ {
335
+ abortFileTooLarge();
336
+ return;
337
+ }
338
+ current.writeStream.write(toWrite);
339
+ } else
340
+ {
341
+ if (maxFieldSize && current.value.length + toWrite.length > maxFieldSize)
342
+ {
343
+ if (!req._multipartErrorHandled)
344
+ {
345
+ req._multipartErrorHandled = true;
346
+ sendError(res, 413, 'field value too large');
347
+ req.raw.pause && req.raw.pause();
348
+ }
349
+ return;
350
+ }
351
+ current.value += toWrite.toString('utf8');
352
+ }
353
+ buffer = buffer.slice(writeLen);
354
+ }
355
+ break;
356
+ }
357
+ // boundary found at idx; data before idx is body chunk (without the leading CRLF)
358
+ const bodyChunk = buffer.slice(0, idx);
359
+ // if bodyChunk starts with CRLF, strip it
360
+ const toWrite = (bodyChunk.slice(0, 2).toString() === '\r\n') ? bodyChunk.slice(2) : bodyChunk;
361
+ if (toWrite.length)
362
+ {
363
+ if (current.writeStream)
364
+ {
365
+ current.collectedSize += toWrite.length;
366
+ totalFileSize += toWrite.length;
367
+ if (maxFileSize && current.collectedSize > maxFileSize)
368
+ {
369
+ abortFileTooLarge();
370
+ return;
371
+ }
372
+ if (maxTotalSize && totalFileSize > maxTotalSize)
373
+ {
374
+ abortFileTooLarge();
375
+ return;
376
+ }
377
+ current.writeStream.write(toWrite);
378
+ } else
379
+ {
380
+ if (maxFieldSize && current.value.length + toWrite.length > maxFieldSize)
381
+ {
382
+ if (!req._multipartErrorHandled)
383
+ {
384
+ req._multipartErrorHandled = true;
385
+ sendError(res, 413, 'field value too large');
386
+ req.raw.pause && req.raw.pause();
387
+ }
388
+ return;
389
+ }
390
+ current.value += toWrite.toString('utf8');
391
+ }
392
+ }
393
+ // consume boundary marker
394
+ buffer = buffer.slice(idx + dashBoundaryBuf.length);
395
+ // check for final boundary '--'
396
+ if (buffer.slice(0, 2).toString() === '--')
397
+ {
398
+ // final
399
+ closeCurrent();
400
+ // wait for any pending file flushes then continue
401
+ req.raw.pause && req.raw.pause();
402
+ Promise.all(pendingWrites).then(() =>
403
+ {
404
+ req.body = { fields, files };
405
+ req._multipart = true;
406
+ return next();
407
+ }).catch(() =>
408
+ {
409
+ req.body = { fields, files };
410
+ req._multipart = true;
411
+ return next();
412
+ });
413
+ return;
414
+ }
415
+ // trim leading CRLF if present
416
+ if (buffer.slice(0, 2).toString() === '\r\n') buffer = buffer.slice(2);
417
+ // close current and continue to next headers
418
+ closeCurrent();
419
+ state = 'headers';
420
+ }
421
+ }
422
+ });
423
+
424
+ req.raw.on('end', () =>
425
+ {
426
+ // finish any current
427
+ if (current) closeCurrent();
428
+ req.body = { fields, files };
429
+ req._multipart = true;
430
+ next();
431
+ });
432
+
433
+ req.raw.on('error', (err) =>
434
+ {
435
+ next();
436
+ });
437
+ };
438
+ }
439
+
440
+ module.exports = multipart;