befly 3.34.0 → 3.36.0

package/apis/upload/file.js

@@ -14,7 +14,7 @@ export default {
     required: [],
     handler: async (befly, ctx) => {
         try {
-            const maxFileSizeMb = Number(befly.config?.uploadMaxSize || 20);
+            const maxFileSizeMb = Number(befly.config.upload.maxSize);
             const maxFileSize = maxFileSizeMb * 1024 * 1024;
             const requestContentType = ctx.req.headers.get("content-type") || "";
 
@@ -22,6 +22,11 @@ export default {
                 return befly.tool.No("请使用 FormData 上传文件");
             }
 
+            const requestContentLength = Number(ctx.req.headers.get("content-length") || 0);
+            if (Number.isFinite(requestContentLength) && requestContentLength > maxFileSize) {
+                return befly.tool.No(`文件不能超过${maxFileSizeMb}MB`);
+            }
+
             if (!ctx.userId) {
                 return befly.tool.No("用户未登录");
             }
@@ -33,6 +38,22 @@ export default {
                 return befly.tool.No("缺少上传文件");
             }
 
+            const originalFileName = file.name || "未命名文件";
+            const extension = extname(originalFileName).toLowerCase();
+            const mimeType = String(file.type || "").toLowerCase();
+
+            if (!extension) {
+                return befly.tool.No("上传文件缺少扩展名");
+            }
+
+            if (!befly.config.upload.allowedExtensions.split(",").includes(extension)) {
+                return befly.tool.No(`不允许上传 ${extension} 类型文件`);
+            }
+
+            if (!befly.config.upload.allowedMimeTypes.split(",").includes(mimeType)) {
+                return befly.tool.No("不允许上传该文件类型");
+            }
+
             const rawBuffer = await file.arrayBuffer();
 
             if (!rawBuffer || rawBuffer.byteLength <= 0) {
@@ -43,9 +64,6 @@ export default {
                 return befly.tool.No(`文件不能超过${maxFileSizeMb}MB`);
             }
 
-            const originalFileName = file.name || "未命名文件";
-            const extension = extname(originalFileName).toLowerCase();
-            const mimeType = String(file.type || "").toLowerCase();
             const mimeTypeGroup = mimeType.split("/")[0];
             const fileType = ["image", "video", "audio"].includes(mimeTypeGroup) ? mimeTypeGroup : "file";
 
@@ -54,9 +72,9 @@ export default {
             const monthDir = getMonthDir(now, befly.config?.tz);
             const fileKey = Bun.randomUUIDv7();
             const savedFileName = extension ? `${fileKey}${extension}` : fileKey;
-            const uploadDir = join(getAppPublicDir(befly.config?.publicDir || "./public"), categoryDir, monthDir);
+            const uploadDir = join(getAppPublicDir(befly.config.upload.publicDir), categoryDir, monthDir);
             const relativeFilePath = `/public/${categoryDir}/${monthDir}/${savedFileName}`;
-            const absoluteFileUrl = `${befly.config.publicHost}${relativeFilePath}`;
+            const absoluteFileUrl = `${befly.config.upload.publicHost}${relativeFilePath}`;
             const isImage = fileType === "image" ? 1 : 0;
 
             mkdirSync(uploadDir, { recursive: true });

package/checks/api.js

@@ -93,7 +93,18 @@ const apiSchema = z
         fields: fieldsSchema,
         required: z.array(noTrimString)
     })
-    .strict();
+    .strict()
+    .superRefine((value, context) => {
+        if (value.source !== "app") {
+            return;
+        }
+
+        if (value.relativePath.split("/")[0] !== "core") {
+            return;
+        }
+
+        addIssue(context, ["relativePath"], "app API 不能使用 core 作为一级目录，避免占用 /api/core 命名空间");
+    });
 
 const apiListSchema = z.array(apiSchema);
 

package/checks/config.js

@@ -10,6 +10,8 @@ z.config(z.locales.zhCN());
 const boolIntSchema = z.union([z.literal(0), z.literal(1), z.literal(true), z.literal(false)]);
 const noTrimString = z.string().refine(isNoTrimStringAllowEmpty, "不允许首尾空格");
 const beflyModeSchema = z.union([z.literal("manual"), z.literal("auto")]);
+const uploadExtensionListSchema = noTrimString.regex(/^\.[a-z0-9]+(?:,\.[a-z0-9]+)*$/);
+const uploadMimeTypeListSchema = noTrimString.regex(/^[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*(?:,[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*)*$/);
 const projectListCodeSchema = z.string().regex(/^[a-z][a-zA-Z0-9]*$/, "必须是小驼峰命名");
 const projectListItemSchema = z
     .object({
@@ -30,7 +32,7 @@ const projectListsSchema = z.array(projectListItemSchema).superRefine((projectLi
 
         if (codeSet.has(code)) {
             ctx.addIssue({
-                code: z.ZodIssueCode.custom,
+                code: "custom",
                 message: `projectLists[${index}].code 重复`,
                 path: [index, "code"]
             });
@@ -41,7 +43,7 @@ const projectListsSchema = z.array(projectListItemSchema).superRefine((projectLi
 
         if (productCodeSet.has(productCode)) {
             ctx.addIssue({
-                code: z.ZodIssueCode.custom,
+                code: "custom",
                 message: `projectLists[${index}].productCode 重复`,
                 path: [index, "productCode"]
             });
@@ -59,13 +61,20 @@ const configSchema = z
         appPort: z.int().min(1).max(65535),
         appHost: noTrimString,
         apiHost: noTrimString,
-        publicHost: noTrimString,
         devEmail: z.union([z.literal(""), z.email()]),
         devPassword: z.string().min(6),
         bodyLimit: z.int().min(1),
-        uploadMaxSize: z.int().min(1),
+        upload: z
+            .object({
+                maxSize: z.int().min(1),
+                publicDir: noTrimString.min(1),
+                publicHost: noTrimString,
+                allowedExtensions: uploadExtensionListSchema,
+                allowedMimeTypes: uploadMimeTypeListSchema,
+                forceDownloadExtensions: z.union([z.literal(""), uploadExtensionListSchema])
+            })
+            .strict(),
         tz: z.string().refine((value) => isValidTimeZone(value), "无效的时区"),
-        publicDir: noTrimString.min(1),
         excludeApisLog: z.array(noTrimString),
 
         logger: z
@@ -128,7 +137,18 @@ const configSchema = z
                 maxAge: z.int().min(0),
                 credentials: z.union([z.literal("true"), z.literal("false"), z.literal(true), z.literal(false)])
             })
-            .strict(),
+            .strict()
+            .superRefine((cors, ctx) => {
+                if (cors.origin !== "*" || (cors.credentials !== true && cors.credentials !== "true")) {
+                    return;
+                }
+
+                ctx.addIssue({
+                    code: "custom",
+                    message: "cors.credentials 为 true 时 cors.origin 不能为 *",
+                    path: ["credentials"]
+                });
+            }),
 
         rateLimit: z
             .object({

package/checks/menu.js

@@ -36,7 +36,7 @@ const menuListSchema = z.array(menuSchema).superRefine((menuList, refineCtx) =>
             const childFullPath = `${menu.path}${child.path}`;
             if (!fullMenuPathRegex.test(childFullPath)) {
                 refineCtx.addIssue({
-                    code: z.ZodIssueCode.custom,
+                    code: "custom",
                     message: "菜单完整路径必须是 /core/xxx 或无前缀路径",
                     path: [menuIndex, "children", childIndex, "path"]
                 });

package/configs/beflyConfig.json

@@ -6,11 +6,16 @@
     "devEmail": "dev@qq.com",
     "devPassword": "111111",
     "bodyLimit": 1048576,
-    "uploadMaxSize": 20,
+    "upload": {
+        "maxSize": 20,
+        "publicDir": "./public",
+        "publicHost": "http://127.0.0.1:3000",
+        "allowedExtensions": ".jpg,.jpeg,.png,.gif,.webp,.bmp,.mp4,.webm,.mp3,.wav,.pdf,.txt,.doc,.docx,.xls,.xlsx,.ppt,.pptx,.zip",
+        "allowedMimeTypes": "image/jpeg,image/png,image/gif,image/webp,image/bmp,video/mp4,video/webm,audio/mpeg,audio/wav,audio/x-wav,application/pdf,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-powerpoint,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/zip,application/x-zip-compressed",
+        "forceDownloadExtensions": ".html,.htm,.js,.mjs,.css,.svg,.xml,.xhtml,.wasm,.json,.map"
+    },
     "tz": "Asia/Shanghai",
     "apiHost": "http://127.0.0.1",
-    "publicDir": "./public",
-    "publicHost": "http://127.0.0.1:3000",
     "excludeApisLog": ["/api/core/tongJi/*Report"],
     "logger": {
         "debug": 1,
@@ -58,7 +63,7 @@
         "allowedHeaders": "Content-Type,Authorization",
         "exposedHeaders": "",
         "maxAge": 86400,
-        "credentials": "true"
+        "credentials": "false"
     },
 
     "rateLimit": {

package/index.js

@@ -214,7 +214,7 @@ export class Befly {
 
             // 启动 HTTP服务器
             const apiFetch = apiHandler(this.apis, this.hooks, this.context);
-            const staticFetch = staticHandler(this.context.config.cors, this.context.config.publicDir);
+            const staticFetch = staticHandler(this.context.config.cors, this.context.config.upload);
 
             const server = Bun.serve({
                 port: this.context.config.appPort || 3000,

package/lib/dbHelper.js

@@ -154,6 +154,42 @@ function assertWriteDataHasFields(data, message, table) {
     });
 }
 
+function getTableFieldNames(tableInfo) {
+    return Object.keys(tableInfo)
+        .map((fieldName) => snakeCase(fieldName))
+        .toSorted();
+}
+
+function assertWriteFieldNamesDefined(tableInfo, fieldNames, table, label) {
+    const allowedFields = getTableFieldNames(tableInfo);
+    const allowedFieldSet = new Set(allowedFields);
+    const invalidFields = [];
+
+    for (const fieldName of fieldNames) {
+        const snakeFieldName = snakeCase(fieldName);
+
+        if (!allowedFieldSet.has(snakeFieldName)) {
+            invalidFields.push(snakeFieldName);
+        }
+    }
+
+    if (invalidFields.length < 1) {
+        return;
+    }
+
+    throw new Error(`${label} 包含表 ${table} 未定义字段: ${invalidFields.join(", ")}`, {
+        cause: null,
+        code: "validation",
+        table: table,
+        invalidFields: invalidFields,
+        allowedFields: allowedFields
+    });
+}
+
+function assertWriteFieldsDefined(tableInfo, data, table, label) {
+    assertWriteFieldNamesDefined(tableInfo, Object.keys(data), table, label);
+}
+
 function assertNoUndefinedInRecord(row, label) {
     for (const [key, value] of Object.entries(row)) {
         if (value === undefined) {
@@ -744,6 +780,7 @@ class DbHelper {
     async insData(options) {
         const parsed = this.createDbParse().parseInsert(options);
         const { table, snakeTable, data } = parsed;
+        const tableInfo = this.getTableDef(table);
         const inputData = this.prepareWriteInputData(data);
         assertWriteDataHasFields(inputData, "插入数据必须至少有一个字段", snakeTable);
         const now = Date.now();
@@ -751,6 +788,7 @@ class DbHelper {
         const processed = insertRows.processedList[0];
 
         assertWriteDataHasFields(processed, "插入数据必须至少有一个字段", snakeTable);
+        assertWriteFieldsDefined(tableInfo, processed, table, "insData.data");
 
         assertNoUndefinedInRecord(processed, `insData 插入数据 (table: ${snakeTable})`);
 
@@ -779,11 +817,13 @@ class DbHelper {
         assertInsertBatchSize(dataList.length, MAX_BATCH_SIZE);
 
         const snakeTable = parsed.snakeTable;
+        const tableInfo = this.getTableDef(table);
         const now = Date.now();
         const insertRows = await this.createInsertRows(table, snakeTable, dataList, now);
         const processedList = insertRows.processedList;
 
         const insertFields = assertBatchInsertRowsConsistent(processedList, { table: snakeTable });
+        assertWriteFieldNamesDefined(tableInfo, insertFields, table, "insBatch.dataList");
         const builder = this.createSqlBuilder();
         const { sql, params } = builder.toInsertSql(snakeTable, processedList);
 
@@ -851,6 +891,7 @@ class DbHelper {
         }
 
         const snakeTable = parsed.snakeTable;
+        const tableInfo = this.getTableDef(table);
         const now = Date.now();
 
         const processedList = [];
@@ -873,6 +914,11 @@ class DbHelper {
                 sql: { sql: "", params: [], duration: 0 }
             };
         }
+        const writeFields = fields.slice();
+        if (this.beflyMode === "auto") {
+            writeFields.push("updated_at");
+        }
+        assertWriteFieldNamesDefined(tableInfo, writeFields, table, "updBatch.dataList");
 
         const query = SqlBuilder.toUpdateCaseByIdSql({
             table: snakeTable,
@@ -896,6 +942,7 @@ class DbHelper {
 
     async updData(options) {
         const parsed = this.createDbParse().parseUpdate(options);
+        const tableInfo = this.getTableDef(parsed.table);
         const inputData = this.prepareWriteInputData(parsed.data);
         assertWriteDataHasFields(inputData, "更新数据必须至少有一个字段", parsed.snakeTable);
 
@@ -906,6 +953,7 @@ class DbHelper {
             beflyMode: this.beflyMode
         });
         assertWriteDataHasFields(processed, "更新数据必须至少有一个字段", parsed.snakeTable);
+        assertWriteFieldsDefined(tableInfo, processed, parsed.table, "updData.data");
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql, params } = builder.toUpdateSql(parsed.snakeTable, processed);
 
@@ -919,6 +967,7 @@ class DbHelper {
 
     async delData(options) {
         const parsed = this.createDbParse().parseDelete(options, false);
+        const tableInfo = this.getTableDef(parsed.table);
         let processed;
 
         if (parsed.deleteMode === "manual") {
@@ -932,6 +981,7 @@ class DbHelper {
                 updated_at: now
             };
         }
+        assertWriteFieldsDefined(tableInfo, processed, parsed.table, "delData.data");
 
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql, params } = builder.toUpdateSql(parsed.snakeTable, processed);
@@ -960,6 +1010,8 @@ class DbHelper {
 
     async increment(table, field, where, value = 1) {
         const parsed = this.createDbParse().parseIncrement(table, field, where, value, "increment");
+        const tableInfo = this.getTableDef(table);
+        assertWriteFieldNamesDefined(tableInfo, [parsed.snakeField], table, "increment.field");
 
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql: whereClause, params: whereParams } = builder.getWhereConditions();

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "befly",
-    "version": "3.34.0",
+    "version": "3.36.0",
     "gitHead": "49c39d36695036e85fc64083cc43c1652fff96cb",
     "private": false,
     "description": "Befly - 为 Bun 专属打造的 JavaScript API 接口框架核心引擎",

package/paths.js

@@ -113,7 +113,7 @@ export const appTableDir = join(appDir, "tables");
 
 /**
  * 项目上传/公共文件目录
- * @description 默认 {appDir}/public，可通过 config.publicDir 覆盖
+ * @description 默认 {appDir}/public，可通过 config.upload.publicDir 覆盖
  * @usage 用于本地上传文件保存目录解析，不承担 HTTP 静态托管职责
  */
 export function getAppPublicDir(publicDir = "./public") {

package/router/api.js

@@ -9,7 +9,7 @@ import { Logger } from "../lib/logger.js";
 // 相对导入
 import { setCorsOptions } from "../utils/cors.js";
 import { getClientIp } from "../utils/getClientIp.js";
-import { FinalResponse } from "../utils/response.js";
+import { ErrorResponse, FinalResponse } from "../utils/response.js";
 import { genShortId } from "../utils/util.js";
 
 function createExcludeApisLogMatchers(excludeApisLog) {
@@ -41,7 +41,7 @@ export function apiHandler(apis, hooks, context) {
         const requestId = genShortId();
         const now = Date.now();
 
-        const corsHeaders = setCorsOptions(req, context.config?.cors || {});
+        const corsHeaders = setCorsOptions(req, context.config.cors);
         corsHeaders["X-Request-ID"] = requestId;
 
         // 2. OPTIONS 预检请求：直接返回，不走 hooks，不打日志
@@ -95,6 +95,21 @@ export function apiHandler(apis, hooks, context) {
             apiFile: apiData.filePath
         };
 
+        if (ctx.apiMethod !== "ALL" && ctx.method !== ctx.apiMethod) {
+            return ErrorResponse(
+                ctx,
+                `请求方法不允许，请使用 ${ctx.apiMethod}`,
+                1,
+                null,
+                {
+                    method: ctx.method,
+                    allowMethod: ctx.apiMethod,
+                    apiPath: ctx.apiPath
+                },
+                "method"
+            );
+        }
+
         try {
             // 4. 串联执行所有钩子
             for (const hook of hooks) {

package/router/static.js

@@ -4,24 +4,40 @@
  */
 
 // 外部依赖
-import { join } from "pathe";
+import { basename, extname, isAbsolute, normalize, relative, resolve } from "pathe";
 
 import { Logger } from "../lib/logger.js";
 // 相对导入
 import { getAppPublicDir } from "../paths.js";
 import { setCorsOptions } from "../utils/cors.js";
 
+function getStaticFilePath(url, baseDir) {
+    try {
+        const relativePath = normalize(decodeURIComponent(url.pathname.slice("/public/".length)));
+        const filePath = resolve(baseDir, relativePath);
+        const fileRelativePath = relative(baseDir, filePath);
+
+        if (fileRelativePath.startsWith("..") || isAbsolute(fileRelativePath)) {
+            return "";
+        }
+
+        return filePath;
+    } catch {
+        return "";
+    }
+}
+
 /**
  * 静态文件处理器工厂
  */
-export function staticHandler(corsConfig = undefined, publicDir = "./public") {
+export function staticHandler(corsConfig, uploadConfig) {
     return async (req) => {
         // 设置 CORS 响应头
         const corsHeaders = setCorsOptions(req, corsConfig);
 
         const url = new URL(req.url);
-        const publicPath = url.pathname.replace(/^\/public/, "") || "/";
-        const filePath = join(getAppPublicDir(publicDir), publicPath);
+        const baseDir = resolve(getAppPublicDir(uploadConfig.publicDir));
+        const filePath = getStaticFilePath(url, baseDir);
 
         try {
             // OPTIONS预检请求
@@ -32,6 +48,18 @@ export function staticHandler(corsConfig = undefined, publicDir = "./public") {
                 });
             }
 
+            if (!filePath) {
+                return Response.json(
+                    {
+                        code: 1,
+                        msg: "文件未找到"
+                    },
+                    {
+                        headers: corsHeaders
+                    }
+                );
+            }
+
             const file = Bun.file(filePath);
             if (await file.exists()) {
                 const headers = {};
@@ -41,6 +69,10 @@ export function staticHandler(corsConfig = undefined, publicDir = "./public") {
                     }
                 }
                 headers["Content-Type"] = file.type || "application/octet-stream";
+                headers["X-Content-Type-Options"] = "nosniff";
+                if (uploadConfig.forceDownloadExtensions.split(",").includes(extname(filePath).toLowerCase())) {
+                    headers["Content-Disposition"] = `attachment; filename="${basename(filePath).replaceAll('"', "")}"`;
+                }
                 return new Response(file, {
                     headers: headers
                 });

package/utils/cors.js

@@ -1,21 +1,12 @@
 /**
  * 设置 CORS 响应头
  * @param req - 请求对象
- * @param config - CORS 配置（可选）
+ * @param config - CORS 配置
  * @returns CORS 响应头对象
  */
-export function setCorsOptions(req, config = {}) {
-    const defaultConfig = {
-        origin: "*",
-        methods: "GET, POST, OPTIONS",
-        allowedHeaders: "Content-Type, Authorization, authorization, token",
-        exposedHeaders: "Content-Range, X-Content-Range, Authorization, authorization, token",
-        maxAge: 86400,
-        credentials: "true"
-    };
-
-    const merged = Object.assign({}, defaultConfig, config || {});
-    const origin = merged.origin;
+export function setCorsOptions(req, config) {
+    const origin = config.origin;
+    const allowCredentials = config.credentials === true || config.credentials === "true" ? "true" : "false";
     const requestedHeaders = req.headers.get("Access-Control-Request-Headers") || "";
 
     const allowedHeaderItems = [];
@@ -40,7 +31,7 @@ export function setCorsOptions(req, config = {}) {
         allowedHeaderItems.push(value);
     };
 
-    for (const item of String(merged.allowedHeaders || "").split(",")) {
+    for (const item of String(config.allowedHeaders || "").split(",")) {
         pushHeaderIfNeeded(item);
     }
 
@@ -51,11 +42,11 @@ export function setCorsOptions(req, config = {}) {
     const allowHeaders = allowedHeaderItems.join(", ");
 
     return {
-        "Access-Control-Allow-Origin": origin === "*" ? req.headers.get("origin") || "*" : origin,
-        "Access-Control-Allow-Methods": merged.methods,
+        "Access-Control-Allow-Origin": origin === "*" && allowCredentials === "false" ? req.headers.get("origin") || "*" : origin,
+        "Access-Control-Allow-Methods": config.methods,
         "Access-Control-Allow-Headers": allowHeaders,
-        "Access-Control-Expose-Headers": merged.exposedHeaders,
-        "Access-Control-Max-Age": String(merged.maxAge),
-        "Access-Control-Allow-Credentials": merged.credentials
+        "Access-Control-Expose-Headers": config.exposedHeaders,
+        "Access-Control-Max-Age": String(config.maxAge),
+        "Access-Control-Allow-Credentials": allowCredentials
     };
 }