create-100x-mobile 0.4.10 → 0.5.0

package/dist/templates/cloudflare/worker.js

@@ -0,0 +1,762 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.storageWorkerTemplate = storageWorkerTemplate;
+function storageWorkerTemplate() {
+    return `import { init, i, type User } from "@instantdb/admin";
+import type { storageApi } from "../../alchemy.run";
+
+type Env = typeof storageApi.Env;
+
+interface ErrorContext {
+  [key: string]: string | number | boolean;
+}
+
+interface StorageApiError extends Error {
+  name: "StorageApiError";
+  status: number;
+  context: ErrorContext;
+}
+
+interface UploadRecord {
+  id: string;
+  key: string;
+  ownerId: string;
+  fileName: string;
+  contentType: string;
+  size: number;
+  createdAt: string;
+}
+
+interface UploadRow {
+  id: string;
+  object_key: string;
+  owner_id: string;
+  file_name: string;
+  content_type: string;
+  size: number;
+  created_at: string;
+}
+
+interface UserStorageRow {
+  total_size: number | null;
+}
+
+interface UserDailyUploadRow {
+  upload_count: number | null;
+}
+
+interface UploadPolicy {
+  maxUploadBytes: number;
+  userStorageLimitBytes: number;
+  dailyUploadLimit: number;
+  allowedContentTypes: string[];
+}
+
+const defaultAllowedContentTypes = [
+  "image/jpeg",
+  "image/png",
+  "image/webp",
+  "application/pdf",
+  "text/plain",
+];
+const defaultMaxUploadBytes = 25 * 1024 * 1024;
+const defaultUserStorageLimitBytes = 500 * 1024 * 1024;
+const defaultDailyUploadLimit = 100;
+const localDevelopmentOrigins = [
+  "http://localhost:3000",
+  "http://localhost:8080",
+  "http://localhost:8081",
+  "http://localhost:19006",
+];
+const instantSchema = i.schema({
+  entities: {
+    cloudflareObjects: i.entity({
+      uploadId: i.string().indexed(),
+      key: i.string(),
+      ownerId: i.string().indexed(),
+      fileName: i.string(),
+      contentType: i.string(),
+      size: i.number(),
+      workerUrl: i.string(),
+      createdAt: i.number().indexed(),
+    }),
+  },
+});
+
+function createStorageApiError(
+  status: number,
+  message: string,
+  context: ErrorContext,
+): StorageApiError {
+  return Object.assign(new Error(message), {
+    name: "StorageApiError" as const,
+    status,
+    context,
+  });
+}
+
+function isStorageApiError(error: unknown): error is StorageApiError {
+  return (
+    error instanceof Error &&
+    error.name === "StorageApiError" &&
+    "status" in error &&
+    "context" in error
+  );
+}
+
+function toErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+
+function getCsvValues(value: string | undefined, fallback: string[]): string[] {
+  const values = (value ?? "")
+    .split(",")
+    .map((part) => part.trim())
+    .filter(Boolean);
+  return values.length ? values : fallback;
+}
+
+function getNumericBinding(
+  value: string | undefined,
+  fallback: number,
+  bindingName: string,
+): number {
+  if (!value) {
+    return fallback;
+  }
+
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw createStorageApiError(500, "Numeric Worker binding is invalid.", {
+      binding: bindingName,
+      value,
+    });
+  }
+  return parsed;
+}
+
+function getUploadPolicy(env: Env): UploadPolicy {
+  return {
+    maxUploadBytes: getNumericBinding(
+      env.MAX_UPLOAD_BYTES,
+      defaultMaxUploadBytes,
+      "MAX_UPLOAD_BYTES",
+    ),
+    userStorageLimitBytes: getNumericBinding(
+      env.USER_STORAGE_LIMIT_BYTES,
+      defaultUserStorageLimitBytes,
+      "USER_STORAGE_LIMIT_BYTES",
+    ),
+    dailyUploadLimit: getNumericBinding(
+      env.DAILY_UPLOAD_LIMIT,
+      defaultDailyUploadLimit,
+      "DAILY_UPLOAD_LIMIT",
+    ),
+    allowedContentTypes: getCsvValues(
+      env.ALLOWED_CONTENT_TYPES,
+      defaultAllowedContentTypes,
+    ),
+  };
+}
+
+function getAllowedOrigins(env: Env): string[] {
+  return getCsvValues(env.ALLOWED_ORIGINS, localDevelopmentOrigins);
+}
+
+function getCorsHeaders(request: Request, env: Env): Headers {
+  const headers = new Headers({
+    "access-control-allow-methods": "GET,POST,DELETE,OPTIONS",
+    "access-control-allow-headers": "authorization,content-type,x-file-name",
+    "access-control-max-age": "86400",
+    "vary": "Origin",
+    "x-content-type-options": "nosniff",
+  });
+
+  const origin = request.headers.get("origin");
+  if (!origin) {
+    return headers;
+  }
+
+  if (getAllowedOrigins(env).includes(origin)) {
+    headers.set("access-control-allow-origin", origin);
+    return headers;
+  }
+
+  throw createStorageApiError(403, "Origin is not allowed.", {
+    origin,
+  });
+}
+
+function jsonResponse(
+  request: Request,
+  env: Env,
+  body: unknown,
+  status: number,
+): Response {
+  const headers = getCorsHeaders(request, env);
+  headers.set("cache-control", "no-store");
+  return Response.json(body, {
+    status,
+    headers,
+  });
+}
+
+function errorJsonResponse(
+  request: Request,
+  env: Env,
+  error: StorageApiError,
+): Response {
+  const headers = new Headers({
+    "cache-control": "no-store",
+    "content-type": "application/json",
+    "x-content-type-options": "nosniff",
+  });
+
+  const origin = request.headers.get("origin");
+  if (origin && getAllowedOrigins(env).includes(origin)) {
+    headers.set("access-control-allow-origin", origin);
+    headers.set("vary", "Origin");
+  }
+
+  return Response.json(
+    {
+      error: error.message,
+      context: error.context,
+    },
+    {
+      status: error.status,
+      headers,
+    },
+  );
+}
+
+function getRequiredHeader(headers: Headers, name: string): string {
+  const value = headers.get(name)?.trim();
+  if (!value) {
+    throw createStorageApiError(400, "Required header is missing.", {
+      header: name,
+    });
+  }
+  return value;
+}
+
+function getBearerToken(headers: Headers): string {
+  const authorization = headers.get("authorization")?.trim() ?? "";
+  const [scheme, token] = authorization.split(" ");
+  if (scheme?.toLowerCase() !== "bearer" || !token) {
+    throw createStorageApiError(401, "Bearer authorization token is required.", {
+      header: "authorization",
+    });
+  }
+  return token;
+}
+
+function requireInstantAppId(env: Env): string {
+  if (!env.INSTANT_APP_ID) {
+    throw createStorageApiError(500, "INSTANT_APP_ID binding is not configured.", {
+      binding: "INSTANT_APP_ID",
+    });
+  }
+  return env.INSTANT_APP_ID;
+}
+
+async function requireInstantUser(request: Request, env: Env): Promise<User> {
+  const appId = requireInstantAppId(env);
+  const token = getBearerToken(request.headers);
+  try {
+    const db = init({ appId });
+    return await db.auth.verifyToken(token);
+  } catch (error) {
+    throw createStorageApiError(401, "InstantDB auth token is invalid.", {
+      cause: toErrorMessage(error),
+    });
+  }
+}
+
+function requireInstantAdminToken(env: Env): string {
+  if (!env.INSTANT_ADMIN_TOKEN) {
+    throw createStorageApiError(
+      500,
+      "INSTANT_ADMIN_TOKEN binding is not configured.",
+      {
+        binding: "INSTANT_ADMIN_TOKEN",
+      },
+    );
+  }
+  return env.INSTANT_ADMIN_TOKEN;
+}
+
+function getWorkerOrigin(request: Request): string {
+  const url = new URL(request.url);
+  return url.origin;
+}
+
+function getRequestBody(request: Request): ReadableStream<Uint8Array> {
+  if (!request.body) {
+    throw createStorageApiError(400, "Upload request body is required.", {
+      method: request.method,
+    });
+  }
+  return request.body;
+}
+
+function getContentLength(request: Request): number | null {
+  const rawContentLength = request.headers.get("content-length");
+  if (!rawContentLength) {
+    return null;
+  }
+
+  const contentLength = Number(rawContentLength);
+  if (!Number.isInteger(contentLength) || contentLength < 0) {
+    throw createStorageApiError(400, "Invalid content-length header.", {
+      contentLength: rawContentLength,
+    });
+  }
+  return contentLength;
+}
+
+function assertUploadSize(contentLength: number | null, policy: UploadPolicy): void {
+  if (contentLength !== null && contentLength > policy.maxUploadBytes) {
+    throw createStorageApiError(413, "Upload exceeds the configured size limit.", {
+      contentLength,
+      maxUploadBytes: policy.maxUploadBytes,
+    });
+  }
+}
+
+function assertContentType(contentType: string, policy: UploadPolicy): void {
+  const normalizedContentType = contentType.toLowerCase();
+  if (!policy.allowedContentTypes.includes(normalizedContentType)) {
+    throw createStorageApiError(415, "Content type is not allowed.", {
+      contentType,
+    });
+  }
+}
+
+function sanitizeFileName(fileName: string): string {
+  const normalized = fileName
+    .replace(/[\\\\/]/g, "-")
+    .replace(/[\\u0000-\\u001f\\u007f]/g, "")
+    .replace(/\\s+/g, " ")
+    .trim()
+    .slice(0, 160);
+  if (!normalized || normalized === "." || normalized === "..") {
+    throw createStorageApiError(400, "File name is invalid.", {
+      fileName,
+    });
+  }
+  return normalized;
+}
+
+function createLimitedBodyStream(
+  body: ReadableStream<Uint8Array>,
+  maxUploadBytes: number,
+): ReadableStream<Uint8Array> {
+  let totalBytes = 0;
+  return body.pipeThrough(
+    new TransformStream<Uint8Array, Uint8Array>({
+      transform(chunk, controller) {
+        totalBytes += chunk.byteLength;
+        if (totalBytes > maxUploadBytes) {
+          throw createStorageApiError(
+            413,
+            "Upload stream exceeds the configured size limit.",
+            {
+              maxUploadBytes,
+            },
+          );
+        }
+        controller.enqueue(chunk);
+      },
+    }),
+  );
+}
+
+function assertUploadOwner(record: UploadRecord, user: User): void {
+  if (record.ownerId !== user.id) {
+    throw createStorageApiError(403, "Upload does not belong to the authenticated user.", {
+      uploadId: record.id,
+      ownerId: record.ownerId,
+      authenticatedUserId: user.id,
+    });
+  }
+}
+
+function toUploadRecord(row: UploadRow): UploadRecord {
+  return {
+    id: row.id,
+    key: row.object_key,
+    ownerId: row.owner_id,
+    fileName: row.file_name,
+    contentType: row.content_type,
+    size: row.size,
+    createdAt: row.created_at,
+  };
+}
+
+function toUploadResponse(request: Request, record: UploadRecord): UploadRecord & {
+  url: string;
+} {
+  const url = new URL(request.url);
+  url.pathname = "/" + ["uploads", record.id, "content"].join("/");
+  url.search = "";
+  return {
+    ...record,
+    url: url.toString(),
+  };
+}
+
+function getDayStartIso(date: Date): string {
+  return new Date(
+    Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate()),
+  ).toISOString();
+}
+
+async function getUserStorageBytes(env: Env, ownerId: string): Promise<number> {
+  const row = await env.DB.prepare(
+    "SELECT COALESCE(SUM(size), 0) AS total_size FROM uploads WHERE owner_id = ?",
+  )
+    .bind(ownerId)
+    .first<UserStorageRow>();
+  return row?.total_size ?? 0;
+}
+
+async function getDailyUploadCount(
+  env: Env,
+  ownerId: string,
+  dayStartIso: string,
+): Promise<number> {
+  const row = await env.DB.prepare(
+    "SELECT COUNT(*) AS upload_count FROM uploads WHERE owner_id = ? AND created_at >= ?",
+  )
+    .bind(ownerId, dayStartIso)
+    .first<UserDailyUploadRow>();
+  return row?.upload_count ?? 0;
+}
+
+async function assertUserQuotaBeforeUpload(
+  env: Env,
+  ownerId: string,
+  contentLength: number | null,
+  policy: UploadPolicy,
+): Promise<void> {
+  const [currentStorageBytes, dailyUploadCount] = await Promise.all([
+    getUserStorageBytes(env, ownerId),
+    getDailyUploadCount(env, ownerId, getDayStartIso(new Date())),
+  ]);
+
+  if (dailyUploadCount >= policy.dailyUploadLimit) {
+    throw createStorageApiError(429, "Daily upload limit reached.", {
+      ownerId,
+      dailyUploadLimit: policy.dailyUploadLimit,
+    });
+  }
+
+  if (
+    contentLength !== null &&
+    currentStorageBytes + contentLength > policy.userStorageLimitBytes
+  ) {
+    throw createStorageApiError(413, "User storage quota would be exceeded.", {
+      ownerId,
+      currentStorageBytes,
+      contentLength,
+      userStorageLimitBytes: policy.userStorageLimitBytes,
+    });
+  }
+}
+
+async function assertUserQuotaAfterUpload(
+  env: Env,
+  ownerId: string,
+  objectSize: number,
+  policy: UploadPolicy,
+): Promise<void> {
+  const currentStorageBytes = await getUserStorageBytes(env, ownerId);
+  if (currentStorageBytes + objectSize > policy.userStorageLimitBytes) {
+    throw createStorageApiError(413, "User storage quota would be exceeded.", {
+      ownerId,
+      currentStorageBytes,
+      objectSize,
+      userStorageLimitBytes: policy.userStorageLimitBytes,
+    });
+  }
+}
+
+async function insertUploadRecord(
+  env: Env,
+  record: UploadRecord,
+): Promise<void> {
+  await env.DB.prepare(
+    "INSERT INTO uploads (id, object_key, owner_id, file_name, content_type, size, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)",
+  )
+    .bind(
+      record.id,
+      record.key,
+      record.ownerId,
+      record.fileName,
+      record.contentType,
+      record.size,
+      record.createdAt,
+    )
+    .run();
+}
+
+async function deleteUploadRecord(env: Env, uploadId: string): Promise<void> {
+  await env.DB.prepare("DELETE FROM uploads WHERE id = ?").bind(uploadId).run();
+}
+
+async function syncInstantUploadRecord(
+  request: Request,
+  env: Env,
+  record: UploadRecord,
+): Promise<void> {
+  const appId = requireInstantAppId(env);
+  const adminToken = requireInstantAdminToken(env);
+  const db = init({
+    appId,
+    adminToken,
+    schema: instantSchema,
+  });
+
+  await db.transact(
+    db.tx.cloudflareObjects[record.id].create({
+      uploadId: record.id,
+      key: record.key,
+      ownerId: record.ownerId,
+      fileName: record.fileName,
+      contentType: record.contentType,
+      size: record.size,
+      workerUrl: getWorkerOrigin(request),
+      createdAt: Date.parse(record.createdAt),
+    }),
+  );
+}
+
+async function deleteInstantUploadRecord(
+  env: Env,
+  uploadId: string,
+): Promise<void> {
+  const appId = requireInstantAppId(env);
+  const adminToken = requireInstantAdminToken(env);
+  const db = init({
+    appId,
+    adminToken,
+    schema: instantSchema,
+  });
+
+  await db.transact(db.tx.cloudflareObjects[uploadId].delete());
+}
+
+async function findUploadRecord(env: Env, uploadId: string): Promise<UploadRecord> {
+  const row = await env.DB.prepare(
+    "SELECT id, object_key, owner_id, file_name, content_type, size, created_at FROM uploads WHERE id = ?",
+  )
+    .bind(uploadId)
+    .first<UploadRow>();
+
+  if (!row) {
+    throw createStorageApiError(404, "Upload record was not found.", {
+      uploadId,
+    });
+  }
+
+  return toUploadRecord(row);
+}
+
+async function handleUpload(
+  request: Request,
+  env: Env,
+  policy: UploadPolicy,
+): Promise<Response> {
+  const user = await requireInstantUser(request, env);
+  const fileName = sanitizeFileName(getRequiredHeader(request.headers, "x-file-name"));
+  const contentType = getRequiredHeader(request.headers, "content-type").toLowerCase();
+  assertContentType(contentType, policy);
+  const contentLength = getContentLength(request);
+  assertUploadSize(contentLength, policy);
+  await assertUserQuotaBeforeUpload(env, user.id, contentLength, policy);
+
+  const uploadId = crypto.randomUUID();
+  const objectKey = ["uploads", user.id, uploadId].join("/");
+  let object: R2Object;
+  try {
+    object = await env.STORAGE.put(
+      objectKey,
+      createLimitedBodyStream(getRequestBody(request), policy.maxUploadBytes),
+      {
+        httpMetadata: {
+          contentType,
+        },
+        customMetadata: {
+          fileName,
+          ownerId: user.id,
+          uploadId,
+        },
+      },
+    );
+  } catch (error) {
+    if (isStorageApiError(error)) {
+      throw error;
+    }
+    throw createStorageApiError(500, "Could not store upload object.", {
+      objectKey,
+      cause: toErrorMessage(error),
+    });
+  }
+
+  try {
+    await assertUserQuotaAfterUpload(env, user.id, object.size, policy);
+    const record: UploadRecord = {
+      id: uploadId,
+      key: objectKey,
+      ownerId: user.id,
+      fileName,
+      contentType,
+      size: object.size,
+      createdAt: new Date().toISOString(),
+    };
+    await insertUploadRecord(env, record);
+    await syncInstantUploadRecord(request, env, record);
+    return jsonResponse(request, env, toUploadResponse(request, record), 201);
+  } catch (error) {
+    await env.STORAGE.delete(objectKey);
+    await deleteUploadRecord(env, uploadId);
+    if (isStorageApiError(error)) {
+      throw error;
+    }
+    throw createStorageApiError(500, "Could not persist upload metadata.", {
+      objectKey,
+      cause: toErrorMessage(error),
+    });
+  }
+}
+
+async function handleGetUpload(
+  request: Request,
+  env: Env,
+  uploadId: string,
+): Promise<Response> {
+  const user = await requireInstantUser(request, env);
+  const record = await findUploadRecord(env, uploadId);
+  assertUploadOwner(record, user);
+  return jsonResponse(request, env, toUploadResponse(request, record), 200);
+}
+
+async function handleGetUploadContent(
+  request: Request,
+  env: Env,
+  uploadId: string,
+): Promise<Response> {
+  const user = await requireInstantUser(request, env);
+  const record = await findUploadRecord(env, uploadId);
+  assertUploadOwner(record, user);
+  const object = await env.STORAGE.get(record.key);
+  if (!object) {
+    throw createStorageApiError(404, "Stored object was not found.", {
+      uploadId,
+      objectKey: record.key,
+    });
+  }
+
+  const headers = getCorsHeaders(request, env);
+  object.writeHttpMetadata(headers);
+  headers.set("cache-control", "private, no-store");
+  headers.set("content-disposition", "inline; filename*=UTF-8''" + encodeURIComponent(record.fileName));
+  headers.set("etag", object.httpEtag);
+  return new Response(object.body, {
+    headers,
+  });
+}
+
+async function handleDeleteUpload(
+  request: Request,
+  env: Env,
+  uploadId: string,
+): Promise<Response> {
+  const user = await requireInstantUser(request, env);
+  const record = await findUploadRecord(env, uploadId);
+  assertUploadOwner(record, user);
+  await env.STORAGE.delete(record.key);
+  await deleteUploadRecord(env, uploadId);
+  await deleteInstantUploadRecord(env, uploadId);
+  return jsonResponse(request, env, { deleted: true, id: uploadId }, 200);
+}
+
+async function routeRequest(request: Request, env: Env): Promise<Response> {
+  if (request.method === "OPTIONS") {
+    return new Response(null, {
+      status: 204,
+      headers: getCorsHeaders(request, env),
+    });
+  }
+
+  const url = new URL(request.url);
+  const segments = url.pathname.split("/").filter(Boolean);
+  const policy = getUploadPolicy(env);
+
+  if (request.method === "GET" && url.pathname === "/health") {
+    return jsonResponse(request, env, { ok: true }, 200);
+  }
+
+  if (request.method === "POST" && segments.length === 1 && segments[0] === "uploads") {
+    return await handleUpload(request, env, policy);
+  }
+
+  if (segments.length === 2 && segments[0] === "uploads") {
+    if (request.method === "GET") {
+      return await handleGetUpload(request, env, segments[1]);
+    }
+    if (request.method === "DELETE") {
+      return await handleDeleteUpload(request, env, segments[1]);
+    }
+  }
+
+  if (
+    request.method === "GET" &&
+    segments.length === 3 &&
+    segments[0] === "uploads" &&
+    segments[2] === "content"
+  ) {
+    return await handleGetUploadContent(request, env, segments[1]);
+  }
+
+  throw createStorageApiError(404, "Route was not found.", {
+    method: request.method,
+    path: url.pathname,
+  });
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    try {
+      return await routeRequest(request, env);
+    } catch (error) {
+      if (isStorageApiError(error)) {
+        console.warn(
+          JSON.stringify({
+            level: "warn",
+            event: "storage_api_error",
+            message: error.message,
+            status: error.status,
+            context: error.context,
+          }),
+        );
+        return errorJsonResponse(request, env, error);
+      }
+
+      console.error(
+        JSON.stringify({
+          level: "error",
+          event: "unhandled_storage_api_error",
+          message: toErrorMessage(error),
+        }),
+      );
+      throw error;
+    }
+  },
+} satisfies ExportedHandler<Env>;
+`;
+}