ep_media_upload 0.2.0 → 0.2.2

package/README.md

@@ -27,8 +27,9 @@ Etherpad plugin for secure file uploads via S3 presigned URLs.
     "expires": 900,
     "downloadExpires": 300
   },
-  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip"],
-  "maxFileSize": 52428800
+  "fileTypes": ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip", "mp3", "mp4", "wav", "mov"],
+  "maxFileSize": 52428800,
+  "inlineExtensions": ["mp3", "mp4", "wav", "mov", "webm", "ogg"]
 }
 ```
 
@@ -49,6 +50,7 @@ Etherpad plugin for secure file uploads via S3 presigned URLs.
 |--------|----------|---------|-------------|
 | `fileTypes` | No | all | Array of allowed extensions (without dots) |
 | `maxFileSize` | No | unlimited | Max file size in bytes |
+| `inlineExtensions` | No | `[]` | Extensions to open inline in browser (streaming). Files not in this list will download. |
 
 ### Environment Variables
 

package/index.js

@@ -133,7 +133,7 @@ const EXTENSION_MIME_MAP = {
   
   // Audio
   mp3: ['audio/mpeg', 'audio/mp3'],
-  wav: ['audio/wav', 'audio/wave', 'audio/x-wav'],
+  wav: ['audio/wav', 'audio/wave', 'audio/x-wav', 'audio/vnd.wave'],
   ogg: ['audio/ogg'],
   m4a: ['audio/mp4', 'audio/x-m4a'],
   flac: ['audio/flac'],
@@ -281,6 +281,10 @@ exports.expressCreateServer = (hookName, context) => {
       return res.status(500).json({ error: 'Security module unavailable' });
     }
 
+    // Get client IP for rate limiting and audit logging
+    const clientIp = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
+
+    let authorId = 'unknown';
     try {
       const sessionCookie = req.cookies?.sessionID || null;
       const token = req.cookies?.token || null;
@@ -288,16 +292,18 @@ exports.expressCreateServer = (hookName, context) => {
 
       const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
       if (accessResult.accessStatus !== 'grant') {
+        logger.warn(`[ep_media_upload] UPLOAD_DENIED: ip="${clientIp}" pad="${padId}" reason="access_denied"`);
         return res.status(403).json({ error: 'Access denied to this pad' });
       }
+      authorId = accessResult.authorID || 'unknown';
     } catch (authErr) {
       logger.error('[ep_media_upload] Access check error:', authErr);
       return res.status(500).json({ error: 'Access verification failed' });
     }
 
     /* ------------------ Rate limiting --------------------- */
-    const ip = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
-    if (!_rateLimitCheck(ip)) {
+    if (!_rateLimitCheck(clientIp)) {
+      logger.warn(`[ep_media_upload] UPLOAD_RATE_LIMITED: ip="${clientIp}" pad="${padId}"`);
       return res.status(429).json({ error: 'Too many presign requests' });
     }
 
@@ -373,8 +379,8 @@ exports.expressCreateServer = (hookName, context) => {
 
       // Log upload request for audit trail
       // Note: Never log tokens or session cookies - only non-sensitive identifiers
-      const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
-      logger.info(`[ep_media_upload] UPLOAD: user="${userId}" pad="${padId}" file="${originalFilename}" s3key="${key}"`);
+      const username = req.session?.user?.username || 'anonymous';
+      logger.info(`[ep_media_upload] UPLOAD: author="${authorId}" user="${username}" ip="${clientIp}" pad="${padId}" file="${originalFilename}" s3key="${key}"`);
 
       // Return downloadUrl for hyperlink insertion (authenticated download endpoint)
       // Also return signedUrl for the actual S3 upload and contentDisposition for PUT headers
@@ -414,6 +420,10 @@ exports.expressCreateServer = (hookName, context) => {
       return res.status(500).json({ error: 'Security module unavailable' });
     }
 
+    // Get client IP for rate limiting and audit logging
+    const clientIp = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
+
+    let authorId = 'unknown';
     try {
       const sessionCookie = req.cookies?.sessionID || null;
       const token = req.cookies?.token || null;
@@ -421,16 +431,18 @@ exports.expressCreateServer = (hookName, context) => {
 
       const accessResult = await securityManager.checkAccess(padId, sessionCookie, token, user);
       if (accessResult.accessStatus !== 'grant') {
+        logger.warn(`[ep_media_upload] DOWNLOAD_DENIED: ip="${clientIp}" pad="${padId}" file="${fileId}" reason="access_denied"`);
         return res.status(403).json({ error: 'Access denied to this pad' });
       }
+      authorId = accessResult.authorID || 'unknown';
     } catch (authErr) {
       logger.error('[ep_media_upload] Download access check error:', authErr);
       return res.status(500).json({ error: 'Access verification failed' });
     }
 
     /* ------------------ Rate limiting --------------------- */
-    const ip = req.ip || req.headers['x-forwarded-for'] || req.connection?.remoteAddress || 'unknown';
-    if (!_rateLimitCheck(ip)) {
+    if (!_rateLimitCheck(clientIp)) {
+      logger.warn(`[ep_media_upload] DOWNLOAD_RATE_LIMITED: ip="${clientIp}" pad="${padId}" file="${fileId}"`);
       return res.status(429).json({ error: 'Too many download requests' });
     }
 
@@ -455,11 +467,30 @@ exports.expressCreateServer = (hookName, context) => {
       const prefix = keyPrefix || '';
       const key = `${prefix}${padId}/${fileId}`;
 
+      // Extract file extension to determine inline vs attachment disposition
+      const fileExtension = getValidExtension(fileId);
+      
+      // Get inlineExtensions from config (extensions that should open in browser)
+      // Default behavior is download (attachment) for all files
+      const inlineExtensions = settings.ep_media_upload?.inlineExtensions || [];
+      const shouldOpenInline = fileExtension && 
+        Array.isArray(inlineExtensions) && 
+        inlineExtensions.map(e => e.toLowerCase()).includes(fileExtension.toLowerCase());
+
+      // Determine Content-Disposition based on extension config
+      // Extract filename for Content-Disposition header (UUID.ext -> use as filename)
+      const filename = fileId.replace(/[^\w\-_.]/g, '_'); // Sanitize for header
+      const disposition = shouldOpenInline 
+        ? `inline; filename="${filename}"` 
+        : `attachment; filename="${filename}"`;
+
       // Generate presigned GET URL with short expiry
+      // Use ResponseContentDisposition to override the stored header
       const s3Client = new S3Client({ region });
       const getCommand = new GetObjectCommand({
         Bucket: bucket,
         Key: key,
+        ResponseContentDisposition: disposition,
       });
 
       // Use downloadExpires from config, default to 300 seconds (5 minutes)
@@ -467,8 +498,9 @@ exports.expressCreateServer = (hookName, context) => {
       const presignedGetUrl = await getSignedUrl(s3Client, getCommand, { expiresIn });
 
       // Log download request for audit trail
-      const userId = req.session?.user?.username || req.session?.authorId || 'anonymous';
-      logger.info(`[ep_media_upload] DOWNLOAD: user="${userId}" pad="${padId}" file="${fileId}"`);
+      const username = req.session?.user?.username || 'anonymous';
+      const dispositionType = shouldOpenInline ? 'inline' : 'attachment';
+      logger.info(`[ep_media_upload] DOWNLOAD: author="${authorId}" user="${username}" ip="${clientIp}" pad="${padId}" file="${fileId}" disposition="${dispositionType}"`);
 
       // Redirect to the presigned URL
       return res.redirect(302, presignedGetUrl);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ep_media_upload",
   "description": "beta - Upload files to S3 and insert hyperlinks into the pad. Requires ep_hyperlinked_text.",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "author": {
     "name": "DCastelone",
     "url": "https://github.com/dcastelone"