most-box 0.0.1 → 0.0.4

package/server.js

@@ -3,20 +3,30 @@ import fs from 'node:fs'
 import path from 'node:path'
 import os from 'node:os'
 import { fileURLToPath } from 'node:url'
-import crypto from 'node:crypto'
-import { exec } from 'node:child_process'
+import { spawn } from 'node:child_process'
+import Busboy from 'busboy'
+import { WebSocketServer } from 'ws'
 import { MostBoxEngine } from './src/index.js'
 import { parseMostLink } from './src/core/cid.js'
+import { MAX_FILE_SIZE } from './src/config.js'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const PORT = Number(process.env.MOSTBOX_PORT) || 1976
-const HOST = '127.0.0.1'
+const PORT = Number(process.env.MOSTBOX_PORT || process.env.PORT) || 1976
+const HOST = process.env.MOSTBOX_HOST || '127.0.0.1'
+
+const MAX_JSON_BODY_SIZE = 10 * 1024 * 1024 // 10MB
+const MAX_UPLOAD_SIZE = MAX_FILE_SIZE
+const UPLOAD_TMP_DIR = path.join(os.tmpdir(), 'most-box-uploads')
+
+const rateLimitMap = new Map()
+const RATE_LIMIT_WINDOW = 60 * 1000
+const RATE_LIMIT_MAX_REQUESTS = 120
 
-const wsClients = new Set()
 let engine = null
 let serverInstance = null
+let wss = null
 
-// --- Config ---
+// --- 配置 ---
 const CONFIG_DIR = path.join(os.homedir(), '.most-box')
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json')
 
@@ -36,7 +46,9 @@ function saveConfig(config) {
     if (!fs.existsSync(CONFIG_DIR)) {
       fs.mkdirSync(CONFIG_DIR, { recursive: true })
     }
-    fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), 'utf-8')
+    const tmpPath = CONFIG_FILE + '.tmp'
+    fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2), 'utf-8')
+    fs.renameSync(tmpPath, CONFIG_FILE)
     return true
   } catch (err) {
     console.error('[Config] Save error:', err.message)
@@ -44,13 +56,33 @@ function saveConfig(config) {
   }
 }
 
-// --- Storage path ---
+// --- 存储路径 ---
 function getDataPath() {
   const config = loadConfig()
   return config.dataPath || path.join(os.homedir(), 'most-data')
 }
 
-// --- Static file serving ---
+// --- 速率限制 ---
+function checkRateLimit(clientIp) {
+  const now = Date.now()
+  if (!rateLimitMap.has(clientIp)) {
+    rateLimitMap.set(clientIp, [])
+  }
+  const requests = rateLimitMap.get(clientIp)
+  while (requests.length > 0 && requests[0] < now - RATE_LIMIT_WINDOW) {
+    requests.shift()
+  }
+  if (requests.length === 0) {
+    rateLimitMap.delete(clientIp)
+  }
+  if (requests.length >= RATE_LIMIT_MAX_REQUESTS) {
+    return false
+  }
+  requests.push(now)
+  return true
+}
+
+// --- 静态文件服务 ---
 const MIME_TYPES = {
   '.html': 'text/html; charset=utf-8',
   '.js': 'application/javascript; charset=utf-8',
@@ -76,13 +108,18 @@ const MIME_TYPES = {
   '.woff': 'font/woff'
 }
 
+function getMimeType(fileName) {
+  const ext = path.extname(fileName).toLowerCase()
+  return MIME_TYPES[ext] || 'application/octet-stream'
+}
+
 function serveStatic(req, res) {
+  const publicDir = path.join(__dirname, 'out')
   let filePath = req.url === '/' ? '/index.html' : req.url
   filePath = filePath.split('?')[0]
 
-  const fullPath = path.join(__dirname, 'public', filePath)
+  const fullPath = path.join(publicDir, filePath)
   const ext = path.extname(fullPath)
-  const publicDir = path.join(__dirname, 'public')
 
   if (!fullPath.startsWith(publicDir)) {
     res.writeHead(403)
@@ -92,128 +129,166 @@ function serveStatic(req, res) {
 
   fs.readFile(fullPath, (err, data) => {
     if (err) {
-      res.writeHead(404)
-      res.end('Not found')
+      if (err.code === 'EISDIR') {
+        const indexPath = path.join(fullPath, 'index.html')
+        fs.readFile(indexPath, (err2, indexData) => {
+          if (err2) {
+            res.writeHead(404)
+            res.end('Not found')
+            return
+          }
+          res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(indexData)
+        })
+      } else {
+        const indexPath = path.join(publicDir, 'index.html')
+        fs.readFile(indexPath, (err2, indexData) => {
+          if (err2) {
+            res.writeHead(404)
+            res.end('Not found')
+            return
+          }
+          res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(indexData)
+        })
+      }
       return
     }
 
-    let content = data
-    if (ext === '.html') {
-      content = data.toString()
-    }
-
+    const ext = path.extname(fullPath)
     res.writeHead(200, { 'Content-Type': MIME_TYPES[ext] || 'application/octet-stream' })
-    res.end(content)
+    res.end(data)
   })
 }
 
-// --- Streaming multipart parser for large files ---
-async function parseMultipart(req) {
-  const boundaryMatch = req.headers['content-type']?.match(/boundary=(?:"([^"]+)"|([^\s;]+))/)
-  if (!boundaryMatch) throw new Error('No boundary in content-type')
-  const boundary = boundaryMatch[1] || boundaryMatch[2]
+function decodeFilenameFromHeader(headerStr) {
+  if (!headerStr) return null
 
-  const chunks = []
-  for await (const chunk of req) {
-    chunks.push(chunk)
+  const filenameStarMatch = headerStr.match(/filename\*=(?:UTF-8''|utf-8'')([^;\r\n]+)/i)
+  if (filenameStarMatch) {
+    return decodeURIComponent(filenameStarMatch[1])
   }
-  const buffer = Buffer.concat(chunks)
-
-  const parts = []
-  const boundaryBuf = Buffer.from('--' + boundary)
-  let start = 0
-
-  while (true) {
-    const idx = buffer.indexOf(boundaryBuf, start)
-    if (idx === -1) break
-
-    if (start > 0) {
-      // Handle both \r\n and \n line endings
-      let partStart = start
-      if (buffer[partStart] === 0x0d && buffer[partStart + 1] === 0x0a) {
-        partStart += 2
-      } else if (buffer[partStart] === 0x0a) {
-        partStart += 1
+
+  const filenameMatch = headerStr.match(/filename="([^"]+)"/)
+  if (filenameMatch) {
+    const rawFilename = filenameMatch[1]
+    try {
+      const buf = Buffer.from(rawFilename, 'latin1')
+      const decoded = buf.toString('utf8')
+      if (decoded.includes('\ufffd')) {
+        return rawFilename
       }
+      return decoded
+    } catch {
+      return rawFilename
+    }
+  }
 
-      let partEnd = idx - 1
-      if (buffer[partEnd] === 0x0a) {
-        partEnd--
-        if (buffer[partEnd] === 0x0d) {
-          partEnd--
-        }
+  const filenamePlainMatch = headerStr.match(/filename=([^;\r\n]+)/)
+  if (filenamePlainMatch) {
+    return filenamePlainMatch[1].trim()
+  }
+  return null
+}
+
+function parseMultipartBusboy(req) {
+  return new Promise((resolve, reject) => {
+    if (!fs.existsSync(UPLOAD_TMP_DIR)) {
+      fs.mkdirSync(UPLOAD_TMP_DIR, { recursive: true })
+    }
+
+    const busboy = Busboy({
+      headers: req.headers,
+      limits: {
+        fileSize: MAX_UPLOAD_SIZE,
+        files: 1,
+        fields: 0
       }
+    })
+
+    const result = { filePath: null, filename: null }
+    let fileSize = 0
+    let writeStream = null
+    let tempPath = null
+
+    busboy.on('file', (name, stream, info) => {
+      result.filename = decodeFilenameFromHeader(`filename="${info.filename}"`)
+      tempPath = path.join(UPLOAD_TMP_DIR, `upload_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`)
+      writeStream = fs.createWriteStream(tempPath)
+
+      stream.on('data', (chunk) => {
+        fileSize += chunk.length
+        if (fileSize > MAX_UPLOAD_SIZE) {
+          stream.destroy()
+          writeStream.destroy()
+          fs.unlink(tempPath, () => {})
+          reject(new Error('File too large'))
+          return
+        }
+      })
 
-      const partData = buffer.slice(partStart, partEnd + 1)
+      stream.on('error', () => {
+        if (tempPath) fs.unlink(tempPath, () => {})
+      })
 
-      const headerEnd = partData.indexOf('\r\n\r\n')
-      const headerEndAlt = partData.indexOf('\n\n')
+      stream.pipe(writeStream)
 
-      let headerEndIdx = -1
-      let bodyStart = -1
+      writeStream.on('finish', () => {
+        result.filePath = tempPath
+        resolve(result)
+      })
 
-      if (headerEnd !== -1) {
-        headerEndIdx = headerEnd
-        bodyStart = headerEnd + 4
-      } else if (headerEndAlt !== -1) {
-        headerEndIdx = headerEndAlt
-        bodyStart = headerEndAlt + 2
-      }
+      writeStream.on('error', (err) => {
+        if (tempPath) fs.unlink(tempPath, () => {})
+        reject(err)
+      })
+    })
 
-      if (headerEndIdx !== -1) {
-        const headers = partData.slice(0, headerEndIdx).toString()
-        const body = partData.slice(bodyStart)
-
-        const nameMatch = headers.match(/name="([^"]+)"/)
-        const filenameMatch = headers.match(/filename="([^"]+)"/)
-        parts.push({
-          name: nameMatch?.[1],
-          filename: filenameMatch?.[1],
-          data: body,
-          headers
-        })
-      }
-    }
+    busboy.on('error', (err) => {
+      if (tempPath) fs.unlink(tempPath, () => {})
+      reject(err)
+    })
 
-    // Move to after the boundary
-    start = idx + boundaryBuf.length
-    // Skip optional whitespace after boundary
-    while (start < buffer.length && (buffer[start] === 0x20 || buffer[start] === 0x09)) {
-      start++
-    }
-    // Skip line ending
-    if (start < buffer.length && buffer[start] === 0x0d) {
-      start++
-    }
-    if (start < buffer.length && buffer[start] === 0x0a) {
-      start++
-    }
-  }
+    busboy.on('close', () => {
+      if (!result.filename) {
+        resolve(null)
+      }
+    })
 
-  return parts
+    req.on('error', (err) => {
+      if (tempPath) fs.unlink(tempPath, () => {})
+      reject(err)
+    })
+    req.pipe(busboy)
+  })
 }
 
-// --- JSON body parser ---
+// --- JSON 请求体解析器（带大小限制） ---
 async function parseJSON(req) {
   const chunks = []
+  let totalSize = 0
   for await (const chunk of req) {
+    totalSize += chunk.length
+    if (totalSize > MAX_JSON_BODY_SIZE) {
+      throw new Error('Request body too large')
+    }
     chunks.push(chunk)
   }
-  try {
-    return JSON.parse(Buffer.concat(chunks).toString())
-  } catch {
-    return {}
+  const text = Buffer.concat(chunks).toString()
+  if (!text.trim()) {
+    throw new Error('Empty request body')
   }
+  return JSON.parse(text)
 }
 
-// --- API Routes ---
+// --- API 路由 ---
 async function handleAPI(req, res) {
   const url = new URL(req.url, `http://${HOST}:${PORT}`)
   const pathname = url.pathname
   const method = req.method
 
   const json = (data, status = 200) => {
-    res.writeHead(status, { 'Content-Type': 'application/json' })
+    res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' })
     res.end(JSON.stringify(data))
   }
 
@@ -224,6 +299,12 @@ async function handleAPI(req, res) {
       return
     }
 
+    // GET /api/peer-id
+    if (pathname === '/api/peer-id' && method === 'GET') {
+      json({ peerId: engine.getNodeId() })
+      return
+    }
+
     // GET /api/config
     if (pathname === '/api/config' && method === 'GET') {
       const config = loadConfig()
@@ -231,34 +312,34 @@ async function handleAPI(req, res) {
       return
     }
 
-    // POST /api/config
+    // POST /api/config — 更新配置
     if (pathname === '/api/config' && method === 'POST') {
       const body = await parseJSON(req)
       const config = loadConfig()
-      
+
       if (body.resetStorage) {
         config.dataPath = ''
       } else if (body.dataPath !== undefined) {
         let dataPath = body.dataPath.trim()
         let basePath = dataPath
-        
+
         if (dataPath.match(/^[A-Za-z]:\\$/)) {
           basePath = dataPath
           dataPath = path.join(dataPath, 'most-data')
         }
-        
+
         if (!fs.existsSync(basePath)) {
           json({ error: '目录不存在' }, 400)
           return
         }
-        
+
         if (!fs.existsSync(dataPath)) {
           fs.mkdirSync(dataPath, { recursive: true })
         }
-        
+
         config.dataPath = dataPath
       }
-      
+
       const success = saveConfig(config)
       json({ success, dataPath: getDataPath() })
       return
@@ -285,23 +366,25 @@ async function handleAPI(req, res) {
       return
     }
 
-    // POST /api/publish — multipart file upload
+    // POST /api/publish — multipart 文件上传
     if (pathname === '/api/publish' && method === 'POST') {
-      const parts = await parseMultipart(req)
+      const result = await parseMultipartBusboy(req)
 
-      const filePart = parts.find(p => p.name === 'file')
-      if (!filePart || !filePart.filename) {
+      if (!result || !result.filename) {
         json({ error: 'No file provided' }, 400)
         return
       }
 
-      const result = await engine.publishFile(filePart.data, filePart.filename)
-
-      json({ success: true, ...result })
+      try {
+        const publishResult = await engine.publishFile(result.filePath, result.filename)
+        json({ success: true, ...publishResult })
+      } finally {
+        fs.unlink(result.filePath, () => {})
+      }
       return
     }
 
-    // POST /api/download — start async download from P2P
+    // POST /api/download — 从 P2P 开始异步下载
     if (pathname === '/api/download' && method === 'POST') {
       const body = await parseJSON(req)
       if (!body.link) {
@@ -311,14 +394,12 @@ async function handleAPI(req, res) {
 
       const taskId = `dl_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
 
-      // Parse link to check if file already exists
       const parsed = parseMostLink(body.link)
       if (parsed.error) {
         json({ error: parsed.error }, 400)
         return
       }
 
-      // Check if file already exists in published files
       const existingFile = engine.getPublishedFiles().find(f => f.cid === parsed.cid)
       if (existingFile) {
         console.log(`[MostBox] File already exists: ${existingFile.fileName}`)
@@ -326,7 +407,6 @@ async function handleAPI(req, res) {
         return
       }
 
-      // Async download — do not block HTTP response
       engine.downloadFile(body.link, taskId).catch(err => {
         if (err.message === 'Download cancelled') {
           wsBroadcast('download:cancelled', { taskId })
@@ -339,7 +419,7 @@ async function handleAPI(req, res) {
       return
     }
 
-    // POST /api/download/cancel — cancel an active download
+    // POST /api/download/cancel — 取消活动下载
     if (pathname === '/api/download/cancel' && method === 'POST') {
       const body = await parseJSON(req)
       if (!body.taskId) {
@@ -359,7 +439,7 @@ async function handleAPI(req, res) {
       return
     }
 
-    // POST /api/move — rename/move a published file (changes path without re-uploading)
+    // POST /api/move — 重命名/移动已发布文件
     if (pathname === '/api/move' && method === 'POST') {
       const body = await parseJSON(req)
       if (!body.cid || !body.newFileName) {
@@ -367,7 +447,7 @@ async function handleAPI(req, res) {
         return
       }
       try {
-        const result = await engine.moveFile(body.cid, body.newFileName)
+        const result = engine.moveFile(body.cid, body.newFileName)
         json({ success: true, ...result })
       } catch (err) {
         json({ error: err.message }, 400)
@@ -375,7 +455,7 @@ async function handleAPI(req, res) {
       return
     }
 
-    // POST /api/folder/rename — rename a folder (renames all files within)
+    // POST /api/folder/rename — 重命名文件夹
     if (pathname === '/api/folder/rename' && method === 'POST') {
       const body = await parseJSON(req)
       if (!body.oldPath || !body.newPath) {
@@ -391,14 +471,62 @@ async function handleAPI(req, res) {
       return
     }
 
-    // GET /api/files/:cid/download — serve file inline for preview / download
+    // GET /api/files/:cid/download — 内联服务文件，支持 Range
     if (pathname.match(/^\/api\/files\/[^/]+\/download$/) && method === 'GET') {
-      json({ error: 'Use P2P network to download this file' }, 400)
+      const cid = pathname.split('/')[3]
+      const rangeHeader = req.headers['range']
+
+      try {
+        if (rangeHeader) {
+          const rangeMatch = rangeHeader.match(/bytes=(\d+)-(\d*)/)
+          if (rangeMatch) {
+            const start = parseInt(rangeMatch[1], 10)
+            const end = rangeMatch[2] ? parseInt(rangeMatch[2], 10) : undefined
+
+            const offset = start
+            const limit = end !== undefined ? end - start + 1 : undefined
+
+            const result = await engine.readFileRaw(cid, { offset, limit })
+            const contentType = getMimeType(result.fileName)
+
+            res.writeHead(206, {
+              'Content-Type': contentType,
+              'Content-Length': result.buffer.length,
+              'Content-Range': `bytes ${offset}-${offset + result.buffer.length - 1}/${result.totalSize}`,
+              'Accept-Ranges': 'bytes'
+            })
+            res.end(result.buffer)
+            return
+          }
+        }
+
+        const result = await engine.readFileRaw(cid)
+        const contentType = getMimeType(result.fileName)
+        res.writeHead(200, {
+          'Content-Type': contentType,
+          'Content-Length': result.totalSize,
+          'Accept-Ranges': 'bytes',
+          'Content-Disposition': `inline; filename="${encodeURIComponent(result.fileName)}"`
+        })
+        res.end(result.buffer)
+      } catch (err) {
+        if (err.message === 'File not found') {
+          json({ error: err.message }, 404)
+        } else {
+          json({ error: err.message }, 400)
+        }
+      }
       return
     }
 
-    // POST /api/shutdown — graceful server shutdown
+    // POST /api/shutdown — 优雅关闭服务器（仅允许 localhost 连接）
     if (pathname === '/api/shutdown' && method === 'POST') {
+      const clientIp = req.socket.remoteAddress
+      const isLocalhost = clientIp === '127.0.0.1' || clientIp === '::1' || clientIp === '::ffff:127.0.0.1'
+      if (!isLocalhost) {
+        json({ error: 'Forbidden' }, 403)
+        return
+      }
       json({ success: true })
       console.log('[MostBox] Shutdown requested via API...')
       setTimeout(async () => {
@@ -410,13 +538,13 @@ async function handleAPI(req, res) {
       return
     }
 
-    // GET /api/trash — list trash files
+    // GET /api/trash — 列出回收站文件
     if (pathname === '/api/trash' && method === 'GET') {
       json(engine.listTrashFiles())
       return
     }
 
-    // POST /api/trash/:cid/restore — restore file from trash
+    // POST /api/trash/:cid/restore — 从回收站恢复文件
     if (pathname.match(/^\/api\/trash\/[^/]+\/restore$/) && method === 'POST') {
       const cid = pathname.split('/')[3]
       try {
@@ -428,7 +556,7 @@ async function handleAPI(req, res) {
       return
     }
 
-    // DELETE /api/trash/:cid — permanently delete a trash file
+    // DELETE /api/trash/:cid — 永久删除回收站文件
     if (pathname.match(/^\/api\/trash\/[^/]+$/) && method === 'DELETE') {
       const cid = pathname.split('/')[3]
       const result = await engine.permanentDeleteTrashFile(cid)
@@ -436,14 +564,14 @@ async function handleAPI(req, res) {
       return
     }
 
-    // DELETE /api/trash — empty trash
+    // DELETE /api/trash — 清空回收站
     if (pathname === '/api/trash' && method === 'DELETE') {
       const result = await engine.emptyTrash()
       json({ success: true, trashFiles: result })
       return
     }
 
-    // POST /api/files/:cid/star — toggle starred status
+    // POST /api/files/:cid/star — 切换星标状态
     if (pathname.match(/^\/api\/files\/[^/]+\/star$/) && method === 'POST') {
       const cid = pathname.split('/')[3]
       try {
@@ -455,13 +583,104 @@ async function handleAPI(req, res) {
       return
     }
 
-    // GET /api/storage — get storage statistics
+    // GET /api/storage — 获取存储统计信息
     if (pathname === '/api/storage' && method === 'GET') {
       const result = await engine.getStorageStats()
       json(result)
       return
     }
 
+    // GET /api/display-name — 获取显示名
+    if (pathname === '/api/display-name' && method === 'GET') {
+      json({ displayName: engine.getDisplayName() })
+      return
+    }
+
+    // POST /api/display-name — 设置显示名
+    if (pathname === '/api/display-name' && method === 'POST') {
+      const body = await parseJSON(req)
+      if (!body.name || !body.name.trim()) {
+        json({ error: 'name is required' }, 400)
+        return
+      }
+      const success = engine.setDisplayName(body.name)
+      json({ success, displayName: engine.getDisplayName() })
+      return
+    }
+
+    // POST /api/channels — 创建/加入频道
+    if (pathname === '/api/channels' && method === 'POST') {
+      const body = await parseJSON(req)
+      if (!body.name || !body.name.trim()) {
+        json({ error: 'name is required' }, 400)
+        return
+      }
+      try {
+        const result = await engine.createChannel(body.name.trim(), body.type || 'personal')
+        json({ success: true, ...result })
+      } catch (err) {
+        json({ error: err.message }, 400)
+      }
+      return
+    }
+
+    // GET /api/channels — 获取频道列表
+    if (pathname === '/api/channels' && method === 'GET') {
+      json(engine.listChannels())
+      return
+    }
+
+    // DELETE /api/channels/:name — 离开频道
+    if (pathname.startsWith('/api/channels/') && method === 'DELETE') {
+      const name = pathname.split('/')[3]
+      try {
+        const result = await engine.leaveChannel(name)
+        json({ success: true, channels: result })
+      } catch (err) {
+        json({ error: err.message }, 400)
+      }
+      return
+    }
+
+    // GET /api/channels/:name/messages — 获取频道消息
+    if (pathname.match(/^\/api\/channels\/[^/]+\/messages$/) && method === 'GET') {
+      const name = pathname.split('/')[3]
+      const urlObj = new URL(req.url, `http://${HOST}:${PORT}`)
+      const limit = parseInt(urlObj.searchParams.get('limit') || '100', 10)
+      const offset = parseInt(urlObj.searchParams.get('offset') || '0', 10)
+      try {
+        const messages = await engine.getChannelMessages(name, { limit, offset })
+        json(messages)
+      } catch (err) {
+        json({ error: err.message }, 400)
+      }
+      return
+    }
+
+    // POST /api/channels/:name/messages — 发送消息
+    if (pathname.match(/^\/api\/channels\/[^/]+\/messages$/) && method === 'POST') {
+      const name = pathname.split('/')[3]
+      const body = await parseJSON(req)
+      if (!body.content || !body.content.trim()) {
+        json({ error: 'content is required' }, 400)
+        return
+      }
+      try {
+        const message = await engine.sendMessage(name, body.content, body.authorName)
+        json({ success: true, message })
+      } catch (err) {
+        json({ error: err.message }, 400)
+      }
+      return
+    }
+
+    // GET /api/channels/:name/peers — 获取频道内在线用户
+    if (pathname.match(/^\/api\/channels\/[^/]+\/peers$/) && method === 'GET') {
+      const name = pathname.split('/')[3]
+      json(engine.getChannelPeers(name))
+      return
+    }
+
     json({ error: 'Not found' }, 404)
   } catch (err) {
     console.error('[API Error]', err)
@@ -469,79 +688,43 @@ async function handleAPI(req, res) {
   }
 }
 
-// --- Minimal WebSocket (RFC 6455) ---
-function upgradeToWebSocket(req, socket) {
-  const key = req.headers['sec-websocket-key']
-  if (!key) { socket.destroy(); return }
-
-  const MAGIC = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'
-  const accept = crypto.createHash('sha1')
-    .update(key + MAGIC)
-    .digest('base64')
-
-  socket.write(
-    'HTTP/1.1 101 Switching Protocols\r\n' +
-    'Upgrade: websocket\r\n' +
-    'Connection: Upgrade\r\n' +
-    `Sec-WebSocket-Accept: ${accept}\r\n` +
-    '\r\n'
-  )
-
-  wsClients.add(socket)
-  socket.on('close', () => wsClients.delete(socket))
-  socket.on('error', () => wsClients.delete(socket))
-
-  socket.on('data', (buf) => {
-    if (buf.length < 2) return
-    const opcode = buf[0] & 0x0f
-    if (opcode === 0x8) {
-      wsClients.delete(socket)
-      socket.end()
-    }
-    if (opcode === 0x9) {
-      const pong = Buffer.from(buf)
-      pong[0] = (pong[0] & 0xf0) | 0xa
-      socket.write(pong)
-    }
-    if (opcode === 0x1 || opcode === 0x2) {
-      // Text or binary message - could broadcast to other clients if needed
-    }
-  })
-}
-
 function wsBroadcast(event, data) {
   const payload = JSON.stringify({ event, data })
-  const buf = Buffer.from(payload)
-
-  let frame
-  if (buf.length < 126) {
-    frame = Buffer.alloc(2 + buf.length)
-    frame[0] = 0x81
-    frame[1] = buf.length
-    buf.copy(frame, 2)
-  } else if (buf.length < 65536) {
-    frame = Buffer.alloc(4 + buf.length)
-    frame[0] = 0x81
-    frame[1] = 126
-    frame.writeUInt16BE(buf.length, 2)
-    buf.copy(frame, 4)
-  } else {
-    frame = Buffer.alloc(10 + buf.length)
-    frame[0] = 0x81
-    frame[1] = 127
-    frame.writeBigUInt64BE(BigInt(buf.length), 2)
-    buf.copy(frame, 10)
+  if (wss) {
+    wss.clients.forEach((client) => {
+      if (client.readyState === 1) {
+        try { client.send(payload) } catch {}
+      }
+    })
   }
+}
+
+const channelSubscriptions = new Map()
 
-  for (const client of wsClients) {
-    try { client.write(frame) } catch {}
+function wsSendToChannel(channelName, event, data) {
+  const payload = JSON.stringify({ event, data })
+  const subscribers = channelSubscriptions.get(channelName)
+  if (subscribers) {
+    subscribers.forEach((ws) => {
+      if (ws.readyState === 1) {
+        try { ws.send(payload) } catch {}
+      }
+    })
   }
 }
 
-// --- Main ---
+// --- 主函数 ---
 async function main() {
   console.log('[MostBox] Starting core daemon...')
 
+  if (fs.existsSync(UPLOAD_TMP_DIR)) {
+    const staleFiles = fs.readdirSync(UPLOAD_TMP_DIR)
+    for (const file of staleFiles) {
+      try { fs.unlinkSync(path.join(UPLOAD_TMP_DIR, file)) } catch {}
+    }
+    console.log(`[MostBox] Cleaned ${staleFiles.length} stale upload temp files`)
+  }
+
   const dataPath = getDataPath()
   console.log(`[MostBox] Storage: ${dataPath}`)
 
@@ -556,12 +739,17 @@ async function main() {
   engine.on('connection', () => {
     wsBroadcast('network:status', engine.getNetworkStatus())
   })
+  engine.on('channel:message', (data) => wsSendToChannel(data.channel, 'channel:message', data))
+  engine.on('channel:peer:online', (data) => wsBroadcast('channel:peer:online', data))
+  engine.on('channel:peer:offline', (data) => wsBroadcast('channel:peer:offline', data))
+  engine.on('channel:joined', (data) => wsBroadcast('channel:joined', data))
+  engine.on('channel:left', (data) => wsBroadcast('channel:left', data))
 
   await engine.start()
   console.log('[MostBox] Engine ready')
 
   serverInstance = http.createServer((req, res) => {
-    res.setHeader('Access-Control-Allow-Origin', '*')
+    res.setHeader('Access-Control-Allow-Origin', `http://${HOST}:${PORT}`)
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS')
     res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization')
 
@@ -571,16 +759,82 @@ async function main() {
       return
     }
 
+    const clientIp = req.socket.remoteAddress || 'unknown'
+
+    if (!checkRateLimit(clientIp)) {
+      res.writeHead(429, { 'Content-Type': 'application/json' })
+      res.end(JSON.stringify({ error: 'Too many requests' }))
+      return
+    }
+
     if (req.url.startsWith('/api/')) {
-      handleAPI(req, res)
+      handleAPI(req, res).catch(err => {
+        console.error('[Unhandled API Error]', err)
+        if (!res.headersSent) {
+          res.writeHead(500, { 'Content-Type': 'application/json' })
+          res.end(JSON.stringify({ error: 'Internal server error' }))
+        }
+      })
     } else {
       serveStatic(req, res)
     }
   })
 
-  serverInstance.on('upgrade', (req, socket) => {
+  wss = new WebSocketServer({ noServer: true })
+  wss.on('connection', (ws) => {
+    ws.on('error', () => {})
+    ws.on('close', () => {
+      for (const [channelName, subscribers] of channelSubscriptions) {
+        if (subscribers.has(ws)) {
+          subscribers.delete(ws)
+          if (subscribers.size === 0) {
+            channelSubscriptions.delete(channelName)
+          }
+        }
+      }
+    })
+    ws.on('message', (raw) => {
+      try {
+        const msg = JSON.parse(raw)
+        const { event, data } = msg
+
+        switch (event) {
+          case 'register':
+            ws.peerId = data.peerId
+            break
+          case 'channel:subscribe':
+            if (data.channel) {
+              const channelName = data.channel
+              if (!channelSubscriptions.has(channelName)) {
+                channelSubscriptions.set(channelName, new Set())
+              }
+              channelSubscriptions.get(channelName).add(ws)
+            }
+            break
+          case 'channel:unsubscribe':
+            if (data.channel) {
+              const channelName = data.channel
+              const subscribers = channelSubscriptions.get(channelName)
+              if (subscribers) {
+                subscribers.delete(ws)
+                if (subscribers.size === 0) {
+                  channelSubscriptions.delete(channelName)
+                }
+              }
+            }
+            break
+        }
+      } catch (err) {
+        console.error('[WS Message Error]', err.message)
+      }
+    })
+  })
+
+  serverInstance.on('upgrade', (req, socket, head) => {
     if (req.url.startsWith('/ws')) {
-      upgradeToWebSocket(req, socket)
+      wss.handleUpgrade(req, socket, head, (ws) => {
+        wss.emit('connection', ws, req)
+      })
     } else {
       socket.destroy()
     }
@@ -590,20 +844,31 @@ async function main() {
     const url = `http://${HOST}:${PORT}`
     console.log(`[MostBox] Server running at ${url}`)
 
-    const cmd = process.platform === 'win32' ? 'start ""'
-      : process.platform === 'darwin' ? 'open' : 'xdg-open'
-    exec(`${cmd} "${url}"`)
+    if (process.platform === 'win32') {
+      spawn('cmd.exe', ['/c', 'start', '', url], {
+        detached: true,
+        stdio: 'ignore'
+      }).unref()
+    } else {
+      const cmd = process.platform === 'darwin' ? 'open' : 'xdg-open'
+      spawn(cmd, [url], {
+        detached: true,
+        stdio: 'ignore'
+      }).unref()
+    }
   })
 
   process.on('SIGINT', async () => {
     console.log('\n[MostBox] Shutting down...')
     await engine.stop()
+    if (wss) wss.close()
     serverInstance.close()
     process.exit(0)
   })
 
   process.on('SIGTERM', async () => {
     await engine.stop()
+    if (wss) wss.close()
     serverInstance.close()
     process.exit(0)
   })