pollutri
/
captive-portal-cms
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
100 Révisions
2 Branches
278 MiB
 
 
Aborescence: 0b3648c3e1
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '0b3648c3e1'
${ noResults }
captive-portal-cms/app/api/upload/route.ts

213 lignes
7.3 KiB
Brut Annotations Historique 

  1. import { NextResponse } from 'next/server';

  2. import { writeFile, mkdir, rename, unlink } from 'fs/promises';

  3. import path from 'path';

  4. import { fromBuffer as fileTypeFromBuffer } from 'file-type';

  5. import { enqueueTranscode, needsTranscode, probeCodecs, isFfmpegAvailable } from '@/lib/transcode';

  6. import { UPLOAD_LIMITS } from '@/lib/config';

  7. import { sanitizeSvg } from '@/lib/svg-sanitize';

  8. 

  9. export const dynamic = 'force-dynamic';

  10. export const maxDuration = 300;

  11. 

  12. // Allowed extensions and their families (size + handling differ per family).

  13. type Family = 'image' | 'video' | 'pdf';

  14. const EXT_FAMILY: Record<string, Family> = {

  15.   png: 'image', jpg: 'image', jpeg: 'image', gif: 'image', webp: 'image',

  16.   mp4: 'video', m4v: 'video', webm: 'video', mov: 'video', ogv: 'video', ogg: 'video',

  17.   pdf: 'pdf',

  18. };

  19. 

  20. // Strict per family, permissive within a family (mov ↔ mp4 are both ISO BMFF).

  21. const ALLOWED_MIMES: Record<string, string[]> = {

  22.   png:  ['image/png'],

  23.   jpg:  ['image/jpeg'],

  24.   jpeg: ['image/jpeg'],

  25.   gif:  ['image/gif'],

  26.   webp: ['image/webp'],

  27.   mp4:  ['video/mp4', 'video/x-m4v', 'video/quicktime'],

  28.   m4v:  ['video/mp4', 'video/x-m4v'],

  29.   webm: ['video/webm'],

  30.   mov:  ['video/quicktime', 'video/mp4'],

  31.   ogv:  ['video/ogg', 'application/ogg'],

  32.   ogg:  ['video/ogg', 'application/ogg', 'audio/ogg'],

  33.   pdf:  ['application/pdf'],

  34. };

  35. 

  36. const MAX_BYTES: Record<Family, number> = UPLOAD_LIMITS;

  37. 

  38. const UPLOAD_DIR = path.join(process.cwd(), 'data', 'uploads');

  39. const TMP_DIR = path.join(UPLOAD_DIR, '.tmp');

  40. 

  41. function extractExt(name: string): string {

  42.   const lastDot = name.lastIndexOf('.');

  43.   if (lastDot < 0 || lastDot === name.length - 1) return '';

  44.   return name.slice(lastDot + 1).toLowerCase();

  45. }

  46. 

  47. export function normalizeFilename(originalName: string): string {

  48.   const ext = extractExt(originalName);

  49.   const safeExt = /^[a-z0-9]{1,5}$/.test(ext) ? ext : 'bin';

  50.   const base = ext ? originalName.slice(0, originalName.length - ext.length - 1) : originalName;

  51. 

  52.   const slug = base

  53.     .normalize('NFKD')

  54.     .replace(/\p{Mn}/gu, '')

  55.     .toLowerCase()

  56.     .replace(/[\s/\\]+/g, '-')

  57.     .replace(/[^a-z0-9_-]/g, '')

  58.     .replace(/-+/g, '-')

  59.     .replace(/^[-_]+|[-_]+$/g, '')

  60.     .slice(0, 40) || 'file';

  61. 

  62.   const ts = Date.now().toString(36);

  63.   const rand = Math.random().toString(36).slice(2, 8);

  64.   return `${ts}-${rand}-${slug}.${safeExt}`;

  65. }

  66. 

  67. export async function POST(request: Request) {

  68.   let tmpPath: string | null = null;

  69.   try {

  70.     const formData = await request.formData();

  71.     const file = formData.get('file') as File | null;

  72. 

  73.     if (!file) {

  74.       return NextResponse.json({ error: 'No file received.' }, { status: 400 });

  75.     }

  76. 

  77.     const ext = extractExt(file.name);

  78. 

  79.     // SVG: ammesso SOLO per upload del logo (`?context=logo`).

  80.     // file-type non rileva l'SVG affidabilmente perché è XML/testo, quindi qui

  81.     // saltiamo il magic-bytes check e affidiamo la verifica al sanitizer

  82.     // (richiede che il file inizi con `<svg>` o `<?xml ... <svg>`).

  83.     const { searchParams } = new URL(request.url);

  84.     const isLogoContext = searchParams.get('context') === 'logo';

  85.     if (ext === 'svg') {

  86.       if (!isLogoContext) {

  87.         return NextResponse.json(

  88.           { error: 'SVG accettato solo per upload del logo.' },

  89.           { status: 400 }

  90.         );

  91.       }

  92.       if (file.size > MAX_BYTES.image) {

  93.         const mb = (MAX_BYTES.image / (1024 * 1024)).toFixed(0);

  94.         return NextResponse.json(

  95.           { error: `File troppo grande (max ${mb} MB per image).` },

  96.           { status: 413 }

  97.         );

  98.       }

  99.       const text = Buffer.from(await file.arrayBuffer()).toString('utf-8');

  100.       const result = sanitizeSvg(text);

  101.       if (!result.ok) {

  102.         return NextResponse.json({ error: result.error }, { status: 400 });

  103.       }

  104.       const storedName = normalizeFilename(file.name);

  105.       await mkdir(TMP_DIR, { recursive: true });

  106.       tmpPath = path.join(TMP_DIR, storedName);

  107.       await writeFile(tmpPath, Buffer.from(result.sanitized, 'utf-8'));

  108.       const finalPath = path.join(UPLOAD_DIR, storedName);

  109.       await rename(tmpPath, finalPath);

  110.       tmpPath = null;

  111.       return NextResponse.json(

  112.         { url: `/api/files?name=${encodeURIComponent(storedName)}` },

  113.         { status: 201 }

  114.       );

  115.     }

  116. 

  117.     const family = EXT_FAMILY[ext];

  118.     if (!family) {

  119.       return NextResponse.json(

  120.         { error: `Estensione non permessa: .${ext || '(nessuna)'}` },

  121.         { status: 400 }

  122.       );

  123.     }

  124. 

  125.     if (file.size > MAX_BYTES[family]) {

  126.       const mb = (MAX_BYTES[family] / (1024 * 1024)).toFixed(0);

  127.       return NextResponse.json(

  128.         { error: `File troppo grande (max ${mb} MB per ${family}).` },

  129.         { status: 413 }

  130.       );

  131.     }

  132. 

  133.     const buffer = Buffer.from(await file.arrayBuffer());

  134. 

  135.     // Magic-bytes sniffing: reject if the file content doesn't match its claimed extension.

  136.     const detected = await fileTypeFromBuffer(buffer);

  137.     if (!detected) {

  138.       return NextResponse.json(

  139.         { error: 'Tipo del file non riconoscibile dal contenuto.' },

  140.         { status: 400 }

  141.       );

  142.     }

  143.     const allowedMimes = ALLOWED_MIMES[ext] ?? [];

  144.     if (!allowedMimes.includes(detected.mime)) {

  145.       return NextResponse.json(

  146.         { error: `Contenuto del file non corrisponde all'estensione (.${ext} dichiarato, rilevato ${detected.mime}).` },

  147.         { status: 400 }

  148.       );

  149.     }

  150. 

  151.     const storedName = normalizeFilename(file.name);

  152. 

  153.     await mkdir(TMP_DIR, { recursive: true });

  154.     tmpPath = path.join(TMP_DIR, storedName);

  155.     await writeFile(tmpPath, buffer);

  156. 

  157.     // Image / PDF: rename atomically into the uploads dir and we're done.

  158.     if (family !== 'video') {

  159.       const finalPath = path.join(UPLOAD_DIR, storedName);

  160.       await rename(tmpPath, finalPath);

  161.       tmpPath = null;

  162.       return NextResponse.json(

  163.         { url: `/api/files?name=${encodeURIComponent(storedName)}` },

  164.         { status: 201 }

  165.       );

  166.     }

  167. 

  168.     // Video: probe codecs. If already h264+aac/mp3 → fast path (rename).

  169.     const codecs = await probeCodecs(tmpPath);

  170.     if (!needsTranscode(codecs)) {

  171.       const finalPath = path.join(UPLOAD_DIR, storedName);

  172.       await rename(tmpPath, finalPath);

  173.       tmpPath = null;

  174.       return NextResponse.json(

  175.         { url: `/api/files?name=${encodeURIComponent(storedName)}` },

  176.         { status: 201 }

  177.       );

  178.     }

  179. 

  180.     // Needs transcoding: bail out early if ffmpeg is unavailable.

  181.     if (!(await isFfmpegAvailable())) {

  182.       return NextResponse.json(

  183.         { error: 'Video richiede ricodifica ma ffmpeg non è disponibile sul server.' },

  184.         { status: 503 }

  185.       );

  186.     }

  187. 

  188.     // The final file is always an .mp4 once transcoded — replace the extension.

  189.     const finalMp4Name = storedName.replace(/\.[^.]+$/, '.mp4');

  190.     const job = await enqueueTranscode({

  191.       inputPath: tmpPath,

  192.       outputName: finalMp4Name,

  193.       originalUploadName: file.name,

  194.     });

  195.     // The input is now owned by the transcode worker; don't unlink in our catch.

  196.     tmpPath = null;

  197. 

  198.     return NextResponse.json(

  199.       {

  200.         url: `/api/files?name=${encodeURIComponent(finalMp4Name)}`,

  201.         transcoding: { jobId: job.id, status: job.status },

  202.       },

  203.       { status: 201 }

  204.     );

  205.   } catch (error) {

  206.     console.error('Upload Error:', error);

  207.     if (tmpPath) {

  208.       try { await unlink(tmpPath); } catch {}

  209.     }

  210.     return NextResponse.json({ error: 'Failed to upload file.' }, { status: 500 });

  211.   }

  212. }