From 21296a416ba2ca126c13f59cbc64f7fabf1b667a Mon Sep 17 00:00:00 2001
From: ekko <152005280+EKKOLearnAI@users.noreply.github.com>
Date: Tue, 21 Apr 2026 07:43:05 +0800
Subject: [PATCH] fix: require auth for file upload and add 50MB size limit (#87)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* refactor: extract inline middleware from index.ts into separate modules
- Extract update middleware to routes/update.ts
- Extract health middleware and version logic to routes/health.ts
- Extract shutdown logic to services/shutdown.ts
- Extract gateway init to services/gateway-bootstrap.ts
- Remove unused variables, fix duplicate app creation
- Bump version to 0.4.0
index.ts: 260 lines → 80 lines
Co-Authored-By: Claude Opus 4.6
* fix: require auth for file upload and add 50MB size limit
Fixes #86
Co-Authored-By: Claude Opus 4.6
---------
Co-authored-by: Claude Opus 4.6
---
 packages/server/src/routes/upload.ts | 19 ++++++++++++++-----
 packages/server/src/services/auth.ts | 2 +-
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/packages/server/src/routes/upload.ts b/packages/server/src/routes/upload.ts
index 838d6d6..7661bb7 100644
--- a/packages/server/src/routes/upload.ts
+++ b/packages/server/src/routes/upload.ts
@@ -1,8 +1,10 @@
 import Router from '@koa/router'
 import { randomBytes } from 'crypto'
-import { mkdir, writeFile } from 'fs/promises'
+import { writeFile } from 'fs/promises'
 import { config } from '../config'
+const MAX_UPLOAD_SIZE = 50 * 1024 * 1024 // 50MB
+
 export const uploadRoutes = new Router()
 uploadRoutes.post('/upload', async (ctx) => {
@@ -20,11 +22,18 @@ uploadRoutes.post('/upload', async (ctx) => {
 return
 }
- await mkdir(config.uploadDir, { recursive: true })
-
- // Read raw body as Buffer
+ // Read raw body as Buffer with size limit
 const chunks: Buffer[] = []
- for await (const chunk of ctx.req) chunks.push(chunk)
+ let totalSize = 0
+ for await (const chunk of ctx.req) {
+ totalSize += chunk.length
+ if (totalSize > MAX_UPLOAD_SIZE) {
+ ctx.status = 413
+ ctx.body = { error: `File too large (max ${MAX_UPLOAD_SIZE / 1024 / 1024}MB)` }
+ return
+ }
+ chunks.push(chunk)
+ }
 const raw = Buffer.concat(chunks)
 const boundaryBuf = Buffer.from(boundary)
 const parts = splitMultipart(raw, boundaryBuf)
diff --git a/packages/server/src/services/auth.ts b/packages/server/src/services/auth.ts
index 55f66ee..770212e 100644
--- a/packages/server/src/services/auth.ts
+++ b/packages/server/src/services/auth.ts
@@ -51,7 +51,7 @@ export async function authMiddleware(token: string | null) {
 const path = ctx.path.toLowerCase()
 if (
 path === '/health' ||
- (!path.startsWith('/api') && !path.startsWith('/v1') && path !== '/webhook')
+ (!path.startsWith('/api') && !path.startsWith('/v1') && path !== '/webhook' && path !== '/upload')
 ) {
 await next()
 return
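Review bot: In `packages/server/src/routes/upload.ts`, the 50MB cap inside the `for await (const chunk of ctx.req)` loop is enforced only after the bytes have been received and pushed into `chunks`, so each oversized request can still hold close to 50MB in memory before it is refused. A pre-check on the declared length before the loop would turn most of them away without reading the body, e.g. `if ((ctx.request.length ?? 0) > MAX_UPLOAD_SIZE)` returning the same 413 response; the streaming check should stay for chunked or mis-declared bodies. The hunk also removes `await mkdir(config.uploadDir, { recursive: true })`; unless the directory is created elsewhere (not visible here), the `writeFile` call outside this hunk will presumably fail on a fresh install. The handler starts and ends outside the hunk.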
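Review bot: In `packages/server/src/services/auth.ts`, the added `path !== '/upload'` is an exact string comparison, so a path that differs only by a trailing slash still takes the unauthenticated `await next()` branch. `uploadRoutes` is created with `new Router()` and no options, and @koa/router's default non-strict matching treats a trailing slash as optional, so the upload handler would likely still run without a token; the existing `path !== '/webhook'` comparison has the same gap. Normalising before the check closes it, e.g. `const path = ctx.path.toLowerCase().replace(/\/+$/, '') || '/'`. Longer term, inverting the condition into an explicit list of public paths (default deny) would mean a new route is protected unless someone opts it out. authMiddleware's body starts and ends outside the hunk.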