feat(uploads): direct-to-B2 presigned uploads with content-length-range policy
Replaces the multipart-via-API path for image uploads with a three-step
direct-to-storage flow:
1. Client POSTs /api/uploads/presign with content_length + content_type;
server validates size (10 MB cap), mime allow-list per category, rate
limit (50/hour/user via Redis sliding window), and concurrent unclaimed
cap (10 in-flight per user). On success it persists a pending_uploads
row, signs an S3 POST policy with content-length-range bound to the
claimed length ±256 bytes, and returns the URL+fields.
2. Client POSTs the bytes directly to B2 using the signed policy. B2
enforces size, content-type, and key match before accepting.
3. Client passes upload_ids[] to /api/task-completions/ or /api/documents/.
Service HEADs each B2 object, verifies size matches expected_bytes
within slack, marks pending_uploads claimed_at, and creates the
associated TaskCompletionImage / DocumentImage rows.
Bytes never traverse our API server. The 1 MB Echo BodyLimit middleware
that was rejecting all task-completion image uploads becomes irrelevant
for this path. Existing multipart endpoints stay functional alongside,
soak-testing the new path before legacy removal.
Cleanup:
- cmd/worker registers a new hourly cron (TypeUploadCleanup, "30 * * * *")
that reaps pending_uploads where claimed_at IS NULL AND expires_at < NOW().
Reaps both the B2 object and the row.
- B2 bucket lifecycle rule on `uploads/` prefix (7 days hide → 1 day delete)
documented in deploy-k3s/manifests/b2-lifecycle.md as a backstop.
Schema:
- migrations/000002_pending_uploads.sql adds the table + partial index for
cleanup + nullable pending_upload_id FKs on task_taskcompletionimage and
task_documentimage.
Policy (single tier, no free/pro split):
- 10 MB cap per upload
- 50 presigns/hour/user
- 10 concurrent unclaimed uploads/user
- allow-list: jpeg/png/heic/heif/webp for image categories;
+ pdf for document_file
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -5,6 +5,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/minio/minio-go/v7"
|
||||
@@ -101,3 +102,81 @@ func (b *S3Backend) ReadStream(key string) (io.ReadCloser, error) {
|
||||
}
|
||||
return obj, nil
|
||||
}
|
||||
|
||||
// PresignedPostResult is the data a client needs to perform a direct multipart
|
||||
// POST to S3-compatible storage. The caller assembles a multipart/form-data
|
||||
// request with the fields below as form parts (in order) and the file last.
|
||||
type PresignedPostResult struct {
|
||||
URL string // e.g. https://s3.us-east-005.backblazeb2.com/honeyDueProd
|
||||
Fields map[string]string // policy, x-amz-*, key, Content-Type, etc.
|
||||
}
|
||||
|
||||
// PresignedPost generates a POST policy that constrains uploads at the protocol
|
||||
// level: only the named key, only the named content-type, only sizes within
|
||||
// the requested range. S3 (and B2's S3-compatible endpoint) reject anything
|
||||
// that doesn't satisfy every condition before accepting the body.
|
||||
//
|
||||
// minBytes/maxBytes are inclusive. The returned URL + Fields can be sent
|
||||
// straight to the client.
|
||||
func (b *S3Backend) PresignedPost(ctx context.Context, key, contentType string, minBytes, maxBytes int64, ttl time.Duration) (*PresignedPostResult, error) {
|
||||
policy := minio.NewPostPolicy()
|
||||
if err := policy.SetBucket(b.bucket); err != nil {
|
||||
return nil, fmt.Errorf("set bucket: %w", err)
|
||||
}
|
||||
if err := policy.SetKey(key); err != nil {
|
||||
return nil, fmt.Errorf("set key: %w", err)
|
||||
}
|
||||
if err := policy.SetContentType(contentType); err != nil {
|
||||
return nil, fmt.Errorf("set content-type: %w", err)
|
||||
}
|
||||
if err := policy.SetContentLengthRange(minBytes, maxBytes); err != nil {
|
||||
return nil, fmt.Errorf("set content-length-range: %w", err)
|
||||
}
|
||||
if err := policy.SetExpires(time.Now().UTC().Add(ttl)); err != nil {
|
||||
return nil, fmt.Errorf("set expires: %w", err)
|
||||
}
|
||||
|
||||
u, fields, err := b.client.PresignedPostPolicy(ctx, policy)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("presign post policy: %w", err)
|
||||
}
|
||||
return &PresignedPostResult{
|
||||
URL: stripQuery(u),
|
||||
Fields: fields,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Stat returns object metadata without fetching the body. Used by the attach
|
||||
// path to verify the uploaded object's size and content-type match what the
|
||||
// client claimed when requesting the presign.
|
||||
type ObjectInfo struct {
|
||||
Size int64
|
||||
ContentType string
|
||||
ETag string
|
||||
}
|
||||
|
||||
func (b *S3Backend) Stat(ctx context.Context, key string) (*ObjectInfo, error) {
|
||||
info, err := b.client.StatObject(ctx, b.bucket, key, minio.StatObjectOptions{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("stat S3 object: %w", err)
|
||||
}
|
||||
return &ObjectInfo{
|
||||
Size: info.Size,
|
||||
ContentType: info.ContentType,
|
||||
ETag: info.ETag,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// stripQuery returns the URL with its query string removed. minio-go encodes
|
||||
// the policy/signature into both the form fields and the query; the form
|
||||
// fields are the source of truth for POST policy uploads, and many clients
|
||||
// (including Apple's NSURLSession) will reject the request if the same
|
||||
// signature appears in both places.
|
||||
func stripQuery(u *url.URL) string {
|
||||
if u == nil {
|
||||
return ""
|
||||
}
|
||||
clone := *u
|
||||
clone.RawQuery = ""
|
||||
return clone.String()
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user