admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4efc87559a8d215fd0617425c297cd5d19ae4209
honeyDueAPI/internal/dto/requests/upload.go
T
Trey t 29c9014a33
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
feat(uploads): direct-to-B2 presigned uploads with content-length-range policy 
Replaces the multipart-via-API path for image uploads with a three-step
direct-to-storage flow:

  1. Client POSTs /api/uploads/presign with content_length + content_type;
     server validates size (10 MB cap), mime allow-list per category, rate
     limit (50/hour/user via Redis sliding window), and concurrent unclaimed
     cap (10 in-flight per user). On success it persists a pending_uploads
     row, signs an S3 POST policy with content-length-range bound to the
     claimed length ±256 bytes, and returns the URL+fields.
  2. Client POSTs the bytes directly to B2 using the signed policy. B2
     enforces size, content-type, and key match before accepting.
  3. Client passes upload_ids[] to /api/task-completions/ or /api/documents/.
     Service HEADs each B2 object, verifies size matches expected_bytes
     within slack, marks pending_uploads claimed_at, and creates the
     associated TaskCompletionImage / DocumentImage rows.

Bytes never traverse our API server. The 1 MB Echo BodyLimit middleware
that was rejecting all task-completion image uploads becomes irrelevant
for this path. Existing multipart endpoints stay functional alongside,
soak-testing the new path before legacy removal.

Cleanup:
  - cmd/worker registers a new hourly cron (TypeUploadCleanup, "30 * * * *")
    that reaps pending_uploads where claimed_at IS NULL AND expires_at < NOW().
    Reaps both the B2 object and the row.
  - B2 bucket lifecycle rule on `uploads/` prefix (7 days hide → 1 day delete)
    documented in deploy-k3s/manifests/b2-lifecycle.md as a backstop.

Schema:
  - migrations/000002_pending_uploads.sql adds the table + partial index for
    cleanup + nullable pending_upload_id FKs on task_taskcompletionimage and
    task_documentimage.

Policy (single tier, no free/pro split):
  - 10 MB cap per upload
  - 50 presigns/hour/user
  - 10 concurrent unclaimed uploads/user
  - allow-list: jpeg/png/heic/heif/webp for image categories;
    + pdf for document_file

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 14:36:42 -07:00

23 lines
1.1 KiB
Go
Raw Blame History

package requests
// PresignUploadRequest is the body for POST /api/uploads/presign. The client
// describes what it's about to upload; the server validates against quota,
// rate limits, and per-category caps before returning a signed POST policy.
type PresignUploadRequest struct {
// Category gates allowed mime types and the size cap. One of:
// "completion" — task completion photos
// "document_image" — image attached to a Document
// "document_file" — file (e.g. PDF) attached to a Document
Category string `json:"category" validate:"required,oneof=completion document_image document_file"`
// ContentType is the MIME type the client will upload (e.g. image/jpeg).
// Bound to the policy so the actual upload must match exactly.
ContentType string `json:"content_type" validate:"required,min=3,max=127"`
// ContentLength is the exact byte count the client intends to upload.
// The signed policy permits a small slack window around this value
// (server-side constant) so the client can encode in one pass without
// having to predict the byte count perfectly.
ContentLength int64 `json:"content_length" validate:"required,min=1"`
}
Reference in New Issue View Git Blame Copy Permalink