feat: implement direct file upload for sends with JWT token validation

- Added `processSendFileUpload` function to handle file uploads for sends.
- Integrated JWT token creation and verification for secure file uploads.
- Updated `handleCreateFileSendV2` and `handleGetSendFileUpload` to use new upload URL generation.
- Refactored upload handling in `handleUploadSendFile` and `handlePublicUploadSendFile` to utilize the new upload process.
- Introduced `uploadDirectEncryptedPayload` for handling direct uploads with progress tracking.
- Enhanced API routes to support both POST and PUT methods for attachment uploads.
- Added localization strings for upload progress messages.
- Created utility functions for direct upload URL building and payload parsing.

src/utils/direct-upload.ts

@@ -0,0 +1,104 @@
+import { LIMITS } from '../config/limits';
+import { DEFAULT_DEV_SECRET, Env } from '../types';
+import { errorResponse } from './response';
+
+export interface DirectUploadPayload {
+  body: ReadableStream;
+  contentType: string;
+  size: number;
+}
+
+interface ParseDirectUploadOptions {
+  expectedSize?: number | null;
+  expectedFileName?: string | null;
+  maxFileSize: number;
+  tooLargeMessage: string;
+  missingBodyMessage?: string;
+  contentLengthRequiredMessage?: string;
+  sizeMismatchMessage?: string;
+  fileNameMismatchMessage?: string;
+}
+
+export function buildDirectUploadUrl(request: Request, path: string, token: string): string {
+  const version = '2023-11-03';
+  const expiresAt = '2099-12-31T23:59:59Z';
+  const origin = new URL(request.url).origin;
+  return `${origin}${path}?sv=${encodeURIComponent(version)}&se=${encodeURIComponent(expiresAt)}&token=${encodeURIComponent(token)}`;
+}
+
+export function getSafeJwtSecret(env: Env): string | null {
+  const secret = (env.JWT_SECRET || '').trim();
+  if (!secret || secret.length < LIMITS.auth.jwtSecretMinLength || secret === DEFAULT_DEV_SECRET) {
+    return null;
+  }
+  return secret;
+}
+
+function parseContentLength(request: Request): number | null {
+  const raw = request.headers.get('content-length');
+  if (!raw) return null;
+  const value = Number(raw);
+  if (!Number.isFinite(value) || value < 0) return null;
+  return Math.floor(value);
+}
+
+export async function parseDirectUploadPayload(
+  request: Request,
+  options: ParseDirectUploadOptions
+): Promise<DirectUploadPayload | Response> {
+  const {
+    expectedSize = null,
+    expectedFileName = null,
+    maxFileSize,
+    tooLargeMessage,
+    missingBodyMessage = 'No file uploaded',
+    contentLengthRequiredMessage = 'Content-Length is required for direct uploads',
+    sizeMismatchMessage,
+    fileNameMismatchMessage,
+  } = options;
+  const contentType = request.headers.get('content-type') || '';
+
+  if (contentType.includes('multipart/form-data')) {
+    const formData = await request.formData();
+    const file = formData.get('data') as File | null;
+    if (!file) {
+      return errorResponse(missingBodyMessage, 400);
+    }
+    if (file.size > maxFileSize) {
+      return errorResponse(tooLargeMessage, 413);
+    }
+    if (expectedFileName && file.name !== expectedFileName) {
+      return errorResponse(fileNameMismatchMessage || 'File name does not match.', 400);
+    }
+    if (expectedSize !== null && expectedSize !== undefined && file.size !== expectedSize) {
+      return errorResponse(sizeMismatchMessage || 'File size does not match.', 400);
+    }
+    return {
+      body: file.stream(),
+      contentType: file.type || 'application/octet-stream',
+      size: file.size,
+    };
+  }
+
+  if (!request.body) {
+    return errorResponse(missingBodyMessage, 400);
+  }
+
+  const declaredSize = parseContentLength(request);
+  const uploadSize = declaredSize ?? (expectedSize && expectedSize > 0 ? expectedSize : null);
+  if (uploadSize === null) {
+    return errorResponse(contentLengthRequiredMessage, 400);
+  }
+  if (uploadSize > maxFileSize) {
+    return errorResponse(tooLargeMessage, 413);
+  }
+  if (expectedSize !== null && expectedSize !== undefined && uploadSize !== expectedSize) {
+    return errorResponse(sizeMismatchMessage || 'File size does not match.', 400);
+  }
+
+  return {
+    body: request.body,
+    contentType: contentType || 'application/octet-stream',
+    size: uploadSize,
+  };
+}

src/utils/jwt.ts

@@ -104,6 +104,13 @@ export interface FileDownloadClaims {
   exp: number;
 }
 
+export interface AttachmentUploadClaims {
+  userId: string;
+  cipherId: string;
+  attachmentId: string;
+  exp: number;
+}
+
 // Create file download token (short-lived, 5 minutes)
 export async function createFileDownloadToken(
   cipherId: string,
@@ -178,6 +185,73 @@ export async function verifyFileDownloadToken(
   }
 }
 
+export async function createAttachmentUploadToken(
+  userId: string,
+  cipherId: string,
+  attachmentId: string,
+  secret: string
+): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: AttachmentUploadClaims = {
+    userId,
+    cipherId,
+    attachmentId,
+    exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifyAttachmentUploadToken(
+  token: string,
+  secret: string
+): Promise<AttachmentUploadClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: AttachmentUploadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+    if (!payload.userId || !payload.cipherId || !payload.attachmentId) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
 export interface SendFileDownloadClaims {
   sendId: string;
   fileId: string;
@@ -185,6 +259,13 @@ export interface SendFileDownloadClaims {
   exp: number;
 }
 
+export interface SendFileUploadClaims {
+  userId: string;
+  sendId: string;
+  fileId: string;
+  exp: number;
+}
+
 export async function createSendFileDownloadToken(
   sendId: string,
   fileId: string,
@@ -260,6 +341,73 @@ export async function verifySendFileDownloadToken(
   }
 }
 
+export async function createSendFileUploadToken(
+  userId: string,
+  sendId: string,
+  fileId: string,
+  secret: string
+): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: SendFileUploadClaims = {
+    userId,
+    sendId,
+    fileId,
+    exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifySendFileUploadToken(
+  token: string,
+  secret: string
+): Promise<SendFileUploadClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: SendFileUploadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+    if (!payload.userId || !payload.sendId || !payload.fileId) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
 export interface SendAccessTokenClaims {
   sub: string; // send id
   typ: 'send_access';