shimapan/app/util/upload/multipart.js

const Busboy = require('busboy');
const is = require('type-is');
const config = require('config');

const auth = require('../auth');
const disk = require('./disk');
const identifier = require('./id');

const uploadMultipart = async (req, res, next) => {
    if (!is(req, ['multipart']))
        return res.status(400).json({message: 'Bad request.'});

    // Store whether the user has authenticated, because an api key might be included with the form later
    let authStatus = {
        authenticated: false,
        permission: false
    };
    // If not authenticated with a session, we'll have to wait for key authentication from the multipart form data
    await auth.checkSession(req, 'file.upload', authStatus);

    // Function to call once the file is sent or an error is encountered
    let isDone = false;
    const done = async (err, data) => {
        if (isDone) return;
        isDone = true;

        req.unpipe(busboy);
        busboy.removeAllListeners();
        req.on('readable', req.read.bind(req));

        if (err) {
            if (data.path)
                await disk.remove(data.path);

            if (err === 'LIMIT_FILE_SIZE')
                return res.status(413).json({message: 'File too large.'});
            else {
                console.log(err.stack);
                return res.status(500).json({message: 'Internal server error.'});
            }
        } else {
            req.file = data.file;
            next();
        }
    };

    // Create the busboy object to parse the multipart data
    const busboy = new Busboy({
        headers: req.headers,
        limits: {
            fileSize: config.get('Upload.maxSize')
        }
    });

    req.body = {};
    busboy.on('field', (fieldName, value) => {
        req.body[fieldName] = value;
    });

    let fileReceived = false;
    busboy.on('file', async (fieldName, stream, name, encoding, mime) => {
        // Only process one file, discard everything after that
        if (fileReceived)
            return req.unpipe(busboy);
        fileReceived = true;

        // If a key was encountered and we are not authenticated, try to authenticate with it before the final check
        if (req.body.key && !authStatus.authenticated)
            await auth.checkKey(req, 'file.upload', authStatus);

        // Finally, check if we have auth before preceeding, keys should have been processed by now
        if (!authStatus.authenticated)
            return res.status(401).json({message: 'Unauthorized.'});
        if (!authStatus.permission)
            return res.status(403).json({message: 'Forbidden.'});

        // Don't attach to the files object if there is no file
        if (!name) return stream.resume();

        // Generate an ID for the file, saving it with that filename
        const path = config.get('Upload.path');
        const newName = await identifier.generate();
        const finalPath = path + '/' + newName;

        // Set the file attributes
        file = {
            originalName: name,
            name: newName,
            path: finalPath,
            encoding: encoding,
            mime: mime
        };

        // Ensure the output directory exists
        await disk.mkdir(path);

        // Handle errors
        stream.on('error', err => done(err, {path: finalPath}));
        stream.on('limit', () => done('LIMIT_FILE_SIZE', {path: finalPath}));

        file.size = await disk.write(finalPath, stream);

        await done(null, {file: file});
    });

    busboy.on('error', err => done(err));
    busboy.on('finished', () => done(null, {file: file}));

    req.pipe(busboy);
};

module.exports = uploadMultipart;