feat: multipart manga + chapter uploads with magic-byte MIME sniff
POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept
multipart/form-data, gated by CurrentUser:
- /mangas: required `metadata` part (NewManga JSON) + optional `cover`
image part.
- /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or
more `page` parts ordered by arrival. Returns 404 if the parent manga
doesn't exist, 409 on duplicate (manga_id, number).
MIME is sniffed via the `infer` crate (magic bytes), not the
client-supplied filename or Content-Type. Whitelist:
jpeg / png / webp / gif / avif. Anything else → 415
unsupported_media_type. The stored key's extension is derived from the
sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`.
Size cap is two-layer:
- Request body cap (config.max_request_bytes, default 200 MiB) enforced
by axum's DefaultBodyLimit before the handler sees the request.
- Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced
after reading the part, so a single oversized image can't pass even
if the total request fits.
Storage keys follow the layout documented in CLAUDE.md:
- mangas/{manga_id}/cover.{ext}
- mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed).
AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed
(413 / 415 / 422). ValidationFailed carries a `details` JSON object the
client can use to highlight bad fields (e.g. {"title":"required"}).
Top-level matching in code() stays exhaustive.
Backend coverage in tests/api_uploads.rs (10 cases):
- create_manga_with_cover_stores_image — file is reachable via
/api/v1/files/{key} with the right Content-Type.
- create_manga_without_cover_leaves_path_null.
- create_manga_rejects_non_image_cover_with_415 — PDF claimed as png.
- create_manga_rejects_oversized_cover_with_413.
- create_chapter_with_pages_stores_each — extension derived from
sniffed MIME, files reachable in arrival order.
- create_chapter_rejects_when_no_pages_with_422 — details.page set.
- create_chapter_rejects_renamed_non_image_page → 415.
- create_chapter_returns_409_on_duplicate_number.
- create_chapter_requires_authentication → 401.
- create_chapter_under_unknown_manga_is_404.
Existing tests/api_mangas.rs is migrated to multipart; the create
response is now 201 Created. tests/common::MultipartBuilder builds the
body by hand so the test crate stays free of HTTP-client deps.
Frontend lib/api/mangas.ts: createManga now sends FormData (metadata +
optional cover Blob). Browser fills in the boundary header automatically.
Vitest asserts the FormData structure via FileReader (jsdom doesn't
implement Blob.text()).
E2E tests wait for the post-hydration nav-login link before
interacting with the login form, fixing a flake where pre-hydration
clicks would submit via the browser default and bypass our handler.
Lockstep version bump to 0.5.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -1,7 +1,9 @@
|
||||
use axum::extract::{Path, Query, State};
|
||||
use axum::extract::{Multipart, Path, Query, State};
|
||||
use axum::http::StatusCode;
|
||||
use axum::routing::get;
|
||||
use axum::{Json, Router};
|
||||
use serde::Deserialize;
|
||||
use serde_json::json;
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::api::pagination::PagedResponse;
|
||||
@@ -10,6 +12,7 @@ use crate::auth::extractor::CurrentUser;
|
||||
use crate::domain::manga::{Manga, NewManga};
|
||||
use crate::error::{AppError, AppResult};
|
||||
use crate::repo;
|
||||
use crate::upload::{parse_image, UploadedImage};
|
||||
|
||||
pub fn routes() -> Router<AppState> {
|
||||
Router::new()
|
||||
@@ -53,13 +56,94 @@ async fn get_one(
|
||||
Ok(Json(repo::manga::get(&state.db, id).await?))
|
||||
}
|
||||
|
||||
/// `POST /api/v1/mangas` is multipart/form-data. Parts:
|
||||
///
|
||||
/// - `metadata` (required): JSON body matching `NewManga`.
|
||||
/// - `cover` (optional): image bytes. MIME is sniffed from magic bytes
|
||||
/// (jpeg/png/webp/gif/avif); size capped at `upload.max_file_bytes`.
|
||||
///
|
||||
/// Anything else is ignored.
|
||||
async fn create(
|
||||
State(state): State<AppState>,
|
||||
CurrentUser(_user): CurrentUser,
|
||||
Json(input): Json<NewManga>,
|
||||
) -> AppResult<Json<Manga>> {
|
||||
if input.title.trim().is_empty() {
|
||||
return Err(AppError::InvalidInput("title is required".into()));
|
||||
mut multipart: Multipart,
|
||||
) -> AppResult<(StatusCode, Json<Manga>)> {
|
||||
let mut metadata: Option<NewManga> = None;
|
||||
let mut cover: Option<UploadedImage> = None;
|
||||
|
||||
while let Some(field) = next_field(&mut multipart).await? {
|
||||
match field.name() {
|
||||
Some("metadata") => {
|
||||
let bytes = read_field_bytes(field).await?;
|
||||
metadata = Some(parse_metadata_json(&bytes)?);
|
||||
}
|
||||
Some("cover") => {
|
||||
let bytes = read_field_bytes(field).await?.to_vec();
|
||||
cover = Some(parse_image(bytes, state.upload.max_file_bytes, "cover")?);
|
||||
}
|
||||
_ => continue,
|
||||
}
|
||||
}
|
||||
|
||||
let metadata = metadata.ok_or_else(|| AppError::ValidationFailed {
|
||||
message: "metadata part is required".into(),
|
||||
details: json!({ "metadata": "required" }),
|
||||
})?;
|
||||
validate_new_manga(&metadata)?;
|
||||
|
||||
let mut manga = repo::manga::create(&state.db, metadata).await?;
|
||||
|
||||
if let Some(img) = cover {
|
||||
let key = format!("mangas/{}/cover.{}", manga.id, img.ext);
|
||||
state.storage.put(&key, &img.bytes).await?;
|
||||
sqlx::query("UPDATE mangas SET cover_image_path = $1, updated_at = now() WHERE id = $2")
|
||||
.bind(&key)
|
||||
.bind(manga.id)
|
||||
.execute(&state.db)
|
||||
.await?;
|
||||
manga.cover_image_path = Some(key);
|
||||
}
|
||||
|
||||
Ok((StatusCode::CREATED, Json(manga)))
|
||||
}
|
||||
|
||||
fn validate_new_manga(input: &NewManga) -> AppResult<()> {
|
||||
if input.title.trim().is_empty() {
|
||||
return Err(AppError::ValidationFailed {
|
||||
message: "title is required".into(),
|
||||
details: json!({ "title": "required" }),
|
||||
});
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn parse_metadata_json(bytes: &[u8]) -> AppResult<NewManga> {
|
||||
serde_json::from_slice(bytes).map_err(|e| AppError::ValidationFailed {
|
||||
message: "metadata is not valid JSON".into(),
|
||||
details: json!({ "metadata": e.to_string() }),
|
||||
})
|
||||
}
|
||||
|
||||
pub(crate) async fn next_field(
|
||||
multipart: &mut Multipart,
|
||||
) -> AppResult<Option<axum::extract::multipart::Field<'_>>> {
|
||||
multipart
|
||||
.next_field()
|
||||
.await
|
||||
.map_err(map_multipart_error)
|
||||
}
|
||||
|
||||
pub(crate) async fn read_field_bytes(
|
||||
field: axum::extract::multipart::Field<'_>,
|
||||
) -> AppResult<axum::body::Bytes> {
|
||||
field.bytes().await.map_err(map_multipart_error)
|
||||
}
|
||||
|
||||
fn map_multipart_error(e: axum::extract::multipart::MultipartError) -> AppError {
|
||||
let status = e.status();
|
||||
if status == StatusCode::PAYLOAD_TOO_LARGE {
|
||||
AppError::PayloadTooLarge("upload exceeds the request size limit".into())
|
||||
} else {
|
||||
AppError::InvalidInput(format!("multipart parse error: {e}"))
|
||||
}
|
||||
Ok(Json(repo::manga::create(&state.db, input).await?))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user