feat: multipart manga + chapter uploads with magic-byte MIME sniff

POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept multipart/form-data, gated by CurrentUser: - /mangas: required `metadata` part (NewManga JSON) + optional `cover` image part. - /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or more `page` parts ordered by arrival. Returns 404 if the parent manga doesn't exist, 409 on duplicate (manga_id, number). MIME is sniffed via the `infer` crate (magic bytes), not the client-supplied filename or Content-Type. Whitelist: jpeg / png / webp / gif / avif. Anything else → 415 unsupported_media_type. The stored key's extension is derived from the sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`. Size cap is two-layer: - Request body cap (config.max_request_bytes, default 200 MiB) enforced by axum's DefaultBodyLimit before the handler sees the request. - Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced after reading the part, so a single oversized image can't pass even if the total request fits. Storage keys follow the layout documented in CLAUDE.md: - mangas/{manga_id}/cover.{ext} - mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed). AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed (413 / 415 / 422). ValidationFailed carries a `details` JSON object the client can use to highlight bad fields (e.g. {"title":"required"}). Top-level matching in code() stays exhaustive. Backend coverage in tests/api_uploads.rs (10 cases): - create_manga_with_cover_stores_image — file is reachable via /api/v1/files/{key} with the right Content-Type. - create_manga_without_cover_leaves_path_null. - create_manga_rejects_non_image_cover_with_415 — PDF claimed as png. - create_manga_rejects_oversized_cover_with_413. - create_chapter_with_pages_stores_each — extension derived from sniffed MIME, files reachable in arrival order. - create_chapter_rejects_when_no_pages_with_422 — details.page set. - create_chapter_rejects_renamed_non_image_page → 415. - create_chapter_returns_409_on_duplicate_number. - create_chapter_requires_authentication → 401. - create_chapter_under_unknown_manga_is_404. Existing tests/api_mangas.rs is migrated to multipart; the create response is now 201 Created. tests/common::MultipartBuilder builds the body by hand so the test crate stays free of HTTP-client deps. Frontend lib/api/mangas.ts: createManga now sends FormData (metadata + optional cover Blob). Browser fills in the boundary header automatically. Vitest asserts the FormData structure via FileReader (jsdom doesn't implement Blob.text()). E2E tests wait for the post-hydration nav-login link before interacting with the login form, fixing a flake where pre-hydration clicks would submit via the browser default and bypass our handler. Lockstep version bump to 0.5.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:21:10 +02:00
parent 2f9912533f
commit a92f6f70e2
17 changed files with 931 additions and 75 deletions
--- a/backend/src/app.rs
+++ b/backend/src/app.rs
@@ -1,5 +1,6 @@
 use std::sync::Arc;

+use axum::extract::DefaultBodyLimit;
 use axum::http::{HeaderName, HeaderValue, Method};
 use axum::Router;
 use sqlx::postgres::PgPoolOptions;
@@ -7,7 +8,7 @@ use sqlx::PgPool;
 use tower_http::cors::{AllowOrigin, CorsLayer};
 use tower_http::trace::TraceLayer;

-use crate::config::{AuthConfig, Config};
+use crate::config::{AuthConfig, Config, UploadConfig};
 use crate::storage::{LocalStorage, Storage};

 #[derive(Clone)]
@@ -15,6 +16,7 @@ pub struct AppState {
    pub db: PgPool,
    pub storage: Arc<dyn Storage>,
    pub auth: AuthConfig,
+    pub upload: UploadConfig,
 }

 pub async fn build(config: Config) -> anyhow::Result<Router> {
@@ -26,15 +28,22 @@ pub async fn build(config: Config) -> anyhow::Result<Router> {

    let storage: Arc<dyn Storage> = Arc::new(LocalStorage::new(config.storage_dir.clone()));

-    let state = AppState { db, storage, auth: config.auth.clone() };
+    let state = AppState {
+        db,
+        storage,
+        auth: config.auth.clone(),
+        upload: config.upload.clone(),
+    };
    Ok(router(state).layer(cors_layer(&config.cors_allowed_origins)))
 }

 /// Build a router from a pre-assembled state. Used by integration tests
 /// so they can swap in a test DB pool and a `tempfile`-backed storage.
 pub fn router(state: AppState) -> Router {
+    let max_request_bytes = state.upload.max_request_bytes;
    Router::new()
        .nest("/api/v1", crate::api::routes())
+        .layer(DefaultBodyLimit::max(max_request_bytes))
        .with_state(state)
        .layer(TraceLayer::new_for_http())
 }