68b7f32568
Two small documentation gaps the second-pass audit flagged:
- CLAUDE.md described only the Vite dev proxy ("Vite dev-proxies to
the backend"), which left the production path opaque. Now lists
both: the Vite proxy for `npm run dev` and
`frontend/src/hooks.server.ts` for adapter-node. Same-origin cookie
story called out explicitly.
- `/api/v1/files/{key}` is an unauthenticated capability URL by
design — reads stay public, keys are unguessable v4 UUIDs, leaked
URL leaks one file. Documented both in `backend/src/api/files.rs`'s
module doc (with a pointer at the seam a future
feat/private-libraries branch would use) and in a new "Capability
URLs" section in README so a casual reader doesn't mistake the lack
of auth for an oversight.
No code or behaviour change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
67 lines
2.6 KiB
Rust
67 lines
2.6 KiB
Rust
//! Streams blobs from the `Storage` trait. Same endpoint serves manga
|
|
//! covers and chapter pages; the key embedded in the URL is whatever the
|
|
//! writer stored.
|
|
//!
|
|
//! The handler uses `Storage::get_stream` so a multi-MB page is piped to
|
|
//! the client a chunk at a time instead of buffered server-side.
|
|
//!
|
|
//! **Auth model — capability URLs by design.** This endpoint is
|
|
//! deliberately unauthenticated: reads stay public per the project
|
|
//! brief, and per-page authorisation would require either a per-request
|
|
//! ownership lookup (covers + pages are scoped by manga, not user) or a
|
|
//! signed-URL scheme. Mangalord instead relies on the keys being
|
|
//! unguessable — `mangas/{uuid}/...` and
|
|
//! `mangas/{uuid}/chapters/{uuid}/...` — so a leaked URL leaks at most
|
|
//! the one referenced file. A future feat/private-libraries branch
|
|
//! would gate this endpoint behind a `Storage::owner_of(key)` check;
|
|
//! the seam is intentional.
|
|
|
|
use axum::body::Body;
|
|
use axum::extract::{Path, State};
|
|
use axum::http::{header, HeaderName};
|
|
use axum::response::{IntoResponse, Response};
|
|
use axum::routing::get;
|
|
use axum::Router;
|
|
|
|
use crate::app::AppState;
|
|
use crate::error::AppResult;
|
|
use crate::storage::StorageError;
|
|
|
|
pub fn routes() -> Router<AppState> {
|
|
Router::new().route("/files/*key", get(serve))
|
|
}
|
|
|
|
async fn serve(State(state): State<AppState>, Path(key): Path<String>) -> AppResult<Response> {
|
|
let file = match state.storage.get_stream(&key).await {
|
|
Ok(f) => f,
|
|
Err(StorageError::NotFound) => return Err(crate::error::AppError::NotFound),
|
|
Err(e) => return Err(e.into()),
|
|
};
|
|
let ct = content_type_for(&key);
|
|
// `nosniff` makes the contract explicit: the browser must trust the
|
|
// Content-Type we declared (and that the magic-byte sniff at upload
|
|
// time produced) instead of trying to detect HTML/JS in the body.
|
|
// Belt-and-braces vs. polyglot files that survive the upload sniff.
|
|
let headers = [
|
|
(header::CONTENT_TYPE, ct.to_string()),
|
|
(header::CONTENT_LENGTH, file.size_bytes.to_string()),
|
|
(
|
|
HeaderName::from_static("x-content-type-options"),
|
|
"nosniff".to_string(),
|
|
),
|
|
];
|
|
Ok((headers, Body::from_stream(file.stream)).into_response())
|
|
}
|
|
|
|
fn content_type_for(key: &str) -> &'static str {
|
|
let ext = key.rsplit('.').next().unwrap_or("").to_ascii_lowercase();
|
|
match ext.as_str() {
|
|
"jpg" | "jpeg" => "image/jpeg",
|
|
"png" => "image/png",
|
|
"webp" => "image/webp",
|
|
"gif" => "image/gif",
|
|
"avif" => "image/avif",
|
|
_ => "application/octet-stream",
|
|
}
|
|
}
|