336 lines
9.8 KiB
TypeScript
336 lines
9.8 KiB
TypeScript
import { randomUUID } from "node:crypto";
|
|
import {
|
|
Injectable,
|
|
InternalServerErrorException,
|
|
NotFoundException,
|
|
PayloadTooLargeException
|
|
} from "@nestjs/common";
|
|
import { ConfigService } from "@nestjs/config";
|
|
import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
|
|
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
|
|
import { AttachmentType } from "../../generated/prisma/client";
|
|
import { PrismaService } from "../prisma/prisma.service";
|
|
import { DataEncryptionService } from "../security/data-encryption.service";
|
|
import { CompleteAttachmentDto } from "./dto/complete-attachment.dto";
|
|
import { PresignAttachmentDto } from "./dto/presign-attachment.dto";
|
|
|
|
type QuotaInfo = {
|
|
totalBytes: bigint;
|
|
usedBytes: bigint;
|
|
};
|
|
|
|
export type PresignAttachmentResponse = {
|
|
method: "PUT";
|
|
uploadUrl: string;
|
|
bucket: string;
|
|
objectKey: string;
|
|
objectUrl: string;
|
|
expiresInSeconds: number;
|
|
quota: {
|
|
totalBytes: string;
|
|
usedBytes: string;
|
|
remainingBytes: string;
|
|
};
|
|
headers: Record<string, string>;
|
|
};
|
|
|
|
export type AttachmentResponse = {
|
|
id: string;
|
|
taskId: string | null;
|
|
type: AttachmentType;
|
|
url: string;
|
|
mimeType: string | null;
|
|
fileName: string | null;
|
|
fileSize: number;
|
|
width: number | null;
|
|
height: number | null;
|
|
durationMs: number | null;
|
|
checksum: string | null;
|
|
createdAt: string;
|
|
updatedAt: string;
|
|
};
|
|
|
|
@Injectable()
|
|
export class AttachmentService {
|
|
private s3Client: S3Client | null = null;
|
|
|
|
constructor(
|
|
private readonly configService: ConfigService,
|
|
private readonly prismaService: PrismaService,
|
|
private readonly dataEncryptionService: DataEncryptionService
|
|
) {}
|
|
|
|
async presignAttachment(
|
|
userId: string,
|
|
body: PresignAttachmentDto
|
|
): Promise<PresignAttachmentResponse> {
|
|
const quotaInfo = await this.getQuotaSnapshot(userId);
|
|
this.assertQuotaAvailable(quotaInfo.totalBytes, quotaInfo.usedBytes, body.fileSize);
|
|
|
|
if (body.taskId) {
|
|
await this.ensureTaskOwnership(userId, body.taskId);
|
|
}
|
|
|
|
const bucket = this.getDefaultBucket();
|
|
const objectKey = this.generateObjectKey(body.fileName);
|
|
const objectUrl = this.resolveObjectUrl(bucket, objectKey);
|
|
const expiresInSeconds = this.getPresignExpiresInSeconds();
|
|
const serverSideEncryption = this.getServerSideEncryptionMode();
|
|
|
|
const command = new PutObjectCommand({
|
|
Bucket: bucket,
|
|
Key: objectKey,
|
|
ContentType: body.mimeType,
|
|
ContentLength: body.fileSize,
|
|
ServerSideEncryption: serverSideEncryption
|
|
});
|
|
|
|
const uploadUrl = await getSignedUrl(this.getS3Client(), command, {
|
|
expiresIn: expiresInSeconds
|
|
});
|
|
|
|
return {
|
|
method: "PUT",
|
|
uploadUrl,
|
|
bucket,
|
|
objectKey,
|
|
objectUrl,
|
|
expiresInSeconds,
|
|
quota: {
|
|
totalBytes: quotaInfo.totalBytes.toString(),
|
|
usedBytes: quotaInfo.usedBytes.toString(),
|
|
remainingBytes: (quotaInfo.totalBytes - quotaInfo.usedBytes).toString()
|
|
},
|
|
headers: this.buildUploadHeaders(body.mimeType, serverSideEncryption)
|
|
};
|
|
}
|
|
|
|
async completeAttachment(
|
|
userId: string,
|
|
body: CompleteAttachmentDto
|
|
): Promise<AttachmentResponse> {
|
|
if (body.taskId) {
|
|
await this.ensureTaskOwnership(userId, body.taskId);
|
|
}
|
|
|
|
const bucket = body.bucket ?? this.getDefaultBucket();
|
|
const objectUrl = this.resolveObjectUrl(bucket, body.objectKey);
|
|
|
|
const attachment = await this.prismaService.$transaction(async (tx) => {
|
|
const quotaInfo = await this.getQuotaSnapshot(userId, tx);
|
|
this.assertQuotaAvailable(quotaInfo.totalBytes, quotaInfo.usedBytes, body.fileSize);
|
|
|
|
const uploadBytes = BigInt(body.fileSize);
|
|
const maxUsedBeforeUpload = quotaInfo.totalBytes - uploadBytes;
|
|
const updatedUser = await tx.user.updateMany({
|
|
where: {
|
|
id: userId,
|
|
usedStorageBytes: {
|
|
lte: maxUsedBeforeUpload
|
|
}
|
|
},
|
|
data: {
|
|
usedStorageBytes: {
|
|
increment: uploadBytes
|
|
}
|
|
}
|
|
});
|
|
if (updatedUser.count === 0) {
|
|
throw new PayloadTooLargeException("存储配额不足");
|
|
}
|
|
|
|
return tx.attachment.create({
|
|
data: {
|
|
userId,
|
|
taskId: body.taskId ?? null,
|
|
type: body.type ?? this.resolveAttachmentType(body.mimeType),
|
|
url: this.encryptRequiredString(objectUrl),
|
|
mimeType: body.mimeType,
|
|
fileName: this.encryptNullableString(body.fileName),
|
|
fileSize: body.fileSize,
|
|
width: body.width ?? null,
|
|
height: body.height ?? null,
|
|
durationMs: body.durationMs ?? null,
|
|
checksum: this.encryptNullableString(body.checksum)
|
|
}
|
|
});
|
|
});
|
|
|
|
return {
|
|
id: attachment.id,
|
|
taskId: attachment.taskId,
|
|
type: attachment.type,
|
|
url: this.readDecryptedString(attachment.url) ?? objectUrl,
|
|
mimeType: attachment.mimeType,
|
|
fileName: this.readDecryptedString(attachment.fileName),
|
|
fileSize: attachment.fileSize,
|
|
width: attachment.width,
|
|
height: attachment.height,
|
|
durationMs: attachment.durationMs,
|
|
checksum: this.readDecryptedString(attachment.checksum),
|
|
createdAt: attachment.createdAt.toISOString(),
|
|
updatedAt: attachment.updatedAt.toISOString()
|
|
};
|
|
}
|
|
|
|
private getS3Client(): S3Client {
|
|
if (this.s3Client) {
|
|
return this.s3Client;
|
|
}
|
|
|
|
const endpoint = this.configService.get<string>("S3_ENDPOINT") ?? "http://127.0.0.1:9000";
|
|
const region = this.configService.get<string>("S3_REGION") ?? "us-east-1";
|
|
const forcePathStyle =
|
|
this.configService.get<string>("S3_FORCE_PATH_STYLE")?.toLowerCase() !== "false";
|
|
|
|
this.s3Client = new S3Client({
|
|
endpoint,
|
|
region,
|
|
forcePathStyle,
|
|
credentials: {
|
|
accessKeyId: this.configService.get<string>("S3_ACCESS_KEY_ID") ?? "minioadmin",
|
|
secretAccessKey: this.configService.get<string>("S3_SECRET_ACCESS_KEY") ?? "minioadmin"
|
|
}
|
|
});
|
|
|
|
return this.s3Client;
|
|
}
|
|
|
|
private getDefaultBucket(): string {
|
|
return this.configService.get<string>("S3_BUCKET") ?? "todolist";
|
|
}
|
|
|
|
private getPresignExpiresInSeconds(): number {
|
|
const configValue = Number(this.configService.get<string>("S3_PRESIGN_EXPIRES_SECONDS") ?? 900);
|
|
if (!Number.isFinite(configValue) || configValue <= 0) {
|
|
return 900;
|
|
}
|
|
|
|
return Math.min(configValue, 604800);
|
|
}
|
|
|
|
private generateObjectKey(fileName: string): string {
|
|
const datePrefix = new Date().toISOString().slice(0, 10);
|
|
return `attachments/${datePrefix}/${randomUUID()}${this.extractFileExtension(fileName)}`;
|
|
}
|
|
|
|
private resolveObjectUrl(bucket: string, objectKey: string): string {
|
|
const publicBaseUrl = this.configService.get<string>("S3_PUBLIC_BASE_URL");
|
|
if (publicBaseUrl) {
|
|
return `${publicBaseUrl.replace(/\/+$/, "")}/${bucket}/${objectKey}`;
|
|
}
|
|
|
|
const endpoint = this.configService.get<string>("S3_ENDPOINT") ?? "http://127.0.0.1:9000";
|
|
return `${endpoint.replace(/\/+$/, "")}/${bucket}/${objectKey}`;
|
|
}
|
|
|
|
private resolveAttachmentType(mimeType: string): AttachmentType {
|
|
if (mimeType.startsWith("image/")) {
|
|
return AttachmentType.IMAGE;
|
|
}
|
|
|
|
if (mimeType.startsWith("video/")) {
|
|
return AttachmentType.VIDEO;
|
|
}
|
|
|
|
return AttachmentType.FILE;
|
|
}
|
|
|
|
private buildUploadHeaders(
|
|
mimeType: string,
|
|
serverSideEncryption: "AES256" | undefined
|
|
): Record<string, string> {
|
|
const headers: Record<string, string> = {
|
|
"Content-Type": mimeType
|
|
};
|
|
|
|
if (serverSideEncryption) {
|
|
headers["x-amz-server-side-encryption"] = serverSideEncryption;
|
|
}
|
|
|
|
return headers;
|
|
}
|
|
|
|
private getServerSideEncryptionMode(): "AES256" | undefined {
|
|
const configValue =
|
|
this.configService.get<string>("S3_SERVER_SIDE_ENCRYPTION")?.trim().toUpperCase() ?? "AES256";
|
|
|
|
if (configValue === "NONE" || configValue === "DISABLED") {
|
|
return undefined;
|
|
}
|
|
|
|
return "AES256";
|
|
}
|
|
|
|
private extractFileExtension(fileName: string): string {
|
|
const match = /\.[a-zA-Z0-9]{1,16}$/.exec(fileName);
|
|
return match?.[0]?.toLowerCase() ?? "";
|
|
}
|
|
|
|
private async ensureTaskOwnership(userId: string, taskId: string): Promise<void> {
|
|
const task = await this.prismaService.task.findFirst({
|
|
where: {
|
|
id: taskId,
|
|
userId
|
|
},
|
|
select: {
|
|
id: true
|
|
}
|
|
});
|
|
|
|
if (!task) {
|
|
throw new NotFoundException("任务不存在");
|
|
}
|
|
}
|
|
|
|
private async getQuotaSnapshot(
|
|
userId: string,
|
|
tx: Pick<PrismaService, "user"> = this.prismaService
|
|
): Promise<QuotaInfo> {
|
|
const user = await tx.user.findUnique({
|
|
where: {
|
|
id: userId
|
|
},
|
|
select: {
|
|
id: true,
|
|
defaultStorageQuotaMb: true,
|
|
usedStorageBytes: true
|
|
}
|
|
});
|
|
|
|
if (!user) {
|
|
throw new NotFoundException("用户不存在");
|
|
}
|
|
|
|
return {
|
|
totalBytes: BigInt(user.defaultStorageQuotaMb) * 1024n * 1024n,
|
|
usedBytes: user.usedStorageBytes
|
|
};
|
|
}
|
|
|
|
private assertQuotaAvailable(totalBytes: bigint, usedBytes: bigint, fileSize: number): void {
|
|
const uploadBytes = BigInt(fileSize);
|
|
if (uploadBytes > totalBytes || usedBytes + uploadBytes > totalBytes) {
|
|
throw new PayloadTooLargeException("存储配额不足");
|
|
}
|
|
}
|
|
|
|
private encryptRequiredString(value: string): string {
|
|
const encryptedValue = this.dataEncryptionService.encryptString(value);
|
|
if (!encryptedValue) {
|
|
throw new InternalServerErrorException("附件元数据加密失败");
|
|
}
|
|
|
|
return encryptedValue;
|
|
}
|
|
|
|
private encryptNullableString(value: string | null | undefined): string | null | undefined {
|
|
return this.dataEncryptionService.encryptString(value);
|
|
}
|
|
|
|
private readDecryptedString(value: string | null): string | null {
|
|
const decryptedValue = this.dataEncryptionService.decryptString(value);
|
|
return typeof decryptedValue === "string" ? decryptedValue : null;
|
|
}
|
|
}
|