feat(upload): add resumable chunk configuration and file validation

- Add `WARPBOX_RESUMABLE_CHUNK_MODE` and `WARPBOX_RESUMABLE_CHUNK_PATH` environment variables to configure temporary chunk storage. - Implement strict file validation for resuming uploads to ensure selected files match the pending session's metadata. - Add `PLANS.md` to document development stages, roadmap, and API specifications (including batching and resumable flows).
2026-06-02 22:13:54 +03:00
parent 5cd476e7f3
commit 313c89483c
22 changed files with 1809 additions and 324 deletions
--- a/backend/libs/handlers/download.go
+++ b/backend/libs/handlers/download.go
@@ -52,6 +52,7 @@ type fileView struct {
 	Reactions    []reactionView
 	ReactionMore int
 	Reacted      bool
+	Processing   bool
 }

 type reactionView struct {
@@ -101,6 +102,15 @@ func (a *App) DownloadPage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	locked := a.uploadService.IsProtected(box) && !a.isBoxUnlocked(r, box)
+	if isSocialPreviewBot(r) && !locked && len(box.Files) == 1 {
+		if box.Files[0].Processing {
+			http.Error(w, "file is still processing", http.StatusAccepted)
+			return
+		}
+		a.serveFileContent(w, r, box, box.Files[0], false)
+		a.logger.Info("single-file box served inline for social preview", withRequestLogAttrs(r, "source", "download", "severity", "user_activity", "code", 2008, "box_id", box.ID, "file_id", box.Files[0].ID)...)
+		return
+	}
 	visitorID := a.reactionVisitorID(w, r)
 	reactionsByFile, reactedByFile, err := a.reactionService.SummaryForBox(box.ID, visitorID)
 	if err != nil {
@@ -159,6 +169,15 @@ func (a *App) DownloadFile(w http.ResponseWriter, r *http.Request) {
 	}

 	locked := a.uploadService.IsProtected(box) && !a.isBoxUnlocked(r, box)
+	if isSocialPreviewBot(r) && !locked {
+		if file.Processing {
+			http.Error(w, "file is still processing", http.StatusAccepted)
+			return
+		}
+		a.serveFileContent(w, r, box, file, false)
+		a.logger.Info("file served inline for social preview", withRequestLogAttrs(r, "source", "download", "severity", "user_activity", "code", 2009, "box_id", box.ID, "file_id", file.ID)...)
+		return
+	}
 	view := a.fileView(box, file)
 	title := file.Name
 	description := fmt.Sprintf("%s shared via Warpbox", helpers.FormatBytes(file.Size))
@@ -193,6 +212,10 @@ func (a *App) DownloadFileContent(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "password required", http.StatusUnauthorized)
 		return
 	}
+	if file.Processing {
+		http.Error(w, "file is still processing", http.StatusAccepted)
+		return
+	}

 	a.serveFileContent(w, r, box, file, r.URL.Query().Get("inline") != "1")
 	a.logger.Info("file content served", withRequestLogAttrs(r, "source", "download", "severity", "user_activity", "code", 2005, "box_id", box.ID, "file_id", file.ID, "attachment", r.URL.Query().Get("inline") != "1")...)
@@ -373,6 +396,7 @@ func (a *App) fileViewWithReactions(box services.Box, file services.File, reacti
 		Reactions:    reactionViews,
 		ReactionMore: reactionOverflowCount(reactionViews),
 		Reacted:      reacted,
+		Processing:   file.Processing,
 	}
 }

@@ -583,3 +607,31 @@ func absoluteURL(r *http.Request, path string) string {
 	}
 	return fmt.Sprintf("%s://%s%s", scheme, r.Host, path)
 }
+
+func isSocialPreviewBot(r *http.Request) bool {
+	agent := strings.ToLower(r.UserAgent())
+	if agent == "" {
+		return false
+	}
+	bots := []string{
+		"discordbot",
+		"twitterbot",
+		"facebookexternalhit",
+		"telegrambot",
+		"whatsapp",
+		"slackbot",
+		"linkedinbot",
+		"skypeuripreview",
+		"embedly",
+		"pinterest",
+		"vkshare",
+		"mattermost",
+		"mastodon",
+	}
+	for _, bot := range bots {
+		if strings.Contains(agent, bot) {
+			return true
+		}
+	}
+	return false
+}