Use signed URLs for uploads

arjunkomath · arjunkomath · commit 759d29ecb90c · 2026-01-31T15:47:25.000+11:00
diff --git a/app/(api)/api/blob/confirm/route.ts b/app/(api)/api/blob/confirm/route.ts
@@ -0,0 +1,78 @@
+import mime from "mime-types";
+import { eq } from "drizzle-orm";
+import { type NextRequest, NextResponse } from "next/server";
+import { blob } from "@/drizzle/schema";
+import { headObject } from "@/lib/blobStore";
+import { database } from "@/lib/utils/useDatabase";
+import { getOwner } from "@/lib/utils/useOwner";
+
+export type ConfirmResponse = {
+	url: string;
+};
+
+export async function POST(request: NextRequest) {
+	const { userId } = await getOwner();
+
+	const body = await request.json();
+	const { fileId } = body as { fileId: string };
+
+	if (!fileId) {
+		return NextResponse.json(
+			{ error: "Missing fileId" },
+			{ status: 400 },
+		);
+	}
+
+	const db = database();
+
+	try {
+		const [blobRecord] = await db
+			.select()
+			.from(blob)
+			.where(eq(blob.id, fileId))
+			.limit(1);
+
+		if (!blobRecord) {
+			return NextResponse.json({ error: "File not found" }, { status: 404 });
+		}
+
+		if (blobRecord.createdByUser !== userId) {
+			return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
+		}
+
+		if (blobRecord.status === "confirmed") {
+			const extension = mime.extension(blobRecord.contentType);
+			return NextResponse.json<ConfirmResponse>({
+				url: `${process.env.NEXT_PUBLIC_APP_URL}/api/blob/${fileId}/file.${extension}`,
+			});
+		}
+
+		const exists = await headObject(blobRecord.key);
+		if (!exists) {
+			return NextResponse.json(
+				{ error: "File not uploaded to storage" },
+				{ status: 400 },
+			);
+		}
+
+		await db
+			.update(blob)
+			.set({
+				status: "confirmed",
+				updatedAt: new Date(),
+			})
+			.where(eq(blob.id, fileId))
+			.execute();
+
+		const extension = mime.extension(blobRecord.contentType);
+		return NextResponse.json<ConfirmResponse>({
+			url: `${process.env.NEXT_PUBLIC_APP_URL}/api/blob/${fileId}/file.${extension}`,
+		});
+	} catch (error) {
+		console.error("Error confirming upload", error);
+		return NextResponse.json(
+			{ error: "Failed to confirm upload" },
+			{ status: 500 },
+		);
+	}
+}
diff --git a/app/(api)/api/blob/presign/route.ts b/app/(api)/api/blob/presign/route.ts
@@ -0,0 +1,85 @@
+import { randomUUID } from "node:crypto";
+import { type NextRequest, NextResponse } from "next/server";
+import { blob } from "@/drizzle/schema";
+import { getUploadUrl } from "@/lib/blobStore";
+import { database } from "@/lib/utils/useDatabase";
+import { getOwner } from "@/lib/utils/useOwner";
+
+const MAX_FILE_SIZE = 10 * 1024 * 1024;
+const ALLOWED_TYPES = [
+	"image/jpeg",
+	"image/png",
+	"image/gif",
+	"image/webp",
+	"image/svg+xml",
+	"application/pdf",
+];
+
+export type PresignResponse = {
+	uploadUrl: string;
+	fileId: string;
+};
+
+export async function POST(request: NextRequest) {
+	const { ownerId, userId } = await getOwner();
+
+	const body = await request.json();
+	const { fileName, contentType, contentSize } = body as {
+		fileName: string;
+		contentType: string;
+		contentSize: number;
+	};
+
+	if (!fileName || !contentType || !contentSize) {
+		return NextResponse.json(
+			{ error: "Missing required fields" },
+			{ status: 400 },
+		);
+	}
+
+	if (!ALLOWED_TYPES.includes(contentType)) {
+		return NextResponse.json({ error: "File type not allowed" }, { status: 400 });
+	}
+
+	if (contentSize > MAX_FILE_SIZE) {
+		return NextResponse.json(
+			{ error: "File size exceeds maximum allowed (10MB)" },
+			{ status: 400 },
+		);
+	}
+
+	const db = database();
+
+	try {
+		const fileId = randomUUID();
+		const key = `${ownerId}/${fileId}`;
+
+		const uploadUrl = await getUploadUrl(key, contentType);
+
+		await db
+			.insert(blob)
+			.values({
+				id: fileId,
+				key,
+				name: fileName,
+				contentType,
+				contentSize,
+				status: "pending",
+				createdByUser: userId,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			})
+			.execute();
+
+		return NextResponse.json<PresignResponse>({
+			uploadUrl,
+			fileId,
+		});
+	} catch (error) {
+		console.error("Error generating presigned URL", error);
+		return NextResponse.json(
+			{ error: "Failed to generate upload URL" },
+			{ status: 500 },
+		);
+	}
+}
diff --git a/components/editor/index.tsx b/components/editor/index.tsx
@@ -110,14 +110,46 @@ const Editor = memo(function Editor({
 				initialContent === "loading" ? undefined : metadata || initialContent,
 			uploadFile: allowImageUpload
 				? async (file) => {
-						const result: { url: string } = await fetch(
-							`/api/blob?name=${file.name}`,
-							{
-								method: "PUT",
-								body: file,
-							},
-						).then((res) => res.json());
-						return result.url;
+						const presignRes = await fetch("/api/blob/presign", {
+							method: "POST",
+							headers: { "Content-Type": "application/json" },
+							body: JSON.stringify({
+								fileName: file.name,
+								contentType: file.type,
+								contentSize: file.size,
+							}),
+						});
+
+						if (!presignRes.ok) {
+							const error = await presignRes.json();
+							throw new Error(error.error || "Failed to get upload URL");
+						}
+
+						const { uploadUrl, fileId } = await presignRes.json();
+
+						const uploadRes = await fetch(uploadUrl, {
+							method: "PUT",
+							headers: { "Content-Type": file.type },
+							body: file,
+						});
+
+						if (!uploadRes.ok) {
+							throw new Error("Failed to upload file to storage");
+						}
+
+						const confirmRes = await fetch("/api/blob/confirm", {
+							method: "POST",
+							headers: { "Content-Type": "application/json" },
+							body: JSON.stringify({ fileId }),
+						});
+
+						if (!confirmRes.ok) {
+							const error = await confirmRes.json();
+							throw new Error(error.error || "Failed to confirm upload");
+						}
+
+						const { url } = await confirmRes.json();
+						return url;
 					}
 				: undefined,
 		},
diff --git a/drizzle/schema.ts b/drizzle/schema.ts
@@ -158,6 +158,7 @@ export const blob = pgTable("blob", {
 	name: text("name").notNull(),
 	contentType: text("contentType").notNull(),
 	contentSize: integer("contentSize").notNull(),
+	status: text("status").notNull().default("confirmed"),
 	createdByUser: text("createdByUser")
 		.notNull()
 		.references(() => user.id, { onDelete: "cascade", onUpdate: "cascade" }),
diff --git a/lib/blobStore/index.ts b/lib/blobStore/index.ts
@@ -1,6 +1,7 @@
 import {
 	DeleteObjectCommand,
 	GetObjectCommand,
+	HeadObjectCommand,
 	ListObjectsV2Command,
 	PutObjectCommand,
 	S3Client,
@@ -78,4 +79,43 @@ const listFiles = async (prefix: string, maxKeys?: number) => {
 	return response.Contents || [];
 };
 
-export { bytesToMegabytes, deleteFile, getFileUrl, getUrl, listFiles, upload };
+const getUploadUrl = async (
+	key: string,
+	contentType: string,
+): Promise<string> => {
+	const command = new PutObjectCommand({
+		Bucket: process.env.S3_BUCKET_NAME,
+		Key: key,
+		ContentType: contentType,
+	});
+
+	const signedUrl = await getSignedUrl(blobStorage, command, {
+		expiresIn: 300,
+	});
+
+	return signedUrl;
+};
+
+const headObject = async (key: string): Promise<boolean> => {
+	try {
+		const command = new HeadObjectCommand({
+			Bucket: process.env.S3_BUCKET_NAME,
+			Key: key,
+		});
+		await blobStorage.send(command);
+		return true;
+	} catch {
+		return false;
+	}
+};
+
+export {
+	bytesToMegabytes,
+	deleteFile,
+	getFileUrl,
+	getUploadUrl,
+	getUrl,
+	headObject,
+	listFiles,
+	upload,
+};
