feat(sandbox): in-RAM blob sandbox for out-of-band page transfer (#243)
Add an ephemeral, process-local blob store so the in-app agent (and the
embedded MCP) can hand a large page document and its images to an external
consumer WITHOUT routing the bytes through the model context or Docmost auth.
- SandboxStore (@Injectable singleton): Map<uuid,{buf,mime,sha256,expiresAt}>
in RAM only. put() picks a per-blob cap by mime (image vs doc), enforces a
total-bytes RAM guard with oldest-first eviction, and stamps a TTL; get()
lazily expires. sha256 computed at put() doubles as the strong ETag. An
unref'd sweep interval clears expired entries and is cleared on destroy.
- GET /api/sb/:uuid anonymous controller: serves raw bytes with Content-Type,
Content-Length and ETag=sha256; 404 on missing/expired/non-UUID (anti-
traversal), 304 on a matching If-None-Match. No tokens, no 401 — the
capability is the unguessable UUID + short TTL + TLS. Auth-exempt the same
way as /api/files/public (no JwtAuthGuard) plus an /api/sb entry in main.ts's
workspace-resolution preHandler so a remote consumer with no workspace host
is not rejected.
- stash_page tool in both layers (MCP resource_link + in-app {uri,size,sha256,
images}). client.stashPage serializes the get_page_json shape, mirrors every
INTERNAL file/image src (type-agnostic, covers drawio/excalidraw/video/file)
into the sandbox under Docmost auth and rewrites src to the sandbox URL;
external http(s) srcs are left untouched; dedup by src; a failed image fetch
is counted, never aborts the doc.
- SANDBOX_PUBLIC_URL / SANDBOX_TTL_MS / SANDBOX_MAX_BYTES /
SANDBOX_MAX_IMAGE_BYTES / SANDBOX_MAX_TOTAL_BYTES wired through the
environment service + validation + .env.example.
- SandboxModule (@Global) provides the shared store to the controller,
McpService and AiChatToolsService (same instance for put and get).
Tests: SandboxStore (round-trip, sha256, TTL lazy + sweep, caps, eviction),
SandboxController (200+ETag+CT+CL, 404 missing/expired/non-UUID, 304), and a
mock-HTTP stashPage test (mirror+rewrite internal, keep external, dedup, failed
image counted, returns only a link). Interoperates with the vvzvlad/habr-mcp
consumer's anonymous-GET + sha256-ETag + resource_link contract.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,94 @@
|
||||
import { Controller, Get, Param, Req, Res } from '@nestjs/common';
|
||||
import { FastifyReply, FastifyRequest } from 'fastify';
|
||||
import { SandboxStore } from './sandbox.store';
|
||||
|
||||
// Strict UUID v-agnostic shape. This is anti-traversal / input hygiene (so `:id`
|
||||
// can never be a path like `../...`), NOT authorization — the capability is the
|
||||
// unguessable id itself plus the short TTL plus TLS.
|
||||
const UUID_RE =
|
||||
/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
|
||||
|
||||
/**
|
||||
* Anonymous read endpoint for the in-RAM blob sandbox.
|
||||
*
|
||||
* Mounted under the global `/api` prefix as `GET /api/sb/:id`. It carries NO
|
||||
* `@UseGuards(JwtAuthGuard)`, so — exactly like the public attachment route
|
||||
* `GET /api/files/public/...` — it is exempt from Docmost session auth. The
|
||||
* route is ALSO listed in the workspace-resolution preHandler's excludedPaths
|
||||
* in main.ts so a request from a remote consumer (which carries no workspace
|
||||
* host) is not rejected with "Workspace not found".
|
||||
*
|
||||
* It only ever serves blobs looked up from the SandboxStore by a validated
|
||||
* UUID; `:id` is never used as a filesystem path, so there is no traversal
|
||||
* surface. Never returns tokens, never 401s.
|
||||
*/
|
||||
@Controller('sb')
|
||||
export class SandboxController {
|
||||
constructor(private readonly store: SandboxStore) {}
|
||||
|
||||
@Get(':id')
|
||||
async get(
|
||||
@Param('id') id: string,
|
||||
@Req() req: FastifyRequest,
|
||||
@Res() res: FastifyReply,
|
||||
): Promise<void> {
|
||||
// Non-UUID id (including any traversal attempt) → 404 before touching the
|
||||
// store. No stack trace leaks out.
|
||||
if (!UUID_RE.test(id)) {
|
||||
res.status(404).send();
|
||||
return;
|
||||
}
|
||||
|
||||
const entry = this.store.get(id);
|
||||
if (!entry) {
|
||||
// Missing or expired — indistinguishable to the caller, by design.
|
||||
res.status(404).send();
|
||||
return;
|
||||
}
|
||||
|
||||
// Strong validator: quoted sha256, no W/ weak prefix. Same value computed
|
||||
// at put() time, so an external consumer can detect a truncated/corrupted
|
||||
// body — the original bug this whole channel exists to fix.
|
||||
const etag = `"${entry.sha256}"`;
|
||||
|
||||
// Conditional request: an exact ETag match → 304 with no body. The blob is
|
||||
// immutable, so the validator is stable for the blob's whole lifetime.
|
||||
if (this.ifNoneMatchMatches(req.headers['if-none-match'], entry.sha256)) {
|
||||
res.status(304).header('ETag', etag).send();
|
||||
return;
|
||||
}
|
||||
|
||||
const ttlSeconds = Math.max(
|
||||
0,
|
||||
Math.floor((entry.expiresAt - Date.now()) / 1000),
|
||||
);
|
||||
|
||||
// Use @Res() + res.send(Buffer) with an explicit Content-Type so the binary
|
||||
// body bypasses the global JSON response transform/serializer.
|
||||
res
|
||||
.status(200)
|
||||
.headers({
|
||||
'Content-Type': entry.mime,
|
||||
'Content-Length': entry.buf.length,
|
||||
ETag: etag,
|
||||
// Capability URL — keep it out of shared caches; immutable for its TTL.
|
||||
'Cache-Control': `private, max-age=${ttlSeconds}, immutable`,
|
||||
})
|
||||
.send(entry.buf);
|
||||
}
|
||||
|
||||
// Accept the consumer's If-None-Match whether it sends the quoted ETag, a bare
|
||||
// sha256, a weak "W/"-prefixed validator, or a comma-separated list.
|
||||
private ifNoneMatchMatches(
|
||||
header: string | string[] | undefined,
|
||||
sha256: string,
|
||||
): boolean {
|
||||
if (!header) return false;
|
||||
const raw = Array.isArray(header) ? header.join(',') : header;
|
||||
if (raw.trim() === '*') return true;
|
||||
return raw
|
||||
.split(',')
|
||||
.map((t) => t.trim().replace(/^W\//, '').replace(/^"|"$/g, ''))
|
||||
.some((t) => t === sha256);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user