-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathserver.js
More file actions
2340 lines (2142 loc) · 97.3 KB
/
Copy pathserver.js
File metadata and controls
2340 lines (2142 loc) · 97.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// ipfs-gate v0.1 — HTTP server (Express).
// Public endpoints: /reserve, /upload, /status/:cid, /ipfs/:cid
// Admin endpoints: /admin/* (Bearer ADMIN_KEY)
require('dotenv').config();
const express = require('express');
const cors = require('cors');
const rateLimit = require('express-rate-limit');
const multer = require('multer');
const crypto = require('crypto');
const quota = require('./quota');
const envelope = require('./envelope');
const hive = require('./hive-verify');
const moderation = require('./moderation');
const sweeper = require('./sweeper');
const kubo = require('./backends/kubo');
const pricing = require('./pricing');
const releaseAuth = require('./release-policy');
const { parseRange } = require('./range');
// ─── Config ─────────────────────────────────────────────────────────────────
const PORT = parseInt(process.env.PORT || '3001', 10);
// Default 0.0.0.0 — ipfs-gate is meant to live behind nginx in a docker network.
// Override to 127.0.0.1 only when running outside Docker (local dev on a laptop).
const BIND_HOST = process.env.BIND_HOST || '0.0.0.0';
const CORS_ORIGIN = process.env.CORS_ORIGIN || '*';
const ADMIN_KEY = process.env.ADMIN_KEY || '';
const PAYMENT_CURRENCY = process.env.PAYMENT_CURRENCY || 'CNOOBS';
const PAYMENT_AMOUNT = process.env.PAYMENT_AMOUNT || '1';
const IPFS_GATE_HIVE_ACCOUNT = (process.env.IPFS_GATE_HIVE_ACCOUNT || '').toLowerCase();
// parseFloat allows fractional days for testing (e.g. 0.001 ≈ 86s). In the v1
// claim model this is only the DEFAULT duration when a /reserve omits
// hours_requested — the authoritative timer is the claim's expiry_ts.
const DEFAULT_TTL_DAYS = parseFloat(process.env.DEFAULT_TTL_DAYS || '7');
const DEFAULT_HOURS = Math.max(pricing.MIN_HOURS, Math.round(DEFAULT_TTL_DAYS * 24));
const MAX_FILE_SIZE_MB = parseInt(process.env.MAX_FILE_SIZE_MB || '10', 10);
const MAX_FILE_SIZE_BYTES = MAX_FILE_SIZE_MB * 1024 * 1024;
const RATE_LIMIT_RESERVE = parseInt(process.env.RATE_LIMIT_RESERVE_PER_MIN || '30', 10);
const RATE_LIMIT_UPLOAD = parseInt(process.env.RATE_LIMIT_UPLOAD_PER_MIN || '30', 10);
const PUBLIC_GATEWAY_BASE = process.env.PUBLIC_GATEWAY_BASE ||
`https://ipfs.${process.env.SERVER_DOMAIN || 'localhost'}`;
// v0.1.4 — Cache-Control max-age for /ipfs/:cid responses. Browsers honour
// this; during dev/testing keep it short (e.g. 3600 = 1h) so pin expiry is
// observable without incognito tricks. Production default 86400 (1 day).
const GATEWAY_CACHE_MAX_AGE = parseInt(process.env.GATEWAY_CACHE_MAX_AGE || '86400', 10);
// v0.2 — freshness window for signed user-API requests (replay protection on
// /uploads/by-user + /uploads/delete). The signed message embeds a unix-second
// timestamp; requests outside ±SKEW are rejected.
const SIGNED_REQUEST_MAX_SKEW_SEC = parseInt(process.env.SIGNED_REQUEST_MAX_SKEW_SEC || '300', 10);
// v0.2 — MIME types we will NOT serve inline on PUBLIC CIDs, even when claimed.
// These can host active content that would execute on the gate's own origin
// (stored-XSS). Public uploads of these types are forced to octet-stream +
// attachment disposition. Encrypted CIDs are always octet-stream regardless.
const PUBLIC_INLINE_DENY = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);
const MIME_RE = /^[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*$/i;
if (!IPFS_GATE_HIVE_ACCOUNT) {
console.error('FATAL: IPFS_GATE_HIVE_ACCOUNT not set. Refusing to start.');
process.exit(1);
}
if (!ADMIN_KEY) {
console.warn('WARN: ADMIN_KEY is empty — admin endpoints are unprotected. Set ADMIN_KEY in .env.');
}
// ─── App ────────────────────────────────────────────────────────────────────
const app = express();
app.disable('x-powered-by');
// Behind nginx (one proxy hop), so the client IP is in X-Forwarded-For. Without
// this, express-rate-limit throws ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and would
// otherwise key every request off the nginx container IP. '1' = trust the first
// proxy only (don't blindly trust a client-spoofed XFF chain).
app.set('trust proxy', 1);
app.use(cors({ origin: CORS_ORIGIN }));
app.use(express.json({ limit: '64kb' }));
// ─── Helpers ────────────────────────────────────────────────────────────────
function respondError(res, code, message, details) {
const codeToStatus = {
bad_request: 400,
unauthorized: 401,
forbidden: 403,
not_found: 404,
conflict: 409,
gone: 410,
payload_too_large: 413,
rate_limited: 429,
range_not_satisfiable: 416,
unprocessable_entity: 422,
legal_takedown: 451,
insufficient_storage: 507,
internal_error: 500,
bad_gateway: 502,
not_implemented: 501
};
const status = codeToStatus[code] || 500;
res.status(status).json({ error: code, message, details: details || {} });
}
function handleError(res, err, fallbackCode = 'internal_error') {
if (err && err.code && (
typeof err.code === 'string' && err.code !== 'SQLITE_CONSTRAINT_UNIQUE'
)) {
return respondError(res, err.code, err.message);
}
console.error('[server] unhandled error:', err && err.stack || err);
return respondError(res, fallbackCode, err && err.message || String(err));
}
function requireAdmin(req, res, next) {
const h = req.headers['authorization'] || '';
const m = h.match(/^Bearer\s+(.+)$/);
if (!ADMIN_KEY || !m || m[1] !== ADMIN_KEY) {
return respondError(res, 'unauthorized', 'admin auth required');
}
next();
}
function isoFromMs(ms) {
return ms ? new Date(ms).toISOString() : null;
}
/**
* Verify a signed user-API request (no on-chain payment to anchor identity, so
* this is the sole auth gate). Three checks, all must pass:
* 1. ts is within ±SIGNED_REQUEST_MAX_SKEW_SEC of now (replay window).
* 2. sig is a valid Hive signature over `message` by `pubkey`.
* 3. pubkey is a CURRENT posting key of `account` on Hive (binds key→account).
* Throws { code:'bad_request'|'unauthorized' } on failure; resolves on success.
*/
async function verifySignedUserRequest({ account, ts, pubkey, sig, message }) {
if (typeof account !== 'string' || !/^[a-z0-9][a-z0-9.\-]*$/.test(account)) {
throw Object.assign(new Error('valid hive_account required'), { code: 'bad_request' });
}
const tsNum = Number(ts);
if (!Number.isInteger(tsNum)) {
throw Object.assign(new Error('ts (unix seconds) required'), { code: 'bad_request' });
}
if (typeof pubkey !== 'string' || typeof sig !== 'string' || !pubkey || !sig) {
throw Object.assign(new Error('pubkey and sig required'), { code: 'bad_request' });
}
const skew = Math.abs(Math.floor(Date.now() / 1000) - tsNum);
if (skew > SIGNED_REQUEST_MAX_SKEW_SEC) {
throw Object.assign(new Error('request timestamp outside freshness window'), { code: 'unauthorized' });
}
if (!envelope.verifyHiveSig(message, sig, pubkey)) {
throw Object.assign(new Error('signature verification failed'), { code: 'unauthorized' });
}
let postingKeys;
try {
postingKeys = await hive.getAccountPostingPubkeys(account);
} catch (e) {
// Fail closed: if Hive is unreachable we cannot prove key ownership.
throw Object.assign(new Error(`could not verify account keys: ${e.message}`), { code: 'unprocessable_entity' });
}
if (!postingKeys.includes(pubkey)) {
throw Object.assign(new Error('pubkey is not a current posting key for this account'), { code: 'unauthorized' });
}
}
// ─── Hive-account admin tier (WHITELIST-MODE-DESIGN-NOTES.md §5) ─────────────
/**
* The Hive-account admin roster. Read at CALL time (same reasoning as
* quota.whitelistModeEnabled — env is fixed per container, but tests flip it
* in-process). Empty list = the tier is disabled and ADMIN_KEY is the only
* admin auth, exactly as before.
*/
function serverAdminHiveAccounts() {
return (process.env.SERVER_ADMIN_HIVE_ACCOUNTS || '')
.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}
/**
* Dual admin auth: Bearer ADMIN_KEY (box owner, unconditional, all powers) OR
* a Hive-signed request from an account in SERVER_ADMIN_HIVE_ACCOUNTS (the
* narrower tier — only the routes that call this accept it). The signed
* message binds action AND target, so a signature authorising "ban bob" can't
* be replayed to ban alice:
* ipfs-gate:admin-action:v1:<action>:<target>:<account>:<ts>
* Auth fields (admin_account/admin_ts/admin_pubkey/admin_sig) are deliberately
* distinct from each route's own primary fields — e.g. hive_account on
* /admin/ban is the ban TARGET, never the admin.
* Returns { adminId }: 'operator' for the Bearer tier, 'hive:<account>' for
* the Hive tier — passed straight into moderation.js's admin_id param.
* Throws { code:'unauthorized'|'forbidden'|...} on failure.
*/
async function verifyAdminAuth(req, { action, target }) {
const h = req.headers['authorization'] || '';
const m = h.match(/^Bearer\s+(.+)$/);
if (ADMIN_KEY && m && m[1] === ADMIN_KEY) return { adminId: 'operator' };
const src = (req.method === 'GET') ? req.query : (req.body || {});
const { admin_account, admin_ts, admin_pubkey, admin_sig } = src;
if (!admin_account || !admin_sig) {
throw Object.assign(new Error('admin auth required'), { code: 'unauthorized' });
}
const account = String(admin_account).toLowerCase();
if (!serverAdminHiveAccounts().includes(account)) {
throw Object.assign(new Error('account is not a server admin'), { code: 'forbidden' });
}
const message = `ipfs-gate:admin-action:v1:${action}:${target}:${account}:${admin_ts}`;
await verifySignedUserRequest({ account, ts: admin_ts, pubkey: admin_pubkey, sig: admin_sig, message });
return { adminId: `hive:${account}` };
}
/**
* Settle one already-cancelled (or expired) claim: compute the pro-rata refund,
* record it in the durable refund ledger, and attempt the on-chain broadcast.
* NEVER throws — the claim is closed regardless; the refund row carries
* sent / pending / failed / skipped so the operator can see + retry. Returns a
* small summary. 'pending' is the key-optional gate path (no IPFS_GATE_ACTIVE_KEY).
*/
/**
* Record a refund of `amount` to claim.owner in the durable ledger and attempt
* the on-chain broadcast. NEVER throws. Returns { amount, status, ... } where
* status ∈ sent | pending | failed | skipped. `pending` is the key-optional path
* (no IPFS_GATE_ACTIVE_KEY → operator settles manually). Shared by every refund
* path (user cancel + admin force-action).
*/
async function broadcastRefund(claim, amount, reason) {
const memo = `ipfs-gate:refund:${claim.claim_id}`;
if (!amount || amount <= 0) {
quota.recordRefund({
claim_id: claim.claim_id, to_account: claim.owner, amount: 0,
currency: claim.currency, memo, status: 'skipped',
reason: `${reason}: nothing refundable (consumed/forfeit/dust)`
});
return { amount: 0, status: 'skipped' };
}
const rec = quota.recordRefund({
claim_id: claim.claim_id, to_account: claim.owner, amount,
currency: claim.currency, memo, status: 'pending', reason
});
try {
const sent = await hive.sendRefund({ to: claim.owner, amount, currency: claim.currency, memo });
quota.markRefundSettled(rec.refund_id, 'sent', sent.tx_id);
return { amount, status: 'sent', tx_id: sent.tx_id, refund_id: rec.refund_id };
} catch (e) {
if (e.code === 'no_refund_key') {
console.warn(`[refund] ${rec.refund_id} pending (no escrow key): ${amount} ${claim.currency} → @${claim.owner}`);
return { amount, status: 'pending', refund_id: rec.refund_id };
}
quota.markRefundSettled(rec.refund_id, 'failed', null);
console.error(`[refund] ${rec.refund_id} broadcast failed: ${e.message}`);
return { amount, status: 'failed', refund_id: rec.refund_id, error: e.message };
}
}
/**
* Settle a user-initiated cancel refund (guardian spec §6). DORMANT guardian →
* FULL escrow (minus the optional GUARDIAN_CANCEL_FEE_PCT, default 0); ACTIVE
* claim (original / own_copy / activated guardian) → pro-rata. (claim is the
* pre-flip row, so claim.state still reflects what it WAS.)
*/
async function settleClaimRefund(claim, reason = 'cancel') {
const isDormant = claim.state === 'dormant';
const amount = isDormant
? pricing.calculateDormantRefund(claim).amount
: pricing.calculateRefund(claim, Date.now()).amount;
return broadcastRefund(claim, amount, isDormant ? 'dormant_cancel' : reason);
}
/**
* Settle a refund for an ADMIN force-action (cohosting §7). innocent=true (a
* CID-ban guardian) → full escrow no fee; otherwise per refund_policy.
*/
async function settleForcedRefund(claim, { policy = 'prorata', innocent = false } = {}) {
const amount = pricing.forcedRefundAmount(claim, { policy, innocent });
const reason = innocent
? 'admin_void_innocent_guardian'
: (policy === 'none' ? 'admin_void_forfeit' : 'admin_void_prorata');
return broadcastRefund(claim, amount, reason);
}
// ─── Whitelist fee exemption (WHITELIST-MODE-DESIGN-NOTES.md §4) ─────────────
/**
* The account's live whitelist entry IF it is currently fee-exempt, else null.
* Recomputed fresh at every quote/pay call site — guardian pledge and own-copy
* bypass /reserve, so there's no stored flag to reuse there.
*/
function feeExemptEntryFor(account) {
if (!quota.whitelistModeEnabled()) return null;
const entry = quota.getWhitelistEntry(account);
return (entry && entry.fee_exempt) ? entry : null;
}
/**
* Verify an on-chain payment, OR — when feeExempt — skip verification entirely
* and record a synthetic zero-amount payment row so the FK-required
* pins.payment_id / claims.payment_id still resolve. The synthetic tx_id must
* still be globally unique (payments.tx_id UNIQUE) — callers namespace it off
* the purpose + cid + account + timestamp. Throws with a `code` the caller
* routes through handleError; the non-exempt path preserves the exact error
* behavior the pledge/own-copy routes had inline before this refactor.
*/
async function verifyOrSkipPayment({ feeExempt, tx_id, sender, expectedMemo, expectedAmount, syntheticTxId }) {
if (feeExempt) {
const payment = quota.recordPayment({
tx_id: syntheticTxId, reservation_id: null, uploader: sender,
currency: PAYMENT_CURRENCY, amount: 0, memo: expectedMemo,
block_num: null, status: 'confirmed'
});
return {
payResult: { tx_id: syntheticTxId, sender, paid: 0, currency: PAYMENT_CURRENCY, block_num: null },
payment
};
}
let payResult;
try {
payResult = await hive.verifyPayment({ tx_id, sender, expectedMemo, expectedAmount });
} catch (e) {
if (!e.code) e.code = 'unprocessable_entity';
throw e;
}
let sc;
try {
sc = await hive.verifyHiveEngineSidechain(tx_id);
} catch (e) {
throw Object.assign(
new Error(`Hive-Engine sidechain unreachable: ${e.message}`),
{ code: 'unprocessable_entity' }
);
}
if (sc.confirmed === false) {
const detail = sc.reason === 'rejected'
? ((sc.errors || []).join('; ') || 'sidechain rejected the transfer')
: 'sidechain did not confirm within the retry budget — try again in ~30s';
throw Object.assign(
new Error(`Hive-Engine did not confirm: ${detail}`),
{ code: 'unprocessable_entity' }
);
}
const payment = quota.recordPayment({
tx_id, reservation_id: null, uploader: sender,
currency: payResult.currency, amount: payResult.paid,
memo: expectedMemo, block_num: payResult.block_num, status: 'confirmed'
});
return { payResult, payment };
}
// ─── Rate limiters ──────────────────────────────────────────────────────────
const reserveLimiter = rateLimit({
windowMs: 60 * 1000,
max: RATE_LIMIT_RESERVE,
standardHeaders: true,
legacyHeaders: false,
handler: (req, res) => respondError(res, 'rate_limited', 'too many /reserve requests')
});
const uploadLimiter = rateLimit({
windowMs: 60 * 1000,
max: RATE_LIMIT_UPLOAD,
standardHeaders: true,
legacyHeaders: false,
handler: (req, res) => respondError(res, 'rate_limited', 'too many /upload requests')
});
const userApiLimiter = rateLimit({
windowMs: 60 * 1000,
max: parseInt(process.env.RATE_LIMIT_USER_API_PER_MIN || '60', 10),
standardHeaders: true,
legacyHeaders: false,
handler: (req, res) => respondError(res, 'rate_limited', 'too many requests')
});
// ─── Multer for ciphertext uploads ──────────────────────────────────────────
const upload = multer({
storage: multer.memoryStorage(),
limits: { fileSize: MAX_FILE_SIZE_BYTES + 1024 } // tiny slop for header overhead
});
// ─── Public endpoints ───────────────────────────────────────────────────────
app.get('/', (req, res) => {
res.json({
service: 'ipfs-gate',
version: '1.0.0-dev',
operator: IPFS_GATE_HIVE_ACCOUNT,
// v1 claim model: cost is computed per upload (size × time × copies). The
// flat `amount` is retired — clients must POST /reserve with size_bytes (and
// optional hours_requested/copies) to get a quote. `currency`, `max_size_mb`
// and the default duration stay advertised here for the picker UI.
payment: {
model: 'claim-mb-hour',
currency: PAYMENT_CURRENCY,
max_size_mb: MAX_FILE_SIZE_MB,
default_hours: DEFAULT_HOURS,
ttl_days: DEFAULT_TTL_DAYS
},
pricing: {
rate_per_mb_hour: pricing.RATE_PER_MB_HOUR,
min_hours: pricing.MIN_HOURS,
mb_divisor: pricing.MB_DIVISOR,
node_count: pricing.getNodeCount(),
// copies selector range the gate offers (1..node_count) + the Cluster
// self-heal leeway. node_count=1 → guardian is the only co-host option.
copies_max: pricing.getNodeCount(),
replication_leeway: pricing.REPLICATION_LEEWAY,
guardian_cancel_fee_pct: pricing.GUARDIAN_CANCEL_FEE_PCT
},
features: {
public_uploads: true, uploads_tab: true, claim_model: true,
// Guardian feature (multi-participant hosting of the same CID):
// POST /check (already-hosted detection), POST /claims/own-copy,
// GET|POST /guardian/* (the dormant-pledge queue).
guardian: true, own_copy: true, cid_check: true,
// Whitelist / gated-server mode. Mode only — this endpoint has no caller
// identity, so "am I whitelisted / am I admin" rides on the SIGNED
// /uploads/by-user response instead. The admin roster is never listed.
whitelist_mode: quota.whitelistModeEnabled()
}
});
});
/**
* POST /reserve
* Body: { uploader, size_bytes, hours_requested?, copies?, mode? }
* v1 claim model: the gate computes a per-claim quote (size × time × copies) and
* returns it as payment.amount. hours_requested defaults to DEFAULT_HOURS; copies
* defaults to 1 (capped at NODE_COUNT). The flat-fee path is retired.
* Returns: { reservation_id, expires_at, mode, payment:{currency,amount,escrow_account,memo}, quote:{...}, max_size_bytes }
*/
app.post('/reserve', reserveLimiter, (req, res) => {
try {
const { uploader, size_bytes } = req.body || {};
// v0.2 — optional upload mode. 'encrypted' (default) = ciphertext, served
// as octet-stream (unchanged). 'public' = plaintext, shareable link served
// with the claimed MIME. Same reserve→pay→upload billing for both.
const mode = (req.body && req.body.mode) || 'encrypted';
if (typeof uploader !== 'string' || !Number.isInteger(size_bytes) || size_bytes < 1) {
return respondError(res, 'bad_request', 'uploader (string) and size_bytes (positive integer) required');
}
// Reject over-cap files at RESERVE time — before the client is handed
// payment instructions. /upload re-checks the actual bytes, but by then
// the user has already paid; a reservation that can never be uploaded
// must not be quotable. (The client checks the advertised max_size_mb
// too, but the server is the authority.)
if (size_bytes > MAX_FILE_SIZE_BYTES) {
return respondError(res, 'payload_too_large',
`size_bytes (${size_bytes}) exceeds this gate's ${MAX_FILE_SIZE_MB}MB max — do not pay`,
{ max_size_bytes: MAX_FILE_SIZE_BYTES });
}
if (mode !== 'encrypted' && mode !== 'public') {
return respondError(res, 'bad_request', "mode must be 'encrypted' or 'public'");
}
// Quote inputs. hours_requested / copies are optional; defaults keep a bare
// {uploader,size_bytes} request working (it just gets the default duration).
const rawHours = (req.body && req.body.hours_requested);
const hoursRequested = (rawHours === undefined || rawHours === null) ? DEFAULT_HOURS : Number(rawHours);
const rawCopies = (req.body && req.body.copies);
const copiesRequested = (rawCopies === undefined || rawCopies === null) ? 1 : Number(rawCopies);
if (!Number.isFinite(hoursRequested) || hoursRequested <= 0) {
return respondError(res, 'bad_request', 'hours_requested must be a positive number');
}
// Whitelist fee exemption: quote at rate 0 for a fee-exempt account. The
// resulting quoted_amount=0 on the reservation is the signal /upload uses
// to skip on-chain payment verification. Surfaced in the response so the
// $0 is never silent (same philosophy as copies_capped).
const feeExempt = !!feeExemptEntryFor(uploader.toLowerCase());
let quote;
try {
quote = pricing.calculateCost({
sizeBytes: size_bytes, hoursRequested, copies: copiesRequested,
...(feeExempt ? { rate: 0 } : {})
});
} catch (e) {
return handleError(res, e);
}
const r = quota.createReservation(uploader.toLowerCase(), size_bytes, mode, {
hoursRequested: quote.billable_hrs,
copies: quote.copies,
quotedAmount: quote.total
});
res.json({
reservation_id: r.id,
expires_at: isoFromMs(r.expires_at),
mode,
payment: {
currency: PAYMENT_CURRENCY,
amount: String(quote.total),
escrow_account: IPFS_GATE_HIVE_ACCOUNT,
memo: quota.getMemoForReservation(r.id)
},
quote: {
billable_mb: quote.billable_mb,
billable_hrs: quote.billable_hrs,
copies: quote.copies,
// honest surfacing: if the client asked for more copies than the gate has
// nodes, the granted `copies` is capped — don't let that be silent.
copies_requested: Math.max(1, Math.floor(copiesRequested) || 1),
copies_capped: quote.copies < Math.max(1, Math.floor(copiesRequested) || 1),
node_count: pricing.getNodeCount(),
replication: pricing.replicationConfig(quote.copies),
rate_per_mb_hour: quote.rate,
total: quote.total,
currency: PAYMENT_CURRENCY,
fee_exempt: feeExempt
},
max_size_bytes: quota.MAX_FILE_SIZE_BYTES
});
} catch (e) {
return handleError(res, e);
}
});
/**
* POST /upload
* multipart/form-data with fields: reservation_id, tx_id, uploader_pubkey,
* upload_proof_sig, ciphertext (file)
* Returns: { cid, size_bytes, expires_at, gateway_url, deduped, existing_expires_at }
*/
app.post('/upload', uploadLimiter, upload.single('ciphertext'), async (req, res) => {
try {
const { reservation_id, tx_id, uploader_pubkey, upload_proof_sig } = req.body || {};
// v0.2 — public uploads carry a claimed plaintext MIME (rendering hint only,
// never a security input — see GET /ipfs/:cid hardening). `kind` is v4call's
// kind_hint, accepted for audit but not otherwise used by the gate.
const claimedMime = (req.body && req.body.mime) || null;
// tx_id is validated AFTER the reservation is loaded — a fee-exempt
// reservation (quoted_amount 0, whitelist mode) legitimately has no
// on-chain payment, so no tx_id to present.
if (!reservation_id || !uploader_pubkey || !upload_proof_sig) {
return respondError(res, 'bad_request', 'reservation_id, uploader_pubkey, upload_proof_sig all required');
}
if (!req.file || !req.file.buffer) {
return respondError(res, 'bad_request', 'ciphertext file field required');
}
const ciphertext = req.file.buffer;
const sizeBytes = ciphertext.length;
if (sizeBytes > MAX_FILE_SIZE_BYTES) {
return respondError(res, 'payload_too_large', `ciphertext exceeds ${MAX_FILE_SIZE_MB}MB`);
}
// 1. Look up reservation
const r = quota.getReservation(reservation_id);
if (!r) return respondError(res, 'not_found', 'reservation not found');
if (r.status === 'expired') return respondError(res, 'gone', 'reservation expired');
if (r.status !== 'pending') {
return respondError(res, 'conflict', `reservation is ${r.status}, expected pending`);
}
if (r.expires_at < quota.now()) {
return respondError(res, 'gone', 'reservation expired');
}
if (sizeBytes > r.size_bytes) {
return respondError(res, 'payload_too_large', `ciphertext (${sizeBytes}) exceeds reserved size (${r.size_bytes})`);
}
const uploader = r.uploader;
// 1b. Resolve upload mode from the (paid) reservation and validate the
// claimed MIME for public uploads BEFORE doing any Hive payment work,
// so malformed requests are rejected cheaply.
const mode = r.mode || 'encrypted';
let mime = null;
if (mode === 'public') {
if (typeof claimedMime !== 'string' || !MIME_RE.test(claimedMime) || claimedMime.length > 255) {
return respondError(res, 'bad_request', 'public upload requires a valid `mime` field');
}
mime = claimedMime.toLowerCase();
}
// 1c. Optional release-authority policy (Stage 3). Validated up-front so a bad
// policy is rejected before any payment work. Defaults to owner_only.
let releasePolicyObj = null;
if (req.body && req.body.release_policy) {
let parsed;
try { parsed = JSON.parse(req.body.release_policy); }
catch (e) { return respondError(res, 'bad_request', 'release_policy must be valid JSON'); }
try { releasePolicyObj = releaseAuth.normalizeReleasePolicy(parsed); }
catch (e) { return handleError(res, e); }
}
// 1d. Optional proof-of-receipt commitment (Stage 6). SHA-256(plaintext) the
// sender commits to; stored on the order so a recipient can later prove
// decryption (POST /claims/receipt). NOT in the public Reveal link, so a
// bystander (ciphertext only) can't reproduce it. NULL for public uploads.
let receiptHash = null;
if (req.body && req.body.receipt_hash) {
const rh = String(req.body.receipt_hash).toLowerCase();
if (!/^[a-f0-9]{64}$/.test(rh)) {
return respondError(res, 'bad_request', 'receipt_hash must be a 64-char hex sha256');
}
receiptHash = rh;
}
// 2. Banned-account check (banlist could've been added between reserve and upload)
if (quota.isAccountBanned(uploader)) {
return respondError(res, 'forbidden', 'uploader is banned');
}
// 2b. Whitelist re-check (membership could've been revoked between reserve
// and upload — same defensive pattern as the ban re-check above).
if (quota.whitelistModeEnabled() && !quota.isAccountWhitelisted(uploader)) {
return respondError(res, 'forbidden', 'this server is invite-only — uploader is no longer whitelisted');
}
// 2c. Fee exemption: a $0 quote captured at /reserve (quoted_amount 0) plus
// a CURRENTLY fee-exempt whitelist entry means there is no on-chain
// payment to verify — a synthetic zero-amount payment row is recorded
// instead. Both conditions required: a paid-rate reservation is never
// skipped just because the account became exempt afterwards.
const isFeeExempt = !!(feeExemptEntryFor(uploader) && r.quoted_amount === 0);
if (!isFeeExempt && !tx_id) {
return respondError(res, 'bad_request', 'tx_id required');
}
// 3. Verify upload_proof_sig
const ciphertextSha256Hex = envelope.sha256Hex(ciphertext);
const sigOk = envelope.verifyUploadProof({
ciphertextSha256Hex,
reservationId: reservation_id,
uploader,
uploaderPubkey: uploader_pubkey,
sigStr: upload_proof_sig
});
if (!sigOk) {
return respondError(res, 'unauthorized', 'upload_proof_sig verification failed');
}
// 4–6. Payment. Fee-exempt (whitelist) reservations skip the on-chain
// verify entirely and record a synthetic zero-amount payment row (the
// pins/claims FK still needs a payments row). The synthetic tx_id is
// namespaced off the reservation_id — one payment per reservation, and
// payments.tx_id UNIQUE stays the replay guard for both paths.
const expectedMemo = quota.getMemoForReservation(reservation_id);
const effectiveTxId = isFeeExempt ? `whitelist-free:upload:${reservation_id}` : tx_id;
// 4. Replay protection (UNIQUE on payments.tx_id is the schema-level guarantee,
// but check here so we can return a clean error before doing Hive work)
if (quota.getPaymentByTxId(effectiveTxId)) {
return respondError(res, 'conflict', 'tx_id already used');
}
let payResult;
if (isFeeExempt) {
payResult = { tx_id: effectiveTxId, paid: 0, currency: PAYMENT_CURRENCY, block_num: null };
} else {
// 5. Verify Hive payment (tx_id lookup + amount/memo/currency validation).
// v1 claim model: the required amount is the per-claim QUOTE captured at
// /reserve (size × time × copies), not a flat fee.
try {
payResult = await hive.verifyPayment({
tx_id,
sender: uploader,
expectedMemo,
expectedAmount: r.quoted_amount
});
} catch (e) {
return handleError(res, e, 'unprocessable_entity');
}
// Sidechain confirmation — HARD reject. v0.1.2 (and earlier) used a balance
// comparison which was useless: the escrow's existing balance always exceeded
// the per-payment amount, so an under-balanced sender whose transfer was
// rejected by the Hive-Engine sidechain still passed the check, and the file
// got pinned for free. v0.1.3 polls getTransactionInfo on the Hive-Engine
// blockchain RPC for an authoritative success/fail signal.
let sidechainResult;
try {
sidechainResult = await hive.verifyHiveEngineSidechain(tx_id);
} catch (e) {
console.error(`[server] sidechain RPC failed for ${tx_id}: ${e.message}`);
quota.markReservationCancelled(reservation_id);
return respondError(res, 'unprocessable_entity', `Hive-Engine sidechain unreachable: ${e.message}`);
}
if (sidechainResult.confirmed === false) {
quota.markReservationCancelled(reservation_id);
if (sidechainResult.reason === 'rejected') {
const detail = (sidechainResult.errors || []).join('; ') || 'sidechain rejected the transfer';
console.warn(`[server] sidechain rejected tx ${tx_id}: ${detail}`);
return respondError(res, 'unprocessable_entity', `Hive-Engine rejected the transfer: ${detail}`);
}
// 'pending' — exhausted retries; safer to reject than to pin a phantom payment
console.warn(`[server] sidechain still pending for tx ${tx_id} after retries`);
return respondError(res, 'unprocessable_entity', 'Hive-Engine sidechain did not confirm the transfer within the retry budget. Try uploading again in ~30s.');
}
// Belt-and-braces: also record balance for the audit log
try {
payResult.balance_after = await hive.getHiveEngineBalance(IPFS_GATE_HIVE_ACCOUNT, PAYMENT_CURRENCY);
} catch (e) {
console.warn(`[server] post-confirm balance read failed: ${e.message}`);
}
}
// 6. Record payment + mark reservation paid (atomic)
let payment;
try {
payment = quota.recordPayment({
tx_id: effectiveTxId,
reservation_id,
uploader,
currency: payResult.currency,
amount: payResult.paid,
memo: expectedMemo,
block_num: payResult.block_num,
status: 'confirmed'
});
} catch (e) {
return handleError(res, e);
}
quota.markReservationPaid(reservation_id, effectiveTxId);
// 7. Compute CID locally (defence: also verify against Kubo's response after pin)
// For v0.1 we trust Kubo's returned CID since it's the same machine.
// 8. Pin to Kubo
let pinResult;
try {
pinResult = await kubo.pin(ciphertext);
} catch (e) {
// Pin failed. Mark reservation cancelled. Payment stays as 'confirmed' for now —
// operator should refund manually + log via /admin/log-refund.
quota.markReservationCancelled(reservation_id);
console.error(`[server] kubo.pin failed for reservation ${reservation_id}: ${e.message}`);
return handleError(res, e, 'bad_gateway');
}
const cid = pinResult.cid;
// 9. Block list check on CID (could have been added between reserve and pin)
if (quota.isCidBlocked(cid)) {
// Unpin immediately
try { await kubo.unpin(cid); } catch (e) { /* best-effort */ }
quota.markReservationCancelled(reservation_id);
return respondError(res, 'legal_takedown', 'this CID is blocked on this server');
}
// 10. Derive the claim from the (paid) reservation's quote, then create the
// pin (mirroring the claim's expiry_ts) + the order/claim atomically.
// The claim's expiry_ts is the lifecycle authority; the pin row carries
// the same timestamp so disk/serve accounting and the sweeper agree.
// Guardian spec §2: if the CID is ALREADY live-hosted, this uploader is
// not the original host — their claim is an independent own_copy (same
// mechanics, distinct role). Checked before our own pin row lands.
const hostedBefore = quota.alreadyHostedForCid(cid);
const claimKind = hostedBefore ? 'own_copy' : 'original';
const hoursPaid = (r.hours_requested && r.hours_requested > 0) ? r.hours_requested : DEFAULT_HOURS;
const copies = pricing.cappedCopies(r.copies || 1);
const sizeMB = pricing.billableMB(sizeBytes);
// Fee-exempt claims lock rate 0 — the charged rate and the persisted
// rate_locked must agree or a later pro-rata refund/extend would silently
// bill the real rate on a claim that was free.
const rateLocked = isFeeExempt ? 0 : pricing.RATE_PER_MB_HOUR;
const startTs = quota.now();
const expiryTs = startTs + hoursPaid * pricing.HOUR_MS;
const pin = quota.createPin({
cid,
uploader,
size_bytes: sizeBytes,
payment_id: payment.id,
expires_at: expiryTs,
mode,
mime
});
quota.markReservationUploaded(reservation_id, pin.id);
const claim = quota.createOrderWithClaim({
cid,
owner: uploader,
pinId: pin.id,
paymentId: payment.id,
sizeBytes,
sizeMB,
rateLocked,
paidHours: hoursPaid,
copies,
amountPaid: payResult.paid,
currency: payResult.currency,
startTs,
expiryTs,
kind: claimKind,
releasePolicy: releasePolicyObj,
receiptHash
});
// 11. Dedup info (was there already an active pin for this CID before us?)
const allActive = quota.getActivePinsForCid(cid);
const deduped = allActive.length > 1;
const otherExpiries = allActive.filter(p => p.id !== pin.id).map(p => p.expires_at);
const existing_expires_at = otherExpiries.length > 0
? isoFromMs(Math.max(...otherExpiries))
: null;
res.json({
cid,
size_bytes: sizeBytes,
expires_at: isoFromMs(pin.expires_at),
gateway_url: `${PUBLIC_GATEWAY_BASE}/ipfs/${cid}`,
deduped,
existing_expires_at,
claim_id: claim.claim_id,
order_id: claim.order_id,
claim: {
kind: claimKind,
paid_hours: hoursPaid,
copies,
size_mb: sizeMB,
rate_per_mb_hour: rateLocked,
amount_paid: payResult.paid,
currency: payResult.currency
}
});
} catch (e) {
return handleError(res, e);
}
});
/**
* GET /status/:cid
* Guardian feature: also surfaces the "already hosted" snapshot (how long the
* file is paid to stay up + the co-hosting options) so a client that knows the
* CID can offer own-copy / guardian without uploading anything.
*/
app.get('/status/:cid', (req, res) => {
try {
const cid = req.params.cid;
if (quota.isCidBlocked(cid)) {
return respondError(res, 'legal_takedown', 'this CID has been removed');
}
const hosted = quota.alreadyHostedForCid(cid);
if (!hosted) {
return respondError(res, 'not_found', 'CID not pinned');
}
res.json({
cid,
pinned: true,
already_hosted: true,
expires_at: isoFromMs(hosted.hosted_until),
hosted_until: isoFromMs(hosted.hosted_until),
active_pin_count: hosted.active_hosts,
active_hosts: hosted.active_hosts,
guardian_queue_depth: hosted.guardian_queue_depth
});
} catch (e) {
return handleError(res, e);
}
});
/**
* POST /check — already-hosted detection (guardian spec §3 / §8 item 1).
* multipart/form-data with a `ciphertext` file field (same field as /upload).
* Computes the CID via Kubo only-hash — nothing is stored, pinned or paid —
* and reports whether the file is already hosted here, how long it's paid to
* stay up, and the two co-hosting options (own copy / guardian). Clients call
* this FIRST, before /reserve + payment, so the user can choose to back the
* existing copy instead of re-uploading and re-paying from scratch.
*/
app.post('/check', uploadLimiter, upload.single('ciphertext'), async (req, res) => {
try {
if (!req.file || !req.file.buffer) {
return respondError(res, 'bad_request', 'ciphertext file field required');
}
if (req.file.buffer.length > MAX_FILE_SIZE_BYTES) {
return respondError(res, 'payload_too_large', `file exceeds ${MAX_FILE_SIZE_MB}MB`);
}
const { cid } = await kubo.cidOf(req.file.buffer);
if (quota.isCidBlocked(cid)) {
return respondError(res, 'legal_takedown', 'this CID is blocked on this server');
}
const hosted = quota.alreadyHostedForCid(cid);
if (!hosted) {
return res.json({ cid, already_hosted: false });
}
// Quote hints for both options at the default duration — the client re-quotes
// with the user's chosen hours via /claims/own-copy/quote / /guardian/quote.
const quote = pricing.calculateCost({ sizeBytes: hosted.size_bytes, hoursRequested: DEFAULT_HOURS, copies: 1 });
res.json({
cid,
already_hosted: true,
hosted_until: isoFromMs(hosted.hosted_until),
active_hosts: hosted.active_hosts,
guardian_queue_depth: hosted.guardian_queue_depth,
options: {
own_copy: {
description: 'Pay now for your own independent copy (own timer, own refund).',
quote_url: `/claims/own-copy/quote?cid=${encodeURIComponent(cid)}`,
default_quote: { hours: quote.billable_hrs, amount: quote.total, currency: PAYMENT_CURRENCY }
},
guardian: {
description: 'Pledge a budget that only spends if the file would otherwise be dropped; takes over hosting FIFO when the last live host ends.',
quote_url: `/guardian/quote?cid=${encodeURIComponent(cid)}`,
default_quote: { hours: quote.billable_hrs, amount: quote.total, currency: PAYMENT_CURRENCY }
}
}
});
} catch (e) {
return handleError(res, e);
}
});
/**
* GET /ipfs/:cid — gateway pass-through
*/
app.get('/ipfs/:cid', async (req, res) => {
try {
const cid = req.params.cid;
if (quota.isCidBlocked(cid)) {
return respondError(res, 'legal_takedown', 'this CID has been removed');
}
const serve = quota.getServeInfoForCid(cid);
if (!serve) {
return respondError(res, 'not_found', 'CID not pinned here');
}
// v0.2 — content-type. Encrypted CIDs are opaque ciphertext → octet-stream.
// Public CIDs are served with their claimed MIME so links render directly,
// EXCEPT active-content types (html/svg/...), which are forced to download
// so a public link can't become stored-XSS on the gate's own origin. The
// claimed MIME is a rendering hint, never trusted for a security decision.
res.set('X-Content-Type-Options', 'nosniff');
if (serve.mode === 'public' && serve.mime && MIME_RE.test(serve.mime) && !PUBLIC_INLINE_DENY.has(serve.mime)) {
res.set('Content-Type', serve.mime);
} else {
res.set('Content-Type', 'application/octet-stream');
if (serve.mode === 'public') {
res.set('Content-Disposition', 'attachment');
}
}
// Cache-Control max-age is env-configurable (v0.1.4). Default 86400 (1 day)
// for production; recommend 3600 or less during dev/testing so pin expiry
// is visible without browser cache lying. Set GATEWAY_CACHE_MAX_AGE in .env.
res.set('Cache-Control', `public, max-age=${GATEWAY_CACHE_MAX_AGE}`);
// Byte-range support (BYTE-RANGE-DESIGN-NOTES.md). size_bytes was recorded
// from the uploaded buffer, so it's byte-exact for what kubo.cat streams.
// Content-Length MUST equal the bytes actually sent — always computed from
// the CLAMPED range, never the client's raw ask.
res.set('Accept-Ranges', 'bytes');
const size = serve.size_bytes;
const range = parseRange(req.headers.range, size);
if (range && range.unsatisfiable) {
res.set('Content-Range', `bytes */${size}`);
return respondError(res, 'range_not_satisfiable', 'requested range beyond end of file');
}
if (range) {
// Includes the `bytes=0-` Chrome/Safari media probe — MUST answer 206,
// not 200, or those players give up on seeking.
res.status(206);
res.set('Content-Range', `bytes ${range.start}-${range.end}/${size}`);
res.set('Content-Length', String(range.end - range.start + 1));
} else if (Number.isFinite(size)) {
res.set('Content-Length', String(size));
}
// HEAD short-circuit: Express routes HEAD through this GET handler and
// Node discards the body anyway — without this, every player HEAD-probe
// would stream the whole file out of Kubo for nothing.
if (req.method === 'HEAD') {
return res.end();
}
const upstream = await kubo.cat(
cid,
range ? { offset: range.start, length: range.end - range.start + 1 } : {}
);
// Stream the response
upstream.body.pipeTo(new WritableStream({
write(chunk) { res.write(Buffer.from(chunk)); },
close() { res.end(); }
})).catch(e => {
console.warn(`[server] gateway stream failed for ${cid}: ${e.message}`);
try { res.end(); } catch (_) {}
});
} catch (e) {
return handleError(res, e);
}
});
// ─── Signed user endpoints (Hive posting-key auth, no payment) ───────────────
// These let a user manage their OWN uploads. Unlike /upload there is no
// on-chain payment to anchor identity, so the signed request IS the auth — see
// verifySignedUserRequest (proves the supplied pubkey is the account's posting
// key on Hive, not just that some key signed).
/**
* GET /uploads/by-user
* Query: hive_account, ts (unix seconds), pubkey, sig
* Signed message: ipfs-gate:list-uploads:v1:<hive_account>:<ts>