feat(comment): reader image upload, quotas, ttl cleanup, admin mgmt

- ReaderAuthGuard + CommentUploadController (POST /comments/uploads,
  GET /comments/uploads/config) with per-reader quota interceptor
- file-type magic-byte mime detection (jpeg/png/webp/gif)
- markdown parse + attach/detach/cascade in CommentService;
  reject 403/409/422 for cross-reader / double-bind / cap exceeded
- cron pending+detached cleanup (15m); hardDeleteFile with structured
  stdout audit log (no DB collection)
- admin endpoints GET/DELETE /comments-uploads for management UI
- new CommentUploadOptionsSchema (ttl, size, mime, quotas, gates) +
  commentUploadPrefix on imageStorageOptions; surfaced under storage
  group in admin form schema
- @mx-space/api-client: comment.getUploadConfig + uploadImage

Author: Innei

apps/core/package.json

@@ -102,6 +102,7 @@
     "dotenv-expand": "^13.0.0",
     "ejs": "5.0.2",
     "es-toolkit": "^1.46.0",
+    "file-type": "^22.0.1",
     "form-data": "4.0.5",
     "inquirer": "^13.4.2",
     "isbot": "5.1.39",

apps/core/src/common/decorators/reader-auth.decorator.ts

@@ -0,0 +1,7 @@
+import { UseGuards } from '@nestjs/common'
+
+import { ReaderAuthGuard } from '../guards/reader-auth.guard'
+
+export function ReaderAuth() {
+  return UseGuards(ReaderAuthGuard)
+}

apps/core/src/common/guards/reader-auth.guard.ts

@@ -0,0 +1,47 @@
+import type { CanActivate, ExecutionContext } from '@nestjs/common'
+import { Injectable } from '@nestjs/common'
+
+import { ErrorCodeEnum } from '~/constants/error-code.constant'
+import { AuthService } from '~/modules/auth/auth.service'
+import type { SessionUser } from '~/modules/auth/auth.types'
+import { getNestExecutionContextRequest } from '~/transformers/get-req.transformer'
+
+import { BizException } from '../exceptions/biz.exception'
+
+@Injectable()
+export class ReaderAuthGuard implements CanActivate {
+  constructor(private readonly authService: AuthService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = getNestExecutionContextRequest(context)
+
+    const session = await this.authService.getSessionUser(request.raw)
+    const user = session?.user as SessionUser | undefined
+
+    if (!user?.id) {
+      throw new BizException(ErrorCodeEnum.AuthNotLoggedIn)
+    }
+
+    if (user.role !== 'reader' && user.role !== 'owner') {
+      throw new BizException(ErrorCodeEnum.AuthNotLoggedIn)
+    }
+
+    request.user = user
+    request.readerId = user.id
+    request.isAuthenticated = true
+    request.hasReaderIdentity = true
+    request.hasAdminAccess = user.role === 'owner'
+    request.isGuest = false
+
+    Object.assign(request.raw, {
+      user,
+      readerId: user.id,
+      isAuthenticated: true,
+      hasReaderIdentity: true,
+      hasAdminAccess: user.role === 'owner',
+      isGuest: false,
+    })
+
+    return true
+  }
+}

apps/core/src/constants/error-code.constant.ts

@@ -56,6 +56,7 @@ export enum ErrorCodeEnum {
   PasswordLoginDisabled = 13006,
   AIProviderNotEnabled = 13007,
   ImageStorageNotConfigured = 13008,
+  CommentUploadDisabled = 13009,
 
   // biz - forbidden (403)
   NoteForbidden = 14000,
@@ -105,6 +106,15 @@ export enum ErrorCodeEnum {
   // biz - config validation (422)
   ConfigValidationFailed = 19100,
   CannotGetIp = 19101,
+  CommentUploadFileTooLarge = 19102,
+  CommentUploadInvalidMime = 19103,
+  CommentImageCapExceeded = 19104,
+  CommentUploadFileNotOwned = 19105,
+  CommentUploadFileAlreadyBound = 19106,
+  CommentUploadRateLimited = 19107,
+  CommentUploadQuotaExceeded = 19108,
+  CommentUploadAccountTooNew = 19109,
+  CommentUploadInsufficientComments = 19110,
 
   // comment
   CommentDisabled = 30000,
@@ -213,6 +223,7 @@ export const ErrorCode = Object.freeze<Record<ErrorCodeEnum, [string, number]>>(
       'S3 图床未配置或配置不完整',
       400,
     ],
+    [ErrorCodeEnum.CommentUploadDisabled]: ['评论图片上传未启用', 503],
 
     // forbidden (403)
     [ErrorCodeEnum.NoteForbidden]: ['不要偷看人家的小心思啦~', 403],
@@ -265,6 +276,24 @@ export const ErrorCode = Object.freeze<Record<ErrorCodeEnum, [string, number]>>(
     // config validation (422)
     [ErrorCodeEnum.ConfigValidationFailed]: ['配置验证失败', 422],
     [ErrorCodeEnum.CannotGetIp]: ['无法获取 IP', 422],
+    [ErrorCodeEnum.CommentUploadFileTooLarge]: ['图片大小超出限制', 413],
+    [ErrorCodeEnum.CommentUploadInvalidMime]: ['不支持的图片格式', 415],
+    [ErrorCodeEnum.CommentImageCapExceeded]: ['评论图片数量超过上限', 422],
+    [ErrorCodeEnum.CommentUploadFileNotOwned]: ['不能引用他人上传的图片', 403],
+    [ErrorCodeEnum.CommentUploadFileAlreadyBound]: [
+      '该图片已绑定其他评论，请重新上传',
+      409,
+    ],
+    [ErrorCodeEnum.CommentUploadRateLimited]: ['上传过于频繁，请稍后再试', 429],
+    [ErrorCodeEnum.CommentUploadQuotaExceeded]: ['图片总容量超出限制', 429],
+    [ErrorCodeEnum.CommentUploadAccountTooNew]: [
+      '账号注册时间不足，暂无法上传',
+      403,
+    ],
+    [ErrorCodeEnum.CommentUploadInsufficientComments]: [
+      '需累计更多评论后方可上传',
+      403,
+    ],
 
     [ErrorCodeEnum.MineZip]: ['文件格式必须是 zip 类型', 422],
 

apps/core/src/modules/comment/comment.controller.ts

@@ -382,6 +382,10 @@ export class CommentController {
         updateResult,
       )
 
+      if (!isUndefined(state)) {
+        await this.commentService.cascadeFilesForCommentsIfSpam([id], state)
+      }
+
       return
     } catch {
       throw new NoContentCanBeModifiedException()
@@ -409,19 +413,30 @@ export class CommentController {
   async batchUpdateState(@Body() body: BatchCommentStateDto) {
     const { ids, all, state, currentState } = body
 
+    let affected: string[] = []
     if (all) {
       const filter: Record<string, any> = {}
       if (!isUndefined(currentState)) {
         filter.state = currentState
       }
+      const docs = await this.commentService.model
+        .find(filter)
+        .select('_id')
+        .lean()
+      affected = docs.map((d) => d._id.toString())
       await this.commentService.model.updateMany(filter, { state })
     } else if (ids?.length) {
+      affected = ids.map((id) => id.toString())
       await this.commentService.model.updateMany(
         { _id: { $in: ids } },
         { state },
       )
     }
 
+    if (affected.length) {
+      await this.commentService.cascadeFilesForCommentsIfSpam(affected, state)
+    }
+
     return
   }
 

apps/core/src/modules/comment/comment.lifecycle.service.ts

@@ -15,6 +15,8 @@ import { scheduleManager } from '~/utils/schedule.util'
 import { getAvatar } from '~/utils/tool.util'
 
 import { ConfigsService } from '../configs/configs.service'
+import { FileDeletionReason } from '../file/file-reference.model'
+import { FileReferenceService } from '../file/file-reference.service'
 import { OwnerModel } from '../owner/owner.model'
 import { OwnerService } from '../owner/owner.service'
 import { ReaderService } from '../reader/reader.service'
@@ -53,6 +55,7 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
     private readonly serverlessService: ServerlessService,
     private readonly eventManager: EventManagerService,
     private readonly barkService: BarkPushService,
+    private readonly fileReferenceService: FileReferenceService,
   ) {}
 
   async onModuleInit() {
@@ -92,10 +95,22 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
     this.commentCreateListenerDisposer?.()
   }
 
-  async afterCreateComment(
-    commentId: string,
-    ipLocation: { ip: string },
-  ) {
+  private async cascadeDeleteFilesIfSpamConfigured(commentId: string) {
+    try {
+      const config = await this.configsService.get('commentUploadOptions')
+      if (config.deleteFilesOnSpam === false) return
+      await this.fileReferenceService.hardDeleteFilesForComment(
+        commentId,
+        FileDeletionReason.CommentSpam,
+      )
+    } catch (err) {
+      this.logger.warn(
+        `cascade file delete after spam(${commentId}) failed: ${err instanceof Error ? err.message : err}`,
+      )
+    }
+  }
+
+  async afterCreateComment(commentId: string, ipLocation: { ip: string }) {
     const comment = await this.commentModel
       .findById(commentId)
       .lean({ getters: true })
@@ -121,6 +136,7 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
           { _id: commentId },
           { state: CommentState.Junk },
         )
+        await this.cascadeDeleteFilesIfSpamConfigured(commentId)
         return
       }
 
@@ -142,10 +158,7 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
     })
   }
 
-  async afterReplyComment(
-    comment: CommentModel,
-    ipLocation: { ip: string },
-  ) {
+  async afterReplyComment(comment: CommentModel, ipLocation: { ip: string }) {
     const commentId = comment.id ?? (comment as any)._id?.toString()
     const isLoggedInComment = !!comment.readerId
 
@@ -187,7 +200,9 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
       .then((readers) => readers[0] ?? null)
   }
 
-  private toOwnerIdentity(ownerInfo: Awaited<ReturnType<OwnerService['getOwnerInfo']>>) {
+  private toOwnerIdentity(
+    ownerInfo: Awaited<ReturnType<OwnerService['getOwnerInfo']>>,
+  ) {
     return {
       role: 'owner' as const,
       author: ownerInfo.name || '',
@@ -221,7 +236,9 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
           author: reader.name || comment.author || '',
           mail: reader.email || comment.mail || '',
           avatar:
-            reader.image || comment.avatar || getAvatar(reader.email || comment.mail),
+            reader.image ||
+            comment.avatar ||
+            getAvatar(reader.email || comment.mail),
         }
       }
     }
@@ -257,14 +274,20 @@ export class CommentLifecycleService implements OnModuleInit, OnModuleDestroy {
     const parentIdentity = await this.resolveCommentIdentity(parent, ownerInfo)
 
     if (!refDoc || !ownerInfo.mail) return
-    if (type === CommentReplyMailType.Guest && commentIdentity.role === 'guest') {
+    if (
+      type === CommentReplyMailType.Guest &&
+      commentIdentity.role === 'guest'
+    ) {
       commentIdentity =
         !comment.author && !comment.mail && !comment.avatar
           ? this.toOwnerIdentity(ownerInfo)
           : commentIdentity
     }
 
-    if (type === CommentReplyMailType.Owner && commentIdentity.role === 'owner') {
+    if (
+      type === CommentReplyMailType.Owner &&
+      commentIdentity.role === 'owner'
+    ) {
       return
     }