feat: refactor image download functionality to support spaceId and itemId, improving download handling

Author: FaiiFaiipuipui

apps/api/src/modules/image/download.ts

@@ -1,8 +1,5 @@
 import { Elysia, t } from "elysia";
-import {
-  GetObjectCommand,
-  DeleteObjectCommand,
-} from "@aws-sdk/client-s3";
+import { GetObjectCommand, DeleteObjectCommand } from "@aws-sdk/client-s3";
 import { GetFederationTokenCommand } from "@aws-sdk/client-sts";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import { s3, sts, expiresIn, s3Region, s3Bucket } from "@repo/s3";
@@ -11,11 +8,10 @@ import archiver from "archiver";
 import { PassThrough, Readable } from "node:stream";
 import { createDb } from "../../drizzle/client.js";
 import { storageSchema } from "@repo/rdb/schema";
-import {
-  item,
-} from "../../../../../packages/rdb/src/schemas/storage.js";
+import { item } from "../../../../../packages/rdb/src/schemas/storage.js";
 import { eq, inArray, sql, and } from "drizzle-orm";
-import { loadAccessContext } from "../../utils/queryHelper.js";
+import { loadAccessContext, scopeItemRead } from "../../utils/queryHelper.js";
+import { errorFormatter } from "../../utils/resFormatter.js";
 
 const S3_MIN_PART = 5 * 1024 * 1024; // 5 MiB
 const S3_MAX_PART = 5 * 1024 * 1024 * 1024; // 5 GiB
@@ -39,13 +35,14 @@ function recommendPartSize(total: bigint): number {
   const parts = (total + S3_MAX_PARTS - 1n) / S3_MAX_PARTS;
   const miB = 1024n * 1024n;
   const rounded = ((parts + miB - 1n) / miB) * miB;
-  const clamped = rounded < MIN ? MIN : (rounded > MAX ? MAX : rounded);
+  const clamped = rounded < MIN ? MIN : rounded > MAX ? MAX : rounded;
   return Number(clamped);
 }
 
 // Helper: extract itemId from an object key that is either a UUID or `${uuid}-${name}`
 const extractItemIdFromKey = (key: string): string | null => {
-  const uuidPattern = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/;
+  const uuidPattern =
+    /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/;
   if (uuidPattern.test(key)) return key;
   const m = key.match(
     /^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})-/
@@ -57,55 +54,81 @@ export const s3Router = new Elysia({ prefix: "/v1" })
   .use(betterAuthMiddleware)
   //Get single image
   .get(
-    "/image/:imageKey",
+    "/spaces/:spaceId/items/:itemId/download",
     async ({ params, set, query, user }) => {
-      const { imageKey } = params;
-      const { download } = query;
-
+      const doDownload = query.download ?? true;
       // AuthN/Z: allow if public or owner
-      const itemId = extractItemIdFromKey(imageKey);
-      if (!itemId) {
-        set.status = 403;
-        return { error: "forbidden" };
-      }
+      const ctx = await loadAccessContext(db, user?.id ?? null, params.spaceId);
 
-      const rows = await db
-        .select({
-          id: item.id,
-          createdBy: item.createdBy,
-          accessType: item.accessType,
-          trashedAt: item.trashedAt,
-        })
-        .from(item)
-        .where(eq(item.id, itemId))
-        .limit(1);
+      const canAccessItem = await scopeItemRead(ctx, {
+        itemId: params.itemId,
+        includeTrash: false,
+      });
 
-      if (rows.length === 0) {
-        set.status = 404;
-        return { error: "not_found" };
+      if (canAccessItem.length === 0) {
+        const errMessage = errorFormatter(403, "ERR_FORBIDDEN_WRITE", {});
+        set.status = errMessage.status;
+        return {
+          success: false,
+          data: null,
+          error: { errMessage },
+        };
       }
 
-      const rec = rows[0];
-      const isOwner = !!user?.id && String(rec.createdBy) === String(user.id);
-      const isPublic =
-        String((rec as any).accessType ?? "").toLowerCase() === "public";
+      // Normalize to a flat item row for a consistent API contract.
+      let [item]: (typeof storageSchema.item.$inferSelect)[] = (
+        canAccessItem as any[]
+      ).map((r) =>
+        "item" in r
+          ? (r.item as typeof storageSchema.item.$inferSelect)
+          : (r as typeof storageSchema.item.$inferSelect)
+      );
 
-      if (!isPublic && !isOwner) {
-        set.status = 403;
-        return { error: "forbidden" };
+      if (item.itemType !== "file") {
+        const errMessage = errorFormatter(422, "INVALID_TYPE", {
+          field: "Item",
+          expected: "file",
+          actualType: item.itemType,
+        });
+        set.status = errMessage.status;
+        return { success: false, data: null, error: errMessage };
+      }
+
+      if (item.assetId === null) {
+        const errMessage = errorFormatter(500, "UNEXPECTED_TYPE", {
+          field: "assetId",
+          expected: "not empty",
+          actualType: "empty",
+        });
       }
-      if (rec.trashedAt) {
-        set.status = 410;
-        return { error: "gone" };
+
+      let [file] = await db
+        .select()
+        .from(storageSchema.fileBlobLocation)
+        .where(
+          and(
+            eq(storageSchema.fileBlobLocation.assetId, item.assetId!),
+            eq(storageSchema.fileBlobLocation.kind, "canon")
+          )
+        );
+
+      if (!file) {
+        const errMessage = errorFormatter(404, "NOT_FOUND", {
+          obj: "file",
+          queryKey: "itemId",
+          queryValue: params.itemId,
+        });
+        set.status = errMessage.status;
+        return { success: false, data: null, error: errMessage };
       }
 
       const getObjectCommandInput = {
         Bucket: BUCKET,
-        Key: imageKey,
+        Key: file.objectKey,
       };
 
-      if (download === "true") {
-        const filename = imageKey.split("/").pop() || "download";
+      if (doDownload === true) {
+        const filename = item.liveName ?? item.name;
         Object.assign(getObjectCommandInput, {
           ResponseContentDisposition: `attachment; filename="${decodeURIComponent(filename)}"`,
         });
@@ -123,65 +146,24 @@ export const s3Router = new Elysia({ prefix: "/v1" })
       return { url, expires: expiresIn };
     },
     {
-      params: t.Object({ imageKey: t.String() }),
-      query: t.Object({ download: t.Optional(t.String()) }),
+      params: t.Object({
+        spaceId: t.String({ format: "uuid" }),
+        itemId: t.String({ format: "uuid" }),
+      }),
+      query: t.Object({ download: t.Optional(t.Boolean()) }),
       auth: { allowPublic: true },
     }
   )
 
   //Bulk download image
-  .post(
-    "/batch-download",
-    async ({ body, set, user }) => {
+/*   .post(
+    "/spaces/:spaceId/batch-download",
+    async ({ body, set, params, user }) => {
       const { imageKeys } = body;
 
-      const keysArray = imageKeys.filter((key: string) => key !== "");
-      if (keysArray.length === 0) {
-        set.status = 400;
-        return { error: "No valid image keys provided for download." };
-      }
-
-      // Resolve and filter authorized keys (public or owned by requester)
-      const idToKeys = new Map<string, string[]>();
-      const ids: string[] = [];
-      for (const k of keysArray) {
-        const id = extractItemIdFromKey(k);
-        if (id) {
-          if (!idToKeys.has(id)) idToKeys.set(id, []);
-          idToKeys.get(id)!.push(k);
-          ids.push(id);
-        }
-      }
-      const uniqueIds = Array.from(new Set(ids));
-      if (uniqueIds.length === 0) {
-        set.status = 403;
-        return { error: "No authorized files for download." };
-      }
-
-      const dbRows = await db
-        .select({
-          id: item.id,
-          createdBy: item.createdBy,
-          accessType: item.accessType,
-          trashedAt: item.trashedAt,
-        })
-        .from(item)
-        .where(inArray(item.id, uniqueIds));
-
-      const allowedIds = new Set<string>();
-      for (const r of dbRows) {
-        const isOwner = !!user?.id && String(r.createdBy) === String(user.id);
-        const isPublic =
-          String((r as any).accessType ?? "").toLowerCase() === "public";
-        if (!r.trashedAt && (isPublic || isOwner)) {
-          allowedIds.add(String(r.id));
-        }
-      }
+      const ctx = await loadAccessContext(db, user?.id ?? null, params.spaceId)
 
-      const allowedKeys: string[] = [];
-      for (const [id, ks] of idToKeys) {
-        if (allowedIds.has(id)) allowedKeys.push(...ks);
-      }
+      
 
       if (allowedKeys.length === 0) {
         set.status = 403;
@@ -235,20 +217,24 @@ export const s3Router = new Elysia({ prefix: "/v1" })
           }
         }
         await Promise.all(
-          Array.from({ length: Math.min(CONCURRENCY, allowedKeys.length) }, worker)
+          Array.from(
+            { length: Math.min(CONCURRENCY, allowedKeys.length) },
+            worker
+          )
         );
         await archive.finalize();
       })();
 
       return zipStream;
     },
     {
+      params: t.Object({ spaceId: t.String({ format: "uuid" }) }),
       body: t.Object({
         imageKeys: t.Array(t.String()),
       }),
       auth: { allowPublic: true },
     }
-  )
+  ) */
 
   //get bulk image (maybe optimizing for scalability ex pagination in the future??)
   .get(

apps/api/src/utils/queryHelper.ts

@@ -40,14 +40,14 @@ export function ensureOwner(ctx: AccessContext) {
   return true;
 }
 
-export async function scopeItemRead<T extends PgSelect>(
+export async function scopeItemRead(
   ctx: AccessContext,
   args: {
     itemId: string;
     includeTrash?: boolean;
   }
 ) {
-  let qb = db.select().from(storageSchema.item)
+  let qb = db.select().from(storageSchema.item);
   const base = ctx.isOwner
     ? qb
     : qb.innerJoin(
@@ -62,26 +62,35 @@ export async function scopeItemRead<T extends PgSelect>(
         )
       );
 
-  return await base.where(
-    and(
-      eq(storageSchema.item.spaceId, ctx.spaceId),
-      eq(storageSchema.item.id, args.itemId),
-      args.includeTrash ? sql`TRUE` : isNull(storageSchema.item.purgeAt)
+  return await base
+    .where(
+      and(
+        eq(storageSchema.item.spaceId, ctx.spaceId),
+        eq(storageSchema.item.id, args.itemId),
+        args.includeTrash ? sql`TRUE` : isNull(storageSchema.item.purgeAt)
+      )
     )
-  ).limit(1);
+    .limit(1);
 }
 
 export function scopeItemsRead<T extends PgSelect>(
   qb: T,
   ctx: AccessContext,
   args: {
     parentId: string | null;
+    skipParentCheck?: boolean;
     includeTrash?: boolean;
     name?: string;
     match?: MatchType;
   }
 ) {
-  const match = args.match ?? MatchType.CONTAINS
+  args.skipParentCheck = args.skipParentCheck ?? false;
+  const parentIdFilter = args.skipParentCheck
+    ? sql`TRUE`
+    : args.parentId === null
+      ? isNull(storageSchema.item.parentId)
+      : eq(storageSchema.item.parentId, args.parentId);
+  const match = args.match ?? MatchType.CONTAINS;
   const base = ctx.isOwner
     ? qb
     : qb.innerJoin(
@@ -99,11 +108,11 @@ export function scopeItemsRead<T extends PgSelect>(
   return base.where(
     and(
       eq(storageSchema.item.spaceId, ctx.spaceId),
-      args.parentId === null
-        ? isNull(storageSchema.item.parentId)
-        : eq(storageSchema.item.parentId, args.parentId),
+      parentIdFilter,
       args.includeTrash ? sql`TRUE` : isNull(storageSchema.item.purgeAt),
-      args.name ? patternBuilder(storageSchema.item.name, args.name, match) : sql`TRUE`
+      args.name
+        ? patternBuilder(storageSchema.item.name, args.name, match)
+        : sql`TRUE`
     )
   );
 }
@@ -120,7 +129,7 @@ export const MatchType = {
   EXACT: "exact",
   CONTAINS: "contains",
   STARTS_WITH: "startsWith",
-  ID: "id"
+  ID: "id",
 } as const;
 export type MatchType = (typeof MatchType)[keyof typeof MatchType];
 
@@ -130,11 +139,15 @@ export function withMatch<T extends PgSelect>(
   matchType: MatchType,
   searchString: string
 ): T {
-  return qb.where(patternBuilder(matchColumn, searchString, matchType))
+  return qb.where(patternBuilder(matchColumn, searchString, matchType));
 }
 
-function patternBuilder(matchColumn: PgColumn, searchString: string, matchType: MatchType) {
-    switch (matchType) {
+function patternBuilder(
+  matchColumn: PgColumn,
+  searchString: string,
+  matchType: MatchType
+) {
+  switch (matchType) {
     case MatchType.EXACT:
       return eq(matchColumn, searchString);
 
@@ -145,7 +158,7 @@ function patternBuilder(matchColumn: PgColumn, searchString: string, matchType:
       return like(matchColumn, `${searchString}%`);
 
     case MatchType.ID:
-      return eq(matchColumn, searchString) // This should be rewritten ASAP
+      return eq(matchColumn, searchString); // This should be rewritten ASAP
 
     default: {
       // Exhaustiveness guard – makes sure we handled every literal
@@ -167,4 +180,4 @@ export const getColumnLength = (column: PgColumn) => {
   }
 
   return length;
-};
+};

apps/web/src/components/image-folder/file-tool-bar.tsx

@@ -28,6 +28,7 @@ export function FileToolBar({
     <div className="sticky top-[10vh] z-50 bg-background py-4 ml-[20vw] flex justify-end gap-4">
       {isSelectable ? (
         <SelectionBar
+        spaceId={spaceInfo.spaceId}
           selectedCount={selectedCount}
           selectedImageKeys={selectedImageKeys}
           onCancel={onCancel}