import { NextRequest, NextResponse } from 'next/server' import { writeFile, mkdir } from 'fs/promises' import path from 'path' import { randomUUID } from 'crypto' import { auth } from '@/auth' import { writeUploadMeta } from '@/lib/upload-access' const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'] const MAX_SIZE = 5 * 1024 * 1024 // 5MB export async function POST(request: NextRequest) { try { const session = await auth() if (!session?.user?.id) { return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) } const userId = session.user.id const formData = await request.formData() const file = formData.get('file') as File if (!file) { return NextResponse.json({ error: 'No file uploaded' }, { status: 400 }) } if (!ALLOWED_TYPES.includes(file.type)) { return NextResponse.json({ error: 'Invalid file type' }, { status: 400 }) } if (file.size > MAX_SIZE) { return NextResponse.json({ error: 'File too large (max 5MB)' }, { status: 400 }) } const buffer = Buffer.from(await file.arrayBuffer()) let ext = path.extname(file.name).toLowerCase() if (!['.jpg', '.jpeg', '.png', '.gif', '.webp'].includes(ext)) { const mimeToExt: Record = { 'image/jpeg': '.jpg', 'image/png': '.png', 'image/gif': '.gif', 'image/webp': '.webp', } ext = mimeToExt[file.type] || '.png' } const filename = `${randomUUID()}${ext}` // Ownership in path: /uploads/notes/{userId}/{filename} const relativeUnderNotes = `${userId}/${filename}` const uploadDir = path.join(process.cwd(), 'data', 'uploads', 'notes', userId) await mkdir(uploadDir, { recursive: true }) const filePath = path.join(uploadDir, filename) await writeFile(filePath, buffer) await writeUploadMeta(relativeUnderNotes, userId) const url = `/uploads/notes/${relativeUnderNotes}` return NextResponse.json({ success: true, url, }) } catch (error) { console.error('[upload]', error) return NextResponse.json( { error: 'Failed to upload file' }, { status: 500 }, ) } }