* Verifies the caller may read this file before its bytes are uploaded to a provider. Enforced * for every caller of uploadLargeFilesToProvider (not just the agent path), so a forged * storage key in a passthrough request cannot exfiltrate another user's file.
( file: UserFile, userId: string | undefined )
| 138 | * storage key in a passthrough request cannot exfiltrate another user's file. |
| 139 | */ |
| 140 | async function assertFileAccessForUpload( |
| 141 | file: UserFile, |
| 142 | userId: string | undefined |
| 143 | ): Promise<void> { |
| 144 | if (!file.key) { |
| 145 | throw new Error(`File "${file.name}" has no storage key`) |
| 146 | } |
| 147 | if (!userId) { |
| 148 | throw new Error(`File "${file.name}" requires an authenticated user to upload`) |
| 149 | } |
| 150 | const context = (file.context as StorageContext) || inferContextFromKey(file.key) |
| 151 | const hasAccess = await verifyFileAccess(file.key, userId, undefined, context, false) |
| 152 | if (!hasAccess) { |
| 153 | throw new Error(`File "${file.name}" is not accessible`) |
| 154 | } |
| 155 | } |
| 156 | |
| 157 | /** |
| 158 | * Groups large files needing a Files API upload by storage key so a file referenced across |
no test coverage detected