Merge branch 'ling-drag0n:main' into main

Author: Ai686Leo

README.md

@@ -1,14 +1,14 @@
-# CloudPaste - Online Clipboard 📋
+# CloudPaste 📋
 
 <div align="center">
     <p>
     <a href="README_CN.md">中文</a> | <a href="README.md">English</a> |
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=es">Español</a> | 
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=fr">français</a> | 
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=ja">日本語</a> 
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=es">Español</a> |
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=fr">français</a> |
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=ja">日本語</a>
     </p>
     <img width="100" height="100" src="https://img.icons8.com/dusk/100/paste.png" alt="paste"/>
-    <h3>Cloudflare-based online clipboard and file sharing service with Markdown editing and file upload support</h3>
+    <h3>🌩️ Serverless file management and Markdown sharing tool, supports multiple storage aggregation, online preview of 30+ file formats, and WebDAV mounting</h3>
 </div>
 
 <div align="center">
@@ -61,7 +61,7 @@
 ### Multi-Storage Support
 
 - **S3 Compatible**: Cloudflare R2, Backblaze B2, AWS S3, Alibaba Cloud OSS, Tencent Cloud COS, MinIO, etc.
-- **Cloud Storage Integration**: WebDAV, OneDrive, Google Drive, Telegram, GitHub API/Releases (read-only), etc.
+- **Cloud Storage Integration**: WebDAV, OneDrive, Google Drive, Telegram, HuggingFace Database, GitHub API/Releases (read-only), etc.
 - **Local Storage**: Docker deployment supports local file system
 - **Smart Upload**: Frontend pre-signed direct upload + streaming upload + chunked resumable upload, with real-time progress display, minimizing CF limitations
 - **File Preview**: Direct preview support for 30+ formats (images, videos, audio, PDF, Office, code, e-books, etc.), others can be previewed through external IFrame embedding [KKFileview](https://github.com/kekingcn/kkFileView)

README_CN.md

@@ -1,14 +1,14 @@
-# CloudPaste - 在线剪贴板 📋
+# CloudPaste 📋
 
 <div align="center">
     <p>
     <a href="README_CN.md">中文</a> | <a href="README.md">English</a> |
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=es">Español</a> | 
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=fr">français</a> | 
-    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=ja">日本語</a> 
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=es">Español</a> |
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=fr">français</a> |
+    <a href="https://www.readme-i18n.com/ling-drag0n/CloudPaste?lang=ja">日本語</a>
     </p>
     <img width="100" height="100" src="https://img.icons8.com/dusk/100/paste.png" alt="paste"/>
-    <h3>基于 Cloudflare 的在线剪贴板和文件分享服务，支持 Markdown 编辑和文件上传</h3>
+    <h3>🌩️ Serverless 文件管理与 Markdown 分享工具，支持多种存储聚合、30+文件格式在线预览 与 WebDAV挂载</h3>
 </div>
 
 <div align="center">
@@ -61,7 +61,7 @@
 ### 多存储支持
 
 - **S3 兼容**：Cloudflare R2、Backblaze B2、AWS S3、阿里云 OSS、腾讯云 COS、MinIO 等
-- **网盘集成**：WebDAV、OneDrive、Google Drive、Telegram、GitHub API/Releases（只读）等等
+- **网盘集成**：WebDAV、OneDrive、Google Drive、Telegram、HuggingFace Database、GitHub API/Releases（只读）等等
 - **本地存储**：Docker 部署支持本地文件系统
 - **智能上传**：前端预签名直传 + 流式上传 +分片断点续传，进度实时显示，最大限度摆脱cf限制
 - **文件预览**：支持30+种格式直接预览（图片、视频、音频、PDF、Office、代码、电子书等），其余可通过外部IFrame嵌入[KKFileview](https://github.com/kekingcn/kkFileView)预览

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cloudpaste-api",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "CloudPaste API基于Cloudflare Workers和D1数据库",
   "main": "unified-entry.js",
   "scripts": {
@@ -27,15 +27,15 @@
     "@aws-sdk/client-s3": "3.726.1",
     "@aws-sdk/lib-storage": "3.726.1",
     "@aws-sdk/s3-request-presigner": "3.726.1",
-    "@huggingface/hub": "^2.7.1",
     "@hono/node-server": "^1.19.6",
+    "@huggingface/hub": "^2.7.1",
     "better-sqlite3": "^12.5.0",
+    "cron-parser": "^5.4.0",
     "fast-xml-parser": "^5.2.5",
     "file-type": "^21.0.0",
     "hono": "^4.10.6",
     "mime-types": "^3.0.1",
     "node-schedule": "^2.1.1",
-    "cron-parser": "^5.4.0",
     "tsx": "^4.21.0",
     "webdav": "^5.8.0"
   },

backend/src/repositories/StorageConfigRepository.js

@@ -31,9 +31,10 @@ export class StorageConfigRepository extends BaseRepository {
           row,
         });
 
+        // 注意：row（表字段）优先级应高于 config_json（投影字段）
         const merged = {
-          ...row,
           ...(projected && typeof projected === "object" ? projected : {}),
+          ...row,
         };
 
         // 保留原始 config_json 对象（非枚举属性，避免对外暴露）

backend/src/routes/fs/multipart.js

@@ -5,7 +5,7 @@ import { MountManager } from "../../storage/managers/MountManager.js";
 import { FileSystem } from "../../storage/fs/FileSystem.js";
 import { getEncryptionSecret } from "../../utils/environmentUtils.js";
 import { usePolicy } from "../../security/policies/policies.js";
-import { findUploadSessionById, updateUploadSessionById } from "../../utils/uploadSessions.js";
+import { findUploadSessionById, normalizeUploadSessionUserId, updateUploadSessionById } from "../../utils/uploadSessions.js";
 import { validateFsItemName } from "../../storage/fs/utils/FsInputValidator.js";
 
 /**
@@ -93,6 +93,24 @@ export const registerMultipartRoutes = (router, helpers) => {
     return { db: c.env.DB, encryptionSecret: getEncryptionSecret(c), repositoryFactory: c.get("repos"), userInfo, userIdOrInfo, userType };
   };
 
+  const assertUploadSessionOwnedByUser = (sessionRow, userIdOrInfo, userType) => {
+    if (!sessionRow) {
+      throw new ValidationError("未找到对应的上传会话");
+    }
+
+    const expectedUserId = normalizeUploadSessionUserId(userIdOrInfo, userType);
+    const rowUserId = String(sessionRow.user_id || "");
+    const rowUserType = String(sessionRow.user_type || "");
+
+    // 必须至少匹配 user_id；user_type 为空时视为兼容旧数据（不做强校验）
+    const idMatches = rowUserId === String(expectedUserId || "");
+    const typeMatches = !rowUserType || rowUserType === String(userType || "");
+
+    if (!idMatches || !typeMatches) {
+      throw new AuthenticationError("上传会话不属于当前用户，拒绝访问");
+    }
+  };
+
   const assertValidFileName = (fileName) => {
     const result = validateFsItemName(fileName);
     if (result.valid) return;
@@ -148,6 +166,9 @@ export const registerMultipartRoutes = (router, helpers) => {
       assertValidFileName(fileName);
     }
 
+    const sessionRow = await findUploadSessionById(db, { id: uploadId });
+    assertUploadSessionOwnedByUser(sessionRow, userIdOrInfo, userType);
+
     const mountManager = new MountManager(db, encryptionSecret, repositoryFactory, { env: c.env });
     const fileSystem = new FileSystem(mountManager);
     const safeParts = Array.isArray(parts) ? parts : [];
@@ -167,6 +188,9 @@ export const registerMultipartRoutes = (router, helpers) => {
 
     assertValidFileName(fileName);
 
+    const sessionRow = await findUploadSessionById(db, { id: uploadId });
+    assertUploadSessionOwnedByUser(sessionRow, userIdOrInfo, userType);
+
     const mountManager = new MountManager(db, encryptionSecret, repositoryFactory, { env: c.env });
     const fileSystem = new FileSystem(mountManager);
     await fileSystem.abortFrontendMultipartUpload(path, uploadId, fileName, userIdOrInfo, userType);
@@ -200,6 +224,9 @@ export const registerMultipartRoutes = (router, helpers) => {
 
     assertValidFileName(fileName);
 
+    const sessionRow = await findUploadSessionById(db, { id: uploadId });
+    assertUploadSessionOwnedByUser(sessionRow, userIdOrInfo, userType);
+
     const mountManager = new MountManager(db, encryptionSecret, repositoryFactory, { env: c.env });
     const fileSystem = new FileSystem(mountManager);
     const result = await fileSystem.listMultipartParts(path, uploadId, fileName, userIdOrInfo, userType);
@@ -219,6 +246,9 @@ export const registerMultipartRoutes = (router, helpers) => {
 
     const safePartNumbers = Array.isArray(partNumbers) ? partNumbers : [];
 
+    const sessionRow = await findUploadSessionById(db, { id: uploadId });
+    assertUploadSessionOwnedByUser(sessionRow, userIdOrInfo, userType);
+
     // 状态机推进：请求分片 URL 视为“开始上传”
     try {
       await updateUploadSessionById(db, {
@@ -266,9 +296,7 @@ export const registerMultipartRoutes = (router, helpers) => {
     const contentLength = contentLengthHeader ? Number.parseInt(contentLengthHeader, 10) || 0 : 0;
 
     const sessionRow = await findUploadSessionById(db, { id: uploadId });
-    if (!sessionRow) {
-      throw new ValidationError("未找到对应的上传会话");
-    }
+    assertUploadSessionOwnedByUser(sessionRow, userIdOrInfo, userType);
 
     const mountManager = new MountManager(db, encryptionSecret, repositoryFactory, { env: c.env });
     const fileSystem = new FileSystem(mountManager);

backend/src/routes/systemRoutes.js

@@ -97,7 +97,7 @@ systemRoutes.get("/api/version", async (c) => {
   const isDocker = runtimeEnv === "docker";
 
   // 统一的默认版本配置
-  const DEFAULT_VERSION = "1.8.0";
+  const DEFAULT_VERSION = "1.9.0";
   const DEFAULT_NAME = "cloudpaste-api";
 
   let version = DEFAULT_VERSION;