upload: Use tusd for resumable, larger uploads.

Currently, it handles two hook types: 'pre-create' (to verify that the
user is authenticated and the file size is within the limit) and
'pre-finish' (which creates an attachment row).

No secret is shared between Django and tusd for authentication of the
hooks endpoints, because none is necessary -- tusd forwards the
end-user's credentials, and the hook checks them like it would any
end-user request.  An end-user gaining access to the endpoint would be
able to do no more harm than via tusd or the normal file upload API.

Regardless, the previous commit has restricted access to the endpoint
at the nginx layer.

Co-authored-by: Brijmohan Siyag <brijsiyag@gmail.com>
This commit is contained in:
Alex Vandiver
2024-09-05 21:04:56 +00:00
committed by Tim Abbott
parent 02d3fb7666
commit 818c30372f
17 changed files with 817 additions and 15 deletions


@@ -176,6 +176,7 @@ from zerver.views.streams import (
)
from zerver.views.submessage import process_submessage
from zerver.views.thumbnail import backend_serve_thumbnail
from zerver.views.tusd import handle_tusd_hook
from zerver.views.typing import send_notification_backend
from zerver.views.unsubscribe import email_unsubscribe
from zerver.views.upload import (
@@ -732,11 +733,12 @@ for app_name in settings.EXTRA_INSTALLED_APPS:
urls += [path("", include(f"{app_name}.urls"))]
i18n_urls += import_string(f"{app_name}.urls.i18n_urlpatterns")
# Used internally for communication between command-line, Django,
# Used internally for communication between command-line, tusd, Django,
# and Tornado processes
urls += [
path("api/internal/email_mirror_message", email_mirror_message),
path("api/internal/notify_tornado", notify),
path("api/internal/tusd", handle_tusd_hook),
path("api/internal/web_reload_clients", web_reload_clients),
path("api/v1/events/internal", get_events_internal),
]
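Review bot: the new `path("api/internal/tusd", handle_tusd_hook)` entry has no Django-side access restriction of its own; the commit message says it is safe because the hook re-checks the forwarded end-user credentials and because the previous commit restricted the path at the nginx layer, but neither dependency is visible at this call site. Consider stating it in the comment that introduces the block, for example `# and Tornado processes; these paths are also restricted to local access in nginx`, so that a later change to the nginx config, or a deployment that fronts Django with something other than nginx, does not silently expose the hook endpoint.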