feat: add UploadHanlder interface (#21352)

Add upload handler callback
when xhr upload happens.

closes #21232
closes #21233

Author: caalador

flow-server/src/main/java/com/vaadin/flow/server/Constants.java

@@ -408,6 +408,23 @@ public final class Constants implements Serializable {
      */
     public static final String ATTRIBUTE_HEIGHT_FULL = "data-height-full";
 
+    /**
+     * maximum allowed size of a complete request for multipart stream upload
+     * requests.
+     */
+    public static final long DEFAULT_REQUEST_SIZE_MAX = -1;
+
+    /**
+     * maximum allowed size of a single uploaded file for multipart stream
+     * upload requests.
+     */
+    public static final long DEFAULT_FILE_SIZE_MAX = -1;
+
+    /**
+     * maximum number of files allowed per multipart stream upload requests.
+     */
+    public static final long DEFAULT_FILE_COUNT_MAX = 10000;
+
     private Constants() {
         // prevent instantiation constants class only
     }

flow-server/src/main/java/com/vaadin/flow/server/communication/StreamReceiverHandler.java

@@ -17,6 +17,9 @@
 
 import javax.naming.SizeLimitExceededException;
 
+import static com.vaadin.flow.server.Constants.DEFAULT_FILE_COUNT_MAX;
+import static com.vaadin.flow.server.Constants.DEFAULT_FILE_SIZE_MAX;
+import static com.vaadin.flow.server.Constants.DEFAULT_REQUEST_SIZE_MAX;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import java.io.BufferedWriter;
@@ -77,16 +80,10 @@ public class StreamReceiverHandler implements Serializable {
 
     private static final int MAX_UPLOAD_BUFFER_SIZE = 4 * 1024;
 
-    static final long DEFAULT_SIZE_MAX = -1;
-
-    static final long DEFAULT_FILE_SIZE_MAX = -1;
-
-    static final long DEFAULT_FILE_COUNT_MAX = 10000;
-
     /* Minimum interval which will be used for streaming progress events. */
     public static final int DEFAULT_STREAMING_PROGRESS_EVENT_INTERVAL_MS = 500;
 
-    private long requestSizeMax = DEFAULT_SIZE_MAX;
+    private long requestSizeMax = DEFAULT_REQUEST_SIZE_MAX;
 
     private long fileSizeMax = DEFAULT_FILE_SIZE_MAX;
 

flow-server/src/main/java/com/vaadin/flow/server/communication/StreamRequestHandler.java

@@ -18,6 +18,8 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.Optional;
 
 import org.slf4j.Logger;
@@ -28,18 +30,22 @@
 import com.vaadin.flow.internal.StateNode;
 import com.vaadin.flow.internal.UrlUtil;
 import com.vaadin.flow.server.AbstractStreamResource;
+import com.vaadin.flow.server.ErrorEvent;
 import com.vaadin.flow.server.HttpStatusCode;
 import com.vaadin.flow.server.RequestHandler;
 import com.vaadin.flow.server.StreamReceiver;
 import com.vaadin.flow.server.StreamResource;
 import com.vaadin.flow.server.StreamResourceRegistry;
+import com.vaadin.flow.server.UploadException;
 import com.vaadin.flow.server.VaadinRequest;
 import com.vaadin.flow.server.VaadinResponse;
 import com.vaadin.flow.server.VaadinSession;
+import com.vaadin.flow.server.frontend.FrontendUtils;
+import com.vaadin.flow.server.streams.UploadHandler;
 
-import static com.vaadin.flow.server.communication.StreamReceiverHandler.DEFAULT_FILE_COUNT_MAX;
-import static com.vaadin.flow.server.communication.StreamReceiverHandler.DEFAULT_FILE_SIZE_MAX;
-import static com.vaadin.flow.server.communication.StreamReceiverHandler.DEFAULT_SIZE_MAX;
+import static com.vaadin.flow.server.Constants.DEFAULT_FILE_COUNT_MAX;
+import static com.vaadin.flow.server.Constants.DEFAULT_FILE_SIZE_MAX;
+import static com.vaadin.flow.server.Constants.DEFAULT_REQUEST_SIZE_MAX;
 
 /**
  * Handles {@link StreamResource} and {@link StreamReceiver} instances
@@ -109,48 +115,108 @@ public boolean handleRequest(VaadinSession session, VaadinRequest request,
 
         AbstractStreamResource resource = abstractStreamResource.get();
         if (resource instanceof StreamResourceRegistry.ElementStreamResource elementRequest) {
-            Element owner = elementRequest.getOwner();
-            StateNode node = owner.getNode();
-
-            if ((node.isInert()
-                    && !elementRequest.getElementRequestHandler().allowInert())
-                    || !node.isAttached() || !node.isEnabled()) {
-                response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
-                        "Resource not available");
-                return true;
-            } else {
-                elementRequest.getElementRequestHandler().handleRequest(request,
-                        response, session, elementRequest.getOwner());
-            }
+            callElementResourceHandler(session, request, response,
+                    elementRequest, pathInfo);
         } else if (resource instanceof StreamResource) {
             resourceHandler.handleRequest(session, request, response,
                     (StreamResource) resource);
         } else if (resource instanceof StreamReceiver streamReceiver) {
-            String[] parts = parsePath(pathInfo);
+            PathData parts = parsePath(pathInfo);
 
             receiverHandler.handleRequest(session, request, response,
-                    streamReceiver, parts[0], parts[1]);
+                    streamReceiver, parts.UIid, parts.securityKey);
         } else {
             getLogger().warn("Received unknown stream resource.");
         }
         return true;
     }
 
+    private void callElementResourceHandler(VaadinSession session,
+            VaadinRequest request, VaadinResponse response,
+            StreamResourceRegistry.ElementStreamResource elementRequest,
+            String pathInfo) throws IOException {
+        Element owner = elementRequest.getOwner();
+        StateNode node = owner.getNode();
+
+        if ((node.isInert()
+                && !elementRequest.getElementRequestHandler().allowInert())
+                || !node.isAttached() || !node.isEnabled()) {
+            response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
+                    "Resource not available");
+            return;
+        }
+
+        if (elementRequest
+                .getElementRequestHandler() instanceof UploadHandler) {
+            // Validate upload security key. Else respond with
+            // FORBIDDEN.
+            PathData parts = parsePath(pathInfo);
+            session.lock();
+            try {
+                String secKey = elementRequest.getId();
+                if (secKey == null || !MessageDigest.isEqual(
+                        secKey.getBytes(StandardCharsets.UTF_8),
+                        parts.securityKey.getBytes(StandardCharsets.UTF_8))) {
+                    LoggerFactory.getLogger(StreamRequestHandler.class).warn(
+                            "Received incoming stream with faulty security key.");
+                    response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
+                            "Resource not available");
+                    return;
+                }
+
+                // Set current UI to upload url ui.
+                UI ui = session.getUIById(Integer.parseInt(parts.UIid));
+                UI.setCurrent(ui);
+
+                if (node == null) {
+                    session.getErrorHandler()
+                            .error(new ErrorEvent(new UploadException(
+                                    "File upload ignored because the node for the upload owner component was not found")));
+                    response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
+                            "Resource not available");
+                    return;
+                }
+                if (!node.isAttached()) {
+                    session.getErrorHandler()
+                            .error(new ErrorEvent(new UploadException(
+                                    "Warning: file upload ignored for "
+                                            + node.getId()
+                                            + " because the component was disabled")));
+                    response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
+                            "Resource not available");
+                    return;
+                }
+            } finally {
+                session.unlock();
+            }
+        }
+
+        elementRequest.getElementRequestHandler().handleRequest(request,
+                response, session, elementRequest.getOwner());
+    }
+
+    private record PathData(String UIid, String securityKey, String fileName) {
+    }
+
     /**
      * Parse the pathInfo for id data.
      * <p>
      * URI pattern: VAADIN/dynamic/resource/[UIID]/[SECKEY]/[NAME]
      *
      * @see #generateURI
      */
-    private String[] parsePath(String pathInfo) {
+    private PathData parsePath(String pathInfo) {
         // strip away part until the data we are interested starts
         int startOfData = pathInfo.indexOf(DYN_RES_PREFIX)
                 + DYN_RES_PREFIX.length();
 
         String uppUri = pathInfo.substring(startOfData);
         // [0] UIid, [1] security key, [2] name
-        return uppUri.split("/", 3);
+        String[] split = uppUri.split("/", 3);
+        if (split.length == 3) {
+            return new PathData(split[0], split[1], split[2]);
+        }
+        return new PathData(split[0], split[1], "");
     }
 
     /**
@@ -195,7 +261,7 @@ private static Optional<URI> getPathUri(String path) {
      * @return maximum request size for upload
      */
     protected long getRequestSizeMax() {
-        return DEFAULT_SIZE_MAX;
+        return DEFAULT_REQUEST_SIZE_MAX;
     }
 
     /**