feat: enhance multi-part upload API with uploadToken for session-specific authentication

Author: MagicFun1241

MULTIPART_UPLOAD.md

@@ -8,13 +8,17 @@ The server provides three endpoints:
 - Upload a single part: POST /videos/multiparts/:uploadId/parts/:partIndex
 - Check upload status: GET /videos/multiparts/:uploadId
 
-Security: All multi-part endpoints require the `token` query parameter matching the `APP_TOKEN` configuration value.
-Uploading must also be enabled via `APP_UPLOADING_ENABLED=true` and S3 must be configured.
-Redis is required for upload tracking when using multi-part uploads.
+Security: 
+- The initialization endpoint requires `token` query parameter matching `APP_TOKEN`.
+- Part upload requires `uploadToken` (a unique token generated per upload session, returned by init).
+- Status check requires `token` query parameter matching `APP_TOKEN`.
+- Uploading must be enabled via `APP_UPLOADING_ENABLED=true` and S3 must be configured.
+- Redis is required for upload tracking when using multi-part uploads.
 
 ## Key concepts
 
 - uploadId: A server-generated identifier for the multi-part upload session. Returned by the initialization endpoint.
+- uploadToken: A secure random token generated per upload session. Use this to authenticate part uploads (not APP_TOKEN).
 - parts: The file is split into N parts according to the configured chunk size. Each part has index, offset and size.
 - partIndex: Zero-based index of a part in the upload session.
 - chunkSize: The per-part size in bytes. Default is 80 MB (80 * 1024 * 1024). Can be overridden during init.
@@ -49,6 +53,7 @@ Response (200 OK)
 ```json
 {
   "uploadId": "<upload-id>",
+  "uploadToken": "<secure-random-token>",
   "location": "videos/user123/my-video.mp4",
   "totalSize": 157286400,
   "chunkSize": 83886080,
@@ -69,26 +74,28 @@ Errors
 
 Notes
 - The server computes partsCount = ceil(size / chunkSize) and returns an array of part metadata with offsets and sizes.
+- The server generates a unique `uploadToken` for this session. Save this token - you'll need it to upload parts.
 - Upload tracking is stored in Redis under the key `upload:{uploadId}` and kept until the upload `expiresAt` (or a configured TTL).
 
 ## 2) Upload a part
 
 Endpoint
 ```
-POST /videos/multiparts/:uploadId/parts/:partIndex?token={token}
+POST /videos/multiparts/:uploadId/parts/:partIndex?uploadToken={uploadToken}
 ```
 
 Path parameters
 - uploadId (required) — upload session id returned by init
 - partIndex (required) — zero-based part index to upload
 
 Query parameters
-- token (required) — must match `APP_TOKEN`
+- uploadToken (required) — the unique token returned by the init endpoint (NOT APP_TOKEN)
 
 Form data
 - video (required) — the multipart `video` field containing raw bytes for this part. The server expects the part size to exactly match the declared size for this part.
 
 Behavior
+- The server validates the `uploadToken` against the stored upload session.
 - The server reads the `uploadId` info from Redis, validates the `partIndex` and the part size.
 - The part is stored in S3 under `{location}.part{partIndex}` using the configured S3 client.
 - The server marks the part as uploaded in Redis.
@@ -97,7 +104,6 @@ Behavior
 Response (200 OK)
 ```json
 {
-  "success": true,
   "uploadId": "1234567890-videos/user123/video.mp4",
   "partIndex": 0,
   "size": 83886080,
@@ -108,12 +114,10 @@ Response (200 OK)
 When the last part is uploaded:
 ```json
 {
-  "success": true,
   "uploadId": "1234567890-videos/user123/video.mp4",
   "partIndex": 1,
   "size": 73400320,
-  "complete": true,
-  "message": "upload complete, parts will be merged"
+  "complete": true
 }
 ```
 
@@ -185,7 +189,7 @@ curl -X POST \
 ### cURL: upload part 0
 ```bash
 curl -X POST \
-  "http://localhost:3000/videos/multiparts/<UPLOAD_ID>/parts/0?token=${APP_TOKEN}" \
+  "http://localhost:3000/videos/multiparts/<UPLOAD_ID>/parts/0?uploadToken=${UPLOAD_TOKEN}" \
   -F "video=@part0.bin" \
   -i
 ```

README.md

@@ -293,7 +293,6 @@ POST /videos?deadline={unix_timestamp}&location={base64_location}&signature={hma
 **Response (201 Created):**
 ```json
 {
-  "success": true,
   "location": "videos/user123/my-video.mp4",
   "size": 1048576
 }
@@ -380,202 +379,7 @@ For more details, see [VIDEO_UPLOAD.md](VIDEO_UPLOAD.md).
 
 For large video files, the service supports multi-part uploads with progress tracking via Redis.
 
-#### Configuration
-```bash
-export APP_UPLOADING_ENABLED=true
-export APP_TOKEN="your-upload-token"
-export REDIS_ENABLED=true
-export REDIS_ADDR="localhost:6379"
-export S3_ENABLED=true
-export S3_ENDPOINT="s3.amazonaws.com"
-export S3_ACCESS_KEY_ID="your-access-key"
-export S3_SECRET_ACCESS_KEY="your-secret-key"
-export S3_BUCKET="your-bucket"
-export APP_CHUNK_SIZE=83886080  # 80MB chunks
-```
-
-#### Step 1: Initialize Multi-Part Upload
-```
-POST /videos/multiparts?token={token}&deadline={unix_timestamp}&location={location}&size={bytes}&contentType={mime_type}&chunkSize={bytes}
-```
-
-**Query Parameters:**
-- `token`: Authentication token (required)
-- `deadline`: Unix timestamp when upload expires (required)
-- `location`: S3 object key where video will be stored (required)
-- `size`: Total file size in bytes (required)
-- `contentType`: Video MIME type (required)
-- `chunkSize`: Optional chunk size in bytes (default: 80MB)
-
-**Response (200 OK):**
-```json
-{
-  "uploadId": "1234567890-videos/user123/video.mp4",
-  "location": "videos/user123/video.mp4",
-  "totalSize": 157286400,
-  "chunkSize": 83886080,
-  "partsCount": 2,
-  "parts": [
-    { "index": 0, "offset": 0, "size": 83886080 },
-    { "index": 1, "offset": 83886080, "size": 73400320 }
-  ],
-  "expiresAt": "2025-11-03T12:00:00Z"
-}
-```
-
-#### Step 2: Upload Each Part
-```
-POST /videos/multiparts/{uploadId}/parts/{partIndex}?token={token}
-```
-
-**Path Parameters:**
-- `uploadId`: Upload ID from initialization (required)
-- `partIndex`: Zero-based part index (required)
-
-**Query Parameters:**
-- `token`: Authentication token (required)
-
-**Form Data:**
-- `video`: The video part data (required)
-
-**Response (200 OK):**
-```json
-{
-  "success": true,
-  "uploadId": "1234567890-videos/user123/video.mp4",
-  "partIndex": 0,
-  "size": 83886080,
-  "complete": false
-}
-```
-
-When the last part is uploaded:
-```json
-{
-  "success": true,
-  "uploadId": "1234567890-videos/user123/video.mp4",
-  "partIndex": 1,
-  "size": 73400320,
-  "complete": true,
-  "message": "upload complete, parts will be merged"
-}
-```
-
-#### Step 3: Check Upload Status
-```
-GET /videos/multiparts/{uploadId}?token={token}
-```
-
-**Path Parameters:**
-- `uploadId`: Upload ID from initialization (required)
-
-**Query Parameters:**
-- `token`: Authentication token (required)
-
-**Response (200 OK):**
-```json
-{
-  "uploadId": "1234567890-videos/user123/video.mp4",
-  "location": "videos/user123/video.mp4",
-  "totalSize": 157286400,
-  "partsCount": 2,
-  "uploadedParts": [0, 1],
-  "uploadedCount": 2,
-  "complete": true,
-  "progress": 100,
-  "contentType": "video/mp4",
-  "createdAt": "2025-11-03T11:00:00Z",
-  "expiresAt": "2025-11-03T12:00:00Z"
-}
-```
-
-#### Example: Multi-Part Upload (Node.js)
-```javascript
-const fs = require('fs');
-const FormData = require('form-data');
-
-const CHUNK_SIZE = 80 * 1024 * 1024; // 80MB
-const token = 'your-upload-token';
-const baseUrl = 'http://localhost:3000';
-
-async function uploadVideoMultipart(filePath, location) {
-  // Get file stats
-  const stats = fs.statSync(filePath);
-  const fileSize = stats.size;
-  const contentType = 'video/mp4';
-  
-  // Calculate deadline (5 hours from now)
-  const deadline = Math.floor(Date.now() / 1000) + (5 * 3600);
-  
-  // Step 1: Initialize upload
-  const initUrl = new URL(`${baseUrl}/videos/multiparts`);
-  initUrl.searchParams.set('token', token);
-  initUrl.searchParams.set('deadline', deadline);
-  initUrl.searchParams.set('location', location);
-  initUrl.searchParams.set('size', fileSize);
-  initUrl.searchParams.set('contentType', contentType);
-  initUrl.searchParams.set('chunkSize', CHUNK_SIZE);
-  
-  const initResponse = await fetch(initUrl, { method: 'POST' });
-  const uploadInfo = await initResponse.json();
-  
-  console.log(`Upload initialized: ${uploadInfo.uploadId}`);
-  console.log(`Total parts: ${uploadInfo.partsCount}`);
-  
-  // Step 2: Upload each part
-  const fileStream = fs.createReadStream(filePath);
-  
-  for (const part of uploadInfo.parts) {
-    console.log(`Uploading part ${part.index + 1}/${uploadInfo.partsCount}...`);
-    
-    // Read chunk from file
-    const buffer = Buffer.alloc(part.size);
-    const fd = fs.openSync(filePath, 'r');
-    fs.readSync(fd, buffer, 0, part.size, part.offset);
-    fs.closeSync(fd);
-    
-    // Create form data
-    const formData = new FormData();
-    formData.append('video', buffer, { filename: 'part.mp4' });
-    
-    // Upload part
-    const uploadUrl = new URL(`${baseUrl}/videos/multiparts/${uploadInfo.uploadId}/parts/${part.index}`);
-    uploadUrl.searchParams.set('token', token);
-    
-    const partResponse = await fetch(uploadUrl, {
-      method: 'POST',
-      body: formData
-    });
-    
-    const result = await partResponse.json();
-    console.log(`Part ${part.index} uploaded (${result.complete ? 'COMPLETE' : 'in progress'})`);
-  }
-  
-  // Step 3: Check final status
-  const statusUrl = new URL(`${baseUrl}/videos/multiparts/${uploadInfo.uploadId}`);
-  statusUrl.searchParams.set('token', token);
-  
-  const statusResponse = await fetch(statusUrl);
-  const status = await statusResponse.json();
-  
-  console.log(`Upload complete: ${status.complete}`);
-  console.log(`Progress: ${status.progress}%`);
-  
-  return status;
-}
-
-// Usage
-uploadVideoMultipart('./large-video.mp4', 'videos/user123/large-video.mp4')
-  .then(status => console.log('Done!', status))
-  .catch(err => console.error('Error:', err));
-```
-
-#### Benefits of Multi-Part Upload
-- **Resume capability**: Track which parts have been uploaded
-- **Parallel uploads**: Upload multiple parts simultaneously
-- **Progress tracking**: Monitor upload progress in real-time
-- **Large file support**: Handle files larger than server memory limits
-- **Fault tolerance**: Retry individual parts on failure
+For detailed documentation including API endpoints, parameters, examples, and security model, see [MULTIPART_UPLOAD.md](MULTIPART_UPLOAD.md).
 
 ## URL Encoding for Path-based Format
 

routes/multipart_upload.go

@@ -2,6 +2,8 @@ package routes
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"time"
@@ -28,6 +30,7 @@ type UploadPart struct {
 // UploadInfo represents the multi-part upload tracking information
 type UploadInfo struct {
 	UploadID      string       `json:"uploadId"`
+	UploadToken   string       `json:"uploadToken"` // Token specific to this upload session
 	Location      string       `json:"location"`
 	TotalSize     int64        `json:"totalSize"`
 	ChunkSize     int64        `json:"chunkSize"`
@@ -75,6 +78,15 @@ func (r *RedisUploadTracker) Close() error {
 	return r.client.Close()
 }
 
+// generateUploadToken generates a secure random token for upload authentication
+func generateUploadToken() (string, error) {
+	bytes := make([]byte, 32) // 256-bit token
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(bytes), nil
+}
+
 // InitializeUpload creates upload tracking information and returns part details
 func (r *RedisUploadTracker) InitializeUpload(ctx context.Context, uploadID, location string, totalSize int64, chunkSize int64, contentType string, deadline time.Time) (*UploadInfo, error) {
 	if r == nil || r.client == nil {
@@ -85,6 +97,12 @@ func (r *RedisUploadTracker) InitializeUpload(ctx context.Context, uploadID, loc
 		chunkSize = DefaultChunkSize
 	}
 
+	// Generate upload-specific token
+	uploadToken, err := generateUploadToken()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate upload token: %w", err)
+	}
+
 	// Calculate parts
 	partsCount := int((totalSize + chunkSize - 1) / chunkSize) // Ceiling division
 
@@ -108,6 +126,7 @@ func (r *RedisUploadTracker) InitializeUpload(ctx context.Context, uploadID, loc
 
 	uploadInfo := &UploadInfo{
 		UploadID:      uploadID,
+		UploadToken:   uploadToken,
 		Location:      location,
 		TotalSize:     totalSize,
 		ChunkSize:     chunkSize,