I'm wondering how I can get actual downloaded path. because when I print out ctx.request.body.files.pic.path, I get something like '/var/folders/ls/75t48c651sb1pt749vj3wz4m0000gn/T/upload_dc1a848b5aa6da5ff38bbb21d610199e' but actually It's supposed to be /uploads/filename. you can see this in my code below

import IncomingForm from "formidable";
import shortid from "shortid";
import path from "path";

let form = new IncomingForm();
form.encoding = "utf-8";

form.on("fileBegin", function(name, file) {
  let regex = /[^.]*/;
  let fileName = file.name.replace(regex, shortid());
  file.path = path.join(__dirname + "/../uploads/", fileName);
});

export default form;

Hi everyone,

Apologies for the slow responses as of recent. Life has been hectic for me, and I haven't been able to take the time properly maintain this module.

I'm looking for someone to take over this project. The only condition I am stipulating is that I would like it to continue along the lines of a small lightweight middleware that does one thing very well.

Best,
Daryl

DeprecationWarning: os.tmpDir() is deprecated. Use os.tmpdir() instead.

formidable is throwing this warning. This is fixed in the latest version of formidable v1.1.1 released Jan 15, 2017.

https://github.com/felixge/node-formidable/releases

Just opening this issue to track when this module will support koa v2.

The code example using koa-router doesn't works neither the files koa-router.js and multipart.js in the examples directory. All generates the error below:

assert.js:86
  throw new assert.AssertionError({
        ^
AssertionError: app.use() requires a generator function

Screenshot:

About 50% of my POST requests result in koa-body attaching an empty object (i.e this.request.body = {}), as opposed to a set of files uploaded.

Here's a request that failed:
headers
body

And one that succeeded:
headers
body

I can't see anything notably different between these. Digging into Formidable now — I assume there's a decent chance it's coming from there — but figured it was worth documenting here.

koa-body support post xml analysis?

I set koa-body options to

{
    formidable:{
        uploadDir: './static/uploads',
        keepExtensions:true,
        maxFieldsSize :1024*1024,  //1M
    },

    multipart: true,
    urlencoded: true,
}

when I upload a file with size larger than 1M, I get a 0 size file in my disk, but koa-body do not throw this error. How I can handle it ?

I wander if I can check the file's type before uploading it to the disk. So that I can interrupt the job with the wrong type of file.
For example, formidable expose IncomingForm.prototype.onPart to users so that we can define our own function to handle it.

form.onPart = function(part){
  if(part.mime.indexOf('image') != -1){
    this._error(new Error('wrong file type'));
  } else {
    this.handlePart(part); // default work of formidable
  }
}

do you don't care of empty html file submit? it make Junk files!

Hi, I am using koa-body 1.4.0, and have two issues:
1, In the doc the keepExtensions says default to true, but my test is false.
2, If in my form both text input and fileupload present, and if I just input text with no file, after submitting, koa-body will still generate a blank file into my dir
Here are my related codes:

const koaBody = require('koa-body')({
  multipart:true,
  formidable:{
    uploadDir: path.join(__dirname, '../public/audio'),
    keepExtensions: true
  }
});
...
...
/**
 * get upload page
 */
router.get('/upload', co.wrap(function* (ctx, next) {
  ctx.body = `
    <!doctype html>
    <html><body>
      <form action="/upload" enctype="multipart/form-data" method="post">
      <input type="text" name="username" placeholder="username"><br>
      <input type="text" name="title" placeholder="tile of film"><br>
      <input type="file" name="uploads" multiple="multiple"><br>
      <button type="submit">Upload</button>
    </body></html>
  `;
}));
/**
 * upload interface, img, audio, etc.
 *
 */
router.post('/upload', convert(koaBody), co.wrap(function* (ctx, next) {
  ctx.body = ctx.request.body;
  console.log(ctx.request.body);
}));

I checked the docs and can't find any way of accessing the raw stream. In node-formidable module, there is a onPart function by which you can add an listener. But seems it doesn't work with this module.

Thinking about this, some articles have cropped up recently:

https://blogs.dropbox.com/developers/2015/03/limitations-of-the-get-method-in-http/

Is it a good idea to be permissive by default?

When sending an array in a simple urlencoded POST, it gets converted into an object or an array of objects thanks to the qs lib used by the co-body lib.

Example:

 books[new-1][is_new]=1
 books[new-1][title]=test

Becomes:

 {
     "books": {
         "new-1": {
             "is_new": "1",
             "title":"test"
         }
     }
 }

But when the same field is sent in a multipart POST (e.g. with a picture). Then the formidable lib is used, and because this lib only processes the fields independantly, it doesn't do the conversion and we end up having the following:

 {
     "books[new-1][is_new]":"1",
     "books[new-1][title]":"test"
 }

A simple fix I have found is to ask qs to rebuild a query string and reparse it instantly like so:

qs.parse(qs.stringify(body.fields))

It probably is not the best solution but it does the job

Is there any way to handle the Error. For example, if I set the uploadDir as a path which doesn't exist, the app will crash.

Whenever I add koaBody as a middleware, no matter what order, koa returns Not Found all the time

I'd love to use this package with the recent type definition files you've added without having to add them manual.

Please update the NPM package 🙂

"koa-router": "^7.3.0"

this is version, app.use can work, but router not work!!!

Request Object

{
	"title" : "Coca Cola",
	"details" : "More and More countries",
	"content" : {
		"options" : {
			"background" : {
				"color" : "#443344"
			}
		},
		"data" : "Hello world"
	}
}

Expected

{
	"title" : "Coca Cola",
	"details" : "More and More countries",
	"content" : {
		"options" : {
			"background" : {
				"color" : "#443344"
			}
		},
		"data" : "Hello world"
	}
}

Actual

{
	"title" : "Coca Cola",
	"details" : "More and More countries",
	"content[options][background][color]" : "#443344",
        "data" : "Hello world"
}

not support DELETE method? or how to plz...

It looks like my request handler is getting called before the upload is complete. Is this how it works? I'm using the formidable: {uploadDir}.

I need to wait for this to complete (aka the formidable onEnd event). Is there a way to wait on this in my request handler?

https://helmetjs.github.io/docs/csp/

part: CSP violations

type: ['json', 'application/csp-report'] not work

I've tried a really quick test with koa-router example you provided and this.request.body returns empty object.

There should be an option to use any type you want instead of 3 dedicated types.
In my case, I need to use application/vnd.api+json

resources:
https://www.npmjs.com/package/type-is#readme

it will throw an error if the uploaddir folder does not exist, although i just need to write one line, i think it's more convenient that koabody can automatically create the uploadDir folder. would you please add the code?

@dlau publish if you want, or discuss.

I need to parse many requests with images and forward them to another server. Is there a way to avoid writing each one to a file? I would rather access some sort of Buffer with the file's data in it. Here is an example request:

curl -F "image=@$HOME/Pictures/blue_red_pill.jpg" -F "username=slim" http://localhost:3234/uploadImage

Hi! There should really be a way to limit the max size for files upload.

In my understanding, this is relates to node-formidable/formidable#324 (comment).

Any thoughts? Cheers!

today,I found a issue when using form-data，this middleware not parse object like

i found cource code

Seems to only support

Excuse me, my English is poor.

The deps version of co-body now is *, and just hours ago co-body release a new version(6.0.0), our Node server(6.10) down because of syntax error, so I think to lock the version.

Hi,

I'm experiencing something strange with error handling when using koa-body.

Errors thrown in my middleware results in unhandled rejections when i have koa-body registered as a middleware.

I tried to reduce this to a minimal use case:

  import koaBody from 'koa-body';

  router.post('/noKb', async (ctx, next) => {
    ctx.throw(500);
    await next();
  });

  router.post('/kb', koaBody(), async (ctx, next) => {
    ctx.throw(500);
    await next();
  });

The first example handles the error as I would expect, but the second route now throws this:

Unhandled rejection InternalServerError: Internal Server Error

As I'm quite new to Koa, I might be doing something wrong here, please let me know if thats the case.

Expected the IKoaBodyFormidableOptions interface to add the following options for the latest version of formidable(1.2.0, https://github.com/felixge/node-formidable/blob/master/lib/incoming_form.js)

maxFileSize?: number;
encoding?: string;

The bytesExpected?: number; option doesn't seem to work so it can be removed for less confusion.

Context:
koaBody is configured with file uploads and custom uploadsDir. If the directory does not exist, an error is thrown that forces the process to require a restart.

Error: ENOENT: no such file or directory, open

Current local setup uses pm2 to manage process that restarts it, although it would be nice if that kind of things would not force the Koa server process to halt.

Seems like this is being propagated from Formidable.

Upon installation, npm is generating this warning:

$ npm i
npm WARN notice [SECURITY] superagent has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=superagent&version=2.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

Details: https://nodesecurity.io/advisories?search=superagent&version=2.3.0

ED: Appears to be a sub-dep of supertest, so not as critical of an issue.

fileBegin event from formidable never gets triggered when using koa-body(works fine with koa-better-body) It's really weird that It worked until yeserday and it randomly stopped working. file path should be /uploads/file_name but since fileBegin event never get triggered, file path is always like PROJECT_FOLDER/upload_3b1ae29425ef0e8f45a121173cec0d27/. Does anyone have any idea about this?

import Router from 'koa-router'
import IncomingForm from 'formidable'
import shortid from 'shortid'
import path from 'path'

const router = new Router()

router.post('/image/cover', async (ctx, next) => {
    let form = new IncomingForm();
form.encoding = "utf-8";

form.on("fileBegin", function(name, file) {
    let regex = /[^.]*/
    console.log("file name is", file.name)
    let fileName = file.name.replace(regex, shortid())
    file.path = path.join(__dirname + '/../uploads/', fileName)
});
    console.log(ctx.request.body.files.cover.path)
    //ctx.body = { url: URLpath }
})

Hi! Can I get blob file in koa?
I send data from browser jQuery

$.ajax({
                    url: '/api/attachments/',
                    method: 'POST',
                    data: blob, // result FileReader.readAsArrayBuffer => blob
                    processData: false,
                    headers : {
                        'Content-Type': file.type != '' ? file.type : 'application/octet-stream' //  => image/jpeg
                    }
                });

node-formidable/formidable#324

Hi,

I'm trying to figure out how to set the filename of an incoming multipart upload. I'd prefer to avoid renaming the file afterwards.

Formidable docs mention this:

• https://github.com/felixge/node-formidable#formidablefile
• https://github.com/felixge/node-formidable#filebegin

Is there any way to access form and the fileBegin event using koa-body?

Thanks!

Hi,

I've just realised that it is very easy to create a big security vulnerability when using this package to upload files (I almost did this on my site).

Suppose you have JSON body parsing enabled on a POST or PUT route, say '/upload-files', as well as multipart parsing. This is quite easy to do e.g. if you add JSON parsing as global middleware. Suppose it expects the files to be in a field named 'uploads'. Then you can make a POST or PUT request to '/upload-files' with a JSON body that looks something like {"files": {"uploads": [{"path": "/any/file/path"}]}}, making the request handler think a file has been uploaded to /any/file/path. Now suppose that the handler is set up to copy uploaded files into a public uploads folder. By choosing the path appropriately I can make the server copy any file I like on the server into the public uploads folder and then view its contents. So by using well-known paths of sensitive files I can read private keys, passwords etc. and maybe even gain full access to the server this way.

I haven't tried actually doing this, but I think it's correct (sorry if I'm wrong). In my opinion, it would be better to put the files object on ctx.request instead of ctx.request.body, so that we know it can be trusted.

Thanks.

@dlau

Hi, thanks for your awesome koa2 middleware. It is really powerful.

Now i have an advice for upload files.

when user specify a folder for the upload files, generate the specified folder automatically if the folder not existed

app.use(koaBody({
    multipart: true,
    formidable: {
        uploadDir: './uploads',
        keepExtensions: true,
        onFileBegin: function(name, file) {
            file.path = 'uploads/' + file.name
        }
    }
}))

➜  koa2-test node "/Users/percy/working/koa2-test/app.js"
server at http://localhost:3333 ~
请求: GET /
请求: POST /page/upload
events.js:182
      throw er; // Unhandled 'error' event
      ^

Error: ENOENT: no such file or directory, open 'uploads/'

If i do not create the folder manually, i will get the error message as shown above.

could you create some?

In the section "Some options for formidable" of documentation, it indicates:

maxFields {Integer} Limits the number of fields that the querystring parser will decode, default 10
maxFieldsSize {Integer} Limits the amount of memory a field (not file) can allocate in bytes, default 2mb

For "maxFields", it's 1000 in formidable.
For "maxFieldsSize", here you indicated the amount of a field, but actually it is the amount of all form fields.

Hi

there is a typo in README at Some options for formidable section

maxFieldsSize {Integer} Limits the amount of memory all fields together (except files) can allocate in bytes. If this value is exceeded, an 'error' event is emitted, default 2mb (2 * 2 * 1024)

It seems the last part should be

2mb (2 * 1024 * 1024)

Hi :)

When will the multipart support be ready? Or is there any other way to let users upload files?

Thanks

keepExtensions default value is false, no true