Upload 4 files

add upload of png, md and txt files. with new display handling.

index.html

@@ -0,0 +1,711 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width,initial-scale=1" />
+  <title>Real-Time Display Board</title>
+  <style>
+    :root {
+      --bg: #111;
+      --panel: #181818;
+      --header: #222;
+      --border: #333;
+      --muted: #aaa;
+      --text: #eee;
+      --ok-bg: #154;
+      --ok-fg: #8f8;
+      --warn-bg: #444;
+      --warn-fg: #ccc;
+      --bad-bg: #511;
+      --bad-fg: #f88;
+      --accent: #8cf;
+    }
+
+    * { box-sizing: border-box; }
+    body { margin: 0; font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; background: var(--bg); color: var(--text); }
+
+    /* Keep top visible */
+    .topbar {
+      position: sticky; /* stays visible while page scrolls */
+      top: 0;
+      z-index: 10;
+      background: var(--header);
+      border-bottom: 1px solid var(--border);
+    }
+
+    header {
+      padding: 10px 16px;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 12px;
+    }
+
+    #status { font-size: 0.9em; }
+    #status span { padding: 4px 8px; border-radius: 4px; display: inline-block; }
+    .status-connected { background: var(--ok-bg); color: var(--ok-fg); }
+    .status-connecting { background: var(--warn-bg); color: var(--warn-fg); }
+    .status-disconnected { background: var(--bad-bg); color: var(--bad-fg); }
+
+    #controls {
+      padding: 8px 16px;
+      background: var(--panel);
+      display: flex;
+      gap: 10px;
+      align-items: center;
+      flex-wrap: wrap;
+      border-top: 1px solid var(--border);
+    }
+
+    label { font-size: 0.9em; }
+    input, select, button {
+      padding: 6px 8px;
+      border-radius: 6px;
+      border: 1px solid #444;
+      background: #000;
+      color: var(--text);
+    }
+    button { cursor: pointer; background: #111; }
+    button:hover { background: #151515; }
+
+    #apiKeyInput { width: 280px; }
+
+    /* Messages area */
+    #messages {
+      padding: 8px 16px 16px;
+      height: calc(100vh - 114px); /* approximate height of sticky topbar */
+      overflow-y: auto;
+      overscroll-behavior: contain;
+    }
+
+    .message { border-bottom: 1px solid var(--border); padding: 8px 0; }
+    .meta { font-size: 0.82em; color: var(--muted); margin-bottom: 3px; display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }
+    .poster { font-weight: 700; color: var(--accent); }
+    .timestamp { color: #ccc; }
+    .category { font-size: 0.78em; padding: 2px 7px; border-radius: 999px; background: #333; color: var(--text); }
+    .content { white-space: pre-wrap; }
+
+    .file-link {
+      color: var(--accent);
+      text-decoration: underline;
+      cursor: pointer;
+    }
+    .file-link:hover {
+      color: #adf;
+    }
+
+    .image-content {
+      max-width: 100%;
+      border-radius: 8px;
+      margin-top: 8px;
+      border: 1px solid var(--border);
+    }
+
+    /* Modal styles */
+    .modal-overlay {
+      position: fixed;
+      top: 0;
+      left: 0;
+      right: 0;
+      bottom: 0;
+      background: rgba(0, 0, 0, 0.85);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      z-index: 1000;
+      padding: 20px;
+    }
+
+    .modal-content {
+      background: var(--panel);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      max-width: 800px;
+      width: 100%;
+      max-height: 80vh;
+      display: flex;
+      flex-direction: column;
+    }
+
+    .modal-header {
+      padding: 12px 16px;
+      border-bottom: 1px solid var(--border);
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      background: var(--header);
+      border-radius: 8px 8px 0 0;
+    }
+
+    .modal-title {
+      font-weight: 600;
+      color: var(--text);
+    }
+
+    .modal-close {
+      background: transparent;
+      border: none;
+      color: var(--muted);
+      font-size: 1.5em;
+      cursor: pointer;
+      padding: 0 4px;
+      line-height: 1;
+    }
+    .modal-close:hover {
+      color: var(--text);
+    }
+
+    .modal-body {
+      padding: 16px;
+      overflow-y: auto;
+      flex: 1;
+    }
+
+    .modal-body pre {
+      margin: 0;
+      padding: 12px;
+      background: var(--bg);
+      border: 1px solid var(--border);
+      border-radius: 6px;
+      white-space: pre-wrap;
+      word-wrap: break-word;
+      font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+      font-size: 0.9em;
+      line-height: 1.6;
+    }
+
+    /* Markdown rendered content */
+    .markdown-content h1, .markdown-content h2, .markdown-content h3,
+    .markdown-content h4, .markdown-content h5, .markdown-content h6 {
+      margin-top: 16px;
+      margin-bottom: 8px;
+      color: var(--accent);
+    }
+    .markdown-content p {
+      margin: 8px 0;
+      line-height: 1.6;
+    }
+    .markdown-content code {
+      background: var(--bg);
+      padding: 2px 6px;
+      border-radius: 4px;
+      font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+      font-size: 0.9em;
+    }
+    .markdown-content pre {
+      background: var(--bg);
+      padding: 12px;
+      border-radius: 6px;
+      border: 1px solid var(--border);
+      overflow-x: auto;
+    }
+    .markdown-content pre code {
+      background: transparent;
+      padding: 0;
+    }
+    .markdown-content ul, .markdown-content ol {
+      margin: 8px 0;
+      padding-left: 24px;
+    }
+    .markdown-content li {
+      margin: 4px 0;
+    }
+    .markdown-content strong {
+      color: var(--text);
+    }
+    .markdown-content em {
+      font-style: italic;
+    }
+    .markdown-content blockquote {
+      border-left: 4px solid var(--accent);
+      margin: 8px 0;
+      padding-left: 16px;
+      color: var(--muted);
+    }
+  </style>
+</head>
+<body>
+  <div class="topbar">
+    <header>
+      <div>Real-Time Display Board</div>
+      <div id="status"><span class="status-disconnected">Disconnected</span></div>
+    </header>
+
+    <div id="controls">
+      <label>Reader API Key:
+        <input id="apiKeyInput" type="password" placeholder="Enter READER_KEY" autocomplete="off" />
+      </label>
+      <button id="connectBtn">Connect</button>
+
+      <label>Poster filter:
+        <select id="posterFilter">
+          <option value="">All posters</option>
+        </select>
+      </label>
+
+      <label>Keyword filter:
+        <input id="keywordFilter" type="text" placeholder="Search poster, content, metadata" />
+      </label>
+
+      <label>
+        <input type="checkbox" id="autoScrollToggle" checked />
+        Auto-scroll
+      </label>
+    </div>
+  </div>
+
+  <div id="messages"></div>
+
+  <div id="fileModal" class="modal-overlay" style="display: none;">
+    <div class="modal-content">
+      <div class="modal-header">
+        <span class="modal-title" id="modalTitle">File Content</span>
+        <button class="modal-close" onclick="closeModal()">&times;</button>
+      </div>
+      <div class="modal-body" id="modalBody"></div>
+    </div>
+  </div>
+
+  <script>
+    const statusEl = document.getElementById("status");
+    const apiKeyInput = document.getElementById("apiKeyInput");
+    const connectBtn = document.getElementById("connectBtn");
+    const messagesEl = document.getElementById("messages");
+    const posterFilterEl = document.getElementById("posterFilter");
+    const keywordFilterEl = document.getElementById("keywordFilter");
+    const autoScrollToggle = document.getElementById("autoScrollToggle");
+
+    let socket = null;
+    let manualDisconnect = false;
+
+    let reconnectDelay = 1000;
+    const maxReconnectDelay = 30000;
+
+    let allMessages = [];
+    let autoScrollEnabled = true;
+
+    // Track whether user is at bottom without doing heavy work on every scroll tick
+    let userAtBottom = true;
+    let scrollTicking = false;
+
+    // Modal elements
+    const fileModal = document.getElementById("fileModal");
+    const modalTitle = document.getElementById("modalTitle");
+    const modalBody = document.getElementById("modalBody");
+
+    // Simple markdown to HTML converter
+    function parseMarkdown(text) {
+      if (!text) return "";
+
+      // Escape HTML first
+      let html = text
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;");
+
+      // Headers (# ## ###)
+      html = html.replace(/^#{6}\s+(.+)$/gm, "<h6>$1</h6>");
+      html = html.replace(/^#{5}\s+(.+)$/gm, "<h5>$1</h5>");
+      html = html.replace(/^#{4}\s+(.+)$/gm, "<h4>$1</h4>");
+      html = html.replace(/^#{3}\s+(.+)$/gm, "<h3>$1</h3>");
+      html = html.replace(/^#{2}\s+(.+)$/gm, "<h2>$1</h2>");
+      html = html.replace(/^#{1}\s+(.+)$/gm, "<h1>$1</h1>");
+
+      // Code blocks (```code```)
+      html = html.replace(/```[\s\S]*?```/g, (match) => {
+        const code = match.slice(3, -3).trim();
+        return `<pre><code>${code}</code></pre>`;
+      });
+
+      // Inline code (`code`)
+      html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
+
+      // Bold (**text** or __text__)
+      html = html.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
+      html = html.replace(/__([^_]+)__/g, "<strong>$1</strong>");
+
+      // Italic (*text* or _text_)
+      html = html.replace(/\*([^*]+)\*/g, "<em>$1</em>");
+      html = html.replace(/_([^_]+)_/g, "<em>$1</em>");
+
+      // Blockquote (> text)
+      html = html.replace(/^>\s+(.+)$/gm, "<blockquote>$1</blockquote>");
+
+      // Lists
+      // Unordered lists (- item or * item)
+      html = html.replace(/^(\s*)[-*]\s+(.+)$/gm, (match, indent, item) => {
+        const level = Math.floor(indent.length / 2);
+        return `<li class="list-level-${level}">${item}</li>`;
+      });
+      // Ordered lists (1. item)
+      html = html.replace(/^(\s*)\d+\.\s+(.+)$/gm, (match, indent, item) => {
+        const level = Math.floor(indent.length / 2);
+        return `<li class="list-level-${level}">${item}</li>`;
+      });
+
+      // Wrap consecutive li elements in ul
+      html = html.replace(/(<li[^>]*>.*?<\/li>)(\n<li[^>]*>.*?<\/li>)*/g, (match) => {
+        return `<ul>${match}</ul>`;
+      });
+
+      // Line breaks - convert remaining newlines to paragraphs
+      const paragraphs = html.split(/\n+/).filter(p => p.trim());
+      html = paragraphs.map(p => {
+        if (p.match(/^<(h\d|ul|li|blockquote|pre)/)) return p;
+        return `<p>${p}</p>`;
+      }).join("");
+
+      return html;
+    }
+
+    function requestFileContent(messageId) {
+      if (!socket || socket.readyState !== WebSocket.OPEN) {
+        alert("WebSocket is not connected.");
+        return;
+      }
+      socket.send(JSON.stringify({ type: "get_file_content", message_id: messageId }));
+    }
+
+    function displayFileContent(content, title, type) {
+      modalTitle.textContent = title || "File Content";
+      modalBody.innerHTML = "";
+
+      if (type === "md") {
+        const div = document.createElement("div");
+        div.className = "markdown-content";
+        div.innerHTML = parseMarkdown(content);
+        modalBody.appendChild(div);
+      } else {
+        const pre = document.createElement("pre");
+        pre.textContent = content;
+        modalBody.appendChild(pre);
+      }
+
+      fileModal.style.display = "flex";
+    }
+
+    function closeModal() {
+      fileModal.style.display = "none";
+    }
+
+    // Close modal on overlay click
+    fileModal.addEventListener("click", (e) => {
+      if (e.target === fileModal) {
+        closeModal();
+      }
+    });
+
+    // Close modal on Escape key
+    document.addEventListener("keydown", (e) => {
+      if (e.key === "Escape" && fileModal.style.display === "flex") {
+        closeModal();
+      }
+    });
+
+    function setStatus(state, text) {
+      const span = document.createElement("span");
+      span.textContent = text;
+      span.className =
+        state === "connected" ? "status-connected" :
+        state === "connecting" ? "status-connecting" :
+        "status-disconnected";
+      statusEl.innerHTML = "";
+      statusEl.appendChild(span);
+    }
+
+    function humanTime(ts) {
+      const d = new Date(ts);
+      // If ts is missing/invalid, show placeholder rather than crashing
+      if (Number.isNaN(d.getTime())) return "--:--:--";
+      return d.toTimeString().split(" ")[0];
+    }
+
+    function computeAtBottom() {
+      // Only read layout values when scheduled (rAF)
+      return Math.abs(messagesEl.scrollHeight - messagesEl.scrollTop - messagesEl.clientHeight) < 5;
+    }
+
+    messagesEl.addEventListener("scroll", () => {
+      if (scrollTicking) return;
+      scrollTicking = true;
+
+      requestAnimationFrame(() => {
+        const atBottom = computeAtBottom();
+        userAtBottom = atBottom;
+
+        if (!atBottom) {
+          autoScrollEnabled = false;
+          autoScrollToggle.checked = false;
+        } else {
+          if (autoScrollToggle.checked) autoScrollEnabled = true;
+        }
+
+        scrollTicking = false;
+      });
+    }, { passive: true }); // helps scroll performance by letting browser scroll immediately [web:48]
+
+    autoScrollToggle.addEventListener("change", () => {
+      autoScrollEnabled = autoScrollToggle.checked;
+      if (autoScrollEnabled) {
+        messagesEl.scrollTop = messagesEl.scrollHeight;
+        userAtBottom = true;
+      }
+    });
+
+    posterFilterEl.addEventListener("change", () => renderMessages());
+    keywordFilterEl.addEventListener("input", () => renderMessages());
+
+    function updatePosterFilterOptions() {
+      const posters = new Set(allMessages.map(m => m.poster_id).filter(Boolean));
+      const current = posterFilterEl.value;
+
+      // Build options efficiently
+      const frag = document.createDocumentFragment();
+      const optAll = document.createElement("option");
+      optAll.value = "";
+      optAll.textContent = "All posters";
+      frag.appendChild(optAll);
+
+      posters.forEach(p => {
+        const opt = document.createElement("option");
+        opt.value = p;
+        opt.textContent = p;
+        frag.appendChild(opt);
+      });
+
+      posterFilterEl.innerHTML = "";
+      posterFilterEl.appendChild(frag);
+
+      if ([...posterFilterEl.options].some(o => o.value === current)) {
+        posterFilterEl.value = current;
+      }
+    }
+
+    function messageMatchesFilters(m) {
+      const posterFilter = posterFilterEl.value.trim().toLowerCase();
+      const keyword = keywordFilterEl.value.trim().toLowerCase();
+
+      if (posterFilter && (m.poster_id || "").toLowerCase() !== posterFilter) return false;
+      if (!keyword) return true;
+
+      const tokens = [];
+      tokens.push(m.poster_id || "");
+      tokens.push(m.content || "");
+      if (m.category) tokens.push(m.category);
+      if (m.metadata && typeof m.metadata === "object") {
+        for (const v of Object.values(m.metadata)) {
+          try { tokens.push(String(v)); } catch {}
+        }
+      }
+      return tokens.join(" ").toLowerCase().includes(keyword);
+    }
+
+    function buildMessageNode(msg) {
+      const div = document.createElement("div");
+      div.className = "message";
+
+      const meta = document.createElement("div");
+      meta.className = "meta";
+
+      const poster = document.createElement("span");
+      poster.className = "poster";
+      poster.textContent = msg.poster_id || "(unknown)";
+
+      const ts = document.createElement("span");
+      ts.className = "timestamp";
+      ts.textContent = humanTime(msg.timestamp);
+
+      meta.appendChild(poster);
+      meta.appendChild(ts);
+
+      // Add message type indicator for file types
+      if (msg.message_type && msg.message_type !== "text") {
+        const typeLabel = document.createElement("span");
+        typeLabel.className = "category";
+        typeLabel.textContent = msg.message_type.toUpperCase();
+        meta.appendChild(typeLabel);
+      }
+
+      if (msg.category) {
+        const cat = document.createElement("span");
+        cat.className = "category";
+        cat.textContent = msg.category;
+        meta.appendChild(cat);
+      }
+
+      const content = document.createElement("div");
+      content.className = "content";
+
+      // Handle different message types
+      const msgType = msg.message_type || "text";
+
+      if (msgType === "png") {
+        // PNG: show title in meta, display image
+        if (msg.title) {
+          const titleDiv = document.createElement("div");
+          titleDiv.textContent = msg.title;
+          titleDiv.style.marginBottom = "8px";
+          titleDiv.style.color = "var(--accent)";
+          content.appendChild(titleDiv);
+        }
+        if (msg.file_url) {
+          const img = document.createElement("img");
+          img.src = msg.file_url;
+          img.className = "image-content";
+          img.alt = msg.title || "Image";
+          content.appendChild(img);
+        }
+      } else if (msgType === "md" || msgType === "txt") {
+        // Markdown or Text: show clickable title
+        if (msg.title) {
+          const link = document.createElement("span");
+          link.className = "file-link";
+          link.textContent = msg.title;
+          link.onclick = () => requestFileContent(msg.id);
+          content.appendChild(link);
+        } else {
+          content.textContent = msg.content || "";
+        }
+      } else {
+        // Default text type
+        content.textContent = msg.content || "";
+      }
+
+      div.appendChild(meta);
+      div.appendChild(content);
+      return div;
+    }
+
+    function renderMessages() {
+      // Keep the current scroll position; only autoscroll if user is already at bottom + enabled
+      const shouldStickToBottom = autoScrollEnabled && userAtBottom;
+
+      const frag = document.createDocumentFragment();
+      for (const m of allMessages) {
+        if (!messageMatchesFilters(m)) continue;
+        frag.appendChild(buildMessageNode(m));
+      }
+
+      messagesEl.innerHTML = "";
+      messagesEl.appendChild(frag);
+
+      if (shouldStickToBottom) {
+        messagesEl.scrollTop = messagesEl.scrollHeight;
+        userAtBottom = true;
+      }
+    }
+
+    function appendMessageIfVisible(msg) {
+      // Avoid full rerender for every new message: append if it matches current filters
+      const shouldStickToBottom = autoScrollEnabled && userAtBottom;
+
+      if (messageMatchesFilters(msg)) {
+        messagesEl.appendChild(buildMessageNode(msg));
+      }
+
+      // Keep dropdown up to date (cheap, small list)
+      updatePosterFilterOptions();
+
+      if (shouldStickToBottom) {
+        messagesEl.scrollTop = messagesEl.scrollHeight;
+        userAtBottom = true;
+      }
+    }
+
+    function connectSocket() {
+      const key = apiKeyInput.value.trim();
+      if (!key) {
+        alert("Please enter READER_KEY.");
+        return;
+      }
+
+      const loc = window.location;
+      const protocol = loc.protocol === "https:" ? "wss:" : "ws:";
+      const wsUrl = `${protocol}//${loc.host}/ws?api_key=${encodeURIComponent(key)}`;
+
+      setStatus("connecting", "Connecting...");
+      socket = new WebSocket(wsUrl);
+
+      socket.onopen = () => {
+        setStatus("connected", "Connected");
+        reconnectDelay = 1000;
+        connectBtn.textContent = "Disconnect";
+      };
+
+      socket.onmessage = (event) => {
+        let data;
+        try { data = JSON.parse(event.data); } catch { return; }
+
+        if (data.type === "history") {
+          allMessages = Array.isArray(data.messages) ? data.messages : [];
+          allMessages.sort((a, b) => new Date(a.timestamp) - new Date(b.timestamp));
+          updatePosterFilterOptions();
+          // On fresh history load, always go to bottom if auto-scroll is enabled
+          if (autoScrollToggle.checked) {
+            autoScrollEnabled = true;
+            userAtBottom = true;
+          }
+          renderMessages();
+          return;
+        }
+
+        if (data.type === "new_post" && data.message) {
+          allMessages.push(data.message);
+          // Keep only last 50 on client too (server already does, but this keeps UI stable)
+          if (allMessages.length > 50) allMessages = allMessages.slice(allMessages.length - 50);
+          appendMessageIfVisible(data.message);
+          return;
+        }
+
+        if (data.type === "file_content") {
+          if (data.error) {
+            alert("Error loading file: " + data.error);
+          } else if (data.content !== undefined) {
+            displayFileContent(data.content, data.title || "File", data.file_type || "txt");
+          }
+          return;
+        }
+
+        if (data.type === "error") {
+          alert(data.error || "Error from server");
+          return;
+        }
+
+        // Ignore ping
+      };
+
+      socket.onclose = () => {
+        socket = null;
+        connectBtn.textContent = "Connect";
+        setStatus("disconnected", "Disconnected");
+
+        if (!manualDisconnect) {
+          setStatus("connecting", "Reconnecting...");
+          setTimeout(() => connectSocket(), reconnectDelay);
+          reconnectDelay = Math.min(reconnectDelay * 2, maxReconnectDelay);
+        }
+      };
+
+      socket.onerror = () => {
+        // onclose will handle UI
+      };
+    }
+
+    connectBtn.addEventListener("click", () => {
+      if (socket) {
+        manualDisconnect = true;
+        socket.close();
+        socket = null;
+        setStatus("disconnected", "Disconnected");
+        connectBtn.textContent = "Connect";
+        return;
+      }
+      manualDisconnect = false;
+      connectSocket();
+    });
+
+    // Initial UI state
+    setStatus("disconnected", "Disconnected");
+  </script>
+</body>
+</html>

main.py

@@ -0,0 +1,362 @@
+from fastapi import FastAPI, WebSocket, WebSocketDisconnect, Request, Header, HTTPException, File, UploadFile, Form
+from fastapi.responses import HTMLResponse, JSONResponse
+from fastapi.staticfiles import StaticFiles
+from fastapi.encoders import jsonable_encoder
+
+from uuid import uuid4
+from datetime import datetime, timezone, timedelta
+from typing import Optional
+import os
+import asyncio
+import base64
+import json
+
+from .models import Message, PostRequest, HistoryPayload, NewPostPayload, ErrorPayload, FileContentPayload
+from .storage import messages, connected_readers, storage_lock
+from .rate_limit import (
+    is_ip_blocked,
+    record_auth_failure,
+    record_auth_success,
+    get_client_ip,
+)
+from .logger_config import logger
+
+POSTER_KEY = os.getenv("POSTER_KEY", "")
+READER_KEY = os.getenv("READER_KEY", "")
+
+app = FastAPI()
+
+# Static HTML (root)
+app.mount("/static", StaticFiles(directory="app/static"), name="static")
+
+
+@app.get("/", response_class=HTMLResponse)
+async def root():
+    with open("app/static/index.html", "r", encoding="utf-8") as f:
+        return f.read()
+
+
+@app.get("/health")
+async def health():
+    async with storage_lock:
+        message_count = len(messages)
+        connected = len(connected_readers)
+    return {
+        "status": "healthy",
+        "message_count": message_count,
+        "connected_readers": connected,
+    }
+
+
+@app.post("/api/v1/posts")
+async def create_post(
+    request: Request,
+    payload: PostRequest,
+    x_api_key: Optional[str] = Header(default=None, alias="X-API-Key"),
+):
+    client_ip = get_client_ip(request)
+
+    # 1) IP block check
+    if is_ip_blocked(client_ip):
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: blocked_ip - Endpoint: /api/v1/posts"
+        )
+        return JSONResponse(
+            status_code=429,
+            content={"error": "Too many failed authentication attempts"},
+        )
+
+    # 2) API key validation
+    if not x_api_key or x_api_key != POSTER_KEY:
+        record_auth_failure(client_ip)
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: invalid_poster_key - Endpoint: /api/v1/posts"
+        )
+        raise HTTPException(status_code=401, detail="Invalid API key")
+
+    # 3) Defensive length check (pydantic also enforces this)
+    if len(payload.content) > 1000:
+        raise HTTPException(
+            status_code=413, detail="Content exceeds 1000 character limit"
+        )
+
+    now = datetime.now(timezone.utc)
+    msg = Message(
+        id=str(uuid4()),
+        poster_id=payload.poster_id,
+        content=payload.content,
+        timestamp=now,
+        category=payload.category,
+        metadata=payload.metadata or {},
+    )
+
+    async with storage_lock:
+        messages.append(msg)
+
+        # Retention: expire >48h (50-message maxlen still takes precedence)
+        cutoff = now - timedelta(hours=48)
+        tmp = [m for m in messages if m.timestamp >= cutoff]
+        messages.clear()
+        for m in tmp:
+            messages.append(m)
+
+        # Broadcast to all connected readers (JSON-safe)
+        payload_out = jsonable_encoder(NewPostPayload(type="new_post", message=msg))
+        stale = []
+        for ws in connected_readers:
+            try:
+                await ws.send_json(payload_out)
+            except Exception:
+                stale.append(ws)
+        for ws in stale:
+            connected_readers.discard(ws)
+
+    logger.info(
+        f"{datetime.utcnow().isoformat()} - AUTH_SUCCESS - IP: {client_ip} - UserType: poster - Action: post - PosterID: {payload.poster_id}"
+    )
+    record_auth_success(client_ip)
+
+    return JSONResponse(
+        status_code=201,
+        content={
+            "message_id": msg.id,
+            "status": "accepted",
+            "timestamp": msg.timestamp.isoformat(),
+        },
+    )
+
+
+@app.post("/api/v1/upload")
+async def upload_file(
+    request: Request,
+    poster_id: str = Form(...),
+    category: Optional[str] = Form(default=None),
+    file: UploadFile = File(...),
+    x_api_key: Optional[str] = Header(default=None, alias="X-API-Key"),
+):
+    client_ip = get_client_ip(request)
+
+    # 1) IP block check
+    if is_ip_blocked(client_ip):
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: blocked_ip - Endpoint: /api/v1/upload"
+        )
+        return JSONResponse(
+            status_code=429,
+            content={"error": "Too many failed authentication attempts"},
+        )
+
+    # 2) API key validation
+    if not x_api_key or x_api_key != POSTER_KEY:
+        record_auth_failure(client_ip)
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: invalid_poster_key - Endpoint: /api/v1/upload"
+        )
+        raise HTTPException(status_code=401, detail="Invalid API key")
+
+    # 3) Validate file extension and MIME type
+    filename = file.filename or "unknown"
+    file_ext = os.path.splitext(filename)[1].lower()
+
+    allowed_extensions = {".png", ".md", ".txt"}
+    if file_ext not in allowed_extensions:
+        raise HTTPException(status_code=400, detail="Only PNG, MD, and TXT files are allowed")
+
+    # MIME type validation
+    mime_type = file.content_type or ""
+    valid_mime_types = {
+        ".png": ["image/png"],
+        ".md": ["text/markdown", "text/plain", "application/octet-stream"],
+        ".txt": ["text/plain", "application/octet-stream"],
+    }
+
+    if mime_type and mime_type not in valid_mime_types.get(file_ext, []):
+        # Allow if no content-type provided, otherwise validate
+        pass  # Be lenient with MIME types as they can vary
+
+    # 4) Read file content and validate size
+    content = await file.read()
+    file_size = len(content)
+
+    if file_ext == ".png":
+        if file_size > 2 * 1024 * 1024:  # 2MB
+            raise HTTPException(status_code=413, detail="PNG file exceeds 2MB limit")
+    else:  # .md or .txt
+        if file_size > 100 * 1024:  # 100KB
+            raise HTTPException(status_code=413, detail="Text file exceeds 100KB limit")
+
+    # 5) Process file based on type
+    now = datetime.now(timezone.utc)
+    msg_id = str(uuid4())
+
+    if file_ext == ".png":
+        # Store PNG as base64 data URL
+        base64_data = base64.b64encode(content).decode("utf-8")
+        file_url = f"data:image/png;base64,{base64_data}"
+        msg = Message(
+            id=msg_id,
+            poster_id=poster_id,
+            content=filename,
+            timestamp=now,
+            category=category,
+            metadata={},
+            message_type="png",
+            file_url=file_url,
+            title=filename,
+        )
+    elif file_ext == ".md":
+        # Extract first line as title, store full content
+        text_content = content.decode("utf-8", errors="replace")
+        first_line = text_content.split("\n")[0].strip() or filename
+        msg = Message(
+            id=msg_id,
+            poster_id=poster_id,
+            content=filename,
+            timestamp=now,
+            category=category,
+            metadata={},
+            message_type="md",
+            title=first_line,
+            file_content=text_content,
+        )
+    else:  # .txt
+        # Extract first line as title, store full content
+        text_content = content.decode("utf-8", errors="replace")
+        first_line = text_content.split("\n")[0].strip() or filename
+        msg = Message(
+            id=msg_id,
+            poster_id=poster_id,
+            content=filename,
+            timestamp=now,
+            category=category,
+            metadata={},
+            message_type="txt",
+            title=first_line,
+            file_content=text_content,
+        )
+
+    # 6) Store message and broadcast (same as create_post)
+    async with storage_lock:
+        messages.append(msg)
+
+        # Retention: expire >48h (50-message maxlen still takes precedence)
+        cutoff = now - timedelta(hours=48)
+        tmp = [m for m in messages if m.timestamp >= cutoff]
+        messages.clear()
+        for m in tmp:
+            messages.append(m)
+
+        # Broadcast to all connected readers (JSON-safe)
+        payload_out = jsonable_encoder(NewPostPayload(type="new_post", message=msg))
+        stale = []
+        for ws in connected_readers:
+            try:
+                await ws.send_json(payload_out)
+            except Exception:
+                stale.append(ws)
+        for ws in stale:
+            connected_readers.discard(ws)
+
+    logger.info(
+        f"{datetime.utcnow().isoformat()} - AUTH_SUCCESS - IP: {client_ip} - UserType: poster - Action: upload - PosterID: {poster_id}"
+    )
+    record_auth_success(client_ip)
+
+    return JSONResponse(
+        status_code=201,
+        content={
+            "message_id": msg.id,
+            "status": "accepted",
+            "timestamp": msg.timestamp.isoformat(),
+        },
+    )
+
+
+@app.websocket("/ws")
+async def websocket_endpoint(websocket: WebSocket):
+    client_ip = websocket.client.host if websocket.client else "unknown"
+
+    # 1) IP block check
+    if is_ip_blocked(client_ip):
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: blocked_ip - Endpoint: /ws"
+        )
+        await websocket.close(code=1008)
+        return
+
+    # 2) API key validation (query param)
+    api_key = websocket.query_params.get("api_key")
+    if not api_key or api_key != READER_KEY:
+        record_auth_failure(client_ip)
+        logger.warning(
+            f"{datetime.utcnow().isoformat()} - AUTH_FAILURE - IP: {client_ip} - Reason: invalid_reader_key - Endpoint: /ws"
+        )
+        await websocket.accept()
+        await websocket.send_json(
+            jsonable_encoder(ErrorPayload(type="error", error="Invalid API key"))
+        )
+        await websocket.close(code=1008)
+        return
+
+    await websocket.accept()
+    logger.info(
+        f"{datetime.utcnow().isoformat()} - AUTH_SUCCESS - IP: {client_ip} - UserType: reader - Action: connect"
+    )
+    record_auth_success(client_ip)
+
+    # Register + send initial history (JSON-safe)
+    async with storage_lock:
+        connected_readers.add(websocket)
+        history_payload = HistoryPayload(type="history", messages=list(messages))
+        await websocket.send_json(jsonable_encoder(history_payload))
+
+    try:
+        while True:
+            # Keepalive: wait for client message; if none, send ping
+            try:
+                data = await asyncio.wait_for(websocket.receive_text(), timeout=30.0)
+                # Handle file content request
+                try:
+                    msg = json.loads(data)
+                    if msg.get("type") == "get_file_content":
+                        message_id = msg.get("message_id")
+                        async with storage_lock:
+                            target_msg = None
+                            for m in messages:
+                                if m.id == message_id:
+                                    target_msg = m
+                                    break
+
+                        if target_msg is None:
+                            await websocket.send_json(
+                                jsonable_encoder(ErrorPayload(
+                                    type="error",
+                                    error="Message not found"
+                                ))
+                            )
+                        elif target_msg.message_type not in ("md", "txt"):
+                            await websocket.send_json(
+                                jsonable_encoder(ErrorPayload(
+                                    type="error",
+                                    error="Invalid message type"
+                                ))
+                            )
+                        else:
+                            await websocket.send_json(
+                                jsonable_encoder(FileContentPayload(
+                                    type="file_content",
+                                    message_id=message_id,
+                                    content=target_msg.file_content or "",
+                                    content_type=target_msg.message_type
+                                ))
+                            )
+                except json.JSONDecodeError:
+                    # Ignore non-JSON messages (keepalive behavior)
+                    pass
+            except asyncio.TimeoutError:
+                await websocket.send_json({"type": "ping"})
+    except WebSocketDisconnect:
+        pass
+    finally:
+        async with storage_lock:
+            connected_readers.discard(websocket)

models.py

@@ -0,0 +1,46 @@
+from pydantic import BaseModel, Field
+from datetime import datetime
+from typing import Optional, Dict, Any, List, Literal
+
+
+class PostRequest(BaseModel):
+    poster_id: str = Field(..., min_length=1)
+    content: str = Field(..., min_length=1, max_length=1000)
+    category: Optional[str] = None
+    metadata: Optional[Dict[str, Any]] = None
+
+
+class Message(BaseModel):
+    id: str
+    poster_id: str
+    content: str
+    timestamp: datetime
+    category: Optional[str] = None
+    metadata: Dict[str, Any] = {}
+    # File-related fields
+    message_type: Literal["text", "png", "md", "txt"] = "text"
+    file_url: Optional[str] = None
+    title: Optional[str] = None
+    file_content: Optional[str] = None  # For MD/TXT - stored but not shown in list
+
+
+class HistoryPayload(BaseModel):
+    type: str = "history"
+    messages: List[Message]
+
+
+class NewPostPayload(BaseModel):
+    type: str = "new_post"
+    message: Message
+
+
+class ErrorPayload(BaseModel):
+    type: str = "error"
+    error: str
+
+
+class FileContentPayload(BaseModel):
+    type: str = "file_content"
+    message_id: str
+    content: str
+    content_type: Literal["md", "txt"]

requirements.txt

@@ -1,4 +1,6 @@
-fastapi==0.104.1
-uvicorn[standard]==0.24.0
-websockets==12.0
-python-dotenv==1.0.0
+fastapi==0.104.1
+uvicorn[standard]==0.24.0
+websockets==12.0
+python-dotenv==1.0.0
+python-multipart==0.0.19
+markdown==3.7