Add MapLibre demo and route uploads through backend.

This introduces a MapLibre GL + Three.js web demo for object placement and sharing, and changes asset upload flow to use backend upload endpoints so clients no longer receive direct MinIO URLs.

Made-with: Cursor

internal/http/api_test.go

@@ -8,6 +8,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -32,14 +33,14 @@ func newTestServer(adminPublicKey string) *httptest.Server {
 
 type fakeSigner struct{}
 
-func (fakeSigner) SignedPutObjectURL(_ context.Context, objectKey string, _ time.Duration, _ string) (string, error) {
-	return "http://files.local/upload/" + objectKey, nil
-}
-
 func (fakeSigner) SignedGetObjectURL(_ context.Context, objectKey string, _ time.Duration) (string, error) {
 	return "http://files.local/download/" + objectKey, nil
 }
 
+func (fakeSigner) PutObject(_ context.Context, _ string, _ string, _ io.Reader, _ int64) error {
+	return nil
+}
+
 func mustJSON(t *testing.T, value interface{}) []byte {
 	t.Helper()
 	b, err := json.Marshal(value)
@@ -105,6 +106,25 @@ func patchJSON(t *testing.T, client *http.Client, url string, body interface{},
 	return resp, out
 }
 
+func putRaw(t *testing.T, client *http.Client, url string, payload []byte, contentType string, token string) *http.Response {
+	t.Helper()
+	req, err := http.NewRequest(http.MethodPut, url, bytes.NewReader(payload))
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	if contentType != "" {
+		req.Header.Set("Content-Type", contentType)
+	}
+	if token != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("do request: %v", err)
+	}
+	return resp
+}
+
 func loginUser(t *testing.T, client *http.Client, baseURL, pubB64 string, priv ed25519.PrivateKey) string {
 	t.Helper()
 	chResp, chData := postJSON(t, client, baseURL+"/v1/auth/challenge", map[string]string{"publicKey": pubB64}, "")
@@ -368,6 +388,15 @@ func TestAssetLifecycleAndVisibility(t *testing.T) {
 	if uploadResp.StatusCode != http.StatusOK {
 		t.Fatalf("signed upload status=%d body=%v", uploadResp.StatusCode, uploadData)
 	}
+	if uploadData["url"] != "/v1/assets/"+assetID+"/upload" {
+		t.Fatalf("unexpected signed-upload backend url: %v", uploadData["url"])
+	}
+
+	putResp := putRaw(t, client, server.URL+"/v1/assets/"+assetID+"/upload", []byte("glb-bytes"), "model/gltf-binary", user1Token)
+	defer putResp.Body.Close()
+	if putResp.StatusCode != http.StatusNoContent {
+		t.Fatalf("upload proxy status=%d", putResp.StatusCode)
+	}
 
 	featuresResp, featuresData := getJSON(t, client, server.URL+"/v1/collections/"+collectionID+"/features", user1Token)
 	if featuresResp.StatusCode != http.StatusOK {

internal/http/handlers.go

@@ -43,6 +43,7 @@ func (a *API) Routes() http.Handler {
 	mux.HandleFunc("POST /v1/assets", a.createAsset)
 	mux.HandleFunc("PATCH /v1/assets/{id}", a.patchAsset)
 	mux.HandleFunc("POST /v1/assets/{id}/signed-upload", a.signedUpload)
+	mux.HandleFunc("PUT /v1/assets/{id}/upload", a.uploadAsset)
 	mux.HandleFunc("GET /v1/assets/{id}/download", a.downloadAsset)
 
 	mux.Handle("/web/", http.StripPrefix("/web/", staticFiles))
@@ -459,6 +460,20 @@ func (a *API) signedUpload(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, map[string]string{"url": url, "method": http.MethodPut})
 }
 
+func (a *API) uploadAsset(w http.ResponseWriter, r *http.Request) {
+	user, err := a.authUser(r)
+	if err != nil {
+		writeErr(w, err)
+		return
+	}
+	assetID := r.PathValue("id")
+	if err := a.service.UploadAsset(user, assetID, r.Header.Get("Content-Type"), r.Body, r.ContentLength); err != nil {
+		writeErr(w, err)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
 func (a *API) downloadAsset(w http.ResponseWriter, r *http.Request) {
 	user, err := a.authUser(r)
 	if err != nil {