alti3/litestar-file-uploads
plugins/litestar/skills/litestar-file-uploads/SKILL.md
Handle Litestar multipart file uploads securely with `UploadFile`, typed multipart models, multi-file inputs, request body limits, and storage-safe processing patterns. Use when accepting single or multiple uploaded files in request bodies, especially multipart form-data endpoints. Do not use for generic request parsing, static asset serving, or download response behavior.
$ install --global
skillsauthnpx skillsauth add alti3/litestar-skills litestar-file-uploadsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:21 PM2.1s1 file scanned
SKILL.md
- name:
- litestar-file-uploads
- description:
- Handle Litestar multipart file uploads securely with `UploadFile`, typed multipart models, multi-file inputs, request body limits, and storage-safe processing patterns. Use when accepting single or multiple uploaded files in request bodies, especially multipart form-data endpoints. Do not use for generic request parsing, static asset serving, or download response behavior.
File Uploads
Execution Workflow
- Decide whether the endpoint truly needs multipart file transport.
- Choose the input shape: single
UploadFile, typed multipart model,dict[str, UploadFile], orlist[UploadFile]. - Declare multipart explicitly with
Body(media_type=RequestEncodingType.MULTI_PART). - Validate filename, content type, size expectations, and field layout before expensive processing.
- Stream or hand off large files to storage/services without unbounded memory use.
- Keep upload parsing and validation at the transport edge; move persistence and scanning into services.
Core Rules
- Treat every uploaded file as untrusted input.
- Type uploads explicitly with
UploadFileor multipart container models. - Prefer typed multipart models when field names and structure are known.
- Use
dict[str, UploadFile]orlist[UploadFile]only when the field layout is dynamic or intentionally loose. - Keep request size limits explicit with
request_max_body_sizewhen defaults are not sufficient. - Avoid reading whole files into memory unless the endpoint contract is small and bounded.
- Keep upload endpoints aligned with
litestar-requestsfor broader request-parsing concerns.
Decision Guide
- Use a single
UploadFilewhen one file is the entire body contract. - Use a typed dataclass or model when multipart mixes files and ordinary fields.
- Use
dict[str, UploadFile]when filenames/field names are dynamic and validation is minimal. - Use
list[UploadFile]when the files are homogeneous and field names do not matter. - Use async file reads in async handlers and direct
data.file.read()in sync handlers. - Lower
request_max_body_sizefor sensitive upload endpoints unless a larger bound is justified.
Reference Files
Read only the sections you need:
- For single-file uploads, typed multipart models, multi-file forms, and async vs sync upload handling, read references/upload-patterns.md.
- For request body limits,
UploadFileinternals, safe processing guidance, and test patterns, read references/limits-and-testing.md.
Recommended Defaults
- Prefer multipart models when the field layout is fixed.
- Keep upload endpoints narrow and purpose-built.
- Validate metadata before scanning, persisting, or transforming the file.
- Leave the global body-size limit in place unless a route has a documented reason to override it.
- Return only minimal safe metadata to clients after upload.
Anti-Patterns
- Using multipart uploads when plain JSON or form data would do.
- Accepting unbounded file bodies without a front-door size limit.
- Reading large files fully into memory by default.
- Returning internal temp-file paths or unsafe metadata to clients.
- Mixing storage, scanning, and persistence logic directly into the route handler.
- Treating
dict[str, UploadFile]as the default when the form shape is actually known.
Validation Checklist
- Confirm multipart media type is declared explicitly.
- Confirm the chosen upload shape matches the real form contract.
- Confirm body-size limits are appropriate for the endpoint.
- Confirm async vs sync file access matches the handler style.
- Confirm large uploads do not exhaust memory unexpectedly.
- Confirm invalid or unexpected files fail with deterministic client errors.
- Confirm upload metadata returned to clients is minimal and safe.
Cross-Skill Handoffs
- Use
litestar-requestsfor non-file request parsing and mixed request contract design. - Use
litestar-responsesfor download and file-serving behavior after upload. - Use
litestar-testingfor multipart and size-limit regression coverage. - Use
litestar-securitywhen upload endpoints need auth, secret transport, or strict policy enforcement.
Litestar References
- https://docs.litestar.dev/latest/usage/requests.html#file-uploads
- https://docs.litestar.dev/latest/usage/requests.html
Related Skills
alti3/litestar-websockets
development
VerifiedTrustedCommunity
Build Litestar WebSocket endpoints with low-level websocket handlers, websocket listeners, websocket streams, dependency injection, custom websocket classes, transport-mode control, and graceful connection lifecycle handling. Use when implementing bidirectional real-time communication, reactive websocket message handling, or proactive server push over WebSockets. Do not use for server-side pub/sub fanout that is better expressed with channels alone.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-testing
tools
VerifiedTrustedCommunity
Test Litestar applications with TestClient, AsyncTestClient, create_test_client, websocket test helpers, dependency overrides, mocked dependencies, lifecycle-aware fixtures, and deterministic success and failure assertions. Use when adding or fixing Litestar test coverage, including exception contracts, override precedence, websocket behavior, event-bus side effects, or live-server-only response patterns. Do not use as a substitute for production observability or runtime debugging strategy.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-templating
development
VerifiedTrustedCommunity
Configure Litestar templating with `TemplateConfig`, Jinja/Mako/MiniJinja engines, file-or-string `Template` responses, request and CSRF-aware context, template callables, and custom engine integration. Use when implementing or fixing server-rendered HTML in Litestar. Do not use for static asset serving or pure JSON API endpoints.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-stores
development
VerifiedTrustedCommunity
Configure Litestar stores and the store registry for caching, server-side sessions, rate limiting, and other key-value state with explicit backend selection, bytes-safe data handling, TTL and renewal policy, namespacing, registry wiring, and lifecycle cleanup. Use when a Litestar app depends on `MemoryStore`, `FileStore`, `RedisStore`, `ValkeyStore`, or `StoreRegistry`. Do not use for relational persistence, domain repositories, or response-caching policy details that belong in database or caching-focused skills.
5SKILL.mdUpdated Apr 3, 2026