Merge Staging in Preprod

This commit is contained in:
Arnaud D. Natali 2023-10-26 15:00:54 +02:00 committed by GitHub
commit 5f3a951d37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 62 additions and 13 deletions


@ -52,6 +52,7 @@
"cors": "^2.8.5", "cors": "^2.8.5",
"cron": "^2.3.1", "cron": "^2.3.1",
"express": "^4.18.2", "express": "^4.18.2",
"file-type-checker": "^1.0.8",
"fp-ts": "^2.16.1", "fp-ts": "^2.16.1",
"jsonwebtoken": "^9.0.0", "jsonwebtoken": "^9.0.0",
"le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.94", "le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.94",
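Review bot: `"file-type-checker": "^1.0.8"` is a new dependency that the upload middleware in this same commit now relies on to decide which files are accepted, and none of the six file sections on this page is a lockfile, so the resolved version is not pinned anywhere in the change. Because the library's verdict gates which uploads pass, pin it exactly (`"file-type-checker": "1.0.8"`) or commit the lockfile update with it, so a later minor release cannot change detection results between environments without a visible diff.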


@ -30,6 +30,13 @@ export default class OfficesController extends ApiController {
return; return;
} }
} }
if(query.where?.office_folders) delete query.where.office_folders;
if(query.include?.office_folders) {
this.httpForbidden(response, "You can't include office_folders");
return;
};
//call service to get prisma entity //call service to get prisma entity
const officesEntities: Offices[] = await this.officesService.get(query); const officesEntities: Offices[] = await this.officesService.get(query);
//Hydrate ressource with prisma entity //Hydrate ressource with prisma entity
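Review bot: The new guard only rejects `query.include?.office_folders`; if `officesService.get` forwards the parsed query to Prisma, the same relation can still be requested through `select`, which this check never looks at, and the top-level `delete query.where.office_folders` leaves an `office_folders` condition nested under `where.AND` or `where.OR` untouched. Guard `select` the same way as `include`, e.g. `if (query.include?.office_folders || query.select?.office_folders) {`, and consider rejecting a `where.office_folders` filter explicitly rather than silently dropping it, since the silent delete and the forbidden include apply opposite policies to the same relation. The stray `;` after the closing brace of the `if` block is harmless but should go. The same block is added in the two other OfficesController sections of this commit (the hunks at `@ -29,6 +29,12` and `@ -43,6 +43,12`), and the enclosing method starts before and ends after the hunk.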


@ -29,6 +29,12 @@ export default class OfficesController extends ApiController {
return; return;
} }
} }
if(query.where?.office_folders) delete query.where.office_folders;
if(query.include?.office_folders) {
this.httpForbidden(response, "You can't include office_folders");
return;
};
//call service to get prisma entity //call service to get prisma entity
const officesEntities: Offices[] = await this.officesService.get(query); const officesEntities: Offices[] = await this.officesService.get(query);
//Hydrate ressource with prisma entity //Hydrate ressource with prisma entity
@ -56,6 +62,10 @@ export default class OfficesController extends ApiController {
let query; let query;
if (req.query["q"]) { if (req.query["q"]) {
query = JSON.parse(req.query["q"] as string); query = JSON.parse(req.query["q"] as string);
if(query.office_folders) {
this.httpForbidden(response, "You can't include office_folders");
return;
}
} }
const officeEntity = await this.officesService.getByUid(uid, query); const officeEntity = await this.officesService.getByUid(uid, query);
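Review bot: In the `@ -56,6 +62,10` hunk the check reads `query.office_folders` at the top level of the parsed object, whereas the hunk above checks `query.include?.office_folders`; if `getByUid` takes the same `{ include: … }`-shaped query that it forwards to `officesService.getByUid(uid, query)`, a query whose `include` object names `office_folders` passes this guard untouched. If the query here really is the include object itself, a one-line comment saying so would spare the next reader the same doubt; otherwise the check should mirror the other one: `if (query.include?.office_folders || query.select?.office_folders) {`. The enclosing method starts before and ends after the hunk.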


@ -43,6 +43,12 @@ export default class OfficesController extends ApiController {
} }
} }
} }
if(query.where?.office_folders) delete query.where.office_folders;
if(query.include?.office_folders) {
this.httpForbidden(response, "You can't include office_folders");
return;
};
//call service to get prisma entity //call service to get prisma entity
const officesEntities: Offices[] = await this.officesService.get(query); const officesEntities: Offices[] = await this.officesService.get(query);


@ -6,18 +6,24 @@ import { NextFunction, Request, Response } from "express";
import Container from "typedi"; import Container from "typedi";
import { EDocumentStatus } from "@prisma/client"; import { EDocumentStatus } from "@prisma/client";
import CustomersService from "@Services/super-admin/CustomersService/CustomersService"; import CustomersService from "@Services/super-admin/CustomersService/CustomersService";
import fileTypeChecker from "file-type-checker";
/**
* @description Middleware to handle security on access to files
* 1. Check if customer has access to the file
* 2. Check if file is a valid file
* 3. Check if customer can access or update the targeted document
*/
export default async function fileHandler(req: Request, response: Response, next: NextFunction) { export default async function fileHandler(req: Request, response: Response, next: NextFunction) {
const customerId = req.body.user.customerId; const customerId = req.body.user.customerId;
const customerEmail = req.body.user.email; const customerEmail = req.body.user.email;
const uid = req.path && req.path.split("/")[5]; const uid = req.path && req.path.split("/")[5];
const file: string | undefined = req.body["q"]; const file: string | undefined = req.body["q"];
const mimetypes = ["application/pdf", "image/png", "image/jpeg", "image/webp"];
if (req.file && req.file.mimetype !== "application/pdf" && req.file.mimetype !== "image/png" && req.file.mimetype !== "image/jpeg") { /**
response.status(HttpCodes.BAD_REQUEST).send("File type not supported"); * @description Check if customer has access to the file
return; */
}
if (uid) { if (uid) {
const fileService = Container.get(FilesService); const fileService = Container.get(FilesService);
const file = await fileService.getByUidWithDocument(uid); const file = await fileService.getByUidWithDocument(uid);
@ -25,21 +31,40 @@ export default async function fileHandler(req: Request, response: Response, next
response.status(HttpCodes.NOT_FOUND).send("File not found"); response.status(HttpCodes.NOT_FOUND).send("File not found");
return; return;
} }
if (file.document.depositor_uid != customerId) { if (file.document.depositor_uid != customerId) {
const customerService = Container.get(CustomersService); const customerService = Container.get(CustomersService);
const customers = await customerService.get({where: {contact: { email: customerEmail}}}); const customers = await customerService.get({ where: { contact: { email: customerEmail } } });
if (customers && !customers.find((customer) => customer.uid === file.document.depositor_uid)) { if (customers && !customers.find((customer) => customer.uid === file.document.depositor_uid)) {
response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor"); response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor");
return; return;
} }
} }
if (req.method === "PUT") {
if (file.document.document_status === EDocumentStatus.VALIDATED) { next();
response.status(HttpCodes.BAD_REQUEST).send("Cannot update a validated document"); return;
return; }
}
/**
* @description Check if file is a valid file
*/
if (req.file) {
const infos = fileTypeChecker.detectFile(req.file!.buffer);
if (req.file.mimetype !== infos?.mimeType) {
response.status(HttpCodes.BAD_REQUEST).send(`Corrupted file, detected :${infos?.mimeType}, but extension is ${req.file?.mimetype}`);
return;
}
if (!infos?.mimeType || mimetypes.indexOf(infos?.mimeType) === -1) {
response.status(HttpCodes.BAD_REQUEST).send("File type not supported");
return;
} }
} }
/**
* @description Check if customer can access or update the targeted document
*/
if (file) { if (file) {
const fileEntity = File.hydrate<File>(JSON.parse(file)); const fileEntity = File.hydrate<File>(JSON.parse(file));
const documentService = Container.get(DocumentsService); const documentService = Container.get(DocumentsService);
@ -50,7 +75,7 @@ export default async function fileHandler(req: Request, response: Response, next
} }
if (documentFound.depositor_uid != customerId) { if (documentFound.depositor_uid != customerId) {
const customerService = Container.get(CustomersService); const customerService = Container.get(CustomersService);
const customers = await customerService.get({where: {contact: { email: customerEmail}}}); const customers = await customerService.get({ where: { contact: { email: customerEmail } } });
if (customers && !customers.find((customer) => customer.uid === documentFound.depositor_uid)) { if (customers && !customers.find((customer) => customer.uid === documentFound.depositor_uid)) {
response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor"); response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor");
return; return;
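Review bot: The `next(); return;` added inside `if (uid)` (hunk `@ -25,21 +31,40`) returns before the new `if (req.file)` content check runs, so a request that addresses a file by uid and also carries an upload skips the MIME validation entirely; the removed code ran its type check before the uid branch, so this is a regression rather than a rewrite of equivalent logic. The same early return also drops the former `document_status === EDocumentStatus.VALIDATED` rejection for `PUT`, leaving `EDocumentStatus` imported but, as far as the hunks show, unused; if that removal is intentional it deserves a sentence in the commit message, otherwise the check should come back. Move the `if (req.file) { … }` block ahead of `if (uid)` so it runs on every path, and inside it drop the redundant `req.file!` assertion (`req.file` is already narrowed) and replace `mimetypes.indexOf(infos?.mimeType) === -1` with `!mimetypes.includes(infos.mimeType)` after the `!infos?.mimeType` guard. `fileHandler` continues past the last hunk.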


@ -25,7 +25,7 @@ const storage = multer.memoryStorage();
middlwares: [ middlwares: [
cors({ origin: "*" }), cors({ origin: "*" }),
multer({ storage: storage, limits: { fileSize: 32000000 } }).single("file"), //32 MB maximum multer({ storage: storage, limits: { fileSize: 32000000 } }).single("file"), //32 MB maximum
bodyParser.json({ limit: "35mb"}), bodyParser.json({ limit: "35mb" }),
bodyParser.urlencoded({ extended: true, limit: "35mb", parameterLimit: 50000 }), bodyParser.urlencoded({ extended: true, limit: "35mb", parameterLimit: 50000 }),
], ],
errorHandler, errorHandler,