4nk/lecoffre-back
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add file content check

Browse Source
This commit is contained in:
OxSaitama 2023-10-26 13:11:28 +02:00
parent 73fb1b2625
commit a93b2616ec
3 changed files with 39 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
package.json
View File

@ -52,6 +52,7 @@
"cors": "^2.8.5", "cors": "^2.8.5",
"cron": "^2.3.1", "cron": "^2.3.1",
"express": "^4.18.2", "express": "^4.18.2",
"file-type-checker": "^1.0.8",
"fp-ts": "^2.16.1", "fp-ts": "^2.16.1",
"jsonwebtoken": "^9.0.0", "jsonwebtoken": "^9.0.0",
"le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.94", "le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.94",

47
src/app/middlewares/CustomerHandler/FileHandler.ts
View File

@ -6,18 +6,24 @@ import { NextFunction, Request, Response } from "express";
import Container from "typedi"; import Container from "typedi";
import { EDocumentStatus } from "@prisma/client"; import { EDocumentStatus } from "@prisma/client";
import CustomersService from "@Services/super-admin/CustomersService/CustomersService"; import CustomersService from "@Services/super-admin/CustomersService/CustomersService";
import fileTypeChecker from "file-type-checker";
/**
* @description Middleware to handle security on access to files
* 1. Check if customer has access to the file
* 2. Check if file is a valid file
* 3. Check if customer can access or update the targeted document
*/
export default async function fileHandler(req: Request, response: Response, next: NextFunction) { export default async function fileHandler(req: Request, response: Response, next: NextFunction) {
const customerId = req.body.user.customerId; const customerId = req.body.user.customerId;
const customerEmail = req.body.user.email; const customerEmail = req.body.user.email;
const uid = req.path && req.path.split("/")[5]; const uid = req.path && req.path.split("/")[5];
const file: string | undefined = req.body["q"]; const file: string | undefined = req.body["q"];
const mimetypes = ["application/pdf", "image/png", "image/jpeg", "image/webp"];
if (req.file && req.file.mimetype !== "application/pdf" && req.file.mimetype !== "image/png" && req.file.mimetype !== "image/jpeg") { /**
response.status(HttpCodes.BAD_REQUEST).send("File type not supported"); * @description Check if customer has access to the file
return; */
}
if (uid) { if (uid) {
const fileService = Container.get(FilesService); const fileService = Container.get(FilesService);
const file = await fileService.getByUidWithDocument(uid); const file = await fileService.getByUidWithDocument(uid);
@ -25,21 +31,40 @@ export default async function fileHandler(req: Request, response: Response, next
response.status(HttpCodes.NOT_FOUND).send("File not found"); response.status(HttpCodes.NOT_FOUND).send("File not found");
return; return;
} }
if (file.document.depositor_uid != customerId) { if (file.document.depositor_uid != customerId) {
const customerService = Container.get(CustomersService); const customerService = Container.get(CustomersService);
const customers = await customerService.get({where: {contact: { email: customerEmail}}}); const customers = await customerService.get({ where: { contact: { email: customerEmail } } });
if (customers && !customers.find((customer) => customer.uid === file.document.depositor_uid)) { if (customers && !customers.find((customer) => customer.uid === file.document.depositor_uid)) {
response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor"); response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor");
return; return;
} }
} }
if (req.method === "PUT") {
if (file.document.document_status === EDocumentStatus.VALIDATED) { next();
response.status(HttpCodes.BAD_REQUEST).send("Cannot update a validated document"); return;
}
/**
* @description Check if file is a valid file
*/
if (req.file) {
const infos = fileTypeChecker.detectFile(req.file!.buffer);
if (req.file.mimetype !== infos?.mimeType) {
response.status(HttpCodes.BAD_REQUEST).send(`Corrupted file, detected :${infos?.mimeType}, but extension is ${req.file?.mimetype}`);
return;
}
if (!infos?.mimeType || mimetypes.indexOf(infos?.mimeType) === -1) {
response.status(HttpCodes.BAD_REQUEST).send("File type not supported");
return; return;
} }
} }
}
/**
* @description Check if customer can access or update the targeted document
*/
if (file) { if (file) {
const fileEntity = File.hydrate<File>(JSON.parse(file)); const fileEntity = File.hydrate<File>(JSON.parse(file));
const documentService = Container.get(DocumentsService); const documentService = Container.get(DocumentsService);
@ -50,7 +75,7 @@ export default async function fileHandler(req: Request, response: Response, next
} }
if (documentFound.depositor_uid != customerId) { if (documentFound.depositor_uid != customerId) {
const customerService = Container.get(CustomersService); const customerService = Container.get(CustomersService);
const customers = await customerService.get({where: {contact: { email: customerEmail}}}); const customers = await customerService.get({ where: { contact: { email: customerEmail } } });
if (customers && !customers.find((customer) => customer.uid === documentFound.depositor_uid)) { if (customers && !customers.find((customer) => customer.uid === documentFound.depositor_uid)) {
response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor"); response.status(HttpCodes.UNAUTHORIZED).send("Not authorized with this depositor");
return; return;

2
src/entries/App.ts
View File

@ -25,7 +25,7 @@ const storage = multer.memoryStorage();
middlwares: [ middlwares: [
cors({ origin: "*" }), cors({ origin: "*" }),
multer({ storage: storage, limits: { fileSize: 32000000 } }).single("file"), //32 MB maximum multer({ storage: storage, limits: { fileSize: 32000000 } }).single("file"), //32 MB maximum
bodyParser.json({ limit: "35mb"}), bodyParser.json({ limit: "35mb" }),
bodyParser.urlencoded({ extended: true, limit: "35mb", parameterLimit: 50000 }), bodyParser.urlencoded({ extended: true, limit: "35mb", parameterLimit: 50000 }),
], ],
errorHandler, errorHandler,