From b07e25a43952a46b016bf57f3924a02e927362e3 Mon Sep 17 00:00:00 2001
From: Maxime Lalo
Date: Tue, 5 Dec 2023 11:21:15 +0100
Subject: [PATCH 1/2] :sparkles: Security for the gateway

---
 src/common/config/variables/Variables.ts         | 8 +++++---
 src/services/common/FilesService/FilesService.ts | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/common/config/variables/Variables.ts b/src/common/config/variables/Variables.ts
index 1a618ab6..49ad7c2f 100644
--- a/src/common/config/variables/Variables.ts
+++ b/src/common/config/variables/Variables.ts
@@ -67,6 +67,9 @@ export class BackendVariables {
     @IsNotEmpty()
     public readonly PINATA_GATEWAY!: string;
 
+    @IsNotEmpty()
+    public readonly PINATA_GATEWAY_TOKEN!: string;
+
     @IsNotEmpty()
     public readonly ACCESS_TOKEN_SECRET!: string;
 
@@ -150,6 +153,7 @@ export class BackendVariables {
         this.PINATA_API_KEY = process.env["PINATA_API_KEY"]!;
         this.PINATA_API_SECRET = process.env["PINATA_API_SECRET"]!;
         this.PINATA_GATEWAY = process.env["PINATA_GATEWAY"]!;
+        this.PINATA_GATEWAY_TOKEN = process.env["PINATA_GATEWAY_TOKEN"]!;
         this.ACCESS_TOKEN_SECRET = process.env["ACCESS_TOKEN_SECRET"]!;
         this.REFRESH_TOKEN_SECRET = process.env["REFRESH_TOKEN_SECRET"]!;
         this.MAILCHIMP_API_KEY = process.env["MAILCHIMP_API_KEY"]!;
@@ -170,8 +174,6 @@ export class BackendVariables {
         this.OVH_CONSUMER_KEY = process.env["OVH_CONSUMER_KEY"]!;
         this.OVH_SMS_SERVICE_NAME = process.env["OVH_SMS_SERVICE_NAME"]!;
         this.SMS_FACTOR_TOKEN = process.env["SMS_FACTOR_TOKEN"]!;
-
-
     }
     public async validate(groups?: string[]) {
         const validationOptions = groups ? { groups } : undefined;
@@ -179,7 +181,7 @@ export class BackendVariables {
         try {
             await validateOrReject(this, validationOptions);
         } catch (error: any) {
-            if (process.env["ENV"] === "dev" || process.env["ENV"] === 'stg') {
+            if (process.env["ENV"] === "dev" || process.env["ENV"] === "stg") {
                 throw error;
             }
             throw new Error("Some env variables are required!");
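Review bot: In the `validate` hunk, `throw error` on the dev/stg branch rethrows class-validator's rejection unchanged, and a class-validator `ValidationError` by default carries `target` (the whole `BackendVariables` instance, i.e. every API key, token secret and the new `PINATA_GATEWAY_TOKEN`) plus `value`, so one missing variable in stg can dump every configured secret into whatever logger or error reporter catches it. Disable both in the options built in the previous hunk: `const validationOptions = { ...(groups ? { groups } : {}), validationError: { target: false, value: false } };`. On the production branch the generic message hides which variable is missing; logging only the property names before throwing (`validateOrReject` rejects with a `ValidationError[]`, so `error.map((e) => e.property)`) keeps the diagnostics without the values. `validate` continues past the end of the hunk.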
diff --git a/src/services/common/FilesService/FilesService.ts b/src/services/common/FilesService/FilesService.ts
index ac14c6b9..ef02f19b 100644
--- a/src/services/common/FilesService/FilesService.ts
+++ b/src/services/common/FilesService/FilesService.ts
@@ -59,7 +59,7 @@ export default class FilesService extends BaseService {
     public async download(uid: string) {
         const file = await this.filesRepository.findOneByUid(uid);
         if (!file?.key) return null;
-        const fileResult = await fetch(file.file_path);
+        const fileResult = await fetch(file.file_path.concat("?pinataGatewayToken=").concat(this.variables.PINATA_GATEWAY_TOKEN));
         const fileArrayBuffer = await fileResult.arrayBuffer();
         return { file: file, buffer: await this.cryptoService.decrypt(Buffer.from(fileArrayBuffer), file.key) };
     }

From 82239adeeb0fa16460545c117f03df9dc358fbab Mon Sep 17 00:00:00 2001
From: Vins
Date: Tue, 5 Dec 2023 11:28:18 +0100
Subject: [PATCH 2/2] desactivate sms in dev env

---
 .../customer/CustomersService/CustomersService.ts | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/services/customer/CustomersService/CustomersService.ts b/src/services/customer/CustomersService/CustomersService.ts
index 8870873d..ce8d6fff 100644
--- a/src/services/customer/CustomersService/CustomersService.ts
+++ b/src/services/customer/CustomersService/CustomersService.ts
@@ -1,4 +1,4 @@
-// import { BackendVariables } from "@Common/config/variables/Variables";
+import { BackendVariables } from "@Common/config/variables/Variables";
 import { Customers, Prisma, TotpCodes } from "@prisma/client";
 import CustomersRepository from "@Repositories/CustomersRepository";
 import TotpCodesRepository from "@Repositories/TotpCodesRepository";
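Review bot: The new `fetch` line in `download` sends `PINATA_GATEWAY_TOKEN` to whatever host the stored `file.file_path` points at, and glues it on with a bare `?`, so a stored path that already has a query string produces a malformed URL and a path pointing anywhere other than the configured gateway hands the credential to that host. Parse the stored path with `URL`, refuse hosts other than `PINATA_GATEWAY` (I'm assuming that variable holds the gateway origin; if it is a bare hostname compare against it directly), and attach the token via `searchParams` so it is encoded. `fileResult.ok` is also never checked, so a 401/403 body from the gateway goes straight into `cryptoService.decrypt` instead of surfacing the auth failure. If this gateway accepts the token in an `x-pinata-gateway-token` request header, prefer that over the query string so the credential stays out of proxy and access logs. The rewritten lines below replace the single `fetch` line; the rest of the method is unchanged.

```typescript
public async download(uid: string) {
    // … unchanged: repository lookup and the `!file?.key` guard …
    const url = new URL(file.file_path);
    // The gateway token is a credential: only ever present it to our own gateway.
    if (url.host !== new URL(this.variables.PINATA_GATEWAY).host) {
        throw new Error("Refusing to fetch file from an unexpected host");
    }
    url.searchParams.set("pinataGatewayToken", this.variables.PINATA_GATEWAY_TOKEN);
    const fileResult = await fetch(url);
    if (!fileResult.ok) {
        throw new Error(`Gateway returned HTTP ${fileResult.status}`);
    }
    // … unchanged: arrayBuffer + decrypt + return …
```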
@@ -57,7 +57,7 @@ export default class CustomersService extends BaseService {
         private customerRepository: CustomersRepository,
         private authService: AuthService,
         private totpCodesRepository: TotpCodesRepository,
-        // private variables: BackendVariables,
+        private variables: BackendVariables,
         private ovhService: OvhService,
         private smsFactorService: SmsFactorService,
     ) {
@@ -110,8 +110,7 @@ export default class CustomersService extends BaseService {
         const totpCode = await this.saveTotpPin(customer, totpPin, new Date(now + 5 * 60 * 1000), reason);
         if (!totpCode) return null;
         // 5: Send the SMS code to the customer
-        // if(this.variables.ENV !== 'dev')
-        await this.sendSmsCodeToCustomer(totpPin, customer);
+        if(this.variables.ENV !== 'dev') await this.sendSmsCodeToCustomer(totpPin, customer);
         return {
             customer,
             totpCode: TotpCodesResource.hydrate({
@@ -163,8 +162,7 @@ export default class CustomersService extends BaseService {
         await this.saveTotpPin(customer, totpPin, new Date(now + 5 * 60000), TotpCodesReasons.RESET_PASSWORD);
         // 5: Send the SMS code to the customer
-        // if(this.variables.ENV !== 'dev')
-        await this.sendSmsCodeToCustomer(totpPin, customer);
+        if(this.variables.ENV !== 'dev') await this.sendSmsCodeToCustomer(totpPin, customer);
         return customer;
     }
@@ -294,8 +292,7 @@ export default class CustomersService extends BaseService {
         const totpCode = await this.saveTotpPin(customer, totpPin, new Date(now + 5 * 60 * 1000), totpCodeToResend.reason!, true);
         // 7: Send the SMS code to the customer
-        // if(this.variables.ENV !== 'dev')
-        await this.sendSmsCodeToCustomer(totpPin, customer);
+        if(this.variables.ENV !== 'dev') await this.sendSmsCodeToCustomer(totpPin, customer);
         return { customer, totpCode };
     }
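Review bot: The `if(this.variables.ENV !== 'dev') await this.sendSmsCodeToCustomer(...)` gate is pasted verbatim into three methods (the `-110`, `-163` and `-294` hunks), so the next change to the rule — or a fourth code path that forgets it — drifts silently; put it behind one private helper and call that from each step-5/step-7 site. The gate is also a negative check: any `ENV` other than exactly `dev` (unset, `test`, `local`) sends a real SMS through the paid provider, which is worth a comment or a positive allow-list if that is not intended. Style-wise the new lines use `if(` without a space and `'dev'` in single quotes, while the first patch in this series just normalised `Variables.ts` to double quotes. The parameter types below are taken from what the call sites pass (`Customers` is imported at the top of the file); confirm them against `sendSmsCodeToCustomer`, which is outside the hunk, as are the three enclosing methods.

```typescript
/**
 * Delivers a freshly generated TOTP pin to the customer by SMS.
 * In the dev environment nothing is sent; the pin is still persisted by saveTotpPin.
 * NOTE(review): negative check — every ENV other than exactly "dev" sends a real SMS.
 */
private async deliverTotpPin(totpPin: string, customer: Customers): Promise<void> {
    if (this.variables.ENV === "dev") return;
    await this.sendSmsCodeToCustomer(totpPin, customer);
}

// … at each of the three call sites, replacing the inline gate …
await this.deliverTotpPin(totpPin, customer);
```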