refactor: add server side validation schema for attachments (#4606)

* refactor: schema for attachments.create * refactor: schema for attachments.delete * refactor: remove deprecated "public" request param
2022-12-30 18:49:01 +01:00
parent f3469d25fe
commit 318e1df13b
4 changed files with 67 additions and 90 deletions
--- a/server/routes/api/attachments/attachments.ts
+++ b/server/routes/api/attachments/attachments.ts
@@ -0,0 +1,170 @@
+import Router from "koa-router";
+import { v4 as uuidv4 } from "uuid";
+import { AttachmentPreset } from "@shared/types";
+import { bytesToHumanReadable } from "@shared/utils/files";
+import { AttachmentValidation } from "@shared/validations";
+import { AuthorizationError, ValidationError } from "@server/errors";
+import auth from "@server/middlewares/authentication";
+import { transaction } from "@server/middlewares/transaction";
+import validate from "@server/middlewares/validate";
+import { Attachment, Document, Event } from "@server/models";
+import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
+import { authorize } from "@server/policies";
+import { presentAttachment } from "@server/presenters";
+import { APIContext, ContextWithState } from "@server/types";
+import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
+import { assertIn, assertUuid } from "@server/validation";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post(
+  "attachments.create",
+  auth(),
+  validate(T.AttachmentsCreateSchema),
+  transaction(),
+  async (ctx: APIContext<T.AttachmentCreateReq>) => {
+    const { name, documentId, contentType, size, preset } = ctx.input;
+    const { user, transaction } = ctx.state;
+
+    // All user types can upload an avatar so no additional authorization is needed.
+    if (preset === AttachmentPreset.Avatar) {
+      assertIn(contentType, AttachmentValidation.avatarContentTypes);
+    } else if (preset === AttachmentPreset.DocumentAttachment && documentId) {
+      const document = await Document.findByPk(documentId, {
+        userId: user.id,
+      });
+      authorize(user, "update", document);
+    } else {
+      authorize(user, "createAttachment", user.team);
+    }
+
+    const maxUploadSize = AttachmentHelper.presetToMaxUploadSize(preset);
+
+    if (size > maxUploadSize) {
+      throw ValidationError(
+        `Sorry, this file is too large – the maximum size is ${bytesToHumanReadable(
+          maxUploadSize
+        )}`
+      );
+    }
+
+    const modelId = uuidv4();
+    const acl = AttachmentHelper.presetToAcl(preset);
+    const key = AttachmentHelper.getKey({
+      acl,
+      id: modelId,
+      name,
+      userId: user.id,
+    });
+
+    const attachment = await Attachment.create(
+      {
+        id: modelId,
+        key,
+        acl,
+        size,
+        expiresAt: AttachmentHelper.presetToExpiry(preset),
+        contentType,
+        documentId,
+        teamId: user.teamId,
+        userId: user.id,
+      },
+      { transaction }
+    );
+    await Event.create(
+      {
+        name: "attachments.create",
+        data: {
+          name,
+        },
+        modelId,
+        teamId: user.teamId,
+        actorId: user.id,
+        ip: ctx.request.ip,
+      },
+      { transaction }
+    );
+
+    const presignedPost = await getPresignedPost(
+      key,
+      acl,
+      maxUploadSize,
+      contentType
+    );
+
+    ctx.body = {
+      data: {
+        uploadUrl: publicS3Endpoint(),
+        form: {
+          "Cache-Control": "max-age=31557600",
+          "Content-Type": contentType,
+          ...presignedPost.fields,
+        },
+        attachment: presentAttachment(attachment),
+      },
+    };
+  }
+);
+
+router.post(
+  "attachments.delete",
+  auth(),
+  validate(T.AttachmentDeleteSchema),
+  async (ctx: APIContext<T.AttachmentDeleteReq>) => {
+    const { id } = ctx.input;
+    const { user } = ctx.state;
+    const attachment = await Attachment.findByPk(id, {
+      rejectOnEmpty: true,
+    });
+
+    if (attachment.documentId) {
+      const document = await Document.findByPk(attachment.documentId, {
+        userId: user.id,
+      });
+      authorize(user, "update", document);
+    }
+
+    authorize(user, "delete", attachment);
+    await attachment.destroy();
+    await Event.create({
+      name: "attachments.delete",
+      teamId: user.teamId,
+      actorId: user.id,
+      ip: ctx.request.ip,
+    });
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+const handleAttachmentsRedirect = async (ctx: ContextWithState) => {
+  const id = ctx.request.body?.id ?? ctx.request.query?.id;
+  assertUuid(id, "id is required");
+
+  const { user } = ctx.state;
+  const attachment = await Attachment.findByPk(id, {
+    rejectOnEmpty: true,
+  });
+
+  if (attachment.isPrivate && attachment.teamId !== user.teamId) {
+    throw AuthorizationError();
+  }
+
+  await attachment.update({
+    lastAccessedAt: new Date(),
+  });
+
+  if (attachment.isPrivate) {
+    ctx.redirect(await attachment.signedUrl);
+  } else {
+    ctx.redirect(attachment.canonicalUrl);
+  }
+};
+
+router.get("attachments.redirect", auth(), handleAttachmentsRedirect);
+router.post("attachments.redirect", auth(), handleAttachmentsRedirect);
+
+export default router;