feat: private content (#1137)

* save images as private and serve via signed url from images.info api

* download private images to directory on export

* fix lint errors

* private s3 default, AWS.s3 module level scope, default s3 url expiry

* combine regex to one, and only replace when there are matches

* fix lint

* code not needed anymore, remove

* updates after pulling master

* revert the uploadToS3FromUrl url return

* use model gettr to compact code, rename to attachments api

* basic checking of document read permission to allow attachment viewing

* fix: Continue to upload avatars as public
fix: Allow redirect for non-private attachments

* add support for publicly shared documents

* catch errors which crash the app during zip export and user creation

* add tests

* enable AWS signature v4 for s3

* switch to use factories to build models for testing

* add isDocker flag for local serving of attachment redirect url

* fix redirect tests

Co-authored-by: Tom Moor <tom.moor@gmail.com>

server/api/attachments.js

@@ -0,0 +1,32 @@
+// @flow
+import Router from 'koa-router';
+import auth from '../middlewares/authentication';
+import { Attachment, Document } from '../models';
+import { getSignedImageUrl } from '../utils/s3';
+
+import policy from '../policies';
+
+const { authorize } = policy;
+const router = new Router();
+
+router.post('attachments.redirect', auth(), async ctx => {
+  const { id } = ctx.body;
+  ctx.assertPresent(id, 'id is required');
+
+  const user = ctx.state.user;
+  const attachment = await Attachment.findByPk(id);
+
+  if (attachment.isPrivate) {
+    const document = await Document.findByPk(attachment.documentId, {
+      userId: user.id,
+    });
+    authorize(user, 'read', document);
+
+    const accessUrl = await getSignedImageUrl(attachment.key);
+    ctx.redirect(accessUrl);
+  } else {
+    ctx.redirect(attachment.url);
+  }
+});
+
+export default router;