feat: private content (#1137)

* save images as private and serve via signed url from images.info api

* download private images to directory on export

* fix lint errors

* private s3 default, AWS.s3 module level scope, default s3 url expiry

* combine regex to one, and only replace when there are matches

* fix lint

* code not needed anymore, remove

* updates after pulling master

* revert the uploadToS3FromUrl url return

* use model gettr to compact code, rename to attachments api

* basic checking of document read permission to allow attachment viewing

* fix: Continue to upload avatars as public
fix: Allow redirect for non-private attachments

* add support for publicly shared documents

* catch errors which crash the app during zip export and user creation

* add tests

* enable AWS signature v4 for s3

* switch to use factories to build models for testing

* add isDocker flag for local serving of attachment redirect url

* fix redirect tests

Co-authored-by: Tom Moor <tom.moor@gmail.com>

server/api/attachments.test.js

@@ -0,0 +1,86 @@
+/* eslint-disable flowtype/require-valid-file-annotation */
+import TestServer from 'fetch-test-server';
+import app from '../app';
+import { flushdb } from '../test/support';
+import {
+  buildUser,
+  buildCollection,
+  buildAttachment,
+  buildDocument,
+} from '../test/factories';
+
+const server = new TestServer(app.callback());
+
+beforeEach(flushdb);
+afterAll(server.close);
+
+describe('#attachments.redirect', async () => {
+  it('should require authentication', async () => {
+    const res = await server.post('/api/attachments.redirect');
+    expect(res.status).toEqual(401);
+  });
+
+  it('should return a redirect for an attachment belonging to a document user has access to', async () => {
+    const user = await buildUser();
+    const attachment = await buildAttachment({
+      teamId: user.teamId,
+      userId: user.id,
+    });
+    const res = await server.post('/api/attachments.redirect', {
+      body: { token: user.getJwtToken(), id: attachment.id },
+      redirect: 'manual',
+    });
+
+    expect(res.status).toEqual(302);
+  });
+
+  it('should always return a redirect for a public attachment', async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      teamId: user.teamId,
+      userId: user.id,
+      private: true,
+    });
+    const document = await buildDocument({
+      teamId: user.teamId,
+      userId: user.id,
+      collectionId: collection.id,
+    });
+    const attachment = await buildAttachment({
+      teamId: user.teamId,
+      userId: user.id,
+      documentId: document.id,
+    });
+
+    const res = await server.post('/api/attachments.redirect', {
+      body: { token: user.getJwtToken(), id: attachment.id },
+      redirect: 'manual',
+    });
+
+    expect(res.status).toEqual(302);
+  });
+
+  it('should not return a redirect for a private attachment belonging to a document user does not have access to', async () => {
+    const user = await buildUser();
+    const collection = await buildCollection({
+      private: true,
+    });
+    const document = await buildDocument({
+      teamId: collection.teamId,
+      userId: collection.userId,
+      collectionId: collection.id,
+    });
+    const attachment = await buildAttachment({
+      teamId: document.teamId,
+      userId: document.userId,
+      documentId: document.id,
+      acl: 'private',
+    });
+
+    const res = await server.post('/api/attachments.redirect', {
+      body: { token: user.getJwtToken(), id: attachment.id },
+    });
+
+    expect(res.status).toEqual(403);
+  });
+});