181 lines
4.8 KiB
TypeScript
181 lines
4.8 KiB
TypeScript
import Router from "koa-router";
|
||
import { v4 as uuidv4 } from "uuid";
|
||
import { AttachmentPreset } from "@shared/types";
|
||
import { bytesToHumanReadable } from "@shared/utils/files";
|
||
import { AttachmentValidation } from "@shared/validations";
|
||
import { AuthorizationError, ValidationError } from "@server/errors";
|
||
import auth from "@server/middlewares/authentication";
|
||
import {
|
||
transaction,
|
||
TransactionContext,
|
||
} from "@server/middlewares/transaction";
|
||
import { Attachment, Document, Event } from "@server/models";
|
||
import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
|
||
import { authorize } from "@server/policies";
|
||
import { presentAttachment } from "@server/presenters";
|
||
import { ContextWithState } from "@server/types";
|
||
import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
|
||
import { assertIn, assertPresent, assertUuid } from "@server/validation";
|
||
|
||
const router = new Router();
|
||
|
||
router.post(
|
||
"attachments.create",
|
||
auth(),
|
||
transaction(),
|
||
async (ctx: TransactionContext) => {
|
||
const {
|
||
name,
|
||
documentId,
|
||
contentType = "application/octet-stream",
|
||
size,
|
||
// 'public' is now deprecated and can be removed on December 1 2022.
|
||
public: isPublicDeprecated,
|
||
preset = isPublicDeprecated
|
||
? AttachmentPreset.Avatar
|
||
: AttachmentPreset.DocumentAttachment,
|
||
} = ctx.request.body;
|
||
const { user, transaction } = ctx.state;
|
||
|
||
assertPresent(name, "name is required");
|
||
assertPresent(size, "size is required");
|
||
|
||
// All user types can upload an avatar so no additional authorization is needed.
|
||
if (preset === AttachmentPreset.Avatar) {
|
||
assertIn(contentType, AttachmentValidation.avatarContentTypes);
|
||
} else if (preset === AttachmentPreset.DocumentAttachment && documentId) {
|
||
assertUuid(documentId, "documentId must be a uuid");
|
||
const document = await Document.findByPk(documentId, {
|
||
userId: user.id,
|
||
});
|
||
authorize(user, "update", document);
|
||
} else {
|
||
authorize(user, "createAttachment", user.team);
|
||
}
|
||
|
||
const maxUploadSize = AttachmentHelper.presetToMaxUploadSize(preset);
|
||
|
||
if (size > maxUploadSize) {
|
||
throw ValidationError(
|
||
`Sorry, this file is too large – the maximum size is ${bytesToHumanReadable(
|
||
maxUploadSize
|
||
)}`
|
||
);
|
||
}
|
||
|
||
const modelId = uuidv4();
|
||
const acl = AttachmentHelper.presetToAcl(preset);
|
||
const key = AttachmentHelper.getKey({
|
||
acl,
|
||
id: modelId,
|
||
name,
|
||
userId: user.id,
|
||
});
|
||
|
||
const attachment = await Attachment.create(
|
||
{
|
||
id: modelId,
|
||
key,
|
||
acl,
|
||
size,
|
||
expiresAt: AttachmentHelper.presetToExpiry(preset),
|
||
contentType,
|
||
documentId,
|
||
teamId: user.teamId,
|
||
userId: user.id,
|
||
},
|
||
{ transaction }
|
||
);
|
||
await Event.create(
|
||
{
|
||
name: "attachments.create",
|
||
data: {
|
||
name,
|
||
},
|
||
modelId,
|
||
teamId: user.teamId,
|
||
actorId: user.id,
|
||
ip: ctx.request.ip,
|
||
},
|
||
{ transaction }
|
||
);
|
||
|
||
const presignedPost = await getPresignedPost(
|
||
key,
|
||
acl,
|
||
maxUploadSize,
|
||
contentType
|
||
);
|
||
|
||
ctx.body = {
|
||
data: {
|
||
uploadUrl: publicS3Endpoint(),
|
||
form: {
|
||
"Cache-Control": "max-age=31557600",
|
||
"Content-Type": contentType,
|
||
...presignedPost.fields,
|
||
},
|
||
attachment: presentAttachment(attachment),
|
||
},
|
||
};
|
||
}
|
||
);
|
||
|
||
router.post("attachments.delete", auth(), async (ctx) => {
|
||
const { id } = ctx.request.body;
|
||
assertUuid(id, "id is required");
|
||
const { user } = ctx.state;
|
||
const attachment = await Attachment.findByPk(id, {
|
||
rejectOnEmpty: true,
|
||
});
|
||
|
||
if (attachment.documentId) {
|
||
const document = await Document.findByPk(attachment.documentId, {
|
||
userId: user.id,
|
||
});
|
||
authorize(user, "update", document);
|
||
}
|
||
|
||
authorize(user, "delete", attachment);
|
||
await attachment.destroy();
|
||
await Event.create({
|
||
name: "attachments.delete",
|
||
teamId: user.teamId,
|
||
actorId: user.id,
|
||
ip: ctx.request.ip,
|
||
});
|
||
|
||
ctx.body = {
|
||
success: true,
|
||
};
|
||
});
|
||
|
||
const handleAttachmentsRedirect = async (ctx: ContextWithState) => {
|
||
const id = ctx.request.body?.id ?? ctx.request.query?.id;
|
||
assertUuid(id, "id is required");
|
||
|
||
const { user } = ctx.state;
|
||
const attachment = await Attachment.findByPk(id, {
|
||
rejectOnEmpty: true,
|
||
});
|
||
|
||
if (attachment.isPrivate && attachment.teamId !== user.teamId) {
|
||
throw AuthorizationError();
|
||
}
|
||
|
||
await attachment.update({
|
||
lastAccessedAt: new Date(),
|
||
});
|
||
|
||
if (attachment.isPrivate) {
|
||
ctx.redirect(await attachment.signedUrl);
|
||
} else {
|
||
ctx.redirect(attachment.canonicalUrl);
|
||
}
|
||
};
|
||
|
||
router.get("attachments.redirect", auth(), handleAttachmentsRedirect);
|
||
router.post("attachments.redirect", auth(), handleAttachmentsRedirect);
|
||
|
||
export default router;
|