yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
85ca25371c0ccf96aa6ed89f3f3f7c00a228584a
outline/server/routes/api/attachments/attachments.ts
Apoorv Mishra b6141442b7 Validate API request query (#4642) 
* fix: refactor to accommodate authentication, transaction and pagination together into ctx.state

* feat: allow passing response type to APIContext

* feat: preliminary work for initial review

* fix: use unknown for base types

* fix: api/attachments

* fix: api/documents

* fix: jsdoc comment for input

* fix: replace at() with index access for compatibility

* fix: validation err message

* fix: error handling

* fix: remove unnecessary extend
2023-01-05 20:24:03 +05:30

183 lines
4.7 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import Router from "koa-router";
import { v4 as uuidv4 } from "uuid";
import { AttachmentPreset } from "@shared/types";
import { bytesToHumanReadable } from "@shared/utils/files";
import { AttachmentValidation } from "@shared/validations";
import { AuthorizationError, ValidationError } from "@server/errors";
import auth from "@server/middlewares/authentication";
import { transaction } from "@server/middlewares/transaction";
import validate from "@server/middlewares/validate";
import { Attachment, Document, Event } from "@server/models";
import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
import { authorize } from "@server/policies";
import { presentAttachment } from "@server/presenters";
import { APIContext } from "@server/types";
import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
import { assertIn } from "@server/validation";
import * as T from "./schema";
const router = new Router();
router.post(
"attachments.create",
auth(),
validate(T.AttachmentsCreateSchema),
transaction(),
async (ctx: APIContext<T.AttachmentCreateReq>) => {
const { name, documentId, contentType, size, preset } = ctx.input.body;
const { auth, transaction } = ctx.state;
const { user } = auth;
// All user types can upload an avatar so no additional authorization is needed.
if (preset === AttachmentPreset.Avatar) {
assertIn(contentType, AttachmentValidation.avatarContentTypes);
} else if (preset === AttachmentPreset.DocumentAttachment && documentId) {
const document = await Document.findByPk(documentId, {
userId: user.id,
});
authorize(user, "update", document);
} else {
authorize(user, "createAttachment", user.team);
}
const maxUploadSize = AttachmentHelper.presetToMaxUploadSize(preset);
if (size > maxUploadSize) {
throw ValidationError(
`Sorry, this file is too large the maximum size is ${bytesToHumanReadable(
maxUploadSize
)}`
);
}
const modelId = uuidv4();
const acl = AttachmentHelper.presetToAcl(preset);
const key = AttachmentHelper.getKey({
acl,
id: modelId,
name,
userId: user.id,
});
const attachment = await Attachment.create(
{
id: modelId,
key,
acl,
size,
expiresAt: AttachmentHelper.presetToExpiry(preset),
contentType,
documentId,
teamId: user.teamId,
userId: user.id,
},
{ transaction }
);
await Event.create(
{
name: "attachments.create",
data: {
name,
},
modelId,
teamId: user.teamId,
actorId: user.id,
ip: ctx.request.ip,
},
{ transaction }
);
const presignedPost = await getPresignedPost(
key,
acl,
maxUploadSize,
contentType
);
ctx.body = {
data: {
uploadUrl: publicS3Endpoint(),
form: {
"Cache-Control": "max-age=31557600",
"Content-Type": contentType,
...presignedPost.fields,
},
attachment: presentAttachment(attachment),
},
};
}
);
router.post(
"attachments.delete",
auth(),
validate(T.AttachmentDeleteSchema),
async (ctx: APIContext<T.AttachmentDeleteReq>) => {
const { id } = ctx.input.body;
const { user } = ctx.state.auth;
const attachment = await Attachment.findByPk(id, {
rejectOnEmpty: true,
});
if (attachment.documentId) {
const document = await Document.findByPk(attachment.documentId, {
userId: user.id,
});
authorize(user, "update", document);
}
authorize(user, "delete", attachment);
await attachment.destroy();
await Event.create({
name: "attachments.delete",
teamId: user.teamId,
actorId: user.id,
ip: ctx.request.ip,
});
ctx.body = {
success: true,
};
}
);
const handleAttachmentsRedirect = async (
ctx: APIContext<T.AttachmentsRedirectReq>
) => {
const id = (ctx.input.body.id ?? ctx.input.query.id) as string;
const { user } = ctx.state.auth;
const attachment = await Attachment.findByPk(id, {
rejectOnEmpty: true,
});
if (attachment.isPrivate && attachment.teamId !== user.teamId) {
throw AuthorizationError();
}
await attachment.update({
lastAccessedAt: new Date(),
});
if (attachment.isPrivate) {
ctx.redirect(await attachment.signedUrl);
} else {
ctx.redirect(attachment.canonicalUrl);
}
};
router.get(
"attachments.redirect",
auth(),
validate(T.AttachmentsRedirectSchema),
handleAttachmentsRedirect
);
router.post(
"attachments.redirect",
auth(),
validate(T.AttachmentsRedirectSchema),
handleAttachmentsRedirect
);
export default router;
Reference in New Issue View Git Blame Copy Permalink