break: secure file upload and download (public and private)

- prevents user uploads from being publicly accesible - makes all S3 routes go through the API - adds a new API Token concept to only allow BoPS to download user files - side-effect: prevents users from downloading their own files
theopensystemslab · Sep 29, 2022 · 8463075 · 8463075
1 parent 3d0b63f
commit 8463075
Show file tree

Hide file tree

Showing 30 changed files with 1,277 additions and 383 deletions.
diff --git a/api.planx.uk/.env.test.example b/api.planx.uk/.env.test.example
@@ -39,3 +39,4 @@ UNIFORM_TOKEN_URL=👻
 UNIFORM_SUBMISSION_URL=👻
 
 SLACK_WEBHOOK_URL=👻
+FILE_API_KEY=👻
diff --git a/api.planx.uk/Dockerfile b/api.planx.uk/Dockerfile
@@ -32,7 +32,7 @@ ENV NODE_ENV development
 ADD . .
 
 RUN pnpm fetch
-RUN pnpm install --recursive --offline 
+RUN pnpm install --recursive --offline -f
 COPY . .
 
 CMD ["pnpm", "dev"]
diff --git a/api.planx.uk/helpers.js b/api.planx.uk/helpers.js
@@ -97,7 +97,7 @@ const dataMerged = async (id, ob = {}) => {
  * @param {object} newFlow - the new flow data
  * @returns {object} - the new flow data with child nodes included
  */
- const getChildren = (node, originalFlow, newFlow) => {
+const getChildren = (node, originalFlow, newFlow) => {
   if (node.edges) {
     node.edges.forEach((edgeId) => {
       if (!Object.keys(newFlow).includes(edgeId)) {
@@ -116,7 +116,7 @@ const dataMerged = async (id, ob = {}) => {
  * @param {string} replaceValue
  * @returns {object} flowData with updated node ids
  */
- const makeUniqueFlow = (flowData, replaceValue) => {
+const makeUniqueFlow = (flowData, replaceValue) => {
   const charactersToReplace = replaceValue.length;
 
   Object.keys(flowData).forEach((node) => {
@@ -140,4 +140,12 @@ const dataMerged = async (id, ob = {}) => {
   return flowData;
 };
 
-export { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged, getChildren, makeUniqueFlow };
+function buildFilePath(fileKey, fileName) {
+  if (!fileKey || !fileName) {
+    return null;
+  }
+
+  return `${fileKey}/${fileName}`;
+}
+
+export { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged, getChildren, makeUniqueFlow, buildFilePath };
diff --git a/api.planx.uk/package.json b/api.planx.uk/package.json
@@ -26,6 +26,7 @@
     "jsondiffpatch": "^0.4.1",
     "jsonwebtoken": "^8.5.1",
     "mime": "^3.0.0",
+    "multer": "^1.4.4",
     "nanoid": "^3.3.4",
     "notifications-node-client": "^5.1.1",
     "passport": "^0.5.3",