break: secure file upload and download (public and private)

- prevents user uploads from being publicly accesible
- makes all S3 routes go through the API
- adds a new API Token concept to only allow BoPS to download user files
- side-effect: prevents users from downloading their own files

.env

@@ -55,3 +55,5 @@ GOVUK_NOTIFY_SAVE_RETURN_EMAIL_TEMPLATE_ID=428c4dfd-a70b-44d6-9f81-b4f833d80405
 GOVUK_NOTIFY_RESUME_EMAIL_TEMPLATE_ID=c7202e07-08cf-468e-a6a4-ac528d60d2f7
 GOVUK_NOTIFY_REMINDER_EMAIL_TEMPLATE_ID=43be4c11-a406-4381-b2be-056a1127455d
 GOVUK_NOTIFY_EXPIRY_EMAIL_TEMPLATE_ID=9619f89d-5d33-4cb0-a365-42c431ea9db3
+
+FILE_API_KEY=filekey

api.planx.uk/.env.test

@@ -35,3 +35,4 @@ GOVUK_NOTIFY_EXPIRY_EMAIL_TEMPLATE_ID=9619f89d-5d33-4cb0-a365-42c431ea9db3
 GOVUK_NOTIFY_API_KEY_TEAM=Test
 
 HASURA_PLANX_API_KEY=testtesttest
+FILE_API_KEY=test

api.planx.uk/helpers.js

@@ -94,4 +94,12 @@ const dataMerged = async (id, ob = {}) => {
   return ob;
 };
 
-module.exports = { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged };
+function buildFilePath(fileKey, fileName) {
+  if (!fileKey || !fileName) {
+    return null;
+  }
+
+  return `${fileKey}/${fileName}`;
+}
+
+module.exports = { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged, buildFilePath };

api.planx.uk/package.json

@@ -26,6 +26,7 @@
     "jsondiffpatch": "^0.4.1",
     "jsonwebtoken": "^8.5.1",
     "mime": "^3.0.0",
+    "multer": "^1.4.4",
     "nanoid": "^3.3.4",
     "notifications-node-client": "^5.1.1",
     "passport": "^0.5.3",
@@ -67,4 +68,4 @@
     "node": "^16",
     "pnpm": "^7.8.0"
   }
-}
+}