break: secure file upload and download (public and private)

- prevents user uploads from being publicly accesible - makes all S3 routes go through the API - adds a new API Token concept to only allow BoPS to download user files - side-effect: prevents users from downloading their own files
theopensystemslab · Aug 25, 2022 · e81a8c1 · e81a8c1
1 parent b142371
commit e81a8c1
Show file tree

Hide file tree

Showing 28 changed files with 1,057 additions and 266 deletions.
diff --git a/.env b/.env
@@ -56,3 +56,5 @@ GOVUK_NOTIFY_SAVE_RETURN_EMAIL_TEMPLATE_ID=428c4dfd-a70b-44d6-9f81-b4f833d80405
 GOVUK_NOTIFY_RESUME_EMAIL_TEMPLATE_ID=c7202e07-08cf-468e-a6a4-ac528d60d2f7
 GOVUK_NOTIFY_REMINDER_EMAIL_TEMPLATE_ID=43be4c11-a406-4381-b2be-056a1127455d
 GOVUK_NOTIFY_EXPIRY_EMAIL_TEMPLATE_ID=9619f89d-5d33-4cb0-a365-42c431ea9db3
+
+FILE_API_KEY=filekey
diff --git a/api.planx.uk/.env.test b/api.planx.uk/.env.test
@@ -34,3 +34,4 @@ GOVUK_NOTIFY_REMINDER_EMAIL_TEMPLATE_ID=43be4c11-a406-4381-b2be-056a1127455d
 GOVUK_NOTIFY_EXPIRY_EMAIL_TEMPLATE_ID=9619f89d-5d33-4cb0-a365-42c431ea9db3
 
 HASURA_PLANX_API_KEY=testtesttest
+FILE_API_KEY=test
diff --git a/api.planx.uk/helpers.js b/api.planx.uk/helpers.js
@@ -94,4 +94,12 @@ const dataMerged = async (id, ob = {}) => {
   return ob;
 };
 
-export { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged };
+function buildFilePath(fileKey, fileName) {
+  if (!fileKey || !fileName) {
+    return null;
+  }
+
+  return `${fileKey}/${fileName}`;
+}
+
+export { getFlowData, getMostRecentPublishedFlow, getPublishedFlowByDate, dataMerged, buildFilePath };
diff --git a/api.planx.uk/package.json b/api.planx.uk/package.json
@@ -26,6 +26,7 @@
     "jsondiffpatch": "^0.4.1",
     "jsonwebtoken": "^8.5.1",
     "mime": "^3.0.0",
+    "multer": "^1.4.4",
     "nanoid": "^3.3.4",
     "notifications-node-client": "^5.1.1",
     "passport": "^0.5.3",