Extend file adapter with url sign util and add signature and expirati…

…on check in gridfs webhook
unchainedshop · Dec 13, 2024 · bab4558 · bab4558
1 parent 70ea03b
commit bab4558
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 5 deletions.
diff --git a/examples/kitchensink/boot.ts b/examples/kitchensink/boot.ts
@@ -48,7 +48,7 @@ const start = async () => {
     ],
     options: {
       files: {
-        privateFileSharingMaxAge: 1111111111,
+        privateFileSharingMaxAge: 86400000,
       },
       payment: {
         filterSupportedProviders: async ({ providers }) => {

diff --git a/packages/api/src/resolvers/type/media-types.ts b/packages/api/src/resolvers/type/media-types.ts
@@ -1,4 +1,4 @@
-import { File as FileType } from '@unchainedshop/core-files';
+import { filesSettings, File as FileType, getFileAdapter } from '@unchainedshop/core-files';
 import { Context } from '../../context.js';
 import { checkAction } from '../../acl.js';
 import { actions } from '../../roles/index.js';
@@ -8,11 +8,22 @@ export interface MediaHelperTypes {
 }
 
 export const Media: MediaHelperTypes = {
-  url: async (root, params, context) => {
+  url: async (file, params, context) => {
     const { modules } = context;
     try {
-      await checkAction(context, actions.downloadFile, [root, params]);
-      return modules.files.getUrl(root, params);
+      await checkAction(context, actions.downloadFile, [file, params]);
+      const fileUploadAdapter = getFileAdapter();
+      const mediaUrl = modules.files.getUrl(file, params);
+      if (file.isPrivate) {
+        const expiryTimestamp = new Date(
+          new Date().getTime() + (filesSettings?.privateFileSharingMaxAge || 0),
+        ).getTime();
+
+        const mediaSignature = fileUploadAdapter.signUrl(file?._id, expiryTimestamp);
+        return `${mediaUrl}?s=${mediaSignature}&e=${expiryTimestamp}`;
+      } else {
+        return mediaUrl;
+      }
     } catch (e) {
       console.error(e);
       return null;

diff --git a/packages/core-files/src/types.ts b/packages/core-files/src/types.ts
@@ -9,6 +9,7 @@ export type File = {
   size?: number;
   type?: string;
   url?: string;
+  isPrivate?: boolean;
 } & TimestampFields;
 
 export type SignedFileUpload = File & {

diff --git a/packages/file-upload/src/director/FileAdapter.ts b/packages/file-upload/src/director/FileAdapter.ts
@@ -2,8 +2,20 @@ import { Readable } from 'stream';
 import { log, LogLevel } from '@unchainedshop/logger';
 import { IBaseAdapter } from '@unchainedshop/utils';
 import { UploadedFile, UploadFileData } from '../types.js';
+import crypto from 'crypto';
+
+const signUrl = (fileUrl: string, expiry: number): string => {
+  const secretKey = process.env.UNCHAINED_SECRET;
+  if (!secretKey) {
+    throw new Error('UNCHAINED_SECRET is not set in environment variables');
+  }
+
+  const data = `${fileUrl}:${expiry}`;
+  return crypto.createHmac('sha256', secretKey).update(data).digest('hex');
+};
 
 export interface IFileAdapter<Context = unknown> extends IBaseAdapter {
+  signUrl: (fileUrl: string, expiry: number) => string;
   createSignedURL: (
     directoryName: string,
     fileName: string,
@@ -29,6 +41,7 @@ export interface IFileAdapter<Context = unknown> extends IBaseAdapter {
   createDownloadStream: (file: UploadedFile, unchainedAPI: Context) => Promise<Readable>;
 }
 export const FileAdapter: Omit<IFileAdapter, 'key' | 'label' | 'version'> = {
+  signUrl,
   createSignedURL() {
     return new Promise<null>((resolve) => {
       resolve(null);

diff --git a/packages/plugins/src/files/gridfs/gridfs-webhook.ts b/packages/plugins/src/files/gridfs/gridfs-webhook.ts
@@ -6,6 +6,7 @@ import express from 'express';
 import sign from './sign.js';
 import { configureGridFSFileUploadModule } from './index.js';
 import { Context } from '@unchainedshop/api';
+import { getFileAdapter } from '@unchainedshop/core-files';
 
 const { ROOT_URL } = process.env;
 
@@ -76,8 +77,21 @@ export const gridfsHandler = async (
 
     if (req.method === 'GET') {
       const fileId = fileName;
+      const { s: signature, e: expiryTimestamp } = req.query;
 
       const file = await modules.gridfsFileUploads.getFileInfo(directoryName, fileId);
+      if (signature && expiryTimestamp) {
+        const fileDocument = await modules.files.findFile({ fileId });
+        if (fileDocument.isPrivate) {
+          const fileAdapter = getFileAdapter();
+          const fileSignature = fileAdapter.signUrl(fileId, parseInt(expiryTimestamp));
+          if (fileSignature !== signature || parseInt(expiryTimestamp, 10) <= Date.now()) {
+            res.statusCode = 403;
+            res.end('Access restricted: Invalid or expired signature.');
+            return;
+          }
+        }
+      }
       if (file?.metadata?.['content-type']) {
         res.setHeader('Content-Type', file.metadata['content-type']);
       }