@flusys/nestjs-storage 0.1.0-beta.3 → 1.0.0-rc

package/cjs/services/storage-provider-config.service.js

@@ -10,6 +10,7 @@ Object.defineProperty(exports, "StorageProviderConfigService", {
 });
 const _classes = require("@flusys/nestjs-shared/classes");
 const _modules = require("@flusys/nestjs-shared/modules");
+const _utils = require("@flusys/nestjs-shared/utils");
 const _common = require("@nestjs/common");
 const _config = require("../config");
 const _entities = require("../entities");
@@ -42,73 +43,51 @@ function _ts_param(paramIndex, decorator) {
     };
 }
 let StorageProviderConfigService = class StorageProviderConfigService extends _classes.RequestScopedApiService {
-    /**
-   * Resolve entity class for this service
-   * @returns StorageConfig or StorageConfigWithCompany based on configuration
-   */ resolveEntity() {
-        const enableCompanyFeature = this.storageConfig.isCompanyFeatureEnabled();
-        return enableCompanyFeature ? _entities.StorageConfigWithCompany : _entities.StorageConfig;
+    resolveEntity() {
+        return this.storageConfig.isCompanyFeatureEnabled() ? _entities.StorageConfigWithCompany : _entities.StorageConfig;
     }
-    /**
-   * Get DataSource provider for this service
-   * @returns StorageDataSourceProvider instance
-   */ getDataSourceProvider() {
+    getDataSourceProvider() {
         return this.dataSourceProvider;
     }
     async convertSingleDtoToEntity(dto, user) {
-        let storageConfig = {};
-        // Set basic fields
-        storageConfig = {
-            ...storageConfig,
-            ...dto
-        };
-        // Only set company fields if they exist on the entity (when company feature is enabled)
-        if ('companyId' in storageConfig) {
-            storageConfig.companyId = user?.companyId ?? null;
+        const entity = await super.convertSingleDtoToEntity(dto, user);
+        if (this.storageConfig.isCompanyFeatureEnabled()) {
+            entity.companyId = user?.companyId ?? null;
         }
-        return storageConfig;
+        return entity;
     }
     async getSelectQuery(query, _user, select) {
-        if (!select || !select.length) {
+        if (!select?.length) {
             select = [
                 'id',
                 'name',
                 'storage',
                 'config',
+                'isActive',
+                'isDefault',
                 'createdAt',
                 'updatedAt'
             ];
-            // Add company fields if company feature is enabled
             if (this.storageConfig.isCompanyFeatureEnabled()) {
                 select.push('companyId');
             }
         }
-        const selectFields = select.map((field)=>`${this.entityName}.${field}`);
-        query.select(selectFields);
+        query.select(select.map((f)=>`${this.entityName}.${f}`));
         return {
             query,
             isRaw: false
         };
     }
-    /**
-   * Override: Extra query manipulation - Auto-filter by user's company
-   */ async getExtraManipulateQuery(query, filterDto, user) {
+    async getExtraManipulateQuery(query, filterDto, user) {
         const result = await super.getExtraManipulateQuery(query, filterDto, user);
-        // If company feature enabled and user has companyId, filter by user's company
-        const enableCompanyFeature = this.storageConfig.isCompanyFeatureEnabled();
-        if (enableCompanyFeature && user?.companyId) {
-            query.andWhere('storageConfig.companyId = :companyId', {
-                companyId: user.companyId
-            });
-        }
+        (0, _utils.applyCompanyFilter)(query, {
+            isCompanyFeatureEnabled: this.storageConfig.isCompanyFeatureEnabled(),
+            entityAlias: 'storageConfig'
+        }, user);
         query.orderBy(`${this.entityName}.createdAt`, 'DESC');
         return result;
     }
-    /**
-   * Find storage config by ID without throwing (returns null if not found)
-   * Uses direct repository query - bypasses company filtering
-   * Use for internal operations like file deletion where config ID is already known
-   */ async findByIdDirect(id) {
+    async findByIdDirect(id) {
         await this.ensureRepositoryInitialized();
         return await this.repository.findOne({
             where: {
@@ -116,21 +95,15 @@ let StorageProviderConfigService = class StorageProviderConfigService extends _c
             }
         });
     }
-    /**
-   * Get default storage configuration (scoped to user's company if enabled)
-   * Falls back to any available config if 'default' not found
-   */ async getDefaultConfig(user) {
+    async getDefaultConfig(user) {
         await this.ensureRepositoryInitialized();
-        const baseWhere = {};
-        // Filter by company only if company feature is enabled and user is provided
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            baseWhere.companyId = user.companyId;
-        }
-        // First try to find config named 'default'
+        const baseWhere = (0, _utils.buildCompanyWhereCondition)({
+            isActive: true
+        }, this.storageConfig.isCompanyFeatureEnabled(), user);
         const defaultConfig = await this.repository.findOne({
             where: {
                 ...baseWhere,
-                name: 'default'
+                isDefault: true
             },
             order: {
                 createdAt: 'ASC'
@@ -139,7 +112,6 @@ let StorageProviderConfigService = class StorageProviderConfigService extends _c
         if (defaultConfig) {
             return defaultConfig;
         }
-        // Fall back to any available config for this company/user
         return await this.repository.findOne({
             where: baseWhere,
             order: {
@@ -147,24 +119,17 @@ let StorageProviderConfigService = class StorageProviderConfigService extends _c
             }
         });
     }
-    /**
-   * Get storage configuration by type (scoped to user's company if enabled)
-   */ async getConfigByType(storage, user) {
+    async getConfigByType(storage, user) {
         await this.ensureRepositoryInitialized();
-        const where = {
-            storage
-        };
-        // Filter by company only if company feature is enabled and user is provided
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            where.companyId = user.companyId;
-        }
+        const where = (0, _utils.buildCompanyWhereCondition)({
+            storage,
+            isActive: true
+        }, this.storageConfig.isCompanyFeatureEnabled(), user);
         return await this.repository.find({
             where
         });
     }
-    // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
     constructor(cacheManager, utilsService, storageConfig, dataSourceProvider){
-        // Repository will be set asynchronously by RequestScopedApiService
         super('storageConfig', null, cacheManager, utilsService, StorageProviderConfigService.name, true), _define_property(this, "cacheManager", void 0), _define_property(this, "utilsService", void 0), _define_property(this, "storageConfig", void 0), _define_property(this, "dataSourceProvider", void 0), this.cacheManager = cacheManager, this.utilsService = utilsService, this.storageConfig = storageConfig, this.dataSourceProvider = dataSourceProvider;
     }
 };

package/cjs/services/upload.service.js

@@ -8,11 +8,13 @@ Object.defineProperty(exports, "UploadService", {
         return UploadService;
     }
 });
+const _utils = require("@flusys/nestjs-shared/utils");
 const _common = require("@nestjs/common");
 const _config = require("../config");
 const _filelocationenum = require("../enums/file-location.enum");
 const _storagefactoryservice = require("../providers/storage-factory.service");
 const _storageproviderconfigservice = require("./storage-provider-config.service");
+const _filevalidatorutil = require("../utils/file-validator.util");
 function _define_property(obj, key, value) {
     if (key in obj) {
         Object.defineProperty(obj, key, {
@@ -42,18 +44,32 @@ function _ts_param(paramIndex, decorator) {
 }
 let UploadService = class UploadService {
     /**
-   * Validate file before upload
+   * Validate file before upload - includes size, type, and content validation.
+   * Uses magic bytes to verify file content matches declared MIME type.
    */ validateFile(file) {
         // Validate file size
         const sizeValidation = this.storageConfigService.validateFileSize(file.size);
         if (!sizeValidation.valid) {
             throw new _common.BadRequestException(sizeValidation.message);
         }
-        // Validate file type
+        // Validate declared file type (MIME)
         const typeValidation = this.storageConfigService.validateFileType(file.mimetype);
         if (!typeValidation.valid) {
             throw new _common.BadRequestException(typeValidation.message);
         }
+        // Validate file content matches declared type (magic bytes check)
+        // This prevents MIME type spoofing attacks
+        const allowedTypes = this.storageConfigService.getAllowedFileTypes();
+        const contentValidation = _filevalidatorutil.FileValidator.validateFileContent(file.buffer, file.mimetype, allowedTypes);
+        if (!contentValidation.valid) {
+            this.logger.warn(`File content validation failed: ${contentValidation.message}`, {
+                declaredType: file.mimetype,
+                detectedType: contentValidation.detectedType
+            });
+            throw new _common.BadRequestException(contentValidation.message || 'File content validation failed');
+        }
+        // Sanitize filename to prevent path traversal attacks
+        file.originalname = _filevalidatorutil.FileValidator.sanitizeFilename(file.originalname);
     }
     /**
    * Get storage provider and config info based on storage config ID
@@ -67,13 +83,8 @@ let UploadService = class UploadService {
             if (!config) {
                 throw new _common.NotFoundException('Storage configuration not found');
             }
-            // Validate company ownership if company feature enabled
-            if (this.storageConfigService.isCompanyFeatureEnabled() && user?.companyId) {
-                const configWithCompany = config;
-                if (configWithCompany.companyId && configWithCompany.companyId !== user.companyId) {
-                    throw new _common.BadRequestException('Storage configuration belongs to another company');
-                }
-            }
+            // Validate company ownership using shared utility
+            (0, _utils.validateCompanyOwnership)(config, user, this.storageConfigService.isCompanyFeatureEnabled(), 'Storage configuration');
             storageConfig = config;
         } else {
             // Use default config (scoped to user's company/branch)
@@ -178,9 +189,9 @@ let UploadService = class UploadService {
                 location,
                 storageConfigId: configId
             };
-        } catch (err) {
-            this.logger.error('Single file upload failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Single file upload failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'uploadSingleFile');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async uploadMultipleFiles(files, options, user) {
@@ -197,31 +208,31 @@ let UploadService = class UploadService {
                     location,
                     storageConfigId: configId
                 }));
-        } catch (err) {
-            this.logger.error('Multiple files upload failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Multiple files upload failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'uploadMultipleFiles');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async deleteSingleFile(key, storageConfigId, user, locationHint) {
         try {
-            if (!key) throw new Error('No file path provided');
+            if (!key) throw new _common.BadRequestException('No file path provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteFile(key);
             return true;
-        } catch (err) {
-            this.logger.error('Delete single file failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Delete single file failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'deleteSingleFile');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async deleteMultipleFile(keys, storageConfigId, user, locationHint) {
         try {
-            if (!keys || !keys.length) throw new Error('No file paths provided');
+            if (!keys || !keys.length) throw new _common.BadRequestException('No file paths provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteMultipleFiles(keys);
             return true;
-        } catch (err) {
-            this.logger.error('Delete multiple files failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Delete multiple files failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'deleteMultipleFiles');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     bytesToKb(bytes) {
@@ -251,7 +262,8 @@ let UploadService = class UploadService {
             }
             return null;
         } catch (error) {
-            this.logger.warn(`Failed to get local storage basePath: ${error.message}`);
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger.warn(`Failed to get local storage basePath: ${errorMessage}`);
             return null;
         }
     }
@@ -268,9 +280,9 @@ let UploadService = class UploadService {
             }
             // For SFTP or other providers without presigned URLs
             return key;
-        } catch (err) {
-            this.logger.error('Generate file URL failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Generate file URL failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'makeFileUrl');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild