@flusys/nestjs-storage 1.0.0-beta → 1.0.0-rc

package/fesm/controllers/folder.controller.js

@@ -25,13 +25,56 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { createApiController } from '@flusys/nestjs-shared/classes';
+import { createApiController, FOLDER_PERMISSIONS } from '@flusys/nestjs-shared/classes';
 import { CreateFolderDto, FolderResponseDto, UpdateFolderDto } from '../dtos';
 import { Controller, Inject } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { FolderService } from '../services/folder.service';
 export class FolderController extends createApiController(CreateFolderDto, UpdateFolderDto, FolderResponseDto, {
-    security: 'jwt'
+    security: {
+        insert: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.CREATE
+            ]
+        },
+        insertMany: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.CREATE
+            ]
+        },
+        getById: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.READ
+            ]
+        },
+        getAll: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.READ
+            ]
+        },
+        update: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.UPDATE
+            ]
+        },
+        updateMany: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.UPDATE
+            ]
+        },
+        delete: {
+            level: 'permission',
+            permissions: [
+                FOLDER_PERMISSIONS.DELETE
+            ]
+        }
+    }
 }) {
     constructor(folderService){
         super(folderService), _define_property(this, "folderService", void 0), this.folderService = folderService;

package/fesm/controllers/storage-config.controller.js

@@ -25,13 +25,56 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { createApiController } from '@flusys/nestjs-shared/classes';
+import { createApiController, STORAGE_CONFIG_PERMISSIONS } from '@flusys/nestjs-shared/classes';
 import { CreateStorageConfigDto, StorageConfigResponseDto, UpdateStorageConfigDto } from '../dtos';
 import { Controller, Inject } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { StorageProviderConfigService } from '../services/storage-provider-config.service';
 export class StorageConfigController extends createApiController(CreateStorageConfigDto, UpdateStorageConfigDto, StorageConfigResponseDto, {
-    security: 'jwt'
+    security: {
+        insert: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.CREATE
+            ]
+        },
+        insertMany: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.CREATE
+            ]
+        },
+        getById: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.READ
+            ]
+        },
+        getAll: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.READ
+            ]
+        },
+        update: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.UPDATE
+            ]
+        },
+        updateMany: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.UPDATE
+            ]
+        },
+        delete: {
+            level: 'permission',
+            permissions: [
+                STORAGE_CONFIG_PERMISSIONS.DELETE
+            ]
+        }
+    }
 }) {
     constructor(storageConfigService){
         super(storageConfigService), _define_property(this, "storageConfigService", void 0), this.storageConfigService = storageConfigService;

package/fesm/controllers/upload.controller.js

@@ -26,15 +26,13 @@ function _ts_param(paramIndex, decorator) {
     };
 }
 import { JwtAuthGuard } from '@flusys/nestjs-shared/guards';
-import { ApiResponseDto, CurrentUser } from '@flusys/nestjs-shared/decorators';
+import { ApiResponseDto, CurrentUser, RequirePermission } from '@flusys/nestjs-shared/decorators';
 import { ILoggedUserInfo } from '@flusys/nestjs-shared/interfaces';
 import { DeleteMultipleFileDto, DeleteSingleFileDto, FileUploadResponsePayloadDto, UploadOptionsDto } from '../dtos';
 import { Body, Controller, Inject, Post, Query, UploadedFile, UploadedFiles, UseGuards, UseInterceptors } from '@nestjs/common';
 import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express';
 import { ApiBearerAuth, ApiBody, ApiConsumes, ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { UploadService } from '../services/upload.service';
-import { StorageConfigService } from '../config';
-import { StorageFactoryService } from '../providers/storage-factory.service';
 export class UploadController {
     async uploadSingleFile(file, options, user) {
         const result = await this.uploadService.uploadSingleFile(file, options, user);
@@ -83,17 +81,14 @@ export class UploadController {
             data
         };
     }
-    constructor(uploadService, storageConfigService, storageFactoryService){
+    constructor(uploadService){
         _define_property(this, "uploadService", void 0);
-        _define_property(this, "storageConfigService", void 0);
-        _define_property(this, "storageFactoryService", void 0);
         this.uploadService = uploadService;
-        this.storageConfigService = storageConfigService;
-        this.storageFactoryService = storageFactoryService;
     }
 }
 _ts_decorate([
     Post('single-file'),
+    RequirePermission('file.upload'),
     ApiResponseDto(FileUploadResponsePayloadDto, false),
     ApiOperation({
         summary: 'Upload a single file'
@@ -135,6 +130,7 @@ _ts_decorate([
 ], UploadController.prototype, "uploadSingleFile", null);
 _ts_decorate([
     Post('multiple-file'),
+    RequirePermission('file.upload'),
     ApiOperation({
         summary: 'Upload multiple files (up to 50)'
     }),
@@ -179,6 +175,7 @@ _ts_decorate([
 ], UploadController.prototype, "uploadMultipleFiles", null);
 _ts_decorate([
     Post('delete-single-file'),
+    RequirePermission('file.delete'),
     ApiOperation({
         summary: 'Delete a single file'
     }),
@@ -196,6 +193,7 @@ _ts_decorate([
 ], UploadController.prototype, "deleteSingleFile", null);
 _ts_decorate([
     Post('delete-multiple-file'),
+    RequirePermission('file.delete'),
     ApiOperation({
         summary: 'Delete multiple files'
     }),
@@ -217,12 +215,8 @@ UploadController = _ts_decorate([
     Controller('storage/upload'),
     UseGuards(JwtAuthGuard),
     _ts_param(0, Inject(UploadService)),
-    _ts_param(1, Inject(StorageConfigService)),
-    _ts_param(2, Inject(StorageFactoryService)),
     _ts_metadata("design:type", Function),
     _ts_metadata("design:paramtypes", [
-        typeof UploadService === "undefined" ? Object : UploadService,
-        typeof StorageConfigService === "undefined" ? Object : StorageConfigService,
-        typeof StorageFactoryService === "undefined" ? Object : StorageFactoryService
+        typeof UploadService === "undefined" ? Object : UploadService
     ])
 ], UploadController);

package/fesm/dtos/file-manager.dto.js

@@ -37,8 +37,8 @@ export class CreateFileManagerDto {
 }
 _ts_decorate([
     ApiProperty({
-        description: 'Name of the FileManager item',
-        example: 'Summer Vacation 2025'
+        description: 'Original file name',
+        example: 'vacation-photo.jpg'
     }),
     IsNotEmpty(),
     IsString(),
@@ -46,8 +46,8 @@ _ts_decorate([
 ], CreateFileManagerDto.prototype, "name", void 0);
 _ts_decorate([
     ApiProperty({
-        description: 'Name of the FileManager item',
-        example: 'Summer Vacation 2025'
+        description: 'Storage key or path of the file',
+        example: 'uploads/abc123-vacation-photo.jpg'
     }),
     IsNotEmpty(),
     IsString(),
@@ -115,10 +115,11 @@ export class UpdateFileManagerDto extends PartialType(CreateFileManagerDto) {
 }
 _ts_decorate([
     ApiProperty({
-        description: 'Unique identifier of the folder',
+        description: 'Unique identifier of the file',
         example: 'f2e9c8d0-7a2a-11eb-9439-0242ac130002'
     }),
     IsNotEmpty(),
+    IsString(),
     _ts_metadata("design:type", String)
 ], UpdateFileManagerDto.prototype, "id", void 0);
 export class FileManagerResponseDto extends UpdateFileManagerDto {
@@ -142,6 +143,8 @@ _ts_decorate([
     ApiProperty({
         example: 'f2e9c8d0-7a2a-11eb-9439-0242ac130002'
     }),
+    IsNotEmpty(),
+    IsString(),
     _ts_metadata("design:type", String)
 ], GetFilesRequestDto.prototype, "id", void 0);
 export class FilesResponseDto {

package/fesm/dtos/storage-config.dto.js

@@ -23,14 +23,14 @@ function _ts_metadata(k, v) {
 import { IdentityResponseDto } from '@flusys/nestjs-shared/dtos';
 import { FileLocationEnum } from '../enums';
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsEnum, IsNotEmpty, IsObject, IsOptional, IsString, MaxLength } from 'class-validator';
-/**
- * DTO for creating storage configuration
- */ export class CreateStorageConfigDto {
+import { IsBoolean, IsEnum, IsNotEmpty, IsObject, IsOptional, IsString, MaxLength } from 'class-validator';
+export class CreateStorageConfigDto {
     constructor(){
         _define_property(this, "name", void 0);
         _define_property(this, "storage", void 0);
         _define_property(this, "config", void 0);
+        _define_property(this, "isActive", void 0);
+        _define_property(this, "isDefault", void 0);
     }
 }
 _ts_decorate([
@@ -78,14 +78,32 @@ _ts_decorate([
     IsNotEmpty(),
     _ts_metadata("design:type", typeof Record === "undefined" ? Object : Record)
 ], CreateStorageConfigDto.prototype, "config", void 0);
-/**
- * DTO for updating storage configuration
- */ export class UpdateStorageConfigDto {
+_ts_decorate([
+    ApiPropertyOptional({
+        example: true,
+        description: 'Whether storage configuration is active'
+    }),
+    IsBoolean(),
+    IsOptional(),
+    _ts_metadata("design:type", Boolean)
+], CreateStorageConfigDto.prototype, "isActive", void 0);
+_ts_decorate([
+    ApiPropertyOptional({
+        example: false,
+        description: 'Set as default storage configuration'
+    }),
+    IsBoolean(),
+    IsOptional(),
+    _ts_metadata("design:type", Boolean)
+], CreateStorageConfigDto.prototype, "isDefault", void 0);
+export class UpdateStorageConfigDto {
     constructor(){
         _define_property(this, "id", void 0);
         _define_property(this, "name", void 0);
         _define_property(this, "storage", void 0);
         _define_property(this, "config", void 0);
+        _define_property(this, "isActive", void 0);
+        _define_property(this, "isDefault", void 0);
     }
 }
 _ts_decorate([
@@ -140,10 +158,26 @@ _ts_decorate([
     IsOptional(),
     _ts_metadata("design:type", typeof Record === "undefined" ? Object : Record)
 ], UpdateStorageConfigDto.prototype, "config", void 0);
-/**
- * Response DTO for storage configuration
- */ export class StorageConfigResponseDto extends IdentityResponseDto {
+_ts_decorate([
+    ApiPropertyOptional({
+        example: true,
+        description: 'Whether storage configuration is active'
+    }),
+    IsBoolean(),
+    IsOptional(),
+    _ts_metadata("design:type", Boolean)
+], UpdateStorageConfigDto.prototype, "isActive", void 0);
+_ts_decorate([
+    ApiPropertyOptional({
+        example: false,
+        description: 'Set as default storage configuration'
+    }),
+    IsBoolean(),
+    IsOptional(),
+    _ts_metadata("design:type", Boolean)
+], UpdateStorageConfigDto.prototype, "isDefault", void 0);
+export class StorageConfigResponseDto extends IdentityResponseDto {
     constructor(...args){
-        super(...args), _define_property(this, "name", void 0), _define_property(this, "storage", void 0), _define_property(this, "config", void 0);
+        super(...args), _define_property(this, "name", void 0), _define_property(this, "storage", void 0), _define_property(this, "config", void 0), _define_property(this, "isActive", void 0), _define_property(this, "isDefault", void 0);
     }
 }

package/fesm/dtos/upload.dto.js

@@ -21,7 +21,7 @@ function _ts_metadata(k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsBoolean, IsEnum, IsInt, IsOptional, IsUUID, Matches, Max, Min } from 'class-validator';
+import { IsArray, IsBoolean, IsEnum, IsInt, IsNotEmpty, IsOptional, IsString, IsUUID, Matches, Max, Min } from 'class-validator';
 import { Type } from 'class-transformer';
 // Image format enum
 export var ImageFormat = /*#__PURE__*/ function(ImageFormat) {
@@ -42,6 +42,8 @@ _ts_decorate([
         description: 'Key of the file to delete',
         example: '/uploads/some path'
     }),
+    IsNotEmpty(),
+    IsString(),
     _ts_metadata("design:type", String)
 ], DeleteSingleFileDto.prototype, "key", void 0);
 _ts_decorate([
@@ -70,6 +72,11 @@ _ts_decorate([
             String
         ]
     }),
+    IsNotEmpty(),
+    IsArray(),
+    IsString({
+        each: true
+    }),
     _ts_metadata("design:type", Array)
 ], DeleteMultipleFileDto.prototype, "keys", void 0);
 _ts_decorate([

package/fesm/entities/index.js

@@ -28,14 +28,10 @@ export const StorageCompanyEntities = [
     FolderWithCompany,
     StorageConfigWithCompany
 ];
-// All entities
 export const StorageAllEntities = [
     ...StorageCoreEntities,
     ...StorageCompanyEntities
 ];
-/**
- * Get Storage entities based on configuration
- * @param enableCompanyFeature - Whether company feature is enabled
- */ export function getStorageEntitiesByConfig(enableCompanyFeature) {
+export function getStorageEntitiesByConfig(enableCompanyFeature) {
     return enableCompanyFeature ? StorageCompanyEntities : StorageCoreEntities;
 }

package/fesm/entities/storage-config-base.entity.js

@@ -22,14 +22,10 @@ function _ts_metadata(k, v) {
 }
 import { Identity } from '@flusys/nestjs-shared/entities';
 import { FileLocationEnum } from '../enums';
-import { Column } from 'typeorm';
-/**
- * Base StorageConfig Entity
- * Contains common fields shared by both StorageConfig and StorageConfigWithCompany
- */ export class StorageConfigBase extends Identity {
+import { Column, Index } from 'typeorm';
+export class StorageConfigBase extends Identity {
     constructor(...args){
-        super(...args), _define_property(this, "name", void 0), _define_property(this, "storage", void 0), // add config for storage
-        _define_property(this, "config", void 0);
+        super(...args), _define_property(this, "name", void 0), _define_property(this, "storage", void 0), _define_property(this, "config", void 0), _define_property(this, "isActive", void 0), _define_property(this, "isDefault", void 0);
     }
 }
 _ts_decorate([
@@ -55,3 +51,33 @@ _ts_decorate([
     }),
     _ts_metadata("design:type", typeof Record === "undefined" ? Object : Record)
 ], StorageConfigBase.prototype, "config", void 0);
+_ts_decorate([
+    Column({
+        type: 'boolean',
+        default: true,
+        name: 'is_active'
+    }),
+    _ts_metadata("design:type", Boolean)
+], StorageConfigBase.prototype, "isActive", void 0);
+_ts_decorate([
+    Column({
+        type: 'boolean',
+        default: false,
+        name: 'is_default'
+    }),
+    _ts_metadata("design:type", Boolean)
+], StorageConfigBase.prototype, "isDefault", void 0);
+StorageConfigBase = _ts_decorate([
+    Index([
+        'name'
+    ]),
+    Index([
+        'storage'
+    ]),
+    Index([
+        'isActive'
+    ]),
+    Index([
+        'isDefault'
+    ])
+], StorageConfigBase);

package/fesm/interfaces/index.js

@@ -1,5 +1,4 @@
 export * from './file-manager.interface';
-export * from './file-upload-response.interface';
 export * from './folder.interface';
 export * from './storage-config.interface';
 export * from './storage-module-options.interface';

package/fesm/interfaces/storage-config.interface.js

@@ -1,3 +1 @@
-/**
- * SFTP Configuration
- */ export { };
+export { };

package/fesm/middlewares/file-serve.middleware.js

@@ -20,7 +20,12 @@ function _ts_decorate(decorators, target, key, desc) {
 function _ts_metadata(k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-import { Injectable, Logger, NotFoundException } from '@nestjs/common';
+function _ts_param(paramIndex, decorator) {
+    return function(target, key) {
+        decorator(target, key, paramIndex);
+    };
+}
+import { Injectable, Logger, NotFoundException, Inject } from '@nestjs/common';
 import { createReadStream, existsSync, statSync } from 'fs';
 import { join, resolve } from 'path';
 import * as mime from 'mime-types';
@@ -146,6 +151,7 @@ export class FileServeMiddleware {
 }
 FileServeMiddleware = _ts_decorate([
     Injectable(),
+    _ts_param(0, Inject(UploadService)),
     _ts_metadata("design:type", Function),
     _ts_metadata("design:paramtypes", [
         typeof UploadService === "undefined" ? Object : UploadService

package/fesm/providers/local-provider.js

@@ -32,6 +32,29 @@ import { v4 as uuidv4 } from 'uuid';
  * Uses Node.js built-in fs module - no external dependencies
  */ export class LocalProvider {
     /**
+   * SECURITY: Validates that a target path does not escape the base directory
+   * Prevents path traversal attacks using ../ sequences
+   * @throws Error if path traversal is detected
+   */ validatePathWithinBase(targetPath) {
+        const normalizedBasePath = path.resolve(this.basePath);
+        const normalizedTargetPath = path.resolve(targetPath);
+        if (!normalizedTargetPath.startsWith(normalizedBasePath + path.sep) && normalizedTargetPath !== normalizedBasePath) {
+            this.logger.warn(`Path traversal attempt detected: ${targetPath}`);
+            throw new Error('Invalid path: Path traversal attempt detected');
+        }
+    }
+    /**
+   * SECURITY: Validates file key format to prevent malicious input
+   * @throws Error if key contains suspicious patterns
+   */ validateKeyFormat(key) {
+        if (!key || typeof key !== 'string' || key.trim().length === 0) {
+            throw new Error('Invalid file key: empty or invalid');
+        }
+        if (key.includes('\0')) {
+            throw new Error('Invalid file key: contains null bytes');
+        }
+    }
+    /**
    * Initialize Local File System provider with configuration
    * @param config.basePath - Base path for file storage (default: './uploads')
    * @param config.baseUrl - Optional base URL for generating file URLs
@@ -64,7 +87,11 @@ import { v4 as uuidv4 } from 'uuid';
         }
         // Build file path
         const folderPath = options.folderPath ? path.join(this.basePath, options.folderPath) : this.basePath;
+        // SECURITY: Validate path does not escape base directory
+        this.validatePathWithinBase(folderPath);
         const filePath = path.join(folderPath, fileName);
+        // SECURITY: Double-check final file path
+        this.validatePathWithinBase(filePath);
         // Ensure directory exists
         await fs.mkdir(folderPath, {
             recursive: true
@@ -87,14 +114,20 @@ import { v4 as uuidv4 } from 'uuid';
     }
     async deleteFile(key) {
         try {
+            // SECURITY: Validate key format first
+            this.validateKeyFormat(key);
             // Key now includes the basePath, resolve from cwd
             let filePath = path.resolve(key);
+            // SECURITY: Validate resolved path is within base directory
+            this.validatePathWithinBase(filePath);
             // Check if file exists at the resolved path
             try {
                 await fs.access(filePath);
             } catch  {
                 // Fallback: try with basePath prefix (for old keys without basePath)
                 const fallbackPath = path.join(this.basePath, key);
+                // SECURITY: Validate fallback path as well
+                this.validatePathWithinBase(fallbackPath);
                 try {
                     await fs.access(fallbackPath);
                     filePath = fallbackPath;
@@ -107,7 +140,11 @@ import { v4 as uuidv4 } from 'uuid';
             }
             await fs.unlink(filePath);
             this.logger.log(`Deleted file from local storage: ${key}`);
-        } catch (_error) {
+        } catch (error) {
+            // Re-throw security errors
+            if (error instanceof Error && error.message.includes('Invalid')) {
+                throw error;
+            }
             this.logger.warn(`Failed to delete file from local storage: ${key}`);
         }
     }
@@ -138,14 +175,23 @@ import { v4 as uuidv4 } from 'uuid';
    * Get the absolute path for a file key
    * Key now includes basePath, so resolve from cwd
    */ getAbsolutePath(key) {
-        return path.resolve(key);
+        // SECURITY: Validate key format
+        this.validateKeyFormat(key);
+        const filePath = path.resolve(key);
+        // SECURITY: Validate path is within base directory
+        this.validatePathWithinBase(filePath);
+        return filePath;
     }
     /**
    * Check if a file exists
    */ async fileExists(key) {
         try {
+            // SECURITY: Validate key format
+            this.validateKeyFormat(key);
             // Key now includes basePath, resolve from cwd
             const filePath = path.resolve(key);
+            // SECURITY: Validate path is within base directory
+            this.validatePathWithinBase(filePath);
             await fs.access(filePath);
             return true;
         } catch  {
@@ -155,8 +201,12 @@ import { v4 as uuidv4 } from 'uuid';
     /**
    * Get file stats
    */ async getFileStats(key) {
+        // SECURITY: Validate key format
+        this.validateKeyFormat(key);
         // Key now includes basePath, resolve from cwd
         const filePath = path.resolve(key);
+        // SECURITY: Validate path is within base directory
+        this.validatePathWithinBase(filePath);
         const stats = await fs.stat(filePath);
         return {
             size: stats.size,

package/fesm/providers/storage-factory.service.js

@@ -79,8 +79,8 @@ export class StorageFactoryService {
         } catch (error) {
             this.logger.error(`Failed to create provider ${config.provider}:`, error);
             // Preserve original error message for better debugging
-            const originalMessage = error?.message || 'Unknown error';
-            throw new Error(`Failed to initialize storage provider '${config.provider}': ${originalMessage}`);
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            throw new Error(`Failed to initialize storage provider '${config.provider}': ${errorMessage}`);
         }
     }
     /**