npm - @flusys/nestjs-storage - Versions diffs - 1.0.0-beta → 1.0.0-rc - Mend

@flusys/nestjs-storage 1.0.0-beta → 1.0.0-rc

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/README.md +131 -13
package/cjs/config/storage-config.service.js +5 -0
package/cjs/config/storage.constants.js +0 -8
package/cjs/controllers/file-manager.controller.js +44 -1
package/cjs/controllers/folder.controller.js +44 -1
package/cjs/controllers/storage-config.controller.js +44 -1
package/cjs/controllers/upload.controller.js +6 -12
package/cjs/dtos/file-manager.dto.js +8 -5
package/cjs/dtos/storage-config.dto.js +41 -1
package/cjs/dtos/upload.dto.js +7 -0
package/cjs/entities/storage-config-base.entity.js +31 -2
package/cjs/interfaces/index.js +0 -1
package/cjs/middlewares/file-serve.middleware.js +6 -0
package/cjs/providers/local-provider.js +52 -2
package/cjs/providers/storage-factory.service.js +2 -2
package/cjs/services/file-manager.service.js +37 -24
package/cjs/services/folder.service.js +5 -8
package/cjs/services/storage-provider-config.service.js +18 -35
package/cjs/services/upload.service.js +39 -27
package/cjs/utils/file-validator.util.js +470 -0
package/cjs/utils/image-compressor.util.js +1 -3
package/config/storage-config.service.d.ts +5 -2
package/config/storage.constants.d.ts +0 -2
package/controllers/upload.controller.d.ts +2 -6
package/dtos/file-manager.dto.d.ts +2 -4
package/dtos/folder.dto.d.ts +2 -4
package/dtos/storage-config.dto.d.ts +9 -6
package/entities/storage-config-base.entity.d.ts +2 -0
package/fesm/config/storage-config.service.js +5 -0
package/fesm/config/storage.constants.js +0 -2
package/fesm/controllers/file-manager.controller.js +45 -2
package/fesm/controllers/folder.controller.js +45 -2
package/fesm/controllers/storage-config.controller.js +45 -2
package/fesm/controllers/upload.controller.js +7 -13
package/fesm/dtos/file-manager.dto.js +8 -5
package/fesm/dtos/storage-config.dto.js +45 -11
package/fesm/dtos/upload.dto.js +8 -1
package/fesm/entities/index.js +1 -5
package/fesm/entities/storage-config-base.entity.js +33 -7
package/fesm/interfaces/index.js +0 -1
package/fesm/interfaces/storage-config.interface.js +1 -3
package/fesm/middlewares/file-serve.middleware.js +7 -1
package/fesm/providers/local-provider.js +52 -2
package/fesm/providers/storage-factory.service.js +2 -2
package/fesm/services/file-manager.service.js +38 -25
package/fesm/services/folder.service.js +5 -8
package/fesm/services/storage-provider-config.service.js +18 -35
package/fesm/services/upload.service.js +40 -28
package/fesm/utils/file-validator.util.js +463 -0
package/fesm/utils/image-compressor.util.js +1 -3
package/interfaces/file-manager.interface.d.ts +7 -4
package/interfaces/index.d.ts +0 -1
package/interfaces/storage-config.interface.d.ts +2 -20
package/package.json +6 -6
package/providers/local-provider.d.ts +2 -0
package/services/file-manager.service.d.ts +2 -2
package/utils/file-validator.util.d.ts +16 -0
package/cjs/interfaces/file-upload-response.interface.js +0 -4
package/fesm/interfaces/file-upload-response.interface.js +0 -1
package/interfaces/file-upload-response.interface.d.ts +0 -6

package/fesm/services/file-manager.service.js CHANGED Viewed

@@ -25,8 +25,9 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { RequestScopedApiService, HybridCache } from '@flusys/nestjs-shared/classes';
+import { HybridCache, RequestScopedApiService } from '@flusys/nestjs-shared/classes';
 import { UtilsService } from '@flusys/nestjs-shared/modules';
+import { applyCompanyFilter, ErrorHandler } from '@flusys/nestjs-shared/utils';
 import { BadRequestException, Inject, Injectable, NotFoundException, Scope } from '@nestjs/common';
 import { Brackets, In } from 'typeorm';
 import { StorageConfigService } from '../config';
@@ -103,8 +104,9 @@ export class FileManagerService extends RequestScopedApiService {
                 const enableCompanyFeature = this.storageConfig.isCompanyFeatureEnabled();
                 const storageConfigEntity = enableCompanyFeature ? (await import('../entities')).StorageConfigWithCompany : (await import('../entities')).StorageConfig;
                 const storageConfigRepository = await this.dataSourceProvider.getRepository(storageConfigEntity);
+                const storageConfigId = dto.storageConfigId;
                 const whereCondition = {
-                    id: dto.storageConfigId
+                    id: storageConfigId
                 };
                 // Filter by company if company feature is enabled
                 if (enableCompanyFeature && user?.companyId) {
@@ -114,25 +116,30 @@ export class FileManagerService extends RequestScopedApiService {
                     where: whereCondition
                 });
                 if (storageConfig) {
-                    storageLocation = storageConfig.storage;
+                    const typedConfig = storageConfig;
+                    if (typedConfig.storage) {
+                        storageLocation = typedConfig.storage;
+                    }
                 }
             } catch (error) {
-                this.logger.warn(`Failed to get storage location from config: ${error}`);
+                const errorMessage = ErrorHandler.getErrorMessage(error);
+                this.logger.warn(`Failed to get storage location from config ${dto.storageConfigId}: ${errorMessage}`);
             // Fall back to DTO location or default
             }
         }
-        // Set basic fields
-        fileManager = {
+        // Set basic fields - merge existing data with DTO
+        const mergedFileManager = {
             ...fileManager,
             ...dto,
             location: storageLocation,
             folder: validatedFolder
         };
-        // Only set company fields if they exist on the entity (when company feature is enabled)
-        if ('companyId' in fileManager) {
-            fileManager.companyId = user?.companyId ?? null;
+        // Only set company fields if company feature is enabled
+        const enableCompanyFeatureForEntity = this.storageConfig.isCompanyFeatureEnabled();
+        if (enableCompanyFeatureForEntity) {
+            mergedFileManager.companyId = user?.companyId ?? null;
         }
-        return fileManager;
+        return mergedFileManager;
     }
     async getSelectQuery(query, _user, select) {
         if (!select || !select.length) {
@@ -209,7 +216,8 @@ export class FileManagerService extends RequestScopedApiService {
             this.logger.debug(`enrichWithProviderNames: First enriched item: ${JSON.stringify(enrichedItems[0])}`);
             return enrichedItems;
         } catch (error) {
-            this.logger.warn(`Failed to fetch provider names: ${error}`);
+            const errorMessage = ErrorHandler.getErrorMessage(error);
+            this.logger.warn(`Failed to fetch provider names: ${errorMessage}`);
             return items.map((item)=>({
                     ...item,
                     providerName: undefined
@@ -247,13 +255,12 @@ export class FileManagerService extends RequestScopedApiService {
    * Override: Extra query manipulation - Auto-filter by user's company and private file permissions
    */ async getExtraManipulateQuery(query, filterDto, user) {
         const result = await super.getExtraManipulateQuery(query, filterDto, user);
-        // If company feature enabled and user has companyId, filter by user's company
+        // Apply company filter using shared utility
         const enableCompanyFeature = this.storageConfig.isCompanyFeatureEnabled();
-        if (enableCompanyFeature && user?.companyId) {
-            query.andWhere('file_manager.companyId = :companyId', {
-                companyId: user.companyId
-            });
-        }
+        applyCompanyFilter(query, {
+            isCompanyFeatureEnabled: enableCompanyFeature,
+            entityAlias: 'file_manager'
+        }, user);
         // Check if user has permission to see private files
         if (user) {
             const cacheKey = enableCompanyFeature ? `${USER_ACTION_PERMISSION_CACHE_KEY}_${user.id}_${user.companyId}` : `${USER_ACTION_PERMISSION_CACHE_KEY}_${user.id}`;
@@ -316,8 +323,9 @@ export class FileManagerService extends RequestScopedApiService {
                                 'config'
                             ]
                         });
-                        if (config && config.config?.basePath) {
-                            const basePath = config.config.basePath.replace(/^\.\//, '');
+                        const typedConfig = config;
+                        if (typedConfig?.config?.basePath) {
+                            const basePath = typedConfig.config.basePath.replace(/^\.\//, '');
                             // Convert old keys to new format
                             deleteKeys = keys.map((key)=>{
                                 if (!key.includes('/')) {
@@ -327,7 +335,8 @@ export class FileManagerService extends RequestScopedApiService {
                             });
                         }
                     } catch (error) {
-                        this.logger.warn(`Failed to get basePath for delete: ${error}`);
+                        const errorMessage = ErrorHandler.getErrorMessage(error);
+                        this.logger.warn(`Failed to get basePath for delete: ${errorMessage}`);
                     }
                 }
                 await this.uploadService.deleteMultipleFile(deleteKeys, configId === 'default' ? undefined : configId, user ?? undefined, location);
@@ -361,7 +370,8 @@ export class FileManagerService extends RequestScopedApiService {
                     file.expiresAt = now + expiresIn * 1000;
                     shouldUpdate = true;
                 } catch (error) {
-                    this.logger.error(`Failed to generate URL for file ${file.id}: ${error?.message || 'Unknown error'}`);
+                    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                    this.logger.error(`Failed to generate URL for file ${file.id}: ${errorMessage}`);
                     // Use fallback URL with appUrl from config
                     const baseUrl = this.getFileBaseUrl(protocol, host);
                     file.url = `${baseUrl}/storage/upload/file/${file.key}`;
@@ -388,13 +398,15 @@ export class FileManagerService extends RequestScopedApiService {
                                 'config'
                             ]
                         });
-                        if (config && config.config?.basePath) {
-                            const basePath = config.config.basePath.replace(/^\.\//, ''); // Remove leading ./
+                        const typedConfig = config;
+                        if (typedConfig?.config?.basePath) {
+                            const basePath = typedConfig.config.basePath.replace(/^\.\//, ''); // Remove leading ./
                             fileKey = `${basePath}/${file.key}`;
                             this.logger.debug(`Prefixed old key with basePath: ${fileKey}`);
                         }
                     } catch (error) {
-                        this.logger.warn(`Failed to get basePath for file ${file.id}: ${error}`);
+                        const errorMessage = ErrorHandler.getErrorMessage(error);
+                        this.logger.warn(`Failed to get basePath for file ${file.id}: ${errorMessage}`);
                     }
                 }
                 const baseUrl = this.getFileBaseUrl(protocol, host);
@@ -419,7 +431,8 @@ export class FileManagerService extends RequestScopedApiService {
             try {
                 await this.repository.save(updatedFiles);
             } catch (error) {
-                this.logger.error(`Failed to save updated file URLs: ${error?.message || 'Unknown error'}`);
+                const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                this.logger.error(`Failed to save updated file URLs: ${errorMessage}`);
             }
         }
         return responses;

package/fesm/services/folder.service.js CHANGED Viewed

@@ -27,6 +27,7 @@ function _ts_param(paramIndex, decorator) {
 }
 import { RequestScopedApiService, HybridCache } from '@flusys/nestjs-shared/classes';
 import { UtilsService } from '@flusys/nestjs-shared/modules';
+import { applyCompanyFilter } from '@flusys/nestjs-shared/utils';
 import { Inject, Injectable, Scope } from '@nestjs/common';
 import { StorageConfigService } from '../config';
 import { Folder, FolderWithCompany } from '../entities';
@@ -38,16 +39,13 @@ export class FolderService extends RequestScopedApiService {
     getDataSourceProvider() {
         return this.dataSourceProvider;
     }
-    // Entity Conversion
     async convertSingleDtoToEntity(dto, user) {
         const entity = await super.convertSingleDtoToEntity(dto, user);
-        // Set companyId from user context if company feature enabled
         if (this.storageConfig.isCompanyFeatureEnabled()) {
             entity.companyId = user?.companyId ?? null;
         }
         return entity;
     }
-    // Query Customization
     async getSelectQuery(query, _user, select) {
         if (!select?.length) {
             select = [
@@ -69,11 +67,10 @@ export class FolderService extends RequestScopedApiService {
     }
     async getExtraManipulateQuery(query, filterDto, user) {
         const result = await super.getExtraManipulateQuery(query, filterDto, user);
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            query.andWhere('folder.companyId = :companyId', {
-                companyId: user.companyId
-            });
-        }
+        applyCompanyFilter(query, {
+            isCompanyFeatureEnabled: this.storageConfig.isCompanyFeatureEnabled(),
+            entityAlias: 'folder'
+        }, user);
         return result;
     }
     constructor(cacheManager, utilsService, storageConfig, dataSourceProvider){

package/fesm/services/storage-provider-config.service.js CHANGED Viewed

@@ -27,6 +27,7 @@ function _ts_param(paramIndex, decorator) {
 }
 import { RequestScopedApiService, HybridCache } from '@flusys/nestjs-shared/classes';
 import { UtilsService } from '@flusys/nestjs-shared/modules';
+import { applyCompanyFilter, buildCompanyWhereCondition } from '@flusys/nestjs-shared/utils';
 import { Inject, Injectable, Scope } from '@nestjs/common';
 import { StorageConfigService } from '../config';
 import { StorageConfig, StorageConfigWithCompany } from '../entities';
@@ -38,16 +39,13 @@ export class StorageProviderConfigService extends RequestScopedApiService {
     getDataSourceProvider() {
         return this.dataSourceProvider;
     }
-    // Entity Conversion
     async convertSingleDtoToEntity(dto, user) {
         const entity = await super.convertSingleDtoToEntity(dto, user);
-        // Set companyId from user context if company feature enabled
         if (this.storageConfig.isCompanyFeatureEnabled()) {
             entity.companyId = user?.companyId ?? null;
         }
         return entity;
     }
-    // Query Customization
     async getSelectQuery(query, _user, select) {
         if (!select?.length) {
             select = [
@@ -55,6 +53,8 @@ export class StorageProviderConfigService extends RequestScopedApiService {
                 'name',
                 'storage',
                 'config',
+                'isActive',
+                'isDefault',
                 'createdAt',
                 'updatedAt'
             ];
@@ -70,19 +70,14 @@ export class StorageProviderConfigService extends RequestScopedApiService {
     }
     async getExtraManipulateQuery(query, filterDto, user) {
         const result = await super.getExtraManipulateQuery(query, filterDto, user);
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            query.andWhere('storageConfig.companyId = :companyId', {
-                companyId: user.companyId
-            });
-        }
+        applyCompanyFilter(query, {
+            isCompanyFeatureEnabled: this.storageConfig.isCompanyFeatureEnabled(),
+            entityAlias: 'storageConfig'
+        }, user);
         query.orderBy(`${this.entityName}.createdAt`, 'DESC');
         return result;
     }
-    /**
-   * Find storage config by ID without throwing (returns null if not found)
-   * Uses direct repository query - bypasses company filtering
-   * Use for internal operations like file deletion where config ID is already known
-   */ async findByIdDirect(id) {
+    async findByIdDirect(id) {
         await this.ensureRepositoryInitialized();
         return await this.repository.findOne({
             where: {
@@ -90,21 +85,15 @@ export class StorageProviderConfigService extends RequestScopedApiService {
             }
         });
     }
-    /**
-   * Get default storage configuration (scoped to user's company if enabled)
-   * Falls back to any available config if 'default' not found
-   */ async getDefaultConfig(user) {
+    async getDefaultConfig(user) {
         await this.ensureRepositoryInitialized();
-        const baseWhere = {};
-        // Filter by company only if company feature is enabled and user is provided
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            baseWhere.companyId = user.companyId;
-        }
-        // First try to find config named 'default'
+        const baseWhere = buildCompanyWhereCondition({
+            isActive: true
+        }, this.storageConfig.isCompanyFeatureEnabled(), user);
         const defaultConfig = await this.repository.findOne({
             where: {
                 ...baseWhere,
-                name: 'default'
+                isDefault: true
             },
             order: {
                 createdAt: 'ASC'
@@ -113,7 +102,6 @@ export class StorageProviderConfigService extends RequestScopedApiService {
         if (defaultConfig) {
             return defaultConfig;
         }
-        // Fall back to any available config for this company/user
         return await this.repository.findOne({
             where: baseWhere,
             order: {
@@ -121,17 +109,12 @@ export class StorageProviderConfigService extends RequestScopedApiService {
             }
         });
     }
-    /**
-   * Get storage configuration by type (scoped to user's company if enabled)
-   */ async getConfigByType(storage, user) {
+    async getConfigByType(storage, user) {
         await this.ensureRepositoryInitialized();
-        const where = {
-            storage
-        };
-        // Filter by company only if company feature is enabled and user is provided
-        if (this.storageConfig.isCompanyFeatureEnabled() && user?.companyId) {
-            where.companyId = user.companyId;
-        }
+        const where = buildCompanyWhereCondition({
+            storage,
+            isActive: true
+        }, this.storageConfig.isCompanyFeatureEnabled(), user);
         return await this.repository.find({
             where
         });

package/fesm/services/upload.service.js CHANGED Viewed

@@ -25,25 +25,41 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { BadRequestException, Inject, Injectable, InternalServerErrorException, Logger, NotFoundException, Scope } from '@nestjs/common';
+import { ErrorHandler, validateCompanyOwnership } from '@flusys/nestjs-shared/utils';
+import { BadRequestException, Inject, Injectable, Logger, NotFoundException, Scope } from '@nestjs/common';
 import { StorageConfigService } from '../config';
 import { FileLocationEnum } from '../enums/file-location.enum';
 import { StorageFactoryService } from '../providers/storage-factory.service';
 import { StorageProviderConfigService } from './storage-provider-config.service';
+import { FileValidator } from '../utils/file-validator.util';
 export class UploadService {
     /**
-   * Validate file before upload
+   * Validate file before upload - includes size, type, and content validation.
+   * Uses magic bytes to verify file content matches declared MIME type.
    */ validateFile(file) {
         // Validate file size
         const sizeValidation = this.storageConfigService.validateFileSize(file.size);
         if (!sizeValidation.valid) {
             throw new BadRequestException(sizeValidation.message);
         }
-        // Validate file type
+        // Validate declared file type (MIME)
         const typeValidation = this.storageConfigService.validateFileType(file.mimetype);
         if (!typeValidation.valid) {
             throw new BadRequestException(typeValidation.message);
         }
+        // Validate file content matches declared type (magic bytes check)
+        // This prevents MIME type spoofing attacks
+        const allowedTypes = this.storageConfigService.getAllowedFileTypes();
+        const contentValidation = FileValidator.validateFileContent(file.buffer, file.mimetype, allowedTypes);
+        if (!contentValidation.valid) {
+            this.logger.warn(`File content validation failed: ${contentValidation.message}`, {
+                declaredType: file.mimetype,
+                detectedType: contentValidation.detectedType
+            });
+            throw new BadRequestException(contentValidation.message || 'File content validation failed');
+        }
+        // Sanitize filename to prevent path traversal attacks
+        file.originalname = FileValidator.sanitizeFilename(file.originalname);
     }
     /**
    * Get storage provider and config info based on storage config ID
@@ -57,13 +73,8 @@ export class UploadService {
             if (!config) {
                 throw new NotFoundException('Storage configuration not found');
             }
-            // Validate company ownership if company feature enabled
-            if (this.storageConfigService.isCompanyFeatureEnabled() && user?.companyId) {
-                const configWithCompany = config;
-                if (configWithCompany.companyId && configWithCompany.companyId !== user.companyId) {
-                    throw new BadRequestException('Storage configuration belongs to another company');
-                }
-            }
+            // Validate company ownership using shared utility
+            validateCompanyOwnership(config, user, this.storageConfigService.isCompanyFeatureEnabled(), 'Storage configuration');
             storageConfig = config;
         } else {
             // Use default config (scoped to user's company/branch)
@@ -168,9 +179,9 @@ export class UploadService {
                 location,
                 storageConfigId: configId
             };
-        } catch (err) {
-            this.logger.error('Single file upload failed', err);
-            throw new InternalServerErrorException(err?.message || 'Single file upload failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'uploadSingleFile');
+            ErrorHandler.rethrowError(error);
         }
     }
     async uploadMultipleFiles(files, options, user) {
@@ -187,31 +198,31 @@ export class UploadService {
                     location,
                     storageConfigId: configId
                 }));
-        } catch (err) {
-            this.logger.error('Multiple files upload failed', err);
-            throw new InternalServerErrorException(err?.message || 'Multiple files upload failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'uploadMultipleFiles');
+            ErrorHandler.rethrowError(error);
         }
     }
     async deleteSingleFile(key, storageConfigId, user, locationHint) {
         try {
-            if (!key) throw new Error('No file path provided');
+            if (!key) throw new BadRequestException('No file path provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteFile(key);
             return true;
-        } catch (err) {
-            this.logger.error('Delete single file failed', err);
-            throw new InternalServerErrorException(err?.message || 'Delete single file failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'deleteSingleFile');
+            ErrorHandler.rethrowError(error);
         }
     }
     async deleteMultipleFile(keys, storageConfigId, user, locationHint) {
         try {
-            if (!keys || !keys.length) throw new Error('No file paths provided');
+            if (!keys || !keys.length) throw new BadRequestException('No file paths provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteMultipleFiles(keys);
             return true;
-        } catch (err) {
-            this.logger.error('Delete multiple files failed', err);
-            throw new InternalServerErrorException(err?.message || 'Delete multiple files failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'deleteMultipleFiles');
+            ErrorHandler.rethrowError(error);
         }
     }
     bytesToKb(bytes) {
@@ -241,7 +252,8 @@ export class UploadService {
             }
             return null;
         } catch (error) {
-            this.logger.warn(`Failed to get local storage basePath: ${error.message}`);
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger.warn(`Failed to get local storage basePath: ${errorMessage}`);
             return null;
         }
     }
@@ -258,9 +270,9 @@ export class UploadService {
             }
             // For SFTP or other providers without presigned URLs
             return key;
-        } catch (err) {
-            this.logger.error('Generate file URL failed', err);
-            throw new InternalServerErrorException(err?.message || 'Generate file URL failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'makeFileUrl');
+            ErrorHandler.rethrowError(error);
         }
     }
     // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild