@flusys/nestjs-storage 1.1.0-beta → 2.0.0-rc.0

package/cjs/services/upload.service.js

@@ -8,11 +8,13 @@ Object.defineProperty(exports, "UploadService", {
         return UploadService;
     }
 });
+const _utils = require("@flusys/nestjs-shared/utils");
 const _common = require("@nestjs/common");
-const _config = require("../config");
+const _storageconfigservice = require("./storage-config.service");
 const _filelocationenum = require("../enums/file-location.enum");
 const _storagefactoryservice = require("../providers/storage-factory.service");
 const _storageproviderconfigservice = require("./storage-provider-config.service");
+const _filevalidatorutil = require("../utils/file-validator.util");
 function _define_property(obj, key, value) {
     if (key in obj) {
         Object.defineProperty(obj, key, {
@@ -42,18 +44,51 @@ function _ts_param(paramIndex, decorator) {
 }
 let UploadService = class UploadService {
     /**
-   * Validate file before upload
+   * Validate file before upload - includes size, type, and content validation.
+   * Uses magic bytes to verify file content matches declared MIME type.
    */ validateFile(file) {
         // Validate file size
         const sizeValidation = this.storageConfigService.validateFileSize(file.size);
         if (!sizeValidation.valid) {
             throw new _common.BadRequestException(sizeValidation.message);
         }
-        // Validate file type
+        // Validate declared file type (MIME)
         const typeValidation = this.storageConfigService.validateFileType(file.mimetype);
         if (!typeValidation.valid) {
             throw new _common.BadRequestException(typeValidation.message);
         }
+        // Validate file content matches declared type (magic bytes check)
+        // This prevents MIME type spoofing attacks
+        const allowedTypes = this.storageConfigService.getAllowedFileTypes();
+        const contentValidation = _filevalidatorutil.FileValidator.validateFileContent(file.buffer, file.mimetype, allowedTypes);
+        if (!contentValidation.valid) {
+            this.logger.warn(`File content validation failed: ${contentValidation.message}`, {
+                declaredType: file.mimetype,
+                detectedType: contentValidation.detectedType
+            });
+            throw new _common.BadRequestException(contentValidation.message || 'File content validation failed');
+        }
+        // Sanitize filename to prevent path traversal attacks
+        file.originalname = _filevalidatorutil.FileValidator.sanitizeFilename(file.originalname);
+    }
+    /**
+   * Create provider from storage config entity
+   */ async createProviderFromConfig(config) {
+        return this.storageFactory.createProvider({
+            provider: config.storage,
+            config: config.config
+        });
+    }
+    /**
+   * Create fallback local provider
+   */ async createFallbackLocalProvider() {
+        this.logger.warn('No storage config found, using fallback local provider');
+        return this.storageFactory.createProvider({
+            provider: _filelocationenum.FileLocationEnum.LOCAL,
+            config: {
+                basePath: this.storageConfigService.getDefaultLocalStoragePath()
+            }
+        });
     }
     /**
    * Get storage provider and config info based on storage config ID
@@ -67,13 +102,8 @@ let UploadService = class UploadService {
             if (!config) {
                 throw new _common.NotFoundException('Storage configuration not found');
             }
-            // Validate company ownership if company feature enabled
-            if (this.storageConfigService.isCompanyFeatureEnabled() && user?.companyId) {
-                const configWithCompany = config;
-                if (configWithCompany.companyId && configWithCompany.companyId !== user.companyId) {
-                    throw new _common.BadRequestException('Storage configuration belongs to another company');
-                }
-            }
+            // Validate company ownership using shared utility
+            (0, _utils.validateCompanyOwnership)(config, user, this.storageConfigService.isCompanyFeatureEnabled(), 'Storage configuration');
             storageConfig = config;
         } else {
             // Use default config (scoped to user's company/branch)
@@ -83,13 +113,7 @@ let UploadService = class UploadService {
             }
             storageConfig = defaultConfig;
         }
-        // Create provider config
-        const providerConfig = {
-            provider: storageConfig.storage,
-            config: storageConfig.config
-        };
-        // Get or create provider instance
-        const provider = await this.storageFactory.createProvider(providerConfig);
+        const provider = await this.createProviderFromConfig(storageConfig);
         return {
             provider,
             location: storageConfig.storage,
@@ -97,74 +121,33 @@ let UploadService = class UploadService {
         };
     }
     /**
-   * Get storage provider based on storage config ID (convenience method)
-   */ async getStorageProvider(storageConfigId, user) {
-        const { provider } = await this.getStorageProviderWithConfig(storageConfigId, user);
-        return provider;
-    }
-    /**
    * Get storage provider for delete operations with fallback
    * If the original storage config doesn't exist, falls back based on locationHint
-   * This ensures files can still be deleted even if storage config was removed
-   * @param storageConfigId - The storage config ID to look up
-   * @param user - User context for company filtering
-   * @param locationHint - The file's original location type (used for fallback)
    */ async getStorageProviderForDelete(storageConfigId, user, locationHint) {
-        // If storageConfigId provided, try to find it
+        // Try to find by storageConfigId
         if (storageConfigId) {
             const config = await this.storageProviderConfigService.findByIdDirect(storageConfigId);
             if (config) {
-                const providerConfig = {
-                    provider: config.storage,
-                    config: config.config
-                };
-                return await this.storageFactory.createProvider(providerConfig);
+                return this.createProviderFromConfig(config);
             }
-            // Config not found, log warning and try fallback
-            this.logger.warn(`Storage config ${storageConfigId} not found, trying fallback for delete`);
+            this.logger.warn(`Storage config ${storageConfigId} not found, trying fallback`);
         }
-        // Fallback: Use locationHint to find a matching config or create provider
+        // Fallback: Use locationHint to find a matching config
         if (locationHint) {
-            // Try to find a config matching the file's original location type
             const matchingConfigs = await this.storageProviderConfigService.getConfigByType(locationHint, user);
             if (matchingConfigs.length > 0) {
-                const providerConfig = {
-                    provider: matchingConfigs[0].storage,
-                    config: matchingConfigs[0].config
-                };
-                this.logger.debug(`Using matching ${locationHint} config for delete fallback`);
-                return await this.storageFactory.createProvider(providerConfig);
+                return this.createProviderFromConfig(matchingConfigs[0]);
             }
-            // No matching config found, create a basic provider based on locationHint
             if (locationHint === _filelocationenum.FileLocationEnum.LOCAL) {
-                this.logger.warn('No local config found, using fallback local provider for delete');
-                const localProviderConfig = {
-                    provider: _filelocationenum.FileLocationEnum.LOCAL,
-                    config: {
-                        basePath: this.storageConfigService.getDefaultLocalStoragePath()
-                    }
-                };
-                return await this.storageFactory.createProvider(localProviderConfig);
+                return this.createFallbackLocalProvider();
             }
         }
-        // Last resort: Try default config (might be different provider type)
+        // Last resort: Try default config
         const defaultConfig = await this.storageProviderConfigService.getDefaultConfig(user);
         if (defaultConfig) {
-            const providerConfig = {
-                provider: defaultConfig.storage,
-                config: defaultConfig.config
-            };
-            return await this.storageFactory.createProvider(providerConfig);
+            return this.createProviderFromConfig(defaultConfig);
         }
-        // Final fallback: Create a basic local provider
-        this.logger.warn('No storage config found, using fallback local provider for delete');
-        const localProviderConfig = {
-            provider: _filelocationenum.FileLocationEnum.LOCAL,
-            config: {
-                basePath: this.storageConfigService.getDefaultLocalStoragePath()
-            }
-        };
-        return await this.storageFactory.createProvider(localProviderConfig);
+        return this.createFallbackLocalProvider();
     }
     async uploadSingleFile(file, options, user) {
         try {
@@ -178,9 +161,9 @@ let UploadService = class UploadService {
                 location,
                 storageConfigId: configId
             };
-        } catch (err) {
-            this.logger.error('Single file upload failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Single file upload failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'uploadSingleFile');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async uploadMultipleFiles(files, options, user) {
@@ -197,31 +180,31 @@ let UploadService = class UploadService {
                     location,
                     storageConfigId: configId
                 }));
-        } catch (err) {
-            this.logger.error('Multiple files upload failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Multiple files upload failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'uploadMultipleFiles');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async deleteSingleFile(key, storageConfigId, user, locationHint) {
         try {
-            if (!key) throw new Error('No file path provided');
+            if (!key) throw new _common.BadRequestException('No file path provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteFile(key);
             return true;
-        } catch (err) {
-            this.logger.error('Delete single file failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Delete single file failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'deleteSingleFile');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     async deleteMultipleFile(keys, storageConfigId, user, locationHint) {
         try {
-            if (!keys || !keys.length) throw new Error('No file paths provided');
+            if (!keys || !keys.length) throw new _common.BadRequestException('No file paths provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteMultipleFiles(keys);
             return true;
-        } catch (err) {
-            this.logger.error('Delete multiple files failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Delete multiple files failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'deleteMultipleFiles');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     bytesToKb(bytes) {
@@ -251,7 +234,8 @@ let UploadService = class UploadService {
             }
             return null;
         } catch (error) {
-            this.logger.warn(`Failed to get local storage basePath: ${error.message}`);
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger.warn(`Failed to get local storage basePath: ${errorMessage}`);
             return null;
         }
     }
@@ -261,16 +245,16 @@ let UploadService = class UploadService {
    * For Local/SFTP: returns direct path
    */ async makeFileUrl(key, storageConfigId, expiresIn = 3600, user) {
         try {
-            const provider = await this.getStorageProvider(storageConfigId, user);
+            const { provider } = await this.getStorageProviderWithConfig(storageConfigId, user);
             // Check if provider supports presigned URLs
             if (provider.generatePresignedUrl) {
                 return await provider.generatePresignedUrl(key, expiresIn);
             }
             // For SFTP or other providers without presigned URLs
             return key;
-        } catch (err) {
-            this.logger.error('Generate file URL failed', err);
-            throw new _common.InternalServerErrorException(err?.message || 'Generate file URL failed');
+        } catch (error) {
+            _utils.ErrorHandler.logError(this.logger, error, 'makeFileUrl');
+            _utils.ErrorHandler.rethrowError(error);
         }
     }
     // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
@@ -290,12 +274,12 @@ UploadService = _ts_decorate([
         scope: _common.Scope.REQUEST
     }),
     _ts_param(0, (0, _common.Inject)(_storagefactoryservice.StorageFactoryService)),
-    _ts_param(1, (0, _common.Inject)(_config.StorageConfigService)),
+    _ts_param(1, (0, _common.Inject)(_storageconfigservice.StorageConfigService)),
     _ts_param(2, (0, _common.Inject)(_storageproviderconfigservice.StorageProviderConfigService)),
     _ts_metadata("design:type", Function),
     _ts_metadata("design:paramtypes", [
         typeof _storagefactoryservice.StorageFactoryService === "undefined" ? Object : _storagefactoryservice.StorageFactoryService,
-        typeof _config.StorageConfigService === "undefined" ? Object : _config.StorageConfigService,
+        typeof _storageconfigservice.StorageConfigService === "undefined" ? Object : _storageconfigservice.StorageConfigService,
         typeof _storageproviderconfigservice.StorageProviderConfigService === "undefined" ? Object : _storageproviderconfigservice.StorageProviderConfigService
     ])
 ], UploadService);