bopodev-api 0.1.12 → 0.1.13

package/src/routes/issues.ts

@@ -1,15 +1,22 @@
 import { Router } from "express";
+import { mkdir, readFile, rm, stat, writeFile } from "node:fs/promises";
+import { basename, extname, join, resolve } from "node:path";
 import { and, eq } from "drizzle-orm";
+import multer from "multer";
 import { z } from "zod";
 import {
+  addIssueAttachment,
   addIssueComment,
   agents,
   appendActivity,
   appendAuditEvent,
   createIssue,
+  deleteIssueAttachment,
   deleteIssueComment,
   deleteIssue,
+  getIssueAttachment,
   issues,
+  listIssueAttachments,
   listIssueActivity,
   listIssueComments,
   listIssues,
@@ -17,8 +24,10 @@ import {
   updateIssueComment,
   updateIssue
 } from "bopodev-db";
+import { nanoid } from "nanoid";
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
+import { isInsidePath, normalizeAbsolutePath, resolveProjectWorkspacePath } from "../lib/instance-paths";
 import { requireCompanyScope } from "../middleware/company-scope";
 import { requirePermission } from "../middleware/request-actor";
 
@@ -51,6 +60,31 @@ const updateIssueCommentSchema = z.object({
   body: z.string().min(1)
 });
 
+const MAX_ATTACHMENTS_PER_REQUEST = parsePositiveIntEnv("BOPO_ISSUE_ATTACHMENTS_MAX_FILES", 10);
+const MAX_ATTACHMENT_SIZE_BYTES = parsePositiveIntEnv("BOPO_ISSUE_ATTACHMENTS_MAX_BYTES", 20 * 1024 * 1024);
+const ALLOWED_ATTACHMENT_MIME_TYPES = parseCsvSet(
+  process.env.BOPO_ISSUE_ATTACHMENTS_ALLOWED_MIME_TYPES,
+  [
+    "image/png",
+    "image/jpeg",
+    "image/webp",
+    "image/gif",
+    "application/pdf",
+    "text/plain",
+    "text/markdown",
+    "application/json",
+    "text/csv",
+    "application/zip",
+    "application/x-zip-compressed"
+  ]
+);
+const ALLOWED_ATTACHMENT_EXTENSIONS = parseCsvSet(
+  process.env.BOPO_ISSUE_ATTACHMENTS_ALLOWED_EXTENSIONS,
+  ["png", "jpg", "jpeg", "webp", "gif", "pdf", "txt", "md", "json", "csv", "zip"]
+);
+
+type IssueAttachmentResponse = Record<string, unknown> & { id: string; downloadPath: string };
+
 function parseStringArray(value: unknown) {
   if (Array.isArray(value)) {
     return value.map((entry) => String(entry));
@@ -92,6 +126,13 @@ const updateIssueSchema = z
 
 export function createIssuesRouter(ctx: AppContext) {
   const router = Router();
+  const upload = multer({
+    storage: multer.memoryStorage(),
+    limits: {
+      fileSize: MAX_ATTACHMENT_SIZE_BYTES,
+      files: MAX_ATTACHMENTS_PER_REQUEST
+    }
+  });
   router.use(requireCompanyScope);
 
   router.get("/", async (req, res) => {
@@ -142,6 +183,199 @@ export function createIssuesRouter(ctx: AppContext) {
     return sendOk(res, toIssueResponse(issue as unknown as Record<string, unknown>));
   });
 
+  router.post("/:issueId/attachments", async (req, res) => {
+    requirePermission("issues:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
+
+    upload.array("files", MAX_ATTACHMENTS_PER_REQUEST)(req, res, async (uploadError) => {
+      if (uploadError) {
+        if (uploadError instanceof multer.MulterError) {
+          if (uploadError.code === "LIMIT_FILE_SIZE") {
+            return sendError(
+              res,
+              `Attachment exceeds max file size of ${MAX_ATTACHMENT_SIZE_BYTES} bytes.`,
+              422
+            );
+          }
+          if (uploadError.code === "LIMIT_FILE_COUNT") {
+            return sendError(
+              res,
+              `Too many files. Max ${MAX_ATTACHMENTS_PER_REQUEST} attachment(s) per request.`,
+              422
+            );
+          }
+          return sendError(res, uploadError.message, 422);
+        }
+        return sendError(res, "Failed to parse multipart attachment payload.", 422);
+      }
+
+      try {
+        const files = (req.files as Express.Multer.File[] | undefined) ?? [];
+        if (files.length === 0) {
+          return sendError(res, "At least one attachment file is required.", 422);
+        }
+        const issueContext = await getIssueContextForAttachment(ctx, req.companyId!, req.params.issueId);
+        if (!issueContext) {
+          return sendError(res, "Issue not found.", 404);
+        }
+        const workspacePath = resolveWorkspacePath(issueContext.companyId, issueContext.projectId, issueContext.workspaceLocalPath);
+        const attachmentDir = join(workspacePath, ".bopo", "issues", issueContext.issueId, "attachments");
+        await mkdir(attachmentDir, { recursive: true });
+
+        const uploaded: IssueAttachmentResponse[] = [];
+        for (const file of files) {
+          if (!isAllowedAttachmentFile(file)) {
+            return sendError(
+              res,
+              `Unsupported attachment type for '${file.originalname}'. Allowed extensions: ${Array.from(ALLOWED_ATTACHMENT_EXTENSIONS).join(", ")}`,
+              422
+            );
+          }
+
+          const attachmentId = nanoid(14);
+          const safeFileName = sanitizeAttachmentFileName(file.originalname);
+          const storedFileName = `${attachmentId}-${safeFileName}`;
+          const relativePath = join(".bopo", "issues", issueContext.issueId, "attachments", storedFileName);
+          const absolutePath = resolve(workspacePath, relativePath);
+          if (!isInsidePath(workspacePath, absolutePath)) {
+            return sendError(res, "Invalid attachment destination path.", 422);
+          }
+
+          await writeFile(absolutePath, file.buffer);
+          try {
+            const attachment = await addIssueAttachment(ctx.db, {
+              id: attachmentId,
+              companyId: req.companyId!,
+              issueId: issueContext.issueId,
+              projectId: issueContext.projectId,
+              fileName: file.originalname,
+              mimeType: file.mimetype || null,
+              fileSizeBytes: file.size,
+              relativePath,
+              uploadedByActorType: req.actor?.type === "agent" ? "agent" : "human",
+              uploadedByActorId: req.actor?.id
+            });
+            uploaded.push(toIssueAttachmentResponse(attachment as unknown as Record<string, unknown>, issueContext.issueId));
+          } catch (error) {
+            await rm(absolutePath, { force: true }).catch(() => undefined);
+            throw error;
+          }
+        }
+
+        await appendActivity(ctx.db, {
+          companyId: req.companyId!,
+          issueId: issueContext.issueId,
+          actorType: req.actor?.type === "agent" ? "agent" : "human",
+          actorId: req.actor?.id,
+          eventType: "issue.attachments_added",
+          payload: { count: uploaded.length, attachmentIds: uploaded.map((entry) => entry.id) }
+        });
+        await appendAuditEvent(ctx.db, {
+          companyId: req.companyId!,
+          actorType: req.actor?.type === "agent" ? "agent" : "human",
+          actorId: req.actor?.id,
+          eventType: "issue.attachments_added",
+          entityType: "issue",
+          entityId: issueContext.issueId,
+          payload: { attachments: uploaded }
+        });
+        return sendOk(res, uploaded);
+      } catch (error) {
+        // eslint-disable-next-line no-console
+        console.error(error);
+        return sendError(res, "Failed to upload attachments.", 500);
+      }
+    });
+  });
+
+  router.get("/:issueId/attachments", async (req, res) => {
+    const issueContext = await getIssueContextForAttachment(ctx, req.companyId!, req.params.issueId);
+    if (!issueContext) {
+      return sendError(res, "Issue not found.", 404);
+    }
+    const attachments = await listIssueAttachments(ctx.db, req.companyId!, req.params.issueId);
+    return sendOk(
+      res,
+      attachments.map((attachment) =>
+        toIssueAttachmentResponse(attachment as unknown as Record<string, unknown>, req.params.issueId)
+      )
+    );
+  });
+
+  router.get("/:issueId/attachments/:attachmentId/download", async (req, res) => {
+    const issueContext = await getIssueContextForAttachment(ctx, req.companyId!, req.params.issueId);
+    if (!issueContext) {
+      return sendError(res, "Issue not found.", 404);
+    }
+    const attachment = await getIssueAttachment(ctx.db, req.companyId!, req.params.issueId, req.params.attachmentId);
+    if (!attachment) {
+      return sendError(res, "Attachment not found.", 404);
+    }
+    const workspacePath = resolveWorkspacePath(issueContext.companyId, issueContext.projectId, issueContext.workspaceLocalPath);
+    const absolutePath = resolve(workspacePath, attachment.relativePath);
+    if (!isInsidePath(workspacePath, absolutePath)) {
+      return sendError(res, "Invalid attachment path.", 422);
+    }
+    try {
+      await stat(absolutePath);
+    } catch {
+      return sendError(res, "Attachment file is missing on disk.", 404);
+    }
+    const fileBuffer = await readFile(absolutePath);
+    if (attachment.mimeType) {
+      res.setHeader("content-type", attachment.mimeType);
+    } else {
+      res.setHeader("content-type", "application/octet-stream");
+    }
+    res.setHeader("content-disposition", `attachment; filename="${encodeURIComponent(attachment.fileName)}"`);
+    return res.send(fileBuffer);
+  });
+
+  router.delete("/:issueId/attachments/:attachmentId", async (req, res) => {
+    requirePermission("issues:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
+    const issueContext = await getIssueContextForAttachment(ctx, req.companyId!, req.params.issueId);
+    if (!issueContext) {
+      return sendError(res, "Issue not found.", 404);
+    }
+    const attachment = await getIssueAttachment(ctx.db, req.companyId!, req.params.issueId, req.params.attachmentId);
+    if (!attachment) {
+      return sendError(res, "Attachment not found.", 404);
+    }
+    const workspacePath = resolveWorkspacePath(issueContext.companyId, issueContext.projectId, issueContext.workspaceLocalPath);
+    const absolutePath = resolve(workspacePath, attachment.relativePath);
+    if (!isInsidePath(workspacePath, absolutePath)) {
+      return sendError(res, "Invalid attachment path.", 422);
+    }
+    await rm(absolutePath, { force: true }).catch(() => undefined);
+    const deleted = await deleteIssueAttachment(ctx.db, req.companyId!, req.params.issueId, req.params.attachmentId);
+    if (!deleted) {
+      return sendError(res, "Attachment not found.", 404);
+    }
+    await appendActivity(ctx.db, {
+      companyId: req.companyId!,
+      issueId: issueContext.issueId,
+      actorType: req.actor?.type === "agent" ? "agent" : "human",
+      actorId: req.actor?.id,
+      eventType: "issue.attachment_deleted",
+      payload: { attachmentId: req.params.attachmentId }
+    });
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: req.actor?.type === "agent" ? "agent" : "human",
+      actorId: req.actor?.id,
+      eventType: "issue.attachment_deleted",
+      entityType: "issue_attachment",
+      entityId: req.params.attachmentId,
+      payload: deleted as unknown as Record<string, unknown>
+    });
+    return sendOk(res, { deleted: true });
+  });
+
   router.get("/:issueId/comments", async (req, res) => {
     const comments = await listIssueComments(ctx.db, req.companyId!, req.params.issueId);
     return sendOk(res, comments);
@@ -435,3 +669,90 @@ async function validateIssueAssignmentScope(
   return null;
 }
 
+function parsePositiveIntEnv(name: string, fallback: number) {
+  const raw = process.env[name];
+  if (!raw) {
+    return fallback;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function parseCsvSet(raw: string | undefined, fallback: string[]) {
+  if (!raw || raw.trim().length === 0) {
+    return new Set(fallback);
+  }
+  return new Set(
+    raw
+      .split(",")
+      .map((value) => value.trim().toLowerCase())
+      .filter(Boolean)
+  );
+}
+
+function sanitizeAttachmentFileName(input: string) {
+  const original = basename(input || "attachment");
+  const sanitized = original.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return sanitized.length > 0 ? sanitized : "attachment";
+}
+
+function isAllowedAttachmentFile(file: Express.Multer.File) {
+  const extension = extname(file.originalname).slice(1).toLowerCase();
+  const mime = (file.mimetype ?? "").toLowerCase();
+  if (extension && ALLOWED_ATTACHMENT_EXTENSIONS.has(extension)) {
+    return true;
+  }
+  return mime.length > 0 && ALLOWED_ATTACHMENT_MIME_TYPES.has(mime);
+}
+
+function toIssueAttachmentResponse(attachment: Record<string, unknown>, issueId: string) {
+  const id = String(attachment.id ?? "");
+  return {
+    ...attachment,
+    id,
+    downloadPath: `/issues/${issueId}/attachments/${id}/download`
+  };
+}
+
+function resolveWorkspacePath(companyId: string, projectId: string, workspaceLocalPath: string | null) {
+  if (workspaceLocalPath && workspaceLocalPath.trim().length > 0) {
+    return normalizeAbsolutePath(workspaceLocalPath);
+  }
+  return resolveProjectWorkspacePath(companyId, projectId);
+}
+
+async function getIssueContextForAttachment(ctx: AppContext, companyId: string, issueId: string) {
+  const [issue] = await ctx.db
+    .select({
+      issueId: issues.id,
+      companyId: issues.companyId,
+      projectId: issues.projectId
+    })
+    .from(issues)
+    .where(and(eq(issues.companyId, companyId), eq(issues.id, issueId)))
+    .limit(1);
+  if (!issue) {
+    return null;
+  }
+  const [project] = await ctx.db
+    .select({
+      id: projects.id,
+      workspaceLocalPath: projects.workspaceLocalPath
+    })
+    .from(projects)
+    .where(and(eq(projects.companyId, companyId), eq(projects.id, issue.projectId)))
+    .limit(1);
+  if (!project) {
+    return null;
+  }
+  return {
+    issueId: issue.issueId,
+    companyId: issue.companyId,
+    projectId: issue.projectId,
+    workspaceLocalPath: project.workspaceLocalPath
+  };
+}
+