Merge pull request #51 from docmost/private-attachments

make page attachments private
2025-11-12 15:52:32 +10:00 · 2024-07-05 00:47:51 +01:00
parent 0fc8edeb52 13f26f9c31
commit 3e7b2495c5
6 changed files with 63 additions and 9 deletions
--- a/apps/client/src/lib/api-client.ts
+++ b/apps/client/src/lib/api-client.ts
@ -5,6 +5,7 @@ import { getBackendUrl } from "@/lib/config.ts";

 const api: AxiosInstance = axios.create({
  baseURL: getBackendUrl(),
+  withCredentials: true,
 });

 api.interceptors.request.use(
--- a/apps/server/package.json
+++ b/apps/server/package.json
@ -31,6 +31,7 @@
    "@aws-sdk/client-s3": "^3.600.0",
    "@aws-sdk/s3-request-presigner": "^3.600.0",
    "@casl/ability": "^6.7.1",
+    "@fastify/cookie": "^9.3.1",
    "@fastify/multipart": "^8.3.0",
    "@fastify/static": "^7.0.4",
    "@nestjs/bullmq": "^10.1.1",
--- a/apps/server/src/core/attachment/attachment.controller.ts
+++ b/apps/server/src/core/attachment/attachment.controller.ts
@ -45,7 +45,6 @@ import {
 import WorkspaceAbilityFactory from '../casl/abilities/workspace-ability.factory';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { AttachmentRepo } from '@docmost/db/repos/attachment/attachment.repo';
-import { Public } from '../../common/decorators/public.decorator';
 import { validate as isValidUUID } from 'uuid';

@Controller()
@ -129,12 +128,11 @@ export class AttachmentController {
    }
  }

-  @Public()
  @UseGuards(JwtAuthGuard)
  @Get('/files/:fileId/:fileName')
  async getFile(
    @Res() res: FastifyReply,
-    //@AuthUser() user: User,
+    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
    @Param('fileId') fileId: string,
    @Param('fileName') fileName?: string,
@ -144,18 +142,29 @@ export class AttachmentController {
    }

    const attachment = await this.attachmentRepo.findById(fileId);
-    if (attachment.workspaceId !== workspace.id) {
+    if (
+      !attachment ||
+      attachment.workspaceId !== workspace.id ||
+      !attachment.pageId ||
+      !attachment.spaceId
+    ) {
      throw new NotFoundException();
    }

-    if (!attachment || !attachment.pageId) {
-      throw new NotFoundException('File record not found');
+    const spaceAbility = await this.spaceAbility.createForUser(
+      user,
+      attachment.spaceId,
+    );
+
+    if (spaceAbility.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
+      throw new ForbiddenException();
    }

    try {
      const fileStream = await this.storageService.read(attachment.filePath);
      res.headers({
        'Content-Type': getMimeType(attachment.filePath),
+        'Cache-Control': 'public, max-age=3600',
      });
      return res.send(fileStream);
    } catch (err) {
@ -268,6 +277,7 @@ export class AttachmentController {
      const fileStream = await this.storageService.read(filePath);
      res.headers({
        'Content-Type': getMimeType(filePath),
+        'Cache-Control': 'public, max-age=86400',
      });
      return res.send(fileStream);
    } catch (err) {
--- a/apps/server/src/core/auth/strategies/jwt.strategy.ts
+++ b/apps/server/src/core/auth/strategies/jwt.strategy.ts
@ -4,11 +4,12 @@ import {
  UnauthorizedException,
 } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
-import { ExtractJwt, Strategy } from 'passport-jwt';
+import { Strategy } from 'passport-jwt';
 import { EnvironmentService } from '../../../integrations/environment/environment.service';
 import { JwtPayload, JwtType } from '../dto/jwt-payload';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { FastifyRequest } from 'fastify';

@Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@ -18,7 +19,15 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
    private readonly environmentService: EnvironmentService,
  ) {
    super({
-      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      jwtFromRequest: (req: FastifyRequest) => {
+        let accessToken = null;
+
+        try {
+          accessToken = JSON.parse(req.cookies?.authTokens)?.accessToken;
+        } catch {}
+
+        return accessToken || this.extractTokenFromHeader(req);
+      },
      ignoreExpiration: false,
      secretOrKey: environmentService.getAppSecret(),
      passReqToCallback: true,
@ -50,4 +59,9 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {

    return { user, workspace };
  }
+
+  private extractTokenFromHeader(request: FastifyRequest): string | undefined {
+    const [type, token] = request.headers.authorization?.split(' ') ?? [];
+    return type === 'Bearer' ? token : undefined;
+  }
 }
--- a/apps/server/src/main.ts
+++ b/apps/server/src/main.ts
@ -9,6 +9,7 @@ import { TransformHttpResponseInterceptor } from './common/interceptors/http-res
 import fastifyMultipart from '@fastify/multipart';
 import { WsRedisIoAdapter } from './ws/adapter/ws-redis.adapter';
 import { InternalLogFilter } from './common/logger/internal-log-filter';
+import fastifyCookie from '@fastify/cookie';

 async function bootstrap() {
  const app = await NestFactory.create<NestFastifyApplication>(
@ -31,6 +32,7 @@ async function bootstrap() {
  app.useWebSocketAdapter(redisIoAdapter);

  await app.register(fastifyMultipart as any);
+  await app.register(fastifyCookie as any);

  app
    .getHttpAdapter()
@ -56,7 +58,16 @@ async function bootstrap() {
      transform: true,
    }),
  );
-  app.enableCors();
+
+  if (process.env.NODE_ENV !== 'production') {
+    // make development easy
+    app.enableCors({
+      origin: ['http://localhost:5173'],
+      credentials: true,
+    });
+  } else {
+    app.enableCors();
+  }

  app.useGlobalInterceptors(new TransformHttpResponseInterceptor());
  app.enableShutdownHooks();