letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
9305c030de429e6d59fb5158588d6c3be17b7c23
pn-new-crm/src/app/api/v1/berths/[id]/pdf-upload-url/handlers.ts

95 lines
3.9 KiB
TypeScript
Raw Blame History

/**
* Returns a presigned URL the browser can use to PUT a PDF directly to the
* active storage backend. `maxBytes` (from `system_settings.berth_pdf_max_upload_mb`,
* default 15 MB per §11.1) is returned to the client as a hint and used to
* early-reject an oversized `sizeBytes` before a URL is minted.
*
* NOTE (audit M16/M17): the S3 presigned-PUT path does NOT sign a
* content-length-range or Content-Type condition, so the cap is enforced
* server-side at register time (`uploadBerthPdf` re-HEADs + magic-byte
* probes and rejects over-cap bytes). The filesystem proxy path embeds the
* cap in the HMAC token (`b` field) and enforces it in the proxy PUT.
*
* For S3 backends this is a true signed URL; for filesystem backends it's a
* CRM-internal proxy URL with an HMAC token (see `FilesystemBackend`).
*/
import { NextResponse } from 'next/server';
import { z } from 'zod';
import { type RouteHandler } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { db } from '@/lib/db';
import { berths } from '@/lib/db/schema/berths';
import { and, eq } from 'drizzle-orm';
import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
import { getMaxUploadMb } from '@/lib/services/berth-pdf.service';
import { getStorageBackend } from '@/lib/storage';
const postBodySchema = z.object({
fileName: z.string().min(1).max(255),
/** Size hint in bytes - used to early-reject oversized uploads before we
* burn a presigned URL. */
sizeBytes: z.number().int().nonnegative().optional(),
});
export const postHandler: RouteHandler = async (req, ctx, params) => {
try {
const body = await parseBody(req, postBodySchema);
const fileName = body.fileName.trim();
if (!fileName) throw new ValidationError('fileName is required');
// Tenant-scoped berth lookup. Without `eq(berths.portId, ctx.portId)` a
// rep with berths:edit on port A could mint an upload URL targeting a
// port-B berth (the storage key namespace would land under that berth's
// id, leaking access).
const berthRow = await db.query.berths.findFirst({
where: and(eq(berths.id, params.id!), eq(berths.portId, ctx.portId)),
});
if (!berthRow) throw new NotFoundError('Berth');
const maxMb = await getMaxUploadMb(berthRow.portId);
const maxBytes = maxMb * 1024 * 1024;
if (typeof body.sizeBytes === 'number' && body.sizeBytes > maxBytes) {
throw new ValidationError(
`File exceeds ${maxMb} MB upload cap (got ${(body.sizeBytes / 1024 / 1024).toFixed(1)} MB).`,
);
}
// Provisional version number: the actual row insert happens in POST
// /pdf-versions and re-computes via SELECT max+1 inside a transaction,
// so a race between two reps just shifts which one wins the version
// slot. The storage key is gen_random_uuid()-namespaced so collisions
// in the storage layer are impossible.
//
// storage-pathing-auditor H1: prefix the port slug so the
// filesystem-proxy port-binding token (`p` field) can be wired and
// the namespace matches `buildStoragePath` (which always leads with
// the port slug).
const sanitized = fileName.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 200) || 'berth.pdf';
const storageKey = `${ctx.portSlug}/berths/${params.id!}/uploads/${crypto.randomUUID()}_${sanitized}`;
const backend = await getStorageBackend();
const presigned = await backend.presignUpload(storageKey, {
contentType: 'application/pdf',
expirySeconds: 900,
portSlug: ctx.portSlug,
// Embed the per-port cap in the filesystem proxy token so the proxy
// PUT enforces the advertised 15 MB (not the global 50 MB) - audit M17.
maxBytes,
});
return NextResponse.json({
data: {
url: presigned.url,
method: presigned.method,
storageKey,
maxBytes,
backend: backend.name,
},
});
} catch (error) {
return errorResponse(error);
}
};
Reference in New Issue View Git Blame Copy Permalink