port-nimara-client-portal/server/api/files/download.ts

import { requireAuth } from '~/server/utils/auth';
import { getDownloadUrl } from '~/server/utils/minio';

export default defineEventHandler(async (event) => {
  // Check authentication (x-tag header OR Keycloak session)
  await requireAuth(event);
  
  try {
    const query = getQuery(event);
    const fileName = query.fileName as string;
    
    if (!fileName) {
      throw createError({
        statusCode: 400,
        statusMessage: 'File name is required',
      });
    }
    
    // Generate presigned URL valid for 1 hour
    const url = await getDownloadUrl(fileName);
    
    // Log audit event
    await logAuditEvent(event, 'download', fileName);
    
    return {
      success: true,
      url,
      fileName,
    };
  } catch (error: any) {
    console.error('Failed to generate download URL:', error);
    throw createError({
      statusCode: 500,
      statusMessage: error.message || 'Failed to generate download URL',
    });
  }
});

// Audit logging helper
async function logAuditEvent(event: any, action: string, filePath: string) {
  try {
    const user = event.context.user || { email: 'anonymous' };
    const auditLog = {
      user_email: user.email,
      action,
      file_path: filePath,
      timestamp: new Date().toISOString(),
      ip_address: getClientIP(event),
      success: true,
    };
    
    // You can store this in your database or logging system
    console.log('Audit log:', auditLog);
  } catch (error) {
    console.error('Failed to log audit event:', error);
  }
}

function getClientIP(event: any): string {
  return event.node.req.headers['x-forwarded-for'] || 
         event.node.req.connection.remoteAddress || 
         'unknown';
}
KEYCLOAK AUTH FIX: Phase 4 - Email & Files Endpoints UPDATED ENDPOINTS (11 additional): - email/send.ts (CRITICAL: was using old auth) - email/fetch-thread.ts (CRITICAL: was using old auth) - email/fetch-thread-v2.ts (CRITICAL: was using old auth) - email/generate-eoi-document.ts (CRITICAL: was using old auth) - files/upload.ts (CRITICAL: was using old auth) - files/list.ts (SECURITY ISSUE: had NO auth) - files/download.ts (SECURITY ISSUE: had NO auth) - files/delete.ts (SECURITY ISSUE: had NO auth) - files/create-folder.ts (SECURITY ISSUE: had NO auth) - files/preview.ts (SECURITY ISSUE: had NO auth) - files/rename.ts (SECURITY ISSUE: had NO auth) AUTHENTICATION: All now support dual auth: - x-tag header (webhooks/external calls) - Keycloak session (logged-in users) PROGRESS: 28/47 endpoints completed (~60%) NEXT: Continue with remaining proxy, test & debug endpoints CRITICAL SECURITY FIXES: Found 6 file endpoints with NO authentication - major vulnerability patched! 2025-06-15 16:32:34 +02:00			`import { requireAuth } from '~/server/utils/auth';`
Add MinIO file browser with upload, preview, and management features - Implement file browser UI with upload/download capabilities - Add API endpoints for file operations (list, upload, delete, preview) - Create FileUploader and FilePreviewModal components - Configure MinIO integration with environment variables - Add documentation for MinIO file browser setup 2025-06-04 16:32:50 +02:00			`import { getDownloadUrl } from '~/server/utils/minio';`

			`export default defineEventHandler(async (event) => {`
KEYCLOAK AUTH FIX: Phase 4 - Email & Files Endpoints UPDATED ENDPOINTS (11 additional): - email/send.ts (CRITICAL: was using old auth) - email/fetch-thread.ts (CRITICAL: was using old auth) - email/fetch-thread-v2.ts (CRITICAL: was using old auth) - email/generate-eoi-document.ts (CRITICAL: was using old auth) - files/upload.ts (CRITICAL: was using old auth) - files/list.ts (SECURITY ISSUE: had NO auth) - files/download.ts (SECURITY ISSUE: had NO auth) - files/delete.ts (SECURITY ISSUE: had NO auth) - files/create-folder.ts (SECURITY ISSUE: had NO auth) - files/preview.ts (SECURITY ISSUE: had NO auth) - files/rename.ts (SECURITY ISSUE: had NO auth) AUTHENTICATION: All now support dual auth: - x-tag header (webhooks/external calls) - Keycloak session (logged-in users) PROGRESS: 28/47 endpoints completed (~60%) NEXT: Continue with remaining proxy, test & debug endpoints CRITICAL SECURITY FIXES: Found 6 file endpoints with NO authentication - major vulnerability patched! 2025-06-15 16:32:34 +02:00			`// Check authentication (x-tag header OR Keycloak session)`
			`await requireAuth(event);`

Add MinIO file browser with upload, preview, and management features - Implement file browser UI with upload/download capabilities - Add API endpoints for file operations (list, upload, delete, preview) - Create FileUploader and FilePreviewModal components - Configure MinIO integration with environment variables - Add documentation for MinIO file browser setup 2025-06-04 16:32:50 +02:00			`try {`
			`const query = getQuery(event);`
			`const fileName = query.fileName as string;`

			`if (!fileName) {`
			`throw createError({`
			`statusCode: 400,`
			`statusMessage: 'File name is required',`
			`});`
			`}`

			`// Generate presigned URL valid for 1 hour`
			`const url = await getDownloadUrl(fileName);`

			`// Log audit event`
			`await logAuditEvent(event, 'download', fileName);`

			`return {`
			`success: true,`
			`url,`
			`fileName,`
			`};`
			`} catch (error: any) {`
			`console.error('Failed to generate download URL:', error);`
			`throw createError({`
			`statusCode: 500,`
			`statusMessage: error.message \|\| 'Failed to generate download URL',`
			`});`
			`}`
			`});`

			`// Audit logging helper`
			`async function logAuditEvent(event: any, action: string, filePath: string) {`
			`try {`
			`const user = event.context.user \|\| { email: 'anonymous' };`
			`const auditLog = {`
			`user_email: user.email,`
			`action,`
			`file_path: filePath,`
			`timestamp: new Date().toISOString(),`
			`ip_address: getClientIP(event),`
			`success: true,`
			`};`

			`// You can store this in your database or logging system`
			`console.log('Audit log:', auditLog);`
			`} catch (error) {`
			`console.error('Failed to log audit event:', error);`
			`}`
			`}`

			`function getClientIP(event: any): string {`
			`return event.node.req.headers['x-forwarded-for'] \|\|`
			`event.node.req.connection.remoteAddress \|\|`
			`'unknown';`
			`}`