feat(04-02): create POST /api/documents and GET /api/documents/[id]/file routes
- POST handles both form-data (custom upload) and JSON (template copy) paths
- Copies seed PDF or writes uploaded file to uploads/clients/{clientId}/{uuid}.pdf
- Path traversal guard on destPath before writing
- GET streams PDF bytes with Content-Type: application/pdf
- Path traversal guard on filePath before reading
- Both routes return 401 for unauthenticated requests
This commit is contained in:
Chandler Copeland
@@ -0,0 +1,39 @@
|
|||||||
|
import { auth } from '@/lib/auth';
|
||||||
|
import { db } from '@/lib/db';
|
||||||
|
import { documents } from '@/lib/db/schema';
|
||||||
|
import { eq } from 'drizzle-orm';
|
||||||
|
import { readFile } from 'node:fs/promises';
|
||||||
|
import path from 'node:path';
|
||||||
|
|
||||||
|
const UPLOADS_BASE = path.join(process.cwd(), 'uploads');
|
||||||
|
|
||||||
|
export async function GET(
|
||||||
|
_req: Request,
|
||||||
|
{ params }: { params: Promise<{ id: string }> }
|
||||||
|
) {
|
||||||
|
const session = await auth();
|
||||||
|
if (!session) return new Response('Unauthorized', { status: 401 });
|
||||||
|
|
||||||
|
const { id } = await params;
|
||||||
|
|
||||||
|
const doc = await db.query.documents.findFirst({
|
||||||
|
where: eq(documents.id, id),
|
||||||
|
});
|
||||||
|
if (!doc || !doc.filePath) return new Response('Not found', { status: 404 });
|
||||||
|
|
||||||
|
const filePath = path.join(UPLOADS_BASE, doc.filePath);
|
||||||
|
|
||||||
|
// Path traversal guard — critical security check
|
||||||
|
if (!filePath.startsWith(UPLOADS_BASE)) {
|
||||||
|
return new Response('Forbidden', { status: 403 });
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
const buffer = await readFile(filePath);
|
||||||
|
return new Response(buffer, {
|
||||||
|
headers: { 'Content-Type': 'application/pdf' },
|
||||||
|
});
|
||||||
|
} catch {
|
||||||
|
return new Response('File not found', { status: 404 });
|
||||||
|
}
|
||||||
|
}
|
||||||
77
teressa-copeland-homes/src/app/api/documents/route.ts
Normal file
77
teressa-copeland-homes/src/app/api/documents/route.ts
Normal file
@@ -0,0 +1,77 @@
|
|||||||
|
import { auth } from '@/lib/auth';
|
||||||
|
import { db } from '@/lib/db';
|
||||||
|
import { documents, formTemplates } from '@/lib/db/schema';
|
||||||
|
import { eq } from 'drizzle-orm';
|
||||||
|
import { copyFile, mkdir, writeFile } from 'node:fs/promises';
|
||||||
|
import path from 'node:path';
|
||||||
|
|
||||||
|
const SEEDS_DIR = path.join(process.cwd(), 'seeds', 'forms');
|
||||||
|
const UPLOADS_DIR = path.join(process.cwd(), 'uploads');
|
||||||
|
|
||||||
|
export async function POST(req: Request) {
|
||||||
|
const session = await auth();
|
||||||
|
if (!session) return new Response('Unauthorized', { status: 401 });
|
||||||
|
|
||||||
|
const contentType = req.headers.get('content-type') ?? '';
|
||||||
|
|
||||||
|
let clientId: string;
|
||||||
|
let name: string;
|
||||||
|
let formTemplateId: string | undefined;
|
||||||
|
let fileBuffer: ArrayBuffer | undefined;
|
||||||
|
|
||||||
|
if (contentType.includes('multipart/form-data')) {
|
||||||
|
// File picker path — custom PDF upload
|
||||||
|
const formData = await req.formData();
|
||||||
|
clientId = formData.get('clientId') as string;
|
||||||
|
name = formData.get('name') as string;
|
||||||
|
const file = formData.get('file') as File;
|
||||||
|
fileBuffer = await file.arrayBuffer();
|
||||||
|
} else {
|
||||||
|
// Library path — copy from seed template
|
||||||
|
const body = await req.json();
|
||||||
|
clientId = body.clientId;
|
||||||
|
name = body.name;
|
||||||
|
formTemplateId = body.formTemplateId;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!clientId || !name) {
|
||||||
|
return Response.json({ error: 'clientId and name are required' }, { status: 400 });
|
||||||
|
}
|
||||||
|
|
||||||
|
const docId = crypto.randomUUID();
|
||||||
|
const destDir = path.join(UPLOADS_DIR, 'clients', clientId);
|
||||||
|
const destPath = path.join(destDir, `${docId}.pdf`);
|
||||||
|
const relPath = `clients/${clientId}/${docId}.pdf`;
|
||||||
|
|
||||||
|
// Path traversal guard
|
||||||
|
if (!destPath.startsWith(UPLOADS_DIR)) {
|
||||||
|
return new Response('Forbidden', { status: 403 });
|
||||||
|
}
|
||||||
|
|
||||||
|
await mkdir(destDir, { recursive: true });
|
||||||
|
|
||||||
|
if (fileBuffer !== undefined) {
|
||||||
|
// Custom upload
|
||||||
|
await writeFile(destPath, Buffer.from(fileBuffer));
|
||||||
|
} else {
|
||||||
|
// Template copy
|
||||||
|
const template = await db.query.formTemplates.findFirst({
|
||||||
|
where: eq(formTemplates.id, formTemplateId!),
|
||||||
|
});
|
||||||
|
if (!template) return Response.json({ error: 'Template not found' }, { status: 404 });
|
||||||
|
|
||||||
|
const srcPath = path.join(SEEDS_DIR, template.filename);
|
||||||
|
await copyFile(srcPath, destPath);
|
||||||
|
}
|
||||||
|
|
||||||
|
const [doc] = await db.insert(documents).values({
|
||||||
|
id: docId,
|
||||||
|
clientId,
|
||||||
|
name,
|
||||||
|
formTemplateId: formTemplateId ?? null,
|
||||||
|
filePath: relPath,
|
||||||
|
status: 'Draft',
|
||||||
|
}).returning();
|
||||||
|
|
||||||
|
return Response.json(doc, { status: 201 });
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user