Add signed URLs for file access, fix unauthorized file viewing

New /files/signed-url/:id endpoint generates a 15-minute JWT-signed URL for any file. New /files/s/* endpoint serves files using the token from the query string without requiring auth headers. This allows files to open in new browser tabs without authentication issues. Photos and documents in repair tickets now use signed URLs when clicked.
2026-03-29 11:02:24 -05:00
parent 77e56b7837
commit bf2091365d
2 changed files with 71 additions and 12 deletions
--- a/packages/backend/src/routes/v1/files.ts
+++ b/packages/backend/src/routes/v1/files.ts
@@ -112,6 +112,61 @@ export const fileRoutes: FastifyPluginAsync = async (app) => {
    return reply.send({ ...file, url })
  })

+  // Generate signed URL for a file (short-lived token in query string)
+  app.get('/files/signed-url/:id', { preHandler: [app.authenticate, app.requirePermission('files.view')] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const file = await FileService.getById(app.db, request.companyId, id)
+    if (!file) return reply.status(404).send({ error: { message: 'File not found', statusCode: 404 } })
+
+    // Sign a short-lived token with the file path
+    const token = app.jwt.sign(
+      { path: file.path, companyId: request.companyId, purpose: 'file-access' } as any,
+      { expiresIn: '15m' },
+    )
+
+    const signedUrl = `/v1/files/s/${file.path}?token=${token}`
+    return reply.send({ url: signedUrl })
+  })
+
+  // Serve file via signed URL (no auth header required — token in query string)
+  app.get('/files/s/*', async (request, reply) => {
+    const filePath = (request.params as { '*': string })['*']
+    const { token } = request.query as { token?: string }
+
+    if (!filePath || !token) {
+      return reply.status(400).send({ error: { message: 'Path and token required', statusCode: 400 } })
+    }
+
+    // Verify the signed token
+    try {
+      const payload = app.jwt.verify(token) as { path: string; companyId: string; purpose: string }
+      if (payload.purpose !== 'file-access' || payload.path !== filePath) {
+        return reply.status(403).send({ error: { message: 'Invalid token', statusCode: 403 } })
+      }
+    } catch {
+      return reply.status(403).send({ error: { message: 'Token expired or invalid', statusCode: 403 } })
+    }
+
+    // Path traversal protection
+    if (filePath.includes('..')) {
+      return reply.status(403).send({ error: { message: 'Access denied', statusCode: 403 } })
+    }
+
+    try {
+      const data = await app.storage.get(filePath)
+      const ext = filePath.split('.').pop()?.toLowerCase()
+      const contentTypeMap: Record<string, string> = {
+        jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/png', webp: 'image/webp', pdf: 'application/pdf',
+      }
+      return reply
+        .header('Content-Type', contentTypeMap[ext ?? ''] ?? 'application/octet-stream')
+        .header('Cache-Control', 'private, max-age=900')
+        .send(data)
+    } catch {
+      return reply.status(404).send({ error: { message: 'File not found', statusCode: 404 } })
+    }
+  })
+
  // Delete a file
  app.delete('/files/:id', { preHandler: [app.authenticate, app.requirePermission('files.delete')] }, async (request, reply) => {
    const { id } = request.params as { id: string }