✨ Make view and deploy attachment endpoints public (as attachment id is unguessable and not disclosed)

Author: aurelien-brabant

.gitignore

@@ -4,3 +4,5 @@ node_modules
 
 gen-api
 caddy/data
+
+/attachments

server/openapi.yaml

@@ -606,6 +606,11 @@ paths:
       responses:
         "200":
           description: ""
+          content:
+            application/octet-stream:
+              schema:
+                type: string
+                format: binary
   /attachments/downloadById/{id}:
     get:
       operationId: downloadById
@@ -618,6 +623,11 @@ paths:
       responses:
         "200":
           description: ""
+          content:
+            application/octet-stream:
+              schema:
+                type: string
+                format: binary
   /conversations/getAllByProjectId:
     get:
       operationId: getAllConversations

server/src/attachments/attachments.controller.ts

@@ -2,6 +2,7 @@ import {
   BadRequestException,
   Controller,
   Get,
+  HttpStatus,
   NotFoundException,
   Param,
   Post,
@@ -11,6 +12,7 @@ import {
   UseInterceptors,
 } from '@nestjs/common';
 import { FileInterceptor } from '@nestjs/platform-express';
+import { ApiProduces, ApiResponse } from '@nestjs/swagger';
 import { Response } from 'express';
 import { RequireAuthMethod } from 'src/iam/iam.decorators';
 import { ServerSdkAuthenticatedRequest } from 'src/iam/iam.types';
@@ -59,18 +61,24 @@ export class AttachmentsController {
     });
   }
 
+  @ApiResponse({
+    schema: {
+      type: 'string',
+      format: 'binary',
+    },
+    status: HttpStatus.OK,
+  })
+  @ApiProduces('application/octet-stream')
   @Get('viewById/:id')
   async serveById(@Param('id') id: string, @Res() res: Response) {
     const attachment = await this.attachmentsService.findById(id);
 
-    if (!attachment || !attachment.isPublic) {
+    if (!attachment) {
       throw new NotFoundException('Attachment not found.');
     }
 
     const data = await this.storageService.download(attachment.id);
 
-    console.log('attachment.mimeType', attachment.mimeType);
-
     res.setHeader(
       'Content-Disposition',
       `inline; filename="${attachment.name}"`,
@@ -81,11 +89,19 @@ export class AttachmentsController {
     res.send(data);
   }
 
+  @ApiResponse({
+    schema: {
+      type: 'string',
+      format: 'binary',
+    },
+    status: HttpStatus.OK,
+  })
+  @ApiProduces('application/octet-stream')
   @Get('downloadById/:id')
   async downloadById(@Param('id') id: string, @Res() res: Response) {
     const attachment = await this.attachmentsService.findById(id);
 
-    if (!attachment || !attachment.isPublic) {
+    if (!attachment) {
       throw new NotFoundException('Attachment not found.');
     }