server side validation

NishantGupt786 · NishantGupt786 · commit fcdc04a086fb · 2024-10-12T14:49:52.000+05:30
diff --git a/src/app/api/mail/route.ts b/src/app/api/mail/route.ts
@@ -14,58 +14,26 @@ type MailOptions = {
   }[];
 };
 
-const RATE_LIMIT_WINDOW_MS = 60 * 60 * 1000;
-const RATE_LIMIT_MAX_REQUESTS = 3;
-
-const rateLimitStore: Record<string, { count: number; lastRequest: number }> =
-  {};
-function isRateLimited(ip: string) {
-  const currentTime = Date.now();
-  const record = rateLimitStore[ip];
-
-  if (record) {
-    if (currentTime - record.lastRequest > RATE_LIMIT_WINDOW_MS) {
-      rateLimitStore[ip] = { count: 1, lastRequest: currentTime };
-      return false;
-    } else {
-      if (record.count >= RATE_LIMIT_MAX_REQUESTS) {
-        return true;
-      } else {
-        record.count++;
-        record.lastRequest = currentTime;
-        return false;
-      }
-    }
-  } else {
-    rateLimitStore[ip] = { count: 1, lastRequest: currentTime };
-    return false;
-  }
-}
+// Allowed MIME types for PDF and image files
+const ALLOWED_MIME_TYPES = ["application/pdf", "image/jpeg", "image/png", "image/gif"];
+const MAX_FILE_SIZE_MB = 5; // Limit file size to 5 MB
 
 export async function POST(request: Request) {
   try {
     const formData = await request.formData();
 
     const ip =
-      request.headers.get("x-real-ip") ?? 
-      request.headers.get("x-forwarded-for") ?? 
+      request.headers.get("x-real-ip") ??
+      request.headers.get("x-forwarded-for") ??
       request.headers.get("remote-addr");
 
     if (!ip) {
       return NextResponse.json(
-        { message: "IP address not found" }, 
-        { status: 400 },
+        { message: "IP address not found" },
+        { status: 400 }
       );
     }
 
-    // Uncomment to enable rate-limiter
-    // if (isRateLimited(ip)) {
-    //   return NextResponse.json(
-    //     { message: "Too many requests. Please try again later." },
-    //     { status: 429 },
-    //   );
-    // }
-
     const transporter = nodemailer.createTransport({
       host: process.env.EMAIL_HOST,
       port: parseInt(process!.env.EMAIL_PORT as string),
@@ -76,11 +44,10 @@ export async function POST(request: Request) {
       },
     });
 
-    const zipFile = formData.get("zipFile");
-    const slot = formData.get("slot")?.toString() ?? '';
-    const subject = formData.get("subject")?.toString() ?? '';
-    const exam = formData.get("exam")?.toString() ?? '';
-    const year = formData.get("year")?.toString() ?? '';
+    const slot = formData.get("slot")?.toString() ?? "";
+    const subject = formData.get("subject")?.toString() ?? "";
+    const exam = formData.get("exam")?.toString() ?? "";
+    const year = formData.get("year")?.toString() ?? "";
 
     const htmlContent = `
       <div style="font-family: Arial, sans-serif; line-height: 1.5;">
@@ -92,32 +59,52 @@ export async function POST(request: Request) {
       </div>
     `;
 
+    const attachments: { filename: string; content: Buffer }[] = [];
+    const files = formData.getAll("files");
+
+    // Validate files and prepare attachments
+    for (const file of files) {
+      if (file instanceof Blob) {
+        const fileType = file.type;
+        const fileSizeMB = file.size / (1024 * 1024); // Convert size to MB
+
+        if (!ALLOWED_MIME_TYPES.includes(fileType)) {
+          return NextResponse.json(
+            { message: `File type not allowed: ${fileType}` },
+            { status: 400 }
+          );
+        }
+
+        if (fileSizeMB > MAX_FILE_SIZE_MB) {
+          return NextResponse.json(
+            { message: `File ${file.name} exceeds the 5MB size limit` },
+            { status: 400 }
+          );
+        }
+
+        const buffer = await file.arrayBuffer();
+        attachments.push({
+          filename: (file as any).name,
+          content: Buffer.from(buffer),
+        });
+      }
+    }
+
     const mailOptions: MailOptions = {
       from: process.env.EMAIL_USER!,
       to: process.env.EMAIL_USER!,
       subject: subject,
       html: htmlContent,
-      attachments: [],
+      attachments,
     };
 
-    if (zipFile instanceof Blob) {
-      const buffer = await zipFile.arrayBuffer();
-      const content = Buffer.from(buffer);
-
-      mailOptions.attachments!.push({
-        filename: "files.zip",
-        content: content,
-      });
-    }
-
     await transporter.sendMail(mailOptions);
 
     return NextResponse.json({ message: "Email sent successfully!" }, { status: 200 });
   } catch (error) {
     return NextResponse.json(
       { message: "Error sending email", error: error },
-      { status: 422 },
+      { status: 422 }
     );
   }
 }
-
diff --git a/src/app/upload/page.tsx b/src/app/upload/page.tsx
@@ -1,6 +1,5 @@
 "use client";
 import React, { useRef, useState } from "react";
-import JSZip from "jszip";
 import axios from "axios";
 import { slots, courses } from "./select_options";
 import toast, { Toaster } from "react-hot-toast";
@@ -61,22 +60,16 @@ const Page = () => {
         return;
       }
     }
-    const zip = new JSZip();
+  
     const formData = new FormData();
-
     for (const file of files) {
-      zip.file(file.name, file);
-      const content = await zip.generateAsync({ type: "blob" });
-
-      const arrayBuffer = await new Response(content).arrayBuffer();
-      const uint8Array = new Uint8Array(arrayBuffer);
-
-      formData.append("zipFile", new Blob([uint8Array]), "files.zip");
-      formData.append("slot", slot);
-      formData.append("subject", subject);
-      formData.append("exam", exam);
-      formData.append("year", year);
+      formData.append("files", file);  // append each file
     }
+    formData.append("slot", slot);
+    formData.append("subject", subject);
+    formData.append("exam", exam);
+    formData.append("year", year);
+  
     try {
       const result = await toast.promise(
         (async () => {
@@ -88,7 +81,7 @@ const Page = () => {
                 headers: {
                   "Content-Type": "multipart/form-data",
                 },
-              },
+              }
             );
             return response.data;
           } catch (error) {
@@ -99,16 +92,16 @@ const Page = () => {
           loading: "Sending papers",
           success: "Papers successfully sent",
           error: (err: ApiError) => err.message,
-        },
+        }
       );
       if (result?.message === "Email sent successfully!") {
-        setTimeout(() => {
-          router.push("/");
-        }, 1500);
+        // setTimeout(() => {
+        //   router.push("/");
+        // }, 1500);
       }
-    } catch (e) {
-    }
+    } catch (e) {}
   };
+  
 
   const handleSubjectSelect = (value: string) => {
     setSubject(value);
