Update: extract validateUploadedFiles into individual utility file (fixes #78) (#79)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: taylortom

lib/MiddlewareModule.js

@@ -4,13 +4,13 @@ import bodyParser from 'body-parser'
 import bytes from 'bytes'
 import compression from 'compression'
 import { createWriteStream } from 'fs'
-import { fileTypeFromFile } from 'file-type'
 import formidable from 'formidable'
 import fs from 'fs/promises'
 import path from 'path'
 import helmet from 'helmet'
 import { RateLimiterMongo } from 'rate-limiter-flexible'
 import { unzip } from 'zipper'
+import { validateUploadedFiles } from './utils/validateUploadedFiles.js'
 /**
  * Adds useful Express middleware to the server stack
  * @memberof middleware
@@ -253,30 +253,5 @@ class MiddlewareModule extends AbstractModule {
     }
   }
 }
-/** @ignore */
-async function validateUploadedFiles (req, filesObj, options) {
-  const errors = App.instance.errors
-  const assetErrors = []
-  const filesArr = Object.values(filesObj).reduce((memo, f) => memo.concat(f), []) // flatten nested arrays
-  await Promise.all(filesArr.map(async f => {
-    if (!options.expectedFileTypes.includes(f.mimetype)) {
-      // formidable mimetype isn't allowed, try inspecting the file
-      f.mimetype = (await fileTypeFromFile(f.filepath))?.mime
-      if (!f.mimetype && path.extname(f.originalFilename) === '.srt') {
-        f.mimetype = 'application/x-subrip'
-      }
-      if (!options.expectedFileTypes.includes(f.mimetype)) {
-        assetErrors.push(errors.UNEXPECTED_FILE_TYPES.setData({ expectedFileTypes: options.expectedFileTypes, invalidFiles: [f.originalFilename], mimetypes: [f.mimetype] }))
-      }
-    }
-    if (f.size > options.maxFileSize) {
-      assetErrors.push(errors.FILE_EXCEEDS_MAX_SIZE.setData({ size: bytes(f.size), maxSize: bytes(options.maxFileSize) }))
-    }
-  }))
-  if (assetErrors.length) {
-    throw errors.VALIDATION_FAILED
-      .setData({ schemaName: 'fileupload', errors: assetErrors.map(req.translate).join(', ') })
-  }
-}
 
 export default MiddlewareModule

lib/utils.js

@@ -0,0 +1 @@
+export { validateUploadedFiles } from './utils/validateUploadedFiles.js'

lib/utils/validateUploadedFiles.js

@@ -0,0 +1,36 @@
+import { App } from 'adapt-authoring-core'
+import bytes from 'bytes'
+import { fileTypeFromFile } from 'file-type'
+import path from 'path'
+
+/**
+ * Validates uploaded files against expected types and size limits
+ * @param {external:ExpressRequest} req
+ * @param {Object} filesObj Files object from formidable
+ * @param {Object} options Upload options including expectedFileTypes and maxFileSize
+ * @memberof middleware
+ */
+export async function validateUploadedFiles (req, filesObj, options) {
+  const errors = App.instance.errors
+  const assetErrors = []
+  const filesArr = Object.values(filesObj).reduce((memo, f) => memo.concat(f), []) // flatten nested arrays
+  await Promise.all(filesArr.map(async f => {
+    if (!options.expectedFileTypes.includes(f.mimetype)) {
+      // formidable mimetype isn't allowed, try inspecting the file
+      f.mimetype = (await fileTypeFromFile(f.filepath))?.mime
+      if (!f.mimetype && path.extname(f.originalFilename) === '.srt') {
+        f.mimetype = 'application/x-subrip'
+      }
+      if (!options.expectedFileTypes.includes(f.mimetype)) {
+        assetErrors.push(errors.UNEXPECTED_FILE_TYPES.setData({ expectedFileTypes: options.expectedFileTypes, invalidFiles: [f.originalFilename], mimetypes: [f.mimetype] }))
+      }
+    }
+    if (f.size > options.maxFileSize) {
+      assetErrors.push(errors.FILE_EXCEEDS_MAX_SIZE.setData({ size: bytes(f.size), maxSize: bytes(options.maxFileSize) }))
+    }
+  }))
+  if (assetErrors.length) {
+    throw errors.VALIDATION_FAILED
+      .setData({ schemaName: 'fileupload', errors: assetErrors.map(req.translate).join(', ') })
+  }
+}

package.json

@@ -20,7 +20,7 @@
     "zipper": "github:adapt-security/zipper"
   },
   "peerDependencies": {
-    "adapt-authoring-core": "^1.7.0",
+    "adapt-authoring-core": "^2.0.0",
     "adapt-authoring-mongodb": "^1.1.3",
     "adapt-authoring-server": "^1.2.1"
   },

tests/utils-validateUploadedFiles.spec.js

@@ -0,0 +1,146 @@
+import { describe, it, mock, before, after } from 'node:test'
+import assert from 'node:assert/strict'
+import fs from 'fs/promises'
+import path from 'path'
+import os from 'os'
+import App from 'adapt-authoring-core/lib/App.js'
+
+mock.getter(App, 'instance', () => ({
+  errors: {
+    UNEXPECTED_FILE_TYPES: {
+      setData (data) {
+        const e = new Error('UNEXPECTED_FILE_TYPES')
+        e.code = 'UNEXPECTED_FILE_TYPES'
+        e.data = data
+        return e
+      }
+    },
+    FILE_EXCEEDS_MAX_SIZE: {
+      setData (data) {
+        const e = new Error('FILE_EXCEEDS_MAX_SIZE')
+        e.code = 'FILE_EXCEEDS_MAX_SIZE'
+        e.data = data
+        return e
+      }
+    },
+    VALIDATION_FAILED: {
+      setData (data) {
+        const e = new Error('VALIDATION_FAILED')
+        e.code = 'VALIDATION_FAILED'
+        e.data = data
+        return e
+      }
+    }
+  }
+}))
+
+const { validateUploadedFiles } = await import('../lib/utils/validateUploadedFiles.js')
+
+describe('validateUploadedFiles()', () => {
+  const makeReq = () => ({ translate: (e) => e.message || String(e) })
+  let tmpDir
+
+  before(async () => {
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'middleware-test-'))
+    // Create test files
+    await fs.writeFile(path.join(tmpDir, 'test.txt'), 'hello world')
+    await fs.writeFile(path.join(tmpDir, 'subtitle.srt'), '1\n00:00:00,000 --> 00:00:01,000\nHello')
+  })
+
+  after(async () => {
+    await fs.rm(tmpDir, { recursive: true })
+  })
+
+  it('should pass when file matches expected type', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'image/png', originalFilename: 'test.png', size: 100, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should pass with multiple files all matching expected types', async () => {
+    const req = makeReq()
+    const files = {
+      file1: [{ mimetype: 'image/png', originalFilename: 'a.png', size: 100, filepath: path.join(tmpDir, 'test.txt') }],
+      file2: [{ mimetype: 'image/jpeg', originalFilename: 'b.jpg', size: 200, filepath: path.join(tmpDir, 'test.txt') }]
+    }
+    const options = { expectedFileTypes: ['image/png', 'image/jpeg'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should throw VALIDATION_FAILED when file exceeds max size', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'image/png', originalFilename: 'big.png', size: 5000, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.rejects(
+      () => validateUploadedFiles(req, files, options),
+      (err) => err.code === 'VALIDATION_FAILED'
+    )
+  })
+
+  it('should throw VALIDATION_FAILED for unexpected file type', async () => {
+    // fileTypeFromFile returns null for plain text files, so mimetype stays unmatched
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'text/plain', originalFilename: 'test.txt', size: 100, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.rejects(
+      () => validateUploadedFiles(req, files, options),
+      (err) => err.code === 'VALIDATION_FAILED'
+    )
+  })
+
+  it('should treat .srt files as application/x-subrip when file inspection returns null', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'text/plain', originalFilename: 'subtitle.srt', size: 100, filepath: path.join(tmpDir, 'subtitle.srt') }] }
+    const options = { expectedFileTypes: ['application/x-subrip'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should handle empty files object', async () => {
+    const req = makeReq()
+    const files = {}
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should flatten nested file arrays', async () => {
+    const req = makeReq()
+    const files = {
+      images: [
+        { mimetype: 'image/png', originalFilename: 'a.png', size: 100, filepath: path.join(tmpDir, 'test.txt') },
+        { mimetype: 'image/png', originalFilename: 'b.png', size: 200, filepath: path.join(tmpDir, 'test.txt') }
+      ]
+    }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should include both type and size errors in VALIDATION_FAILED', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'text/plain', originalFilename: 'test.txt', size: 5000, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.rejects(
+      () => validateUploadedFiles(req, files, options),
+      (err) => {
+        return err.code === 'VALIDATION_FAILED' && err.data.schemaName === 'fileupload'
+      }
+    )
+  })
+
+  it('should pass when file size equals max size', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'image/png', originalFilename: 'exact.png', size: 1000, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.doesNotReject(() => validateUploadedFiles(req, files, options))
+  })
+
+  it('should fail when file size is one byte over max', async () => {
+    const req = makeReq()
+    const files = { file: [{ mimetype: 'image/png', originalFilename: 'over.png', size: 1001, filepath: path.join(tmpDir, 'test.txt') }] }
+    const options = { expectedFileTypes: ['image/png'], maxFileSize: 1000 }
+    await assert.rejects(
+      () => validateUploadedFiles(req, files, options),
+      (err) => err.code === 'VALIDATION_FAILED'
+    )
+  })
+})