fix(http-code): return 406 for invalid file extensions

Author: chertik77

app/app.ts

@@ -3,6 +3,7 @@ import type { NextFunction, Request, Response } from 'express'
 import express from 'express'
 import { PrismaClient } from '@prisma/client'
 import cors from 'cors'
+import { HttpError } from 'http-errors'
 import logger from 'morgan'
 import swaggerUi from 'swagger-ui-express'
 
@@ -17,15 +18,10 @@ import {
   userRouter
 } from './routes/api'
 
-export type ResponseError = Error & {
-  status?: number
-  code?: number | string
-}
+export const prisma = new PrismaClient()
 
 const app = express()
 
-export const prisma = new PrismaClient()
-
 app.listen(Number(process.env.PORT) || 5432, () => {
   console.log(`Server started on port ${process.env.PORT || 5432}`)
 })
@@ -50,7 +46,7 @@ app.use((_, res) => {
   res.status(404).json({ message: 'Not found' })
 })
 
-app.use((err: ResponseError, _: Request, res: Response, __: NextFunction) => {
+app.use((err: HttpError, _: Request, res: Response, __: NextFunction) => {
   const { status = 500, message = 'Server error' } = err
   res.status(status).json({ statusCode: status, message })
 })

app/middlewares/authenticate.ts

@@ -1,8 +1,8 @@
 import type { NextFunction, Request, Response } from 'express'
 
 import { prisma } from 'app'
-import createHttpError from 'http-errors'
-import jwt from 'jsonwebtoken'
+import { Unauthorized } from 'http-errors'
+import { verify } from 'jsonwebtoken'
 
 export const authenticate = async (
   req: Request,
@@ -12,28 +12,24 @@ export const authenticate = async (
   const { authorization = '' } = req.headers
   const [bearer, token] = authorization.split(' ')
 
-  if (bearer !== 'Bearer') {
-    return next(createHttpError(401))
-  }
+  if (bearer !== 'Bearer') return next(Unauthorized())
 
   try {
-    const { id, sid } = jwt.verify(token, process.env.ACCESS_JWT_SECRET!) as {
+    const { id, sid } = verify(token, process.env.ACCESS_JWT_SECRET!) as {
       id: string
       sid: string
     }
 
     const user = await prisma.user.findFirst({ where: { id } })
     const session = await prisma.session.findFirst({ where: { id: sid } })
 
-    if (!user || !session) {
-      return next(createHttpError(401))
-    }
+    if (!user || !session) return next(Unauthorized())
 
     req.user = user
     req.session = session.id
 
     next()
   } catch {
-    return next(createHttpError(401))
+    return next(Unauthorized())
   }
 }

app/middlewares/index.ts

@@ -1,3 +1,2 @@
 export * from './authenticate'
-export * from './multer'
 export * from './validateRequest'

app/routes/api/board.ts

@@ -61,15 +61,15 @@ boardRouter.put(
   '/:boardId',
   validateRequest({ body: EditBoardSchema, params: BoardParamsSchema }),
   async ({ body, params, user }, res, next) => {
-    const updatedBoard = await prisma.board.update({
+    const updatedBoard = await prisma.board.updateMany({
       where: { id: params.boardId, userId: user.id },
       data: {
         ...body,
         background: body.background && boardImages[body.background]
       }
     })
 
-    if (!updatedBoard) return next(NotFound('Board not found'))
+    if (!updatedBoard.count) return next(NotFound('Board not found'))
 
     res.json(updatedBoard)
   }
@@ -79,11 +79,11 @@ boardRouter.delete(
   '/:boardId',
   validateRequest({ params: BoardParamsSchema }),
   async ({ params, user }, res, next) => {
-    const deletedBoard = await prisma.board.delete({
+    const deletedBoard = await prisma.board.deleteMany({
       where: { id: params.boardId, userId: user.id }
     })
 
-    if (!deletedBoard) return next(NotFound('Board not found'))
+    if (!deletedBoard.count) return next(NotFound('Board not found'))
 
     res.status(204).send()
   }

app/routes/api/card.ts

@@ -42,12 +42,12 @@ cardRouter.put(
   '/:cardId',
   validateRequest({ body: EditCardSchema, params: CardParamsSchema }),
   async ({ params, body }, res, next) => {
-    const updatedCard = await prisma.card.update({
+    const updatedCard = await prisma.card.updateMany({
       where: { id: params.cardId },
       data: body
     })
 
-    if (!updatedCard) return next(NotFound('Card not found'))
+    if (!updatedCard.count) return next(NotFound('Card not found'))
 
     res.json(updatedCard)
   }
@@ -83,11 +83,11 @@ cardRouter.delete(
   '/:cardId',
   validateRequest({ params: CardParamsSchema }),
   async ({ params }, res, next) => {
-    const deletedCard = await prisma.card.delete({
+    const deletedCard = await prisma.card.deleteMany({
       where: { id: params.cardId }
     })
 
-    if (!deletedCard) return next(NotFound('Card not found'))
+    if (!deletedCard.count) return next(NotFound('Card not found'))
 
     res.status(204).send()
   }

app/routes/api/column.ts

@@ -45,12 +45,12 @@ columnRouter.put(
   '/:columnId',
   validateRequest({ body: EditColumnSchema, params: ColumnParamsSchema }),
   async ({ params, body }, res, next) => {
-    const updatedColumn = await prisma.column.update({
+    const updatedColumn = await prisma.column.updateMany({
       where: { id: params.columnId },
       data: body
     })
 
-    if (!updatedColumn) return next(NotFound('Column not found'))
+    if (!updatedColumn.count) return next(NotFound('Column not found'))
 
     res.json(updatedColumn)
   }
@@ -86,11 +86,11 @@ columnRouter.delete(
   '/:columnId',
   validateRequest({ params: ColumnParamsSchema }),
   async ({ params }, res, next) => {
-    const deletedColumn = await prisma.column.delete({
+    const deletedColumn = await prisma.column.deleteMany({
       where: { id: params.columnId }
     })
 
-    if (!deletedColumn) return next(NotFound('Column not found'))
+    if (!deletedColumn.count) return next(NotFound('Column not found'))
 
     res.status(204).send()
   }

app/routes/api/user.ts

@@ -5,9 +5,11 @@ import { hash } from 'bcrypt'
 import cloudinary from 'config/cloudinary.config'
 import { transport } from 'config/nodemailer.config'
 import defaultAvatars from 'data/default-avatars.json'
-import { BadRequest, Conflict, InternalServerError } from 'http-errors'
+import { Conflict, InternalServerError, NotAcceptable } from 'http-errors'
+import { Options } from 'nodemailer/lib/mailer'
 
-import { authenticate, upload, validateRequest } from 'middlewares'
+import { authenticate, validateRequest } from 'middlewares'
+import { upload } from 'middlewares/multer'
 
 import { EditUserSchema, NeedHelpSchema, ThemeSchema } from 'schemas/user'
 
@@ -50,7 +52,7 @@ userRouter.put(
       const ext = file.mimetype.split('/').pop()
 
       if (!extArr.includes(ext!)) {
-        return next(BadRequest('File must have .jpeg or .png extension'))
+        return next(NotAcceptable('File must have .jpeg or .png extension'))
       }
 
       try {
@@ -86,7 +88,7 @@ userRouter.post(
   '/help',
   validateRequest({ body: NeedHelpSchema }),
   async (req, res, next) => {
-    const emailBody = {
+    const emailBody: Options = {
       from: process.env.EMAIL_USER,
       to: process.env.EMAIL_RECEIVER,
       subject: 'Need help',
@@ -110,12 +112,7 @@ userRouter.put(
   '/theme',
   validateRequest({ body: ThemeSchema }),
   async (req, res) => {
-    const user = await prisma.user.findFirst({
-      where: { id: req.user.id },
-      omit: { password: true }
-    })
-
-    const updateData = !user?.avatarPublicId
+    const updateData = !req.user.avatarPublicId
       ? {
           ...req.body,
           avatar: defaultAvatars[req.body.theme],
@@ -125,7 +122,8 @@ userRouter.put(
 
     const editedUser = await prisma.user.update({
       where: { id: req.user.id },
-      data: updateData
+      data: updateData,
+      omit: { password: true }
     })
 
     res.json(editedUser)

swagger.json

@@ -233,15 +233,15 @@
         "requestBody": {
           "required": true,
           "content": {
+            "application/json": { "example": { "password": "123456789" } },
             "multipart/form-data": {
               "schema": {
                 "type": "object",
                 "properties": {
                   "avatar": { "type": "string", "format": "binary" }
                 }
               }
-            },
-            "application/json": { "example": { "password": "123456789" } }
+            }
           }
         },
         "responses": {
@@ -259,6 +259,16 @@
               }
             }
           },
+          "406": {
+            "content": {
+              "application/json": {
+                "example": {
+                  "statusCode": 406,
+                  "message": "File must have .jpeg or .png extension"
+                }
+              }
+            }
+          },
           "401": { "$ref": "#/components/responses/Unauthorized" },
           "409": { "$ref": "#/components/responses/Conflict" }
         }