Merge pull request #2504 from bluewave-labs/feature/file-manager-backend

Feature/file manager backend

Author: MuhammadKhalilzadeh

Servers/controllers/fileManager.ctrl.ts

@@ -55,6 +55,7 @@ export interface FileManagerMetadata {
   uploaded_by: number;
   uploader_name?: string;
   uploader_surname?: string;
+  existsOnDisk?: boolean;
 }
 
 @Table({

Servers/domain.layer/models/fileManager/fileManager.model.ts

@@ -53,6 +53,9 @@ const swaggerDoc = YAML.load("./swagger.yaml");
 
 const app = express();
 
+// Trust proxy to correctly interpret X-Forwarded-For headers for rate limiting
+app.set('trust proxy', 1);
+
 const DEFAULT_PORT = "3000";
 const DEFAULT_HOST = "localhost";
 

Servers/index.ts

@@ -0,0 +1,96 @@
+/**
+ * @fileoverview Rate Limiting Middleware
+ *
+ * Provides production-ready rate limiting for API endpoints to prevent abuse and DoS attacks.
+ * Uses express-rate-limit with IPv6-safe IP normalization.
+ *
+ * Rate Limiters:
+ * - fileOperationsLimiter: 15 requests/15min (for file uploads, downloads, deletions)
+ * - generalApiLimiter: 100 requests/15min (for standard API endpoints)
+ * - authLimiter: 5 requests/15min (for authentication to prevent brute force)
+ *
+ * @module middleware/rateLimit
+ */
+
+import rateLimit, { Options } from 'express-rate-limit';
+import { STATUS_CODE } from '../utils/statusCode.utils';
+import { Request, Response } from 'express';
+import logger from '../utils/logger/fileLogger';
+
+/**
+ * Rate limit configuration with time window and request limits
+ */
+interface RateLimitConfig {
+  windowMinutes: number;
+  maxRequests: number;
+  message: string;
+}
+
+/**
+ * Predefined rate limit configurations for different endpoint types
+ */
+const RATE_LIMIT_CONFIGS: Record<string, RateLimitConfig> = {
+  fileOperations: {
+    windowMinutes: 15,
+    maxRequests: 15,
+    message: 'Too many file operation requests from this IP, please try again after 15 minutes',
+  },
+  generalApi: {
+    windowMinutes: 15,
+    maxRequests: 100,
+    message: 'Too many requests from this IP, please try again after 15 minutes',
+  },
+  auth: {
+    windowMinutes: 15,
+    maxRequests: 5,
+    message: 'Too many authentication attempts from this IP, please try again after 15 minutes',
+  },
+};
+
+/**
+ * Creates a standardized rate limit error handler
+ * Returns consistent error format using STATUS_CODE utility
+ */
+const createRateLimitHandler = (message: string) => {
+  return (req: Request, res: Response) => {
+    const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
+    logger.warn(`Rate limit exceeded for IP ${clientIp} on ${req.path}: ${message}`);
+    res.status(429).json(STATUS_CODE[429](message));
+  };
+};
+
+/**
+ * Creates a rate limiter with the specified configuration
+ * Uses express-rate-limit's built-in IP extraction and IPv6 normalization
+ */
+const createRateLimiter = (config: RateLimitConfig) => {
+  const options: Partial<Options> = {
+    windowMs: config.windowMinutes * 60 * 1000,
+    max: config.maxRequests,
+    standardHeaders: true, // Send rate limit info in RateLimit-* headers
+    legacyHeaders: false, // Disable X-RateLimit-* headers
+    handler: createRateLimitHandler(config.message),
+    // Let express-rate-limit handle IP extraction with IPv6 support
+    // This automatically uses req.ip with proper IPv6 normalization
+  };
+
+  return rateLimit(options);
+};
+
+/**
+ * Rate limiter for file operations (upload, download, delete)
+ * Restrictive limits due to expensive I/O operations
+ */
+export const fileOperationsLimiter = createRateLimiter(RATE_LIMIT_CONFIGS.fileOperations);
+
+/**
+ * General API rate limiter for standard CRUD endpoints
+ * Moderate limits for typical operations
+ */
+export const generalApiLimiter = createRateLimiter(RATE_LIMIT_CONFIGS.generalApi);
+
+/**
+ * Strict rate limiter for authentication endpoints
+ * Very restrictive to prevent brute force attacks
+ */
+export const authLimiter = createRateLimiter(RATE_LIMIT_CONFIGS.auth);

Servers/middleware/rateLimit.middleware.ts

@@ -29,6 +29,7 @@
     "crypto": "^1.0.1",
     "dotenv": "^16.4.5",
     "express": "^4.21.2",
+    "express-rate-limit": "^8.1.0",
     "express-validator": "^7.2.1",
     "helmet": "^8.0.0",
     "html-to-docx": "^1.8.0",

Servers/package-lock.json

@@ -7,24 +7,27 @@
  * - POST   /file-manager       - Upload file (Admin, Reviewer, Editor only)
  * - GET    /file-manager       - List all files (All authenticated users)
  * - GET    /file-manager/:id   - Download file (All authenticated users)
+ * - DELETE /file-manager/:id   - Delete file (Admin, Reviewer, Editor only)
  *
  * Access Control:
  * - All routes require JWT authentication
- * - Upload restricted to Admin, Reviewer, Editor (enforced by authorize middleware)
+ * - Upload and Delete restricted to Admin, Reviewer, Editor (enforced by authorize middleware)
  * - List and Download available to all authenticated users
  *
  * @module routes/fileManager
  */
 
 import express, { Request, Response, NextFunction } from "express";
-import { uploadFile, listFiles, downloadFile } from "../controllers/fileManager.ctrl";
+import { uploadFile, listFiles, downloadFile, removeFile } from "../controllers/fileManager.ctrl";
 import authenticateJWT from "../middleware/auth.middleware";
 import authorize from "../middleware/accessControl.middleware";
+import { fileOperationsLimiter } from "../middleware/rateLimit.middleware";
 import multer from "multer";
 import { STATUS_CODE } from "../utils/statusCode.utils";
 import * as path from "path";
 import * as fs from "fs";
 import { ALLOWED_MIME_TYPES } from "../utils/validations/fileManagerValidation.utils";
+import logger from "../utils/logger/fileLogger";
 
 const router = express.Router();
 
@@ -81,12 +84,34 @@ const upload = multer({
  * Catches file size limit errors and file type rejection errors
  */
 const handleMulterError = (err: any, req: Request, res: Response, next: NextFunction) => {
-  // Clean up temporary file if it exists
+  // Clean up temporary file if it exists (async, non-blocking)
   if (req.file?.path) {
+    // Secure containment validation using realpathSync to resolve symlinks
+    let resolvedPath: string;
+    let resolvedTempDir: string;
+
     try {
-      fs.unlinkSync(req.file.path);
-    } catch (cleanupError) {
-      console.error("Failed to clean up temporary file:", cleanupError);
+      // Resolve real paths (follows symlinks) to prevent directory traversal via symlinks
+      resolvedTempDir = fs.realpathSync(tempDir);
+      resolvedPath = fs.realpathSync(req.file.path);
+
+      // Only clean up if the file is strictly within the temp directory
+      if (resolvedPath.startsWith(resolvedTempDir + path.sep)) {
+        // Fire-and-forget async cleanup to avoid blocking
+        fs.promises.unlink(resolvedPath).catch((cleanupError) => {
+          // Ignore ENOENT (file already deleted), but log other errors
+          if (cleanupError.code !== 'ENOENT') {
+            logger.error("Failed to clean up temporary file:", cleanupError);
+          }
+        });
+      } else {
+        // Log security violation attempt
+        logger.warn(`Security: Blocked cleanup attempt outside temp directory. Path: ${resolvedPath}, Allowed: ${resolvedTempDir}`);
+      }
+    } catch (e) {
+      // Unable to resolve file/directory (file may not exist), skip cleanup and continue
+      logger.warn(`Failed to resolve path for cleanup: ${req.file.path}`, e);
+      // Do not return - continue to error handling below
     }
   }
 
@@ -121,10 +146,12 @@ const handleMulterError = (err: any, req: Request, res: Response, next: NextFunc
  * @returns {403} Access denied (unauthorized role)
  * @returns {413} File size exceeds maximum allowed size
  * @returns {415} Unsupported file type
+ * @returns {429} Too many requests - rate limit exceeded
  * @returns {500} Server error
  */
 router.post(
   "/",
+  fileOperationsLimiter,
   authenticateJWT,
   authorize(["Admin", "Reviewer", "Editor"]),
   upload.single("file"),
@@ -139,9 +166,10 @@ router.post(
  * @query   page - Page number (optional)
  * @query   pageSize - Items per page (optional)
  * @returns {200} List of files with metadata and pagination
+ * @returns {429} Too many requests - rate limit exceeded
  * @returns {500} Server error
  */
-router.get("/", authenticateJWT, listFiles);
+router.get("/", fileOperationsLimiter, authenticateJWT, listFiles);
 
 /**
  * @route   GET /file-manager/:id
@@ -151,8 +179,28 @@ router.get("/", authenticateJWT, listFiles);
  * @returns {200} File content with download headers
  * @returns {403} Access denied (file from different organization)
  * @returns {404} File not found
+ * @returns {429} Too many requests - rate limit exceeded
  * @returns {500} Server error
  */
-router.get("/:id", authenticateJWT, downloadFile);
+router.get("/:id", fileOperationsLimiter, authenticateJWT, downloadFile);
+
+/**
+ * @route   DELETE /file-manager/:id
+ * @desc    Delete a file by ID
+ * @access  Admin, Reviewer, Editor only
+ * @param   id - File ID
+ * @returns {200} File deleted successfully
+ * @returns {403} Access denied (file from different organization or unauthorized role)
+ * @returns {404} File not found
+ * @returns {429} Too many requests - rate limit exceeded
+ * @returns {500} Server error
+ */
+router.delete(
+  "/:id",
+  fileOperationsLimiter,
+  authenticateJWT,
+  authorize(["Admin", "Reviewer", "Editor"]),
+  removeFile
+);
 
 export default router;