token image, api key header
18
server.js
18
server.js
@@ -121,14 +121,13 @@ app.use((req, res, next) => {
|
||||
|
||||
// Simple CORS middleware for API endpoints
|
||||
app.use((req, res, next) => {
|
||||
// Allow requests from configured FRONTEND_URL or allow all if not set
|
||||
const origin = req.headers.origin;
|
||||
const allowedOrigin = FRONTEND_URL || "*";
|
||||
|
||||
if (allowedOrigin === "*" || origin === allowedOrigin) {
|
||||
res.setHeader("Access-Control-Allow-Origin", allowedOrigin === "*" ? "*" : origin);
|
||||
res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
|
||||
res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
|
||||
res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
|
||||
res.setHeader("Access-Control-Allow-Credentials", "true");
|
||||
}
|
||||
|
||||
@@ -140,21 +139,24 @@ app.use((req, res, next) => {
|
||||
next();
|
||||
});
|
||||
|
||||
// Protected file serving — degree/certificate documents require API key
|
||||
// Protected file serving — degree/certificate documents via signed URLs
|
||||
const { verifySignedUrl } = require('./utils/signedUrl');
|
||||
app.get("/secure-files/:filename", (req, res) => {
|
||||
const apiKey = req.query.api_key;
|
||||
if (!apiKey || apiKey !== process.env.API_KEY) {
|
||||
return res.status(401).json({ error: "Unauthorized - Invalid API key" });
|
||||
const filename = path.basename(req.params.filename);
|
||||
const { token, expires } = req.query;
|
||||
|
||||
const result = verifySignedUrl(filename, token, expires);
|
||||
if (!result.valid) {
|
||||
return res.status(401).json({ error: result.reason || 'Unauthorized' });
|
||||
}
|
||||
|
||||
const filename = path.basename(req.params.filename); // prevent path traversal
|
||||
const filePath = path.join(__dirname, "private", "uploads", "degree", filename);
|
||||
|
||||
if (!fs.existsSync(filePath)) {
|
||||
return res.status(404).json({ error: "File not found" });
|
||||
}
|
||||
|
||||
res.setHeader("Access-Control-Allow-Origin", FRONTEND_URL || "*");
|
||||
res.setHeader("Cache-Control", "private, no-store"); // prevent caching of sensitive docs
|
||||
res.sendFile(filePath);
|
||||
});
|
||||
|
||||
|
||||
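Review bot: `token` and `expires` are pulled straight from `req.query` (the destructuring right after `path.basename`) with no type check, and Express's query parser can return an array or object for a repeated or bracketed parameter (`?token[]=x`); whether `verifySignedUrl` tolerates that is not visible here, and if it builds a `Buffer` or calls `crypto.timingSafeEqual` on its input a non-string would throw and turn an auth failure into a 500 instead of a 401. A guard before the verify call keeps the route on the 4xx path: `if (typeof token !== 'string' || typeof expires !== 'string') {` / `return res.status(400).json({ error: 'Missing or malformed token/expires' });` / `}`. It would also help to say in the comment above the route what `verifySignedUrl` is expected to enforce (expiry, and that the signature covers the basename'd filename so a token minted for one document cannot be replayed for another), since the replaced API-key check was self-evident and the new one is not. The route handler is complete within the hunk; the CORS middleware from the first hunk is unchanged apart from the added `X-API-Key` allowance.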