first commit

2026-04-11 14:08:27 +07:00
parent e86e5d2c46
commit 6b7655aa16
389 changed files with 5387 additions and 60861 deletions


@@ -51,16 +51,8 @@ app.use("/assets/img", express.static(path.join(__dirname, "public", "img")));
app.use(express.static(path.join(__dirname, "public")));
// Serve uploads folder
app.use(
"/uploads",
(req, res, next) => {
// Cho phép mọi domain truy cập tài nguyên tĩnh
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET");
next();
},
express.static(path.join(__dirname, "public", "uploads")),
);
// REMOVED: public static serve for uploads — degree documents are protected
// app.use("/uploads", express.static(...)) ← intentionally disabled
// Serve other public files
app.use(express.static(path.join(__dirname, "public")));
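Review bot: Disabling the dedicated `/uploads` mount (lines 24–25) does not by itself stop the files from being served if they still live under `public/uploads`: the catch-all `express.static(path.join(__dirname, "public"))` on lines 12 and 27 maps `/uploads/<name>` onto that directory, so a request for `/uploads/<file>` would still succeed with the same bytes as before. The protected route added in this commit reads from `private/uploads/degree`, so the degree files (and whatever upload handler writes them, which I cannot see from here) must actually be moved out of `public/` for the change to be effective; a quick `ls public/uploads` after deploy is the check. The identical `express.static(public)` line appears twice (lines 12 and 27); one of them is redundant. I would make the comment state the invariant rather than the removal: `// Degree documents live only in private/uploads/degree and are served solely via /secure-files (API key); nothing under public/ may contain them.`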
@@ -148,6 +140,24 @@ app.use((req, res, next) => {
next();
});
// Protected file serving — degree/certificate documents require API key
app.get("/secure-files/:filename", (req, res) => {
const apiKey = req.query.api_key;
if (!apiKey || apiKey !== process.env.API_KEY) {
return res.status(401).json({ error: "Unauthorized - Invalid API key" });
}
const filename = path.basename(req.params.filename); // prevent path traversal
const filePath = path.join(__dirname, "private", "uploads", "degree", filename);
if (!fs.existsSync(filePath)) {
return res.status(404).json({ error: "File not found" });
}
res.setHeader("Access-Control-Allow-Origin", FRONTEND_URL || "*");
res.sendFile(filePath);
});
// Routes
const authRoutes = require("./routes/auth");
const adminRoutes = require("./routes/admin");
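Review bot: The key check on line 34 compares the secret with `!==`, which stops at the first differing character, and takes it from `req.query.api_key`, where it ends up in access logs, proxy logs, browser history and `Referer` headers; `req.query.api_key` can also be an array when the parameter is repeated, which the `typeof` guard below handles. Compare with `crypto.timingSafeEqual` after a length check and prefer an `X-API-Key` (or `Authorization`) header, keeping the query form only for a migration period; `crypto` would need to be required at the top of the file, which is outside this hunk. `fs.existsSync` on line 39 also returns true for a directory, which `res.sendFile` then rejects with an EISDIR error instead of a 404, so a `statSync(...).isFile()` check is the tighter test. The `FRONTEND_URL || "*"` fallback on line 42 silently widens CORS to every origin when the variable is unset; for a protected resource I would fail closed and only set the header when `FRONTEND_URL` is configured.
```javascript
app.get("/secure-files/:filename", (req, res) => {
  // Header first; query form kept only until clients migrate.
  const provided = req.get("x-api-key") ?? req.query.api_key;
  const expected = process.env.API_KEY;
  let keyMatches = false;
  if (typeof provided === "string" && typeof expected === "string") {
    const a = Buffer.from(provided);
    const b = Buffer.from(expected);
    keyMatches = a.length === b.length && crypto.timingSafeEqual(a, b);
  }
  if (!keyMatches) {
    return res.status(401).json({ error: "Unauthorized - Invalid API key" });
  }
  // … unchanged: basename + path.join …
  let stat = null;
  try {
    stat = fs.statSync(filePath);
  } catch {
    stat = null; // ENOENT and friends all map to 404 below
  }
  if (!stat?.isFile()) {
    return res.status(404).json({ error: "File not found" });
  }
  if (FRONTEND_URL) {
    res.setHeader("Access-Control-Allow-Origin", FRONTEND_URL);
  }
  res.sendFile(filePath);
});
```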
@@ -161,10 +171,7 @@ app.use("/", indexRoutes);
app.use((req, res) => {
res.status(404);
if (req.accepts("html"))
return res.render("page/404", {
title: "404 - Page Not Found",
layout: "layouts/main",
});
return res.render("page/404", { layout: false });
if (req.accepts("json")) return res.json({ error: "Not found" });
res.type("txt").send("Not found");
});
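Review bot: The `if (req.accepts("html"))` on line 51 guards a `return` without braces, and with the one-line `return res.render("page/404", { layout: false });` that appears to be the new side of this hunk (the hunk counts suggest lines 52–55 are the removed form), a later edit that adds a statement before the `return` would silently fall through to the JSON and text branches on lines 57–58. I would brace it: `if (req.accepts("html")) { return res.render("page/404", { layout: false }); }`. Rendering with `layout: false` also drops the `title` the old form set; if the 404 template still references `title`, the view will render it empty, which I cannot confirm from the hunk.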