0

I am using express as server for micro-services rest api. Endpoints are built from directory structure. There are few downloadable pdf files which are currently at client side. And it can be downloadable (with the href URL) even if user is not logged into the portal. So, I put all the pdf files to server.

Directory structure on server: directory structure on server

pdf files are inside docs directory. Please find below the code of server:

/* global __dirname */
import morgan from 'morgan';
import logger, { webStream } from './services/logger';
import { socket } from './services';

// set env variables before all else
import { GATEWAY_PORT, CORS_ORIGINS } from './config';

const express = require('express');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser')();
const version = require('./services/utils').version();
const authentication = require('./services/authentication');
const utils = require('./services/utils');


// set up app and middleware
const app = express();

app.use(morgan('User::req[user-id] Correlation::req[x-correlation-id] Method::method URL::url Status::status :res[content-length] - :response-time ms', { stream: webStream }));

logger.info('Starting...');

app.use(cookieParser);
app.use(bodyParser.json({ limit: '50mb' }));
app.disable('x-powered-by');

// CORS headers to allow running client/server on different ports
app.use((req, res, next) => {
  // Check if the origin is whitelisted in the env vars
  const actual = req.headers.origin || '';
  if (utils.matchCors(actual, CORS_ORIGINS.split(','))) {
    res.set({ 'Access-Control-Allow-Origin': actual });
  }

  res.set({
    // standard CORS headers
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, Accept, Accept-Language',
    'Access-Control-Allow-Credentials': true,
    'Access-Control-Allow-Methods': 'PATCH,POST,GET,DELETE',

    // addresses security issues identified by automated pen testing
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': 1,
  });
  next();
});

// set the user property of the request object
app.use((req, res, next) => {
  const token = req.cookies[authentication.cookieName];
  if (!token) {
    req.user = false;
  } else {
    req.user = authentication.decodeJWT(token);
    authentication.setCookie(res, token, req.user);
  }
  utils.setCorrelationId(req.headers['x-correlation-id']);
  req.correlationId = req.headers['x-correlation-id'];
  next();
});

// helper function returning middleware to reject unauthorised users
function requiredRoles(roles, abcOnly) {
  return function requireRolesHandler(req, res, next) {
    if (
      !req.user
      || (abcOnly && !req.user.isabc)
      || !authentication.hasRole(req.user, roles)) {
      const error = new Error('UNAUTHORISED');
      error.status = 403;
      next(error);
    } else {
      next();
    }
  };
}

// Add the endpoints to express.
// Reversed to get literal routes before @ capture groups.
utils.parseDirectory(`${__dirname}/rest`, [], true).reverse().forEach((endpoint) => {
  const { auth, functions } = endpoint.handler;
  if (auth) {
    functions.unshift(requiredRoles(auth.roles, auth.abcOnly));
  }
  app[endpoint.method](
    endpoint.url,
    functions,
  );
});


// setup server
const server = app.listen(GATEWAY_PORT, () => {
  logger.info(`Allowed CORS: ${CORS_ORIGINS}`);
  logger.info(`Started ${version.name} (${version.number}) listening on ${GATEWAY_PORT}`);
});

socket.createServer(server);

How do I serve pdf files from server to client only to authorized user when user clicks on link on a page ?

Valay
  • 1,991
  • 2
  • 43
  • 98

1 Answers1

3

Have a route to download file e.g. GET /api/download?file=abc.pdf

Now in the middleware,

  1. Check if the req.user exists or not.

  2. Check if the user has sufficient rights to download the file or not

  3. If 1 and 2 satisfy, then serve the file


Code would look more or less like this:

app.get('/api/download', (req, res, next) => {
  // Check if the request had valid token or not
  if(!req.user) {
    const error = new Error('UNAUTHORISED');
    error.status = 403;
    return next(error);
  }

  const { user } = req;
  const { file } = req.query;

  // If you want to have some additional logic wherein
  // you want to restrict the download of the file, 
  // you can put that logic in this function
  const isAllowed = canDownload(user, file);

  if(isAllowed) {
    return res.sendFile(path.join(__dirname, 'docs', path.sep, file));
  }
  const error = new Error('UNAUTHORISED');
  error.status = 403;
  return next(error);

})

You might need to require path, implement canDownload or solve no such file or directory errors because of __dirname usage. All of those are trivial. If you need help for those as well, let me know in the comments.

Here is the reference to response.sendFile()
And this might be helpful too.

Anand Undavia
  • 3,493
  • 5
  • 19
  • 33