fix(media): remove application header requirement for getting public media

Author: AlbanSdl

src/auth/decorator/index.ts

@@ -2,3 +2,4 @@ export * from './get-user.decorator';
 export * from './require-permission.decorator';
 export * from './public.decorator';
 export * from './require-role.decorator';
+export * from './skip-application-check.decorator';

src/auth/decorator/skip-application-check.decorator.ts

@@ -0,0 +1,3 @@
+import { Reflector } from '@nestjs/core';
+
+export const SkipApplicationCheck = Reflector.createDecorator();

src/auth/guard/jwt.guard.ts

@@ -1,27 +1,33 @@
 import { ExecutionContext, Injectable } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
-import { IsPublic } from '../decorator';
+import { IsPublic, SkipApplicationCheck } from '../decorator';
 import { AppException, ERROR_CODE } from '../../exceptions';
 import { RequestAuthData } from '../interfaces/request-auth-data.interface';
 import { PrismaService } from '../../prisma/prisma.service';
 import { PermissionManager } from '../../utils';
+import { RawApiApplication } from '../../prisma/types';
 
 @Injectable()
 export class JwtGuard extends AuthGuard('jwt') {
-  constructor(private reflector: Reflector, private prisma: PrismaService) {
+  constructor(
+    private reflector: Reflector,
+    private prisma: PrismaService,
+  ) {
     super();
   }
 
   async canActivate(context: ExecutionContext) {
     const request = context.switchToHttp().getRequest() as { user: RequestAuthData };
+    const canSkipApplicationHeader = this.reflector.get(SkipApplicationCheck, context.getHandler());
     const applicationId = context.switchToHttp().getRequest().headers['x-application'];
-    if (!applicationId) throw new AppException(ERROR_CODE.APPLICATION_HEADER_MISSING);
-    const application = await this.prisma.apiApplication.findUnique({
-      where: { id: applicationId },
-    });
-    if (!application) {
-      throw new AppException(ERROR_CODE.NO_SUCH_APPLICATION, applicationId);
+    let application: RawApiApplication | null = null;
+    if (!applicationId && !canSkipApplicationHeader) throw new AppException(ERROR_CODE.APPLICATION_HEADER_MISSING);
+    else if (applicationId) {
+      application = await this.prisma.apiApplication.findUnique({
+        where: { id: applicationId },
+      });
+      if (!application) throw new AppException(ERROR_CODE.NO_SUCH_APPLICATION, applicationId);
     }
     // Check whether the user is logged in
     let loggedIn = true;

src/media/image/imagemedia.controller.ts

@@ -2,7 +2,7 @@ import { Controller, Get, Post, Query, Response } from '@nestjs/common';
 import { ApiConsumes, ApiCreatedResponse, ApiOkResponse, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Response as ExpressResponse } from 'express';
 import { FileSize, MulterWithMime, UploadRoute, UserFile } from '../../upload.interceptor';
-import { GetUser, IsPublic, RequireApiPermission } from '../../auth/decorator';
+import { GetUser, IsPublic, RequireApiPermission, SkipApplicationCheck } from '../../auth/decorator';
 import { AppException, ERROR_CODE } from '../../exceptions';
 import { ApiAppErrorResponse } from '../../app.dto';
 import { ImageMediaService } from './imagemedia.service';
@@ -17,7 +17,8 @@ import ImageMediaUploadResDto from './dto/res/imagemedia-upload-res.dto';
 export class ImageMediaController {
   constructor(readonly imageMediaService: ImageMediaService) {}
 
-  @Get('/:mediaId')
+  @Get('/:mediaId.webp')
+  @SkipApplicationCheck()
   @IsPublic()
   @ApiOperation({ description: 'Retrieve a media by its id.' })
   @ApiOkResponse({ description: 'The media is contained in the body of the response' })

test/e2e/media/image/get-media.e2e-spec.ts

@@ -29,15 +29,15 @@ export const GetMediaE2ESpec = e2eSuite('GET /media/image/:mediaId', (app) => {
   });
 
   it('should return a 404 as the media does not exist', () =>
-    pactum.spec().get(`/media/image/${Dummies.UUID}`).expectAppError(ERROR_CODE.NO_SUCH_MEDIA, Dummies.UUID));
+    pactum.spec().get(`/media/image/${Dummies.UUID}.webp`).expectAppError(ERROR_CODE.NO_SUCH_MEDIA, Dummies.UUID));
 
   it('should return a 401 as the media is not public', () =>
-    pactum.spec().get(`/media/image/${nonPublicMedia.id}`).expectAppError(ERROR_CODE.NOT_LOGGED_IN));
+    pactum.spec().get(`/media/image/${nonPublicMedia.id}.webp`).expectAppError(ERROR_CODE.NOT_LOGGED_IN));
 
   it('should return a 200 and the media (public)', () =>
     pactum
       .spec()
-      .get(`/media/image/${publicMedia.id}`)
+      .get(`/media/image/${publicMedia.id}.webp`)
       .expectStatus(200)
       .expectHeader('content-type', 'image/webp')
       .expectBodyContains('RIFF'));
@@ -46,11 +46,11 @@ export const GetMediaE2ESpec = e2eSuite('GET /media/image/:mediaId', (app) => {
     pactum
       .spec()
       .withBearerToken(user.token)
-      .get(`/media/image/${nonPublicMedia.id}`)
+      .get(`/media/image/${nonPublicMedia.id}.webp`)
       .expectStatus(200)
       .expectHeader('content-type', 'image/webp')
       .expectBodyContains('RIFF'));
 
   it('should return a 503 as there is an error reading the file', () =>
-    pactum.spec().get(`/media/image/${publicMediaInError.id}`).expectAppError(ERROR_CODE.SERVER_DISK_ERROR));
+    pactum.spec().get(`/media/image/${publicMediaInError.id}.webp`).expectAppError(ERROR_CODE.SERVER_DISK_ERROR));
 });