Reduce backend data leakage on frontend (#211)

alexluckett · web-flow · commit 472db7477cc8 · 2025-10-03T16:04:05.000+01:00
* Log mimimum data for client-side to function for file upload

* Fix buildUploadStatusUrl so it works without a prefix

* restore missing test

* Test correct output for file upload status API
diff --git a/src/client/javascripts/file-upload.js b/src/client/javascripts/file-upload.js
@@ -230,13 +230,27 @@ function reloadPage() {
 
 /**
  * Build the upload status URL given the current pathname and the upload ID.
+ * This only works when called on a file upload page that has a maximum depth of 1 URL segments following the slug.
  * @param {string} pathname – e.g. window.location.pathname
  * @param {string} uploadId
  * @returns {string} e.g. "/form/upload-status/abc123"
  */
 export function buildUploadStatusUrl(pathname, uploadId) {
-  const pathSegments = pathname.split('/').filter((segment) => segment)
-  const prefix = pathSegments.length > 0 ? `/${pathSegments[0]}` : ''
+  // Remove preview markers and duplicate slashes
+  const normalisedPath = pathname
+    .replace(/\/preview\/(draft|live)/g, '')
+    .replace(/\/{2,}/g, '/')
+    .replace(/\/$/, '')
+
+  const segments = normalisedPath.split('/').filter(Boolean)
+
+  // The slug is always the second to last segment
+  // The prefix is everything before the slug
+  const prefix =
+    segments.length > 2
+      ? `/${segments.slice(0, segments.length - 2).join('/')}`
+      : ''
+
   return `${prefix}/upload-status/${uploadId}`
 }
 
diff --git a/src/server/index.test.ts b/src/server/index.test.ts
@@ -508,7 +508,9 @@ describe('Upload status route', () => {
     const res = await server.inject(options)
 
     expect(res.statusCode).toBe(StatusCodes.OK)
-    expect(res.result).toEqual(mockStatus)
+    expect(res.result).toEqual({
+      uploadStatus: UploadStatus.ready
+    })
     expect(getUploadStatus).toHaveBeenCalledWith(
       '123e4567-e89b-12d3-a456-426614174000'
     )
diff --git a/src/server/plugins/engine/routes/file-upload.ts b/src/server/plugins/engine/routes/file-upload.ts
@@ -22,7 +22,9 @@ export async function getHandler(
       return h.response({ error: 'Status check failed' }).code(400)
     }
 
-    return h.response(status)
+    return h.response({
+      uploadStatus: status.uploadStatus
+    })
   } catch (err) {
     request.logger.error(
       err,
diff --git a/test/client/javascripts/file-upload.test.js b/test/client/javascripts/file-upload.test.js
@@ -1345,21 +1345,61 @@ describe('File Upload Client JS', () => {
   })
 })
 
-describe('buildUploadStatusUrl()', () => {
-  it('builds URL with no prefix for root paths', () => {
-    expect(buildUploadStatusUrl('/', 'abc')).toBe('/upload-status/abc')
-    expect(buildUploadStatusUrl('', 'xyz')).toBe('/upload-status/xyz')
+describe('buildUploadStatusUrl', () => {
+  it('works with no prefix', () => {
+    expect(buildUploadStatusUrl('/my-form/file-upload-page', '123')).toBe(
+      '/upload-status/123'
+    )
+
+    expect(
+      buildUploadStatusUrl('/preview/draft/my-form/file-upload-page', '123')
+    ).toBe('/upload-status/123')
+
+    expect(
+      buildUploadStatusUrl('/preview/live/my-form/file-upload-page', '123')
+    ).toBe('/upload-status/123')
   })
 
-  it('uses the first segment as prefix', () => {
-    expect(buildUploadStatusUrl('/form/mypage', 'id1')).toBe(
-      '/form/upload-status/id1'
+  it('works with a prefix with a single level', () => {
+    expect(buildUploadStatusUrl('/form/my-form/file-upload-page', '123')).toBe(
+      '/form/upload-status/123'
     )
+
+    expect(
+      buildUploadStatusUrl(
+        '/form/preview/draft/my-form/file-upload-page',
+        '123'
+      )
+    ).toBe('/form/upload-status/123')
+
+    expect(
+      buildUploadStatusUrl('/form/preview/live/my-form/file-upload-page', '123')
+    ).toBe('/form/upload-status/123')
+  })
+
+  it('works with a prefix with multiple levels', () => {
+    expect(
+      buildUploadStatusUrl('/org/form/my-form/file-upload-page', '123')
+    ).toBe('/org/form/upload-status/123')
+
+    expect(
+      buildUploadStatusUrl(
+        '/org/form/preview/draft/my-form/file-upload-page',
+        '123'
+      )
+    ).toBe('/org/form/upload-status/123')
+
+    expect(
+      buildUploadStatusUrl(
+        '/org/form/preview/live/my-form/file-upload-page',
+        '123'
+      )
+    ).toBe('/org/form/upload-status/123')
   })
 
-  it('trims nested segments and trailing slashes', () => {
-    expect(buildUploadStatusUrl('/one/two/three/', 'id2')).toBe(
-      '/one/upload-status/id2'
+  it('trims trailing slashes', () => {
+    expect(buildUploadStatusUrl('/my-form/file-upload-page/', '123')).toBe(
+      '/upload-status/123'
     )
   })
 })
