s3 widget

Author: gugu

backend/package.json

@@ -26,7 +26,9 @@
   },
   "dependencies": {
     "@amplitude/node": "1.10.2",
+    "@aws-sdk/client-s3": "^3.953.0",
     "@aws-sdk/lib-dynamodb": "^3.953.0",
+    "@aws-sdk/s3-request-presigner": "^3.953.0",
     "@electric-sql/pglite": "^0.3.14",
     "@faker-js/faker": "^10.1.0",
     "@nestjs/common": "11.1.9",

backend/src/app.module.ts

@@ -40,6 +40,7 @@ import { SharedJobsModule } from './entities/shared-jobs/shared-jobs.module.js';
 import { TableCategoriesModule } from './entities/table-categories/table-categories.module.js';
 import { UserSecretModule } from './entities/user-secret/user-secret.module.js';
 import { SignInAuditModule } from './entities/user-sign-in-audit/sign-in-audit.module.js';
+import { S3WidgetModule } from './entities/s3-widget/s3-widget.module.js';
 
 @Module({
   imports: [
@@ -84,6 +85,7 @@ import { SignInAuditModule } from './entities/user-sign-in-audit/sign-in-audit.m
     TableCategoriesModule,
     UserSecretModule,
     SignInAuditModule,
+    S3WidgetModule,
   ],
   controllers: [AppController],
   providers: [

backend/src/common/data-injection.tokens.ts

@@ -172,4 +172,7 @@ export enum UseCaseType {
   DELETE_SECRET = 'DELETE_SECRET',
   GET_SECRET_AUDIT_LOG = 'GET_SECRET_AUDIT_LOG',
   FIND_SIGN_IN_AUDIT_LOGS = 'FIND_SIGN_IN_AUDIT_LOGS',
+
+  GET_S3_FILE_URL = 'GET_S3_FILE_URL',
+  GET_S3_UPLOAD_URL = 'GET_S3_UPLOAD_URL',
 }

backend/src/entities/s3-widget/application/data-structures/s3-operation.ds.ts

@@ -0,0 +1,30 @@
+export class S3GetFileUrlDs {
+  connectionId: string;
+  tableName: string;
+  fieldName: string;
+  fileKey: string;
+  userId: string;
+  masterPwd: string;
+}
+
+export class S3GetUploadUrlDs {
+  connectionId: string;
+  tableName: string;
+  fieldName: string;
+  userId: string;
+  masterPwd: string;
+  filename: string;
+  contentType: string;
+}
+
+export class S3FileUrlResponseDs {
+  url: string;
+  key: string;
+  expiresIn: number;
+}
+
+export class S3UploadUrlResponseDs {
+  uploadUrl: string;
+  key: string;
+  expiresIn: number;
+}

backend/src/entities/s3-widget/application/data-structures/s3-widget-params.ds.ts

@@ -0,0 +1,7 @@
+export interface S3WidgetParams {
+  bucket: string;
+  prefix?: string;
+  region?: string;
+  aws_access_key_id_secret_name: string;
+  aws_secret_access_key_secret_name: string;
+}

backend/src/entities/s3-widget/s3-helper.service.ts

@@ -0,0 +1,51 @@
+import { S3Client, GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class S3HelperService {
+  public createS3Client(accessKeyId: string, secretAccessKey: string, region: string = 'us-east-1'): S3Client {
+    return new S3Client({
+      region,
+      credentials: {
+        accessKeyId,
+        secretAccessKey,
+      },
+    });
+  }
+
+  public async getSignedGetUrl(
+    client: S3Client,
+    bucket: string,
+    key: string,
+    expiresIn: number = 3600,
+  ): Promise<string> {
+    const command = new GetObjectCommand({ Bucket: bucket, Key: key });
+    return getSignedUrl(client, command, { expiresIn });
+  }
+
+  public async getSignedPutUrl(
+    client: S3Client,
+    bucket: string,
+    key: string,
+    contentType: string,
+    expiresIn: number = 3600,
+  ): Promise<string> {
+    const command = new PutObjectCommand({
+      Bucket: bucket,
+      Key: key,
+      ContentType: contentType,
+    });
+    return getSignedUrl(client, command, { expiresIn });
+  }
+
+  public generateFileKey(prefix: string | undefined, filename: string): string {
+    const timestamp = Date.now();
+    const sanitizedFilename = filename.replace(/[^a-zA-Z0-9._-]/g, '_');
+    if (prefix) {
+      const normalizedPrefix = prefix.replace(/\/$/, '');
+      return `${normalizedPrefix}/${timestamp}_${sanitizedFilename}`;
+    }
+    return `${timestamp}_${sanitizedFilename}`;
+  }
+}

backend/src/entities/s3-widget/s3-widget.controller.ts

@@ -0,0 +1,131 @@
+import {
+  Body,
+  Controller,
+  Get,
+  HttpStatus,
+  Inject,
+  Injectable,
+  Post,
+  Query,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { HttpException } from '@nestjs/common/exceptions/http.exception.js';
+import { ApiBearerAuth, ApiBody, ApiOperation, ApiQuery, ApiResponse, ApiTags } from '@nestjs/swagger';
+import { UseCaseType } from '../../common/data-injection.tokens.js';
+import { MasterPassword, QueryTableName, SlugUuid, UserId } from '../../decorators/index.js';
+import { InTransactionEnum } from '../../enums/index.js';
+import { Messages } from '../../exceptions/text/messages.js';
+import { ConnectionEditGuard, ConnectionReadGuard } from '../../guards/index.js';
+import { SentryInterceptor } from '../../interceptors/index.js';
+import { S3FileUrlResponseDs, S3UploadUrlResponseDs } from './application/data-structures/s3-operation.ds.js';
+import { IGetS3FileUrl, IGetS3UploadUrl } from './use-cases/s3-use-cases.interface.js';
+
+@UseInterceptors(SentryInterceptor)
+@Controller()
+@ApiBearerAuth()
+@ApiTags('S3 Widget')
+@Injectable()
+export class S3WidgetController {
+  constructor(
+    @Inject(UseCaseType.GET_S3_FILE_URL)
+    private readonly getS3FileUrlUseCase: IGetS3FileUrl,
+    @Inject(UseCaseType.GET_S3_UPLOAD_URL)
+    private readonly getS3UploadUrlUseCase: IGetS3UploadUrl,
+  ) {}
+
+  @UseGuards(ConnectionReadGuard)
+  @ApiOperation({ summary: 'Get pre-signed URL for S3 file download' })
+  @ApiResponse({
+    status: 200,
+    description: 'Pre-signed URL generated successfully.',
+  })
+  @ApiQuery({ name: 'tableName', required: true })
+  @ApiQuery({ name: 'fieldName', required: true })
+  @ApiQuery({ name: 'fileKey', required: true })
+  @Get('/s3/file/:connectionId')
+  async getFileUrl(
+    @SlugUuid('connectionId') connectionId: string,
+    @UserId() userId: string,
+    @MasterPassword() masterPwd: string,
+    @QueryTableName() tableName: string,
+    @Query('fieldName') fieldName: string,
+    @Query('fileKey') fileKey: string,
+  ): Promise<S3FileUrlResponseDs> {
+    if (!connectionId) {
+      throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+    }
+    if (!fieldName) {
+      throw new HttpException({ message: 'Field name is required' }, HttpStatus.BAD_REQUEST);
+    }
+    if (!fileKey) {
+      throw new HttpException({ message: 'File key is required' }, HttpStatus.BAD_REQUEST);
+    }
+
+    return await this.getS3FileUrlUseCase.execute(
+      {
+        connectionId,
+        tableName,
+        fieldName,
+        fileKey,
+        userId,
+        masterPwd,
+      },
+      InTransactionEnum.OFF,
+    );
+  }
+
+  @UseGuards(ConnectionEditGuard)
+  @ApiOperation({ summary: 'Get pre-signed URL for S3 file upload' })
+  @ApiResponse({
+    status: 201,
+    description: 'Pre-signed upload URL generated successfully.',
+  })
+  @ApiQuery({ name: 'tableName', required: true })
+  @ApiQuery({ name: 'fieldName', required: true })
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        filename: { type: 'string', description: 'Name of the file to upload' },
+        contentType: { type: 'string', description: 'MIME type of the file' },
+      },
+      required: ['filename', 'contentType'],
+    },
+  })
+  @Post('/s3/upload-url/:connectionId')
+  async getUploadUrl(
+    @SlugUuid('connectionId') connectionId: string,
+    @UserId() userId: string,
+    @MasterPassword() masterPwd: string,
+    @QueryTableName() tableName: string,
+    @Query('fieldName') fieldName: string,
+    @Body() body: { filename: string; contentType: string },
+  ): Promise<S3UploadUrlResponseDs> {
+    if (!connectionId) {
+      throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+    }
+    if (!fieldName) {
+      throw new HttpException({ message: 'Field name is required' }, HttpStatus.BAD_REQUEST);
+    }
+    if (!body.filename) {
+      throw new HttpException({ message: 'Filename is required' }, HttpStatus.BAD_REQUEST);
+    }
+    if (!body.contentType) {
+      throw new HttpException({ message: 'Content type is required' }, HttpStatus.BAD_REQUEST);
+    }
+
+    return await this.getS3UploadUrlUseCase.execute(
+      {
+        connectionId,
+        tableName,
+        fieldName,
+        userId,
+        masterPwd,
+        filename: body.filename,
+        contentType: body.contentType,
+      },
+      InTransactionEnum.OFF,
+    );
+  }
+}

backend/src/entities/s3-widget/s3-widget.module.ts

@@ -0,0 +1,42 @@
+import { MiddlewareConsumer, Module, RequestMethod } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { AuthMiddleware } from '../../authorization/index.js';
+import { GlobalDatabaseContext } from '../../common/application/global-database-context.js';
+import { BaseType, UseCaseType } from '../../common/data-injection.tokens.js';
+import { LogOutEntity } from '../log-out/log-out.entity.js';
+import { UserEntity } from '../user/user.entity.js';
+import { S3WidgetController } from './s3-widget.controller.js';
+import { S3HelperService } from './s3-helper.service.js';
+import { GetS3FileUrlUseCase } from './use-cases/get-s3-file-url.use.case.js';
+import { GetS3UploadUrlUseCase } from './use-cases/get-s3-upload-url.use.case.js';
+
+@Module({
+  imports: [TypeOrmModule.forFeature([UserEntity, LogOutEntity])],
+  providers: [
+    S3HelperService,
+    {
+      provide: BaseType.GLOBAL_DB_CONTEXT,
+      useClass: GlobalDatabaseContext,
+    },
+    {
+      provide: UseCaseType.GET_S3_FILE_URL,
+      useClass: GetS3FileUrlUseCase,
+    },
+    {
+      provide: UseCaseType.GET_S3_UPLOAD_URL,
+      useClass: GetS3UploadUrlUseCase,
+    },
+  ],
+  controllers: [S3WidgetController],
+  exports: [S3HelperService],
+})
+export class S3WidgetModule {
+  public configure(consumer: MiddlewareConsumer): any {
+    consumer
+      .apply(AuthMiddleware)
+      .forRoutes(
+        { path: '/s3/file/:connectionId', method: RequestMethod.GET },
+        { path: '/s3/upload-url/:connectionId', method: RequestMethod.POST },
+      );
+  }
+}

backend/src/entities/s3-widget/use-cases/get-s3-file-url.use.case.ts

@@ -0,0 +1,83 @@
+import { HttpStatus, Inject, Injectable, NotFoundException, BadRequestException } from '@nestjs/common';
+import { HttpException } from '@nestjs/common/exceptions/http.exception.js';
+import AbstractUseCase from '../../../common/abstract-use.case.js';
+import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
+import { BaseType } from '../../../common/data-injection.tokens.js';
+import { Messages } from '../../../exceptions/text/messages.js';
+import { Encryptor } from '../../../helpers/encryption/encryptor.js';
+import { S3FileUrlResponseDs, S3GetFileUrlDs } from '../application/data-structures/s3-operation.ds.js';
+import { S3WidgetParams } from '../application/data-structures/s3-widget-params.ds.js';
+import { S3HelperService } from '../s3-helper.service.js';
+import { IGetS3FileUrl } from './s3-use-cases.interface.js';
+import { WidgetTypeEnum } from '../../../enums/index.js';
+import JSON5 from 'json5';
+
+@Injectable()
+export class GetS3FileUrlUseCase extends AbstractUseCase<S3GetFileUrlDs, S3FileUrlResponseDs> implements IGetS3FileUrl {
+  constructor(
+    @Inject(BaseType.GLOBAL_DB_CONTEXT)
+    protected _dbContext: IGlobalDatabaseContext,
+    private readonly s3Helper: S3HelperService,
+  ) {
+    super();
+  }
+
+  protected async implementation(inputData: S3GetFileUrlDs): Promise<S3FileUrlResponseDs> {
+    const { connectionId, tableName, fieldName, fileKey, userId, masterPwd } = inputData;
+
+    const user = await this._dbContext.userRepository.findOneUserByIdWithCompany(userId);
+    if (!user || !user.company) {
+      throw new HttpException(
+        { message: Messages.USER_NOT_FOUND_OR_NOT_IN_COMPANY },
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    const foundTableWidgets = await this._dbContext.tableWidgetsRepository.findTableWidgets(connectionId, tableName);
+    const widget = foundTableWidgets.find((w) => w.field_name === fieldName);
+
+    if (!widget || widget.widget_type !== WidgetTypeEnum.S3) {
+      throw new HttpException(
+        { message: 'S3 widget not configured for this field' },
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const params: S3WidgetParams =
+      typeof widget.widget_params === 'string' ? JSON5.parse(widget.widget_params) : widget.widget_params;
+
+    const accessKeySecret = await this._dbContext.userSecretRepository.findSecretBySlugAndCompanyId(
+      params.aws_access_key_id_secret_name,
+      user.company.id,
+    );
+
+    const secretKeySecret = await this._dbContext.userSecretRepository.findSecretBySlugAndCompanyId(
+      params.aws_secret_access_key_secret_name,
+      user.company.id,
+    );
+
+    if (!accessKeySecret || !secretKeySecret) {
+      throw new HttpException(
+        { message: 'AWS credentials secrets not found' },
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    let accessKeyId = Encryptor.decryptData(accessKeySecret.encryptedValue);
+    let secretAccessKey = Encryptor.decryptData(secretKeySecret.encryptedValue);
+
+    if (accessKeySecret.masterEncryption && masterPwd) {
+      accessKeyId = Encryptor.decryptDataMasterPwd(accessKeyId, masterPwd);
+    }
+    if (secretKeySecret.masterEncryption && masterPwd) {
+      secretAccessKey = Encryptor.decryptDataMasterPwd(secretAccessKey, masterPwd);
+    }
+
+    const client = this.s3Helper.createS3Client(accessKeyId, secretAccessKey, params.region || 'us-east-1');
+
+    const expiresIn = 3600;
+    const url = await this.s3Helper.getSignedGetUrl(client, params.bucket, fileKey, expiresIn);
+
+    return { url, key: fileKey, expiresIn };
+  }
+}