knee-cola/evidencija-rezija
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f4793fa6d3ac4238b713e374ec9c3067aff40f0c
evidencija-rezija/app/[locale]/share/proof-of-payment/combined/[id]/route.tsx
Knee Cola f19e1bc023 feat: secure proof-of-payment download routes with shareId validation 
Changes:
- Update download links in UI to use shareId instead of locationID
- Add shareId validation to per-bill proof download route
- Add shareId validation to combined proof download route
- Validate TTL before allowing downloads
- Extract locationId from shareId using extractShareId helper

Security:
- Download routes now validate checksum and TTL
- Prevents unauthorized access to proof-of-payment files
- Returns 404 for invalid/expired share links

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-08 01:01:38 +01:00

55 lines
1.8 KiB
TypeScript
Raw Blame History

import { getDbClient } from '@/app/lib/dbClient';
import { BillingLocation } from '@/app/lib/db-types';
import { notFound } from 'next/navigation';
import { extractShareId, validateShareChecksum } from '@/app/lib/shareChecksum';
export async function GET(request: Request, { params: { id } }: { params: { id: string } }) {
const shareId = id;
// Validate shareId and extract locationId
const extracted = extractShareId(shareId);
if (!extracted) {
notFound();
}
const { locationId: locationID, checksum } = extracted;
// Validate checksum
if (!validateShareChecksum(locationID, checksum)) {
notFound();
}
const dbClient = await getDbClient();
const location = await dbClient.collection<BillingLocation>("lokacije")
.findOne({ _id: locationID }, {
projection: {
utilBillsProofOfPayment: 1,
shareTTL: 1,
}
});
if (!location?.utilBillsProofOfPayment) {
notFound();
}
// Check if sharing is active and not expired
if (!location.shareTTL || new Date() > location.shareTTL) {
notFound();
}
// Convert fileContentsBase64 from Base64 string to binary
const fileContentsBuffer = Buffer.from(location.utilBillsProofOfPayment.fileContentsBase64, 'base64');
// Convert fileContentsBuffer to format that can be sent to the client
const fileContents = new Uint8Array(fileContentsBuffer);
return new Response(fileContents, {
status: 200,
headers: {
'Content-Type': 'application/pdf',
'Content-Disposition': `attachment; filename="${location.utilBillsProofOfPayment.fileName}"`,
'Last-Modified': `${location.utilBillsProofOfPayment.fileLastModified}`
}
});
}
Reference in New Issue View Git Blame Copy Permalink