S3 service for resume upload / download

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
             - uses: actions/setup-node@v4
               with:
                   node-version: "18.x"
-                  cache: 'yarn'
+                  cache: "yarn"
             - name: Install dependencies
               run: yarn
             - name: Build

.github/workflows/lint.yml

@@ -12,7 +12,7 @@ jobs:
             - uses: actions/setup-node@v4
               with:
                   node-version: "18.x"
-                  cache: 'yarn'
+                  cache: "yarn"
             - name: Install dependencies
               run: yarn
             - name: Run ESLint

.github/workflows/prettier.yml

@@ -12,7 +12,7 @@ jobs:
             - uses: actions/setup-node@v4
               with:
                   node-version: "18.x"
-                  cache: 'yarn'
+                  cache: "yarn"
             - name: Install dependencies
               run: yarn
             - name: Run Prettier

package.json

@@ -32,8 +32,12 @@
         "prettier": "3.2.5"
     },
     "dependencies": {
+        "@aws-sdk/client-s3": "^3.496.0",
+        "@aws-sdk/s3-presigned-post": "^3.499.0",
+        "@aws-sdk/s3-request-presigner": "^3.496.0",
         "@paralleldrive/cuid2": "^2.2.2",
         "@types/cors": "^2.8.17",
+        "aws-sdk": "^2.1604.0",
         "body-parser": "^1.20.2",
         "cors": "^2.8.5",
         "dotenv": "^16.4.5",

src/app.ts

@@ -10,8 +10,9 @@ import errorHandler from "./middleware/error-handler";
 
 import attendeeRouter from "./services/attendees/attendee-router";
 import authRouter from "./services/auth/auth-router";
-import eventRouter from "./services/events/event-router";
+import eventRouter from "./services/events/events-router";
 import registrationRouter from "./services/registration/registration-router";
+import s3Router from "./services/s3/s3-router";
 import subscriptionRouter from "./services/subscription/subscription-router";
 
 const app = express();
@@ -32,6 +33,7 @@ app.use("/attendee", attendeeRouter);
 app.use("/auth", authRouter);
 app.use("/event", eventRouter);
 app.use("/registration", registrationRouter);
+app.use("/s3", s3Router);
 app.use("/subscription", subscriptionRouter);
 
 app.get("/status", (_, res) => {

src/config.ts

@@ -25,6 +25,13 @@ export const Config = {
 
     JWT_SIGNING_SECRET: getEnv("JWT_SIGNING_SECRET"),
     JWT_EXPIRATION_TIME: "1 day",
+
+    S3_ACCESS_KEY: getEnv("S3_ACCESS_KEY"),
+    S3_SECRET_KEY: getEnv("S3_SECRET_KEY"),
+    S3_BUCKET_NAME: getEnv("S3_BUCKET_NAME"),
+    S3_REGION: getEnv("S3_REGION"),
+    MAX_RESUME_SIZE_BYTES: 6 * 1024 * 1024,
+    RESUME_URL_EXPIRY_SECONDS: 60,
 };
 
 export const DeviceRedirects: Record<string, string> = {

src/middleware/role-checker.ts

@@ -14,7 +14,7 @@ export default function RoleChecker(
 
         if (jwt == undefined) {
             if (weakVerification) {
-                next();
+                return next();
             }
 
             return res.status(StatusCodes.BAD_REQUEST).json({ error: "NoJWT" });
@@ -33,29 +33,29 @@ export default function RoleChecker(
             const userRoles = payload.roles;
 
             if (weakVerification) {
-                next();
+                return next();
             }
 
             if (requiredRoles.length == 0) {
-                next();
+                return next();
             }
 
             // Admins (staff) can access any endpoint
             if (userRoles.includes(Role.Enum.ADMIN)) {
-                next();
+                return next();
             }
 
             // Corporate role can access corporate only endpoints
             if (requiredRoles.includes(Role.Enum.CORPORATE)) {
                 if (userRoles.includes(Role.Enum.CORPORATE)) {
-                    next();
+                    return next();
                 }
             }
 
             // Need to be a user to access user endpoints (app users)
             if (requiredRoles.includes(Role.Enum.USER)) {
                 if (userRoles.includes(Role.Enum.USER)) {
-                    next();
+                    return next();
                 }
             }
 

src/middleware/s3.ts

@@ -0,0 +1,20 @@
+import { NextFunction, Request, Response } from "express";
+import { S3 } from "@aws-sdk/client-s3";
+import { Config } from "../config";
+
+export function s3ClientMiddleware(
+    _: Request,
+    res: Response,
+    next: NextFunction
+): void {
+    res.locals.s3 = new S3({
+        apiVersion: "2006-03-01",
+        credentials: {
+            accessKeyId: Config.S3_ACCESS_KEY,
+            secretAccessKey: Config.S3_SECRET_KEY,
+        },
+        region: Config.S3_REGION,
+    });
+
+    return next();
+}

src/services/s3/s3-router.ts

@@ -0,0 +1,85 @@
+import { Request, Response, Router } from "express";
+import RoleChecker from "../../middleware/role-checker";
+import { s3ClientMiddleware } from "../../middleware/s3";
+import { StatusCodes } from "http-status-codes";
+import { Config } from "../../config";
+import { Role } from "../auth/auth-models";
+
+import { GetObjectCommand, S3 } from "@aws-sdk/client-s3";
+import { createPresignedPost } from "@aws-sdk/s3-presigned-post";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+
+const s3Router: Router = Router();
+
+s3Router.get(
+    "/upload/",
+    RoleChecker([Role.enum.USER], false),
+    s3ClientMiddleware,
+    async (_req: Request, res: Response) => {
+        const payload = res.locals.payload;
+
+        const s3 = res.locals.s3 as S3;
+        const userId: string = payload.userId;
+
+        const { url, fields } = await createPresignedPost(s3, {
+            Bucket: Config.S3_BUCKET_NAME,
+            Key: `${userId}.pdf`,
+            Conditions: [
+                ["content-length-range", 0, Config.MAX_RESUME_SIZE_BYTES], // 6 MB max
+            ],
+            Fields: {
+                success_action_status: "201",
+                "Content-Type": "application/pdf",
+            },
+            Expires: Config.RESUME_URL_EXPIRY_SECONDS,
+        });
+
+        return res.status(StatusCodes.OK).send({ url: url, fields: fields });
+    }
+);
+
+s3Router.get(
+    "/download/",
+    RoleChecker([Role.enum.USER], false),
+    s3ClientMiddleware,
+    async (_req: Request, res: Response) => {
+        const payload = res.locals.payload;
+
+        const s3 = res.locals.s3 as S3;
+        const userId: string = payload.userId;
+
+        const command = new GetObjectCommand({
+            Bucket: Config.S3_BUCKET_NAME,
+            Key: `${userId}.pdf`,
+        });
+
+        const downloadUrl = await getSignedUrl(s3, command, {
+            expiresIn: Config.RESUME_URL_EXPIRY_SECONDS,
+        });
+
+        return res.status(StatusCodes.OK).send({ url: downloadUrl });
+    }
+);
+
+s3Router.get(
+    "/download/:USERID",
+    RoleChecker([Role.enum.ADMIN], false),
+    s3ClientMiddleware,
+    async (req: Request, res: Response) => {
+        const userId: string = req.params.USERID;
+        const s3 = res.locals.s3 as S3;
+
+        const command = new GetObjectCommand({
+            Bucket: Config.S3_BUCKET_NAME,
+            Key: `${userId}.pdf`,
+        });
+
+        const downloadUrl = await getSignedUrl(s3, command, {
+            expiresIn: Config.RESUME_URL_EXPIRY_SECONDS,
+        });
+
+        return res.status(StatusCodes.OK).send({ url: downloadUrl });
+    }
+);
+
+export default s3Router;