fix(secure): fix upload file secure problem #1

Author: maslow

packages/app-server/src/config.ts

@@ -48,10 +48,18 @@ export default class Config {
   }
 
   /**
-   * the file system driver: 'local', 'gridfs'
+   * the file system driver: 'localfs', 'gridfs'
    */
-  static get FILE_SYSTEM_DRIVER(): string {
-    return process.env['FILE_SYSTEM_DRIVER'] ?? 'gridfs'
+  static get FILE_SYSTEM_DRIVER(): 'gridfs' | 'localfs' {
+    return process.env['FILE_SYSTEM_DRIVER'] as any ?? 'gridfs'
+  }
+
+  /**
+   * if enable the unauthorized upload operation in `public` bucket: 'on' | 'off'.
+   * default is 'on'
+   */
+  static get FILE_SYSTEM_ENABLE_UNAUTHORIZED_UPLOAD(): 'on' | 'off' {
+    return process.env['FILE_SYSTEM_ENABLE_UNAUTHORIZED_UPLOAD'] as any ?? 'on'
   }
 
   /**
@@ -72,8 +80,8 @@ export default class Config {
   /**
    * the logger level : 'fatal', 'error', 'warning', 'info', 'debug', 'trace'
    */
-  static get LOG_LEVEL(): string {
-    return process.env['LOG_LEVEL'] ?? (this.isProd ? 'info' : 'debug')
+  static get LOG_LEVEL(): 'fatal' | 'error' | 'warning' | 'info' | 'debug' | 'trace' {
+    return process.env['LOG_LEVEL'] as any ?? (this.isProd ? 'info' : 'debug')
   }
 
   /**
@@ -89,8 +97,8 @@ export default class Config {
    * - `debug` means that only logging for debug invokes
    * - `never` no logging any case
    */
-  static get ENABLE_CLOUD_FUNCTION_LOG(): string {
-    return (process.env.ENABLE_CLOUD_FUNCTION_LOG ?? 'always')
+  static get ENABLE_CLOUD_FUNCTION_LOG(): 'always' | 'debug' | 'never' {
+    return (process.env.ENABLE_CLOUD_FUNCTION_LOG as any ?? 'always')
   }
 
   /**

packages/devops-admin/src/views/database/files.vue

@@ -54,8 +54,7 @@
       </el-table-column>
       <el-table-column label="类型" align="center">
         <template slot-scope="{row}">
-          <span v-if="row.contentType">{{ row.contentType }}</span>
-          <span v-else>-</span>
+          <span>{{ getContentType(row) }}</span>
         </template>
       </el-table-column>
       <el-table-column label="更新时间" width="180" align="center">
@@ -209,8 +208,7 @@ export default {
     getFileUrl(file) {
       assert(file && file.filename, 'invalid file or filename')
       const base_url = process.env.VUE_APP_BASE_API_APP + '/file'
-      const bucket = this.bucket
-      const file_url = `${base_url}/${bucket}/${file.filename}`
+      const file_url = `${base_url}/${this.bucket}/${file.filename}`
       if (this.bucket === 'public') {
         return file_url
       }
@@ -221,21 +219,20 @@ export default {
     getUploadUrl() {
       assert(this.bucket, 'empty bucket name got')
       const base_url = process.env.VUE_APP_BASE_API_APP + '/file'
-      const bucket = this.bucket
-      const file_url = `${base_url}/upload/${bucket}`
-      if (this.bucket === 'public') {
-        return file_url
-      }
+      const file_url = `${base_url}/upload/${this.bucket}`
       const token = getFileToken()
       return file_url + `?token=${token}`
     },
+    getContentType(row) {
+      return row?.metadata?.contentType ?? row?.contentType ?? 'unknown'
+    },
     // 判断是否为图片类型
     isImage(row) {
-      return row?.contentType?.startsWith('image/')
+      return this.getContentType(row)?.startsWith('image/')
     },
     // 判断是否为视频类型
     isVideo(row) {
-      return row?.contentType?.startsWith('video/')
+      return this.getContentType(row).startsWith('video/')
     },
     // 获取文件显示大小
     getFileSize(file) {