From 35d505028623771d717a4018f0a5e21985dcb6bf Mon Sep 17 00:00:00 2001
From: jackiettran <41605212+jackiettran@users.noreply.github.com>
Date: Thu, 15 Jan 2026 17:32:44 -0500
Subject: [PATCH] removed dead code
---
 backend/routes/messages.js | 52 --------------------------------------
 backend/server.js | 7 -----
 2 files changed, 59 deletions(-)
diff --git a/backend/routes/messages.js b/backend/routes/messages.js
index 0733b55..312c732 100644
--- a/backend/routes/messages.js
+++ b/backend/routes/messages.js
@@ -1,13 +1,10 @@
 const express = require('express');
-const helmet = require('helmet');
 const { Message, User } = require('../models');
 const { authenticateToken } = require('../middleware/auth');
 const logger = require('../utils/logger');
 const { emitNewMessage, emitMessageRead } = require('../sockets/messageSocket');
 const { Op } = require('sequelize');
 const emailServices = require('../services/email');
-const fs = require('fs');
-const path = require('path');
 const { validateS3Keys } = require('../utils/s3KeyValidator');
 const { IMAGE_LIMITS } = require('../config/imageLimits');
 const router = express.Router();
@@ -395,53 +392,4 @@ router.get('/unread/count', authenticateToken, async (req, res, next) => {
 }
 });
-// Get message image (authorized)
-router.get('/images/:filename',
- authenticateToken,
- // Override Helmet's CORP header for cross-origin image loading
- helmet.crossOriginResourcePolicy({ policy: "cross-origin" }),
- async (req, res) => {
- try {
- // Sanitize filename to prevent path traversal attacks
- const filename = path.basename(req.params.filename);
-
- // Verify user is sender or receiver of a message with this image
- const message = await Message.findOne({
- where: {
- imageFilename: filename,
- [Op.or]: [
- { senderId: req.user.id },
- { receiverId: req.user.id }
- ]
- }
- });
-
- if (!message) {
- const reqLogger = logger.withRequestId(req.id);
- reqLogger.warn('Unauthorized image access attempt', {
- userId: req.user.id,
- filename
- });
- return res.status(403).json({ error: 'Access denied' });
- }
-
- // Serve the image
- const filePath = path.join(__dirname, '../uploads/messages', filename);
-
- if (!fs.existsSync(filePath)) {
- return res.status(404).json({ error: 'Image not found' });
- }
-
- res.sendFile(filePath);
- } catch (error) {
- const reqLogger = logger.withRequestId(req.id);
- reqLogger.error('Image serve failed', {
- error: error.message,
- stack: error.stack,
- filename: req.params.filename
- });
- res.status(500).json({ error: 'Failed to load image' });
- }
-});
-
 module.exports = router;
\ No newline at end of file
diff --git a/backend/server.js b/backend/server.js
index cc56c1b..1fd3894 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -138,13 +138,6 @@ app.use(
 // Apply input sanitization to all API routes (XSS prevention)
 app.use("/api/", sanitizeInput);
-// Serve static files from uploads directory with CORS headers
-app.use(
- "/uploads",
- helmet.crossOriginResourcePolicy({ policy: "cross-origin" }),
- express.static(path.join(__dirname, "uploads"))
-);
-
 // Health check endpoints (no auth, no rate limiting)
 app.use("/health", healthRoutes);