Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed dead code

Browse Source
This commit is contained in:
jackiettran
2026-01-15 17:32:44 -05:00
parent 826e4f2ed5
commit 35d5050286
2 changed files with 0 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
backend/routes/messages.js
View File

@@ -1,13 +1,10 @@
const express = require('express'); const express = require('express');
const helmet = require('helmet');
const { Message, User } = require('../models'); const { Message, User } = require('../models');
const { authenticateToken } = require('../middleware/auth'); const { authenticateToken } = require('../middleware/auth');
const logger = require('../utils/logger'); const logger = require('../utils/logger');
const { emitNewMessage, emitMessageRead } = require('../sockets/messageSocket'); const { emitNewMessage, emitMessageRead } = require('../sockets/messageSocket');
const { Op } = require('sequelize'); const { Op } = require('sequelize');
const emailServices = require('../services/email'); const emailServices = require('../services/email');
const fs = require('fs');
const path = require('path');
const { validateS3Keys } = require('../utils/s3KeyValidator'); const { validateS3Keys } = require('../utils/s3KeyValidator');
const { IMAGE_LIMITS } = require('../config/imageLimits'); const { IMAGE_LIMITS } = require('../config/imageLimits');
const router = express.Router(); const router = express.Router();
@@ -395,53 +392,4 @@ router.get('/unread/count', authenticateToken, async (req, res, next) => {
} }
}); });
// Get message image (authorized)
router.get('/images/:filename',
authenticateToken,
// Override Helmet's CORP header for cross-origin image loading
helmet.crossOriginResourcePolicy({ policy: "cross-origin" }),
async (req, res) => {
try {
// Sanitize filename to prevent path traversal attacks
const filename = path.basename(req.params.filename);
// Verify user is sender or receiver of a message with this image
const message = await Message.findOne({
where: {
imageFilename: filename,
[Op.or]: [
{ senderId: req.user.id },
{ receiverId: req.user.id }
]
}
});
if (!message) {
const reqLogger = logger.withRequestId(req.id);
reqLogger.warn('Unauthorized image access attempt', {
userId: req.user.id,
filename
});
return res.status(403).json({ error: 'Access denied' });
}
// Serve the image
const filePath = path.join(__dirname, '../uploads/messages', filename);
if (!fs.existsSync(filePath)) {
return res.status(404).json({ error: 'Image not found' });
}
res.sendFile(filePath);
} catch (error) {
const reqLogger = logger.withRequestId(req.id);
reqLogger.error('Image serve failed', {
error: error.message,
stack: error.stack,
filename: req.params.filename
});
res.status(500).json({ error: 'Failed to load image' });
}
});
module.exports = router; module.exports = router;

7
backend/server.js
View File

@@ -138,13 +138,6 @@ app.use(
// Apply input sanitization to all API routes (XSS prevention) // Apply input sanitization to all API routes (XSS prevention)
app.use("/api/", sanitizeInput); app.use("/api/", sanitizeInput);
// Serve static files from uploads directory with CORS headers
app.use(
"/uploads",
helmet.crossOriginResourcePolicy({ policy: "cross-origin" }),
express.static(path.join(__dirname, "uploads"))
);
// Health check endpoints (no auth, no rate limiting) // Health check endpoints (no auth, no rate limiting)
app.use("/health", healthRoutes); app.use("/health", healthRoutes);