Update routes and file paths, fix authentication and security issues

routes/Dpanel/API/MoveFile.js

@@ -0,0 +1,119 @@
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const router = express.Router();
+const fileUpload = require('express-fileupload');
+const authMiddleware = require('../../../Middlewares/authMiddleware');
+const { loggers } = require('winston');
+const ncp = require('ncp');
+const util = require('util');
+const ncpAsync = util.promisify(ncp.ncp);
+const configFile = fs.readFileSync(path.join(__dirname, '../../../data', 'setup.json'), 'utf-8')
+const config = JSON.parse(configFile);
+const bodyParser = require('body-parser');
+const crypto = require('crypto');
+const os = require('os');
+const { getUserData, getSetupData } = require('../../../Middlewares/watcherMiddleware');
+const { logger, logRequestInfo, ErrorLogger, authLogger } = require('../../../config/logs');
+
+let setupData = getSetupData();
+let userData = getUserData();
+router.use(bodyParser.json());
+
+router.get('/', (req, res) => {
+    res.status(400).json({ error: 'Bad Request. The request cannot be fulfilled due to bad syntax or missing parameters.' });
+});
+
+router.post('/', authMiddleware, async (req, res) => {
+    const fileName = req.body.fileName;
+    const folderName = req.body.folderName;
+
+    const data = await fs.readFileSync(path.join(__dirname, '../../../data', 'user.json'), 'utf-8')
+    const users = JSON.parse(data);
+    const user = users.find(user => user.id === req.user.id);
+
+    if (!user) {
+        console.error('User not found in user.json');
+        return res.status(500).send('Erreur lors du déplacement du fichier.');
+    }
+
+    const userId = user.name;
+
+    if (!fileName || !userId) {
+        console.error('fileName or userId is undefined');
+        return res.status(500).send('Erreur lors du déplacement du fichier.');
+    }
+
+    const sourcePath = path.join('cdn-files', userId, fileName);
+
+    let destinationDir;
+    if (folderName && folderName.trim() !== '') {
+        destinationDir = path.join('cdn-files', userId, folderName);
+    } else {
+        destinationDir = path.join('cdn-files', userId);
+    }
+
+    const destinationPath = path.join(destinationDir, fileName);
+
+    try {
+        const normalizedSourcePath = path.normalize(sourcePath);
+        console.log('Full Source Path:', normalizedSourcePath);
+        
+        if (fs.existsSync(normalizedSourcePath)) {
+            await fs.promises.access(destinationDir);
+            
+            await ncpAsync(normalizedSourcePath, destinationPath);
+            
+            await fs.promises.unlink(normalizedSourcePath);
+        } else {
+            console.log('File does not exist');
+        }
+
+        res.redirect('/dpanel/dashboard');
+    } catch (err) {
+        console.error(err);
+        return res.status(500).send('Erreur lors du déplacement du fichier.');
+    }
+});
+
+router.post('/:folderName', authMiddleware, async (req, res) => {
+    const fileName = req.body.fileName;
+    const newFolderName = req.body.folderName;
+    const oldFolderName = req.params.folderName; 
+    const userId = req.user && req.user._json ? req.userData.name : undefined;
+
+    if (!fileName || !userId || !oldFolderName || !newFolderName) {
+        console.error('fileName, userId, oldFolderName, or newFolderName is undefined');
+        return res.status(500).send('Erreur lors du déplacement du fichier.');
+    }
+
+    const userDir = path.join(process.cwd(), 'cdn-files', userId);
+    const sourcePath = path.join(userDir, oldFolderName, fileName);
+    const destinationDir = path.join(userDir, newFolderName);
+    const destinationPath = path.join(destinationDir, fileName);
+
+    if (!sourcePath.startsWith(userDir) || !destinationPath.startsWith(userDir)) {
+        ErrorLogger.error('Unauthorized directory access attempt');
+        return res.status(403).send('Unauthorized directory access attempt');
+    }
+
+    try {
+        const normalizedSourcePath = path.normalize(sourcePath);
+        console.log('Full Source Path:', normalizedSourcePath);
+        
+        if (fs.existsSync(normalizedSourcePath)) {
+            await fs.promises.access(destinationDir, fs.constants.W_OK);
+            
+            await fs.promises.rename(normalizedSourcePath, destinationPath);
+        } else {
+            console.log('File does not exist');
+        }
+
+        res.redirect('/dpanel/dashboard');
+    } catch (err) {
+        console.error(err);
+        return res.status(500).send('Erreur lors du déplacement du fichier.');
+    }
+});
+
+module.exports = router;