chore: Security Improvements to the API (#2893)

- Devise auth tokens are reset on password update - Avatar attachment file type is limited to jpeg,gif and png - Avatar attachment file size is limited to 15 mb - Widget Message attachments are limited to types ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg', 'text/csv'] - Widget Message attachments are limited to 40Mb size limit.
2021-09-01 15:08:05 +05:30 · 2021-09-01 15:08:05 +05:30 · 6fdd4a2996
commit 6fdd4a2996
parent 06d8916341
9 changed files with 60 additions and 23 deletions
--- a/app/controllers/api/v1/widget/messages_controller.rb
+++ b/app/controllers/api/v1/widget/messages_controller.rb
@ -8,8 +8,8 @@ class Api::V1::Widget::MessagesController < Api::V1::Widget::BaseController

  def create
    @message = conversation.messages.new(message_params)
-    @message.save
    build_attachment
+    @message.save!
  end

  def update
@ -29,13 +29,12 @@ class Api::V1::Widget::MessagesController < Api::V1::Widget::BaseController
    return if params[:message][:attachments].blank?

    params[:message][:attachments].each do |uploaded_attachment|
-      attachment = @message.attachments.new(
+      @message.attachments.new(
        account_id: @message.account_id,
-        file_type: helpers.file_type(uploaded_attachment&.content_type)
+        file_type: helpers.file_type(uploaded_attachment&.content_type),
+        file: uploaded_attachment
      )
-      attachment.file.attach(uploaded_attachment)
    end
-    @message.save!
  end

  def set_conversation
--- a/app/controllers/public/api/v1/inboxes/messages_controller.rb
+++ b/app/controllers/public/api/v1/inboxes/messages_controller.rb
@ -7,8 +7,8 @@ class Public::Api::V1::Inboxes::MessagesController < Public::Api::V1::InboxesCon

  def create
    @message = @conversation.messages.new(message_params)
-    @message.save
    build_attachment
+    @message.save!
  end

  def update
@ -23,13 +23,12 @@ class Public::Api::V1::Inboxes::MessagesController < Public::Api::V1::InboxesCon
    return if params[:attachments].blank?

    params[:attachments].each do |uploaded_attachment|
-      attachment = @message.attachments.new(
+      @message.attachments.new(
        account_id: @message.account_id,
-        file_type: helpers.file_type(uploaded_attachment&.content_type)
+        file_type: helpers.file_type(uploaded_attachment&.content_type),
+        file: uploaded_attachment
      )
-      attachment.file.attach(uploaded_attachment)
    end
-    @message.save!
  end

  def message_finder_params