chore: Security Improvements to the API (#2893)

- Devise auth tokens are reset on password update - Avatar attachment file type is limited to jpeg,gif and png - Avatar attachment file size is limited to 15 mb - Widget Message attachments are limited to types ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg', 'text/csv'] - Widget Message attachments are limited to 40Mb size limit.
2021-09-01 15:08:05 +05:30
parent 06d8916341
commit 6fdd4a2996
9 changed files with 60 additions and 23 deletions
--- a/app/builders/messages/message_builder.rb
+++ b/app/builders/messages/message_builder.rb
@@ -15,21 +15,25 @@ class Messages::MessageBuilder

  def perform
    @message = @conversation.messages.build(message_params)
-    if @attachments.present?
-      @attachments.each do |uploaded_attachment|
-        attachment = @message.attachments.new(
-          account_id: @message.account_id,
-          file_type: file_type(uploaded_attachment&.content_type)
-        )
-        attachment.file.attach(uploaded_attachment)
-      end
-    end
-    @message.save
+    process_attachments
+    @message.save!
    @message
  end

  private

+  def process_attachments
+    return if @attachments.blank?
+
+    @attachments.each do |uploaded_attachment|
+      @message.attachments.build(
+        account_id: @message.account_id,
+        file_type: file_type(uploaded_attachment&.content_type),
+        file: uploaded_attachment
+      )
+    end
+  end
+
  def message_type
    if @conversation.inbox.channel_type != 'Channel::Api' && @message_type == 'incoming'
      raise StandardError, 'Incoming messages are only allowed in Api inboxes'