chore: Security Improvements to the API (#2893)

- Devise auth tokens are reset on password update
- Avatar attachment file type is limited to jpeg,gif and png
- Avatar attachment file size is limited to 15 mb
- Widget Message attachments are limited to types ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg', 'text/csv']
- Widget Message attachments are limited to 40Mb size limit.

app/models/attachment.rb

@@ -20,6 +20,7 @@ class Attachment < ApplicationRecord
   belongs_to :account
   belongs_to :message
   has_one_attached :file
+  validate :acceptable_file
 
   enum file_type: [:image, :audio, :video, :file, :location, :fallback]
 
@@ -76,4 +77,22 @@ class Attachment < ApplicationRecord
       account_id: account_id
     }
   end
+
+  def should_validate_file?
+    return unless file.attached?
+    # we are only limiting attachment types in case of website widget
+    return unless message.inbox.channel_type == 'Channel::WebWidget'
+
+    true
+  end
+
+  def acceptable_file
+    should_validate_file?
+
+    errors.add(:file, 'is too big') if file.byte_size > 40.megabytes
+
+    acceptable_types = ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg',
+                        'text/csv'].freeze
+    errors.add(:file, 'filetype not supported') unless acceptable_types.include?(file.content_type)
+  end
 end

app/models/concerns/avatarable.rb

@@ -6,6 +6,7 @@ module Avatarable
 
   included do
     has_one_attached :avatar
+    validate :acceptable_avatar
   end
 
   def avatar_url
@@ -18,4 +19,13 @@ module Avatarable
 
     ''
   end
+
+  def acceptable_avatar
+    return unless avatar.attached?
+
+    errors.add(:avatar, 'is too big') if avatar.byte_size > 15.megabytes
+
+    acceptable_types = ['image/jpeg', 'image/png', 'image/gif'].freeze
+    errors.add(:avatar, 'filetype not supported') unless acceptable_types.include?(avatar.content_type)
+  end
 end