How to use an auth middleware with upload (express-fileupload) before the upload starts?

[rottmann]

Currently, the check is done after the file is uploaded.

When adding a custom middleware with addMiddleware to an endpoint, e.g. a bearer token check, the check is called after the file upload has finished.

Using beforeRouting in server config doesn't work ether, the upload with express-filepload is done before.

Is this only possible when we use our own express server and separate the upload endpoint from express-zod-api?

For this (special) use case, would it be a good idea to have a separate function in the server config?
beforeProcessing or onConnection handler.

Or an endpoint Middlware, that could be executed first .addMiddleware(myMiddlware, /* force executed first */ true)

[RobinTail]

As per my understanding, you would like to restrict the ability to create even temporary files.

Related issue richardgirges/express-fileupload#153

It seems that currently that can only be achieved by the order of the applied middlewares.
Need to think on it a bit more...

[rottmann]

In the comments this is the matching example richardgirges/express-fileupload#153 (comment)

const checkAuth = (req, res, next) => {
  ...
  if (auth === 'fail') {
    res.writeHead(404, { Connection: 'close' });
    res.end('Forbidden');
  }
  next();
}

app.use(checkauth); // <---- this must be run before the upload middleware
app.use('/post/uploadfile', fileUpload());

Before the fileUpload-Handler (express-fileupload) handles the file, it should be possible the check the header, e.g. if a valid auth-token is set.

With .addMiddleware all checks are done after the upload.

[RobinTail]

Yes, that's right. I'm thinking on how to organize that properly, taking into account the current architecture where express-fileupload is considered more like one of the body parsers.

[RobinTail]

The problem with moving uploads handler after the middlewares is that we don't actually know what those middlewares are.
Assuming that they are only involved into authentication is still a just a particular case, not a generic solution.
It's possible that some middlewares do need files in place.

[RobinTail]

I'm going to add beforeUpload option instead, @rottmann
#1601

[RobinTail]

@rottmann , you can do it like this in the upcoming v17.2.0

import createHttpError from "http-errors";
import { createConfig } from "express-zod-api";

const config = createConfig({
  server: {
    upload: {
      beforeUpload: ({ app, logger }) => {
        app.use((req, res, next) => {
          if (req.is("multipart/form-data") && !canUpload(req)) {
            return next(createHttpError(403, "Not authorized"));
          }
          next();
        });
      },
    },
  },
});

[rottmann]

@RobinTail Awesome, thank you!