Improve FileProxy Handling

When proxying an asset file from Amazon S3 or Google Storage, we previously ignored important headers such as - Content-Type - Content-Length - Cache-Control We also ignored the storage service's HTTP response, effectively assuming 200, and just blindly passed on the content body. In the case of any errors or redirects, we would interpret that (empty or meaningless) body as the asset itself. Instead, we now proxy those HTTP headers and treat any non-200 as an error.
RocketChat · Sep 18, 2023 · 8e501c1 · 8e501c1
1 parent 3826f7e
commit 8e501c1
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/apps/meteor/app/file-upload/server/lib/FileUpload.ts b/apps/meteor/app/file-upload/server/lib/FileUpload.ts
@@ -562,7 +562,32 @@ export const FileUpload = {
 	) {
 		res.setHeader('Content-Disposition', `${forceDownload ? 'attachment' : 'inline'}; filename="${encodeURI(fileName)}"`);
 
-		request.get(fileUrl, (fileRes) => fileRes.pipe(res));
+		request.get(fileUrl, (fileRes) => {
+			if (fileRes.statusCode !== 200) {
+				res.setHeader('x-rc-proxyfile-status', String(fileRes.statusCode));
+				res.setHeader('content-length', 0);
+				res.writeHead(500);
+				res.end();
+				return;
+			}
+
+			// eslint-disable-next-line prettier/prettier
+			const headersToProxy = [
+				'age',
+				'cache-control',
+				'content-length',
+				'content-type',
+				'date',
+				'expired',
+				'last-modified',
+			];
+
+			headersToProxy.forEach((header) => {
+				fileRes.headers[header] && res.setHeader(header, String(fileRes.headers[header]));
+			});
+
+			fileRes.pipe(res);
+		});
 	},
 
 	generateJWTToFileUrls({ rid, userId, fileId }: { rid: string; userId: string; fileId: string }) {