Learn_System/backend/src/routes/files.js

const router  = require('express').Router();
const multer  = require('multer');
const path    = require('path');
const { v4: uuidv4 } = require('crypto').randomUUID ? { v4: () => require('crypto').randomBytes(16).toString('hex') } : {};
const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
const ctrl    = require('../controllers/fileController');
const { fixUtf8Name } = require('../utils/fixUtf8');

/* ── multer config ─────────────────────────────────────────────────────── */
const UPLOADS_DIR = path.join(__dirname, '../../uploads');
const ALLOWED = ['application/pdf','image/png','image/jpeg','image/gif','image/webp',
  'application/msword',
  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
  'application/vnd.ms-powerpoint',
  'application/vnd.openxmlformats-officedocument.presentationml.presentation',
  'application/vnd.ms-excel',
  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
  'text/plain'];

const storage = multer.diskStorage({
  destination: UPLOADS_DIR,
  filename: (_req, file, cb) => {
    const ext  = path.extname(file.originalname);
    const name = require('crypto').randomBytes(16).toString('hex') + ext;
    cb(null, name);
  },
});

const SAFE_EXTS = new Set(['.pdf','.png','.jpg','.jpeg','.gif','.webp','.doc','.docx','.ppt','.pptx','.xls','.xlsx','.txt']);

const upload = multer({
  storage,
  limits: { fileSize: 50 * 1024 * 1024 }, // 50 MB
  fileFilter: (_req, file, cb) => {
    if (!ALLOWED.includes(file.mimetype)) return cb(null, false);
    // Reject double extensions (.php.jpg, .exe.pdf, etc.)
    const name = file.originalname;
    const parts = name.split('.');
    if (parts.length > 2) {
      const inner = '.' + parts[parts.length - 2].toLowerCase();
      if (['.php','.exe','.sh','.bat','.cmd','.ps1','.js','.html','.htm'].includes(inner)) return cb(null, false);
    }
    // Verify file extension is allowed
    const ext = path.extname(name).toLowerCase();
    if (ext && !SAFE_EXTS.has(ext)) return cb(null, false);
    cb(null, true);
  },
});

/* ── routes ─────────────────────────────────────────────────────────────── */
router.use(authMiddleware);

router.get('/',                                                      ctrl.listFiles);
router.post('/', requireRole('teacher','admin'), requirePermission('library.upload'), upload.single('file'), fixUtf8Name, ctrl.uploadFile);

/* ── folder routes (must be before /:id to avoid conflicts) ── */
router.get('/folders',                                                                         ctrl.listFolders);
router.post('/folders',   requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.createFolder);
router.put('/folders/:id',requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.renameFolder);
router.delete('/folders/:id', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.deleteFolder);
router.get('/folders/:id/access',    requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.getFolderAccess);
router.delete('/folders/:id/access', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.clearFolderAccess);
router.post('/folders/:id/assign',   requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.assignFolder);
router.delete('/folders/:id/assign/:type/:targetId', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.unassignFolder);

router.patch('/:id/move', requireRole('teacher','admin'), ctrl.moveFile);
router.get('/:id/download',                                          ctrl.downloadFile);
router.delete('/:id',        requireRole('teacher','admin'),          ctrl.deleteFile);
router.get('/:id/access',    requireRole('teacher','admin'),          ctrl.getFileAccess);
router.post('/:id/assign',   requireRole('teacher','admin'),          ctrl.assignFile);
router.delete('/:id/assign/:type/:targetId', requireRole('teacher','admin'), ctrl.unassignFile);

module.exports = router;