feat: force downloading file when providing filename (#195)

Author: fenos

src/routes/object/getObject.ts

@@ -27,8 +27,17 @@ const getObjectParamsSchema = {
   },
   required: ['bucketName', '*'],
 } as const
+
+const getObjectQuerySchema = {
+  type: 'object',
+  properties: {
+    download: { type: 'string', examples: ['filename.jpg', null] },
+  },
+} as const
+
 interface getObjectRequestInterface extends AuthenticatedRangeRequest {
   Params: FromSchema<typeof getObjectParamsSchema>
+  Querystring: FromSchema<typeof getObjectQuerySchema>
 }
 
 async function requestHandler(
@@ -42,6 +51,7 @@ async function requestHandler(
   >
 ) {
   const { bucketName } = request.params
+  const { download } = request.query
   const objectName = request.params['*']
 
   if (!isValidKey(objectName) || !isValidKey(bucketName)) {
@@ -86,6 +96,20 @@ async function requestHandler(
     if (data.metadata.contentRange) {
       response.header('Content-Range', data.metadata.contentRange)
     }
+
+    if (typeof download !== 'undefined') {
+      if (download === '') {
+        response.header('Content-Disposition', 'attachment;')
+      } else {
+        const encodedFileName = encodeURIComponent(download)
+
+        response.header(
+          'Content-Disposition',
+          `attachment; filename=${encodedFileName}; filename*=UTF-8''${encodedFileName};`
+        )
+      }
+    }
+
     return response.send(data.body)
   } catch (err: any) {
     if (err.$metadata?.httpStatusCode === 304) {

src/routes/object/getPublicObject.ts

@@ -25,11 +25,20 @@ const getPublicObjectParamsSchema = {
   },
   required: ['bucketName', '*'],
 } as const
+
+const getObjectQuerySchema = {
+  type: 'object',
+  properties: {
+    download: { type: 'string', examples: ['filename.jpg', null] },
+  },
+} as const
+
 interface getObjectRequestInterface {
   Params: FromSchema<typeof getPublicObjectParamsSchema>
   Headers: {
     range?: string
   }
+  Querystring: FromSchema<typeof getObjectQuerySchema>
 }
 
 // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
@@ -49,6 +58,7 @@ export default async function routes(fastify: FastifyInstance) {
     async (request, response) => {
       const { bucketName } = request.params
       const objectName = request.params['*']
+      const { download } = request.query
 
       const { error, status } = await request.superUserPostgrest
         .from<Bucket>('buckets')
@@ -81,6 +91,20 @@ export default async function routes(fastify: FastifyInstance) {
         if (data.metadata.contentRange) {
           response.header('Content-Range', data.metadata.contentRange)
         }
+
+        if (typeof download !== 'undefined') {
+          if (download === '') {
+            response.header('Content-Disposition', 'attachment;')
+          } else {
+            const encodedFileName = encodeURIComponent(download)
+
+            response.header(
+              'Content-Disposition',
+              `attachment; filename=${encodedFileName}; filename*=UTF-8''${encodedFileName};`
+            )
+          }
+        }
+
         return response.send(data.body)
       } catch (err: any) {
         if (err.$metadata?.httpStatusCode === 304) {

src/routes/object/getSignedObject.ts

@@ -26,9 +26,11 @@ const getSignedObjectParamsSchema = {
   },
   required: ['bucketName', '*'],
 } as const
+
 const getSignedObjectQSSchema = {
   type: 'object',
   properties: {
+    download: { type: 'string', examples: ['filename.jpg', null] },
     token: {
       type: 'string',
       examples: [
@@ -64,6 +66,8 @@ export default async function routes(fastify: FastifyInstance) {
     },
     async (request, response) => {
       const { token } = request.query
+      const { download } = request.query
+
       try {
         const jwtSecret = await getJwtSecret(request.tenantId)
         const payload = await verifyJWT(token, jwtSecret)
@@ -87,6 +91,20 @@ export default async function routes(fastify: FastifyInstance) {
         if (data.metadata.contentRange) {
           response.header('Content-Range', data.metadata.contentRange)
         }
+
+        if (typeof download !== 'undefined') {
+          if (download === '') {
+            response.header('Content-Disposition', 'attachment;')
+          } else {
+            const encodedFileName = encodeURIComponent(download)
+
+            response.header(
+              'Content-Disposition',
+              `attachment; filename=${encodedFileName}; filename*=UTF-8''${encodedFileName};`
+            )
+          }
+        }
+
         return response.send(data.body)
       } catch (err: any) {
         if (err.$metadata?.httpStatusCode === 304) {

src/test/object.test.ts

@@ -102,6 +102,38 @@ describe('testing GET object', () => {
     })
   })
 
+  test('force downloading file with default name', async () => {
+    const response = await app().inject({
+      method: 'GET',
+      url: '/object/authenticated/bucket2/authenticated/casestudy.png?download',
+      headers: {
+        authorization: `Bearer ${process.env.AUTHENTICATED_KEY}`,
+      },
+    })
+    expect(S3Backend.prototype.getObject).toBeCalled()
+    expect(response.headers).toEqual(
+      expect.objectContaining({
+        'content-disposition': `attachment;`,
+      })
+    )
+  })
+
+  test('force downloading file with a custom name', async () => {
+    const response = await app().inject({
+      method: 'GET',
+      url: '/object/authenticated/bucket2/authenticated/casestudy.png?download=testname.png',
+      headers: {
+        authorization: `Bearer ${process.env.AUTHENTICATED_KEY}`,
+      },
+    })
+    expect(S3Backend.prototype.getObject).toBeCalled()
+    expect(response.headers).toEqual(
+      expect.objectContaining({
+        'content-disposition': `attachment; filename=testname.png; filename*=UTF-8''testname.png;`,
+      })
+    )
+  })
+
   test('check if RLS policies are respected: anon user is not able to read authenticated resource', async () => {
     const response = await app().inject({
       method: 'GET',