61 lines
1.5 KiB
PHP
61 lines
1.5 KiB
PHP
<?php
|
|
/**
|
|
* Secure File Proxy for Invoices
|
|
*/
|
|
|
|
use App\Core\Database;
|
|
use App\Middleware\AuthMiddleware;
|
|
|
|
// Extract token from header OR query string
|
|
$headers = getallheaders();
|
|
$authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
|
|
$token = '';
|
|
|
|
if (preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
|
|
$token = $matches[1];
|
|
} elseif (isset($_GET['token'])) {
|
|
$token = $_GET['token'];
|
|
}
|
|
|
|
if (!$token) die('Forbidden: No token provided');
|
|
|
|
$decoded = \App\Core\JWT::decode($token);
|
|
if (!$decoded) die('Forbidden: Invalid token');
|
|
|
|
$db = Database::getInstance();
|
|
|
|
$id = input('id');
|
|
if (!$id) die('Forbidden');
|
|
|
|
$stmt = $db->prepare("SELECT tenant_id, original_file_path FROM invoices WHERE id = ?");
|
|
$stmt->execute([$id]);
|
|
$invoice = $stmt->fetch();
|
|
|
|
if (!$invoice) die('Not found');
|
|
|
|
// Authorization
|
|
if ($decoded['role'] !== 'super_admin' && $invoice['tenant_id'] !== $decoded['tenant_id']) {
|
|
die('Unauthorized');
|
|
}
|
|
|
|
$filePath = $invoice['original_file_path'];
|
|
|
|
if (!file_exists($filePath)) {
|
|
error_log("FILE PROXY ERROR: File not found at " . $filePath);
|
|
header("HTTP/1.0 404 Not Found");
|
|
exit('File missing');
|
|
}
|
|
|
|
if (!is_readable($filePath)) {
|
|
error_log("FILE PROXY ERROR: File not readable at " . $filePath);
|
|
header("HTTP/1.0 403 Forbidden");
|
|
exit('Permission denied');
|
|
}
|
|
|
|
$mime = mime_content_type($filePath);
|
|
header("Content-Type: $mime");
|
|
header("Content-Length: " . filesize($filePath));
|
|
header("Cache-Control: public, max-age=3600"); // Add caching for speed
|
|
readfile($filePath);
|
|
exit;
|