feat: generate secret function and replaced few instances (#7810)

This PR fixes #4588

---------

Co-authored-by: Félix Malfait <felix@twenty.com>
Co-authored-by: Charles Bochet <charles@twenty.com>

packages/twenty-server/src/engine/core-modules/file/file-upload/services/file-upload.service.ts

@@ -8,8 +8,8 @@ import { v4 as uuidV4 } from 'uuid';
 import { FileFolder } from 'src/engine/core-modules/file/interfaces/file-folder.interface';
 
 import { settings } from 'src/engine/constants/settings';
-import { FileService } from 'src/engine/core-modules/file/services/file.service';
 import { FileStorageService } from 'src/engine/core-modules/file-storage/file-storage.service';
+import { FileService } from 'src/engine/core-modules/file/services/file.service';
 import { getCropSize } from 'src/utils/image';
 
 @Injectable()
@@ -83,7 +83,7 @@ export class FileUploadService {
     });
 
     const signedPayload = await this.fileService.encodeFileToken({
-      workspace_id: workspaceId,
+      workspaceId: workspaceId,
     });
 
     return {

packages/twenty-server/src/engine/core-modules/file/guards/file-path-guard.ts

@@ -7,40 +7,43 @@ import {
 } from '@nestjs/common';
 
 import { JwtWrapperService } from 'src/engine/core-modules/jwt/services/jwt-wrapper.service';
-import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
 
 @Injectable()
 export class FilePathGuard implements CanActivate {
-  constructor(
-    private readonly jwtWrapperService: JwtWrapperService,
-    private readonly environmentService: EnvironmentService,
-  ) {}
+  constructor(private readonly jwtWrapperService: JwtWrapperService) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest();
     const query = request.query;
 
-    if (query && query['token']) {
-      const payloadToDecode = query['token'];
-      const decodedPayload = await this.jwtWrapperService.decode(
-        payloadToDecode,
-        {
-          secret: this.environmentService.get('FILE_TOKEN_SECRET'),
-        } as any,
-      );
-
-      const expirationDate = decodedPayload?.['expiration_date'];
-      const workspaceId = decodedPayload?.['workspace_id'];
-
-      const isExpired = await this.isExpired(expirationDate);
-
-      if (isExpired) {
-        return false;
-      }
-
-      request.workspaceId = workspaceId;
+    if (!query || !query['token']) {
+      return false;
     }
 
+    const payload = await this.jwtWrapperService.verifyWorkspaceToken(
+      query['token'],
+      'FILE',
+    );
+
+    if (!payload.workspaceId) {
+      return false;
+    }
+
+    const decodedPayload = await this.jwtWrapperService.decode(query['token'], {
+      json: true,
+    });
+
+    const expirationDate = decodedPayload?.['expirationDate'];
+    const workspaceId = decodedPayload?.['workspaceId'];
+
+    const isExpired = await this.isExpired(expirationDate);
+
+    if (isExpired) {
+      return false;
+    }
+
+    request.workspaceId = workspaceId;
+
     return true;
   }
 

packages/twenty-server/src/engine/core-modules/file/services/file.service.ts

@@ -5,9 +5,9 @@ import { Stream } from 'stream';
 import { addMilliseconds } from 'date-fns';
 import ms from 'ms';
 
-import { JwtWrapperService } from 'src/engine/core-modules/jwt/services/jwt-wrapper.service';
 import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
 import { FileStorageService } from 'src/engine/core-modules/file-storage/file-storage.service';
+import { JwtWrapperService } from 'src/engine/core-modules/jwt/services/jwt-wrapper.service';
 
 @Injectable()
 export class FileService {
@@ -34,13 +34,16 @@ export class FileService {
     const fileTokenExpiresIn = this.environmentService.get(
       'FILE_TOKEN_EXPIRES_IN',
     );
-    const secret = this.environmentService.get('FILE_TOKEN_SECRET');
+    const secret = this.jwtWrapperService.generateAppSecret(
+      'FILE',
+      payloadToEncode.workspaceId,
+    );
 
     const expirationDate = addMilliseconds(new Date(), ms(fileTokenExpiresIn));
 
     const signedPayload = this.jwtWrapperService.sign(
       {
-        expiration_date: expirationDate,
+        expirationDate: expirationDate,
         ...payloadToEncode,
       },
       {