Merge pull request #1907 from betagouv/master

MEP TRELLO-2934 redirect old attachment endpoint to new one
betagouv · Mar 4, 2025 · f15d572 · f15d572
2 parents 5d0c130 + 777baeb
commit f15d572
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/app/controllers/ReportFileController.scala b/app/controllers/ReportFileController.scala
@@ -43,20 +43,21 @@ class ReportFileController(
 
   val logger: Logger = Logger(this.getClass)
 
-  val reportFileMaxSizeInBytes = signalConsoConfiguration.reportFileMaxSize * 1024 * 1024
+  private val reportFileMaxSizeInBytes = signalConsoConfiguration.reportFileMaxSize * 1024 * 1024
 
   def legacyDownloadReportFile(uuid: ReportFileId, filename: String): Action[AnyContent] =
     Act.public.generousLimit.async { req =>
-      // Temporary to understand where the remaining calls are coming from : api calls by ReponseConso ? some frontend that was not updated?
-      logger.warnWithTitle(
+      logger.infoWithTitle(
         "legacyDownloadReportFile",
         s"call of legacyDownloadReportFile by user agent ${req.headers
-            .get(USER_AGENT)} and api key ${req.headers.get("X-Api-Key").map(_.slice(0, 4))}"
+            .get(USER_AGENT)}}"
+      )
+      Future.successful(
+        // This legacy endpoint was not secured and could serve any attachments.
+        // We think it's still used by some agents, so this new endpoint
+        // should do the trick (requires login and only works on attachments linked to a report)
+        Redirect(routes.ReportFileController.downloadFileUsedInReport(fileId = uuid, filename = filename))
       )
-
-      reportFileOrchestrator
-        .legacyDownloadReportAttachment(uuid, filename)
-        .map(signedUrl => Redirect(signedUrl))
     }
 
   def downloadFileNotYetUsedInReport(uuid: ReportFileId, filename: String): Action[AnyContent] =

diff --git a/conf/routes b/conf/routes
@@ -35,7 +35,11 @@ GET           /api/reports/files/temporary/:fileId/:filename          controller
 # for deleting an attachment that was uploaded but the report isn't submitted yet
 # also used in the dashboard for the pro when his response isn't submitted yet
 DELETE        /api/reports/files/temporary/:fileId/:filename          controllers.ReportFileController.deleteFileNotYetUsedInReport(fileId: ReportFileId, filename)
-# this next one is LEGACY, to be removed very soon, once the frontend is updated (was used both in website and dashboard)
+
+# Legacy endpoint. Redirects to another endpoint, that is more secure
+# It is not used in the frontends anymore, but we still see some calls in New Relic
+# We think it's DGCCRF agents who still have the URL from an Excel export
+# Could probably be removed in a few weeks/months
 GET           /api/reports/files/:uuid/:filename                      controllers.ReportFileController.legacyDownloadReportFile(uuid: ReportFileId, filename)
 
 # For the conso, to reattribute a report if the pro said he was not concerned