JAVASCRIPT

Secure File Upload Validation in Node.js with Multer

Implement file upload validation in Node.js using Multer: allowlist the declared MIME types, cap the file size, sanitize the stored filename, and return clear errors for rejected uploads.

const express = require('express');
const multer = require('multer');
const path = require('path');
const fs = require('fs');

const app = express();

// Multer does not create the destination directory when it is given as a
// function, so make sure it exists before the first upload arrives.
const UPLOAD_DIR = path.join(__dirname, 'uploads');
fs.mkdirSync(UPLOAD_DIR, { recursive: true });

// Configure storage for Multer
const storage = multer.diskStorage({
    destination: (req, file, cb) => {
        cb(null, UPLOAD_DIR); // Store files in the 'uploads' directory
    },
    filename: (req, file, cb) => {
        // Strip everything except letters, digits, '.', '-' and '_' from the
        // client-supplied name so it cannot carry path separators, and fall
        // back to a fixed name when nothing is left. The timestamp prefix
        // reduces collisions; it does not make the name unguessable.
        const sanitizedFilename = file.originalname.replace(/[^a-zA-Z0-9.\-_]/g, '') || 'upload';
        cb(null, Date.now() + '-' + sanitizedFilename);
    }
});

// File filter function to check the declared file type. Note that
// file.mimetype is copied from the Content-Type header of the multipart
// part, i.e. it is whatever the client claims; the file's bytes are not
// available at this point.
const fileFilter = (req, file, cb) => {
    const allowedMimeTypes = ['image/jpeg', 'image/png', 'application/pdf'];
    if (allowedMimeTypes.includes(file.mimetype)) {
        cb(null, true); // Accept file
    } else {
        cb(new Error('Invalid file type. Only JPEG, PNG, and PDF are allowed.'), false); // Reject file
    }
};

// Initialize Multer upload with configurations
const upload = multer({
    storage: storage,
    limits: { fileSize: 5 * 1024 * 1024 }, // Limit file size to 5MB; Multer raises LIMIT_FILE_SIZE beyond it
    fileFilter: fileFilter
});

// Define an upload route (the multipart field must be named 'myFile')
app.post('/upload', upload.single('myFile'), (req, res) => {
    if (req.file) {
        res.status(200).send(`File uploaded successfully: ${req.file.filename}`);
    } else {
        res.status(400).send('File upload failed.');
    }
});

// Error handling middleware. Express only treats a handler with four
// parameters as an error handler, so `next` stays even though every
// branch here sends a response.
app.use((err, req, res, next) => {
    if (err instanceof multer.MulterError) {
        // Limits exceeded, unexpected field name, and similar
        res.status(400).send(`Multer error: ${err.message}`);
    } else {
        // The rejection error raised by fileFilter ends up here
        res.status(400).send(`Error: ${err.message}`);
    }
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});
How it works: This Node.js snippet demonstrates file upload validation using Express and Multer. It configures `multer.diskStorage` to write files into an `uploads` directory under a name stripped of everything except letters, digits, dots, hyphens and underscores, so a client-supplied name cannot carry path separators or a traversal sequence into the destination path. The `fileFilter` function allowlists MIME types (JPEG, PNG and PDF) and rejects everything else before the file is written. Be clear about what this check is and is not: `file.mimetype` is the Content-Type the client declared for its multipart part, and `fileFilter` runs before any file bytes are available, so it stops accidental or low-effort mismatches but not an attacker who declares `image/png` for a file that is really a script. To actually enforce the type, inspect the file's leading bytes (its magic number) once it has been received, check that the extension agrees with the detected type, and keep uploads outside the web root or serve them with a fixed Content-Type and `Content-Disposition: attachment`. The `limits` object caps the file size (5 MB here); Multer stops reading at that point and raises a `MulterError` with code `LIMIT_FILE_SIZE`, which bounds disk and memory use per request. The error-handling middleware distinguishes Multer's own errors (limits, unexpected field names) from the rejection error thrown by `fileFilter` and answers both with a 400.
