| 128 | * @returns Promise<boolean> True if user has access, false otherwise |
| 129 | */ |
| 130 | export async function verifyFileAccess( |
| 131 | cloudKey: string, |
| 132 | userId: string, |
| 133 | customConfig?: StorageConfig, |
| 134 | context?: StorageContext | 'general', |
| 135 | isLocal?: boolean, |
| 136 | options?: { requireWrite?: boolean } |
| 137 | ): Promise<boolean> { |
| 138 | const requireWrite = options?.requireWrite ?? false |
| 139 | try { |
| 140 | if (context === 'general') { |
| 141 | return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite) |
| 142 | } |
| 143 | |
| 144 | // Infer context from key if not explicitly provided |
| 145 | const inferredContext = context || inferContextFromKey(cloudKey) |
| 146 | |
| 147 | // 0. Public contexts: profile pictures, OG images, and workspace logos are world-readable, so reads short-circuit; writes require proof of ownership |
| 148 | if ( |
| 149 | inferredContext === 'profile-pictures' || |
| 150 | inferredContext === 'og-images' || |
| 151 | inferredContext === 'workspace-logos' |
| 152 | ) { |
| 153 | if (requireWrite) { |
| 154 | return await verifyPublicAssetWriteAccess(cloudKey, userId, inferredContext, customConfig) |
| 155 | } |
| 156 | logger.info('Public file access allowed', { cloudKey, context: inferredContext }) |
| 157 | return true |
| 158 | } |
| 159 | |
| 160 | // 1. Workspace / mothership files: Check database first (most reliable for both local and cloud) |
| 161 | if (inferredContext === 'workspace' || inferredContext === 'mothership') { |
| 162 | return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite) |
| 163 | } |
| 164 | |
| 165 | // 2. Execution files: workspace_id/workflow_id/execution_id/filename |
| 166 | if (inferredContext === 'execution') { |
| 167 | return await verifyExecutionFileAccess(cloudKey, userId, customConfig, requireWrite) |
| 168 | } |
| 169 | |
| 170 | // 3. Copilot files: Check database first, then metadata, then path pattern (legacy) |
| 171 | if (inferredContext === 'copilot') { |
| 172 | return await verifyCopilotFileAccess(cloudKey, userId, customConfig) |
| 173 | } |
| 174 | |
| 175 | // 4. KB files: kb/filename |
| 176 | if (inferredContext === 'knowledge-base') { |
| 177 | return await verifyKBFileAccess(cloudKey, userId, customConfig) |
| 178 | } |
| 179 | |
| 180 | // 5. Chat files: chat/filename |
| 181 | if (inferredContext === 'chat') { |
| 182 | return await verifyChatFileAccess(cloudKey, userId, customConfig, requireWrite) |
| 183 | } |
| 184 | |
| 185 | // 6. Regular uploads: UUID-filename or timestamp-filename |
| 186 | // Check metadata for userId/workspaceId, or database for workspace files |
| 187 | return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite) |