Add fileFilter to the journey photo multer config (shared by entry photo upload and gallery upload routes): - Rejects any non-image MIME type (including SVG which carries XSS risk) - Checks the extension against the admin-configured allowed_file_types setting (same getAllowedExtensions() used by the trip file upload route) - Returns HTTP 400 with a descriptive message on rejection Also fix the global error handler to return err.message for 4xx responses instead of the generic 'Internal server error', so fileFilter rejections produce a readable error on the client. |
||
|---|---|---|
| .. | ||
| assets | ||
| public | ||
| scripts | ||
| src | ||
| tests | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||
| vitest.config.ts | ||