
fix: Improve FileProxy Handling, set Content-Type #30427

Merged



@nmagedman nmagedman commented Sep 18, 2023

When proxying an asset file from Amazon S3 or Google Storage, we previously failed to copy forward important headers such as

  • Content-Type
  • Content-Length
  • Cache-Control

We also ignored the storage service's HTTP status response, effectively assuming 200, and just blindly passed on the content body. In the case of any errors or redirects, we would interpret that (empty or meaningless) body as the asset itself.

Instead, we now proxy those HTTP headers and treat any non-200 as an error.

Proposed changes (including videos or screenshots)

  • When proxying an asset file from Amazon S3 or Google Storage, forward on several HTTP headers in our response, most notably Content-Type.
  • If the asset file status code is not 200, return an error, since simply piping (forwarding) the body will not properly proxy the file.

Issue(s)

Fixes #18312 by proxying the Content-Type header

Steps to test or reproduce

  • Configure your RC installation to use Amazon S3 as the File Upload Storage Type.

  • Post a message in a chat room, along with an image attachment.

  • View the post with the image attachment.

  • Right-Click on the image and choose "Open Image in New Tab". (Wording is from Chrome. Other browsers will have the same functionality, albeit with different wording.)

  • Instead of an image, the browser will show text similar to:

    ‰PNG
    �
    ���
    IHDR���4���Ö�����¹²ÃÉ��
    

Further comments

  • This problem was first identified in #18312 (Attached files are rendered as text). The repro instructions in that bug report said to "Click on the image title", which in those days opened the image in its own tab. When the UI changed to make image titles no longer clickable, the issue was closed without addressing the underlying problem. However, there are other ways to open an image in its own tab, namely using the browser's native context menu. As it turns out, many of our users frequently use that functionality.
  • The underlying problem is the combination of:
    • failing to provide the browser with a Content-Type header when proxying from S3
    • adding an X-Content-Type-Options: nosniff header (in apps/meteor/app/cors/server/cors.ts)
  • Together, the above forces the browser to render the image using the default content type (text/plain)
  • I have not attempted to test this using other File Upload Storage Types, such as Google Storage.

When proxying an asset file from Amazon S3 or Google Storage,
we previously ignored important headers such as

   - Content-Type
   - Content-Length
   - Cache-Control

We also ignored the storage service's HTTP response,
effectively assuming 200, and just blindly passed on
the content body.  In the case of any errors or redirects,
we would interpret that (empty or meaningless) body as
the asset itself.

Instead, we now proxy those HTTP headers and treat
any non-200 as an error.
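The two behaviours the description contrasts (blindly piping the storage response as a 200 with no headers, versus forwarding Content-Type, Content-Length and Cache-Control and refusing anything that is not a 200), as an added example that is not Rocket.Chat's code. Responses are plain objects standing in for Node's http request/response, the function names (`baseHeaders`, `proxyBlindly`, `proxyUpstream`, `renderedAs`), the forwarded-header list and the choice of 502 for the error case are assumptions, and the sample upstream responses are constructed, not captured from S3:

```javascript
'use strict';

// Headers the fixed proxy copies from the storage (S3 / Google Storage)
// response. The PR names these three; the list itself is an assumption.
const FORWARDED_HEADERS = ['content-type', 'content-length', 'cache-control'];

// Headers Rocket.Chat adds to every response regardless of the upstream
// (the PR points at X-Content-Type-Options: nosniff in cors.ts).
// Function name is hypothetical.
function baseHeaders() {
  return { 'x-content-type-options': 'nosniff' };
}

// Old behaviour: the upstream status and headers are ignored and the body
// is piped through as a 200. Even a redirect or an XML error document is
// served as if it were the asset.
function proxyBlindly(upstream) {
  return { status: 200, headers: baseHeaders(), body: upstream.body };
}

// Fixed behaviour: forward the headers the browser needs and refuse to
// pipe a body that is not the asset. 502 is an assumed choice; the PR only
// says "return an error".
function proxyUpstream(upstream) {
  const headers = baseHeaders();
  if (upstream.statusCode !== 200) {
    // Give the error its own Content-Type so nosniff does not apply to it too.
    headers['content-type'] = 'text/plain; charset=utf-8';
    return {
      status: 502,
      headers,
      body: `upstream storage returned HTTP ${upstream.statusCode}`,
    };
  }
  for (const name of FORWARDED_HEADERS) {
    const value = upstream.headers[name];
    if (value !== undefined) headers[name] = value;
  }
  return { status: 200, headers, body: upstream.body };
}

// Model of what the browser does with the headers, following the PR's
// explanation: with nosniff set and no Content-Type the body is rendered
// as text/plain; without nosniff the browser would sniff the bytes.
function renderedAs(response) {
  const contentType = response.headers['content-type'];
  if (contentType) return contentType.split(';')[0].trim();
  return response.headers['x-content-type-options'] === 'nosniff' ? 'text/plain' : 'sniffed';
}

// Constructed sample upstream responses (not real S3 captures).
const PNG_MAGIC = '\x89PNG\r\n\x1a\n'; // the 8-byte PNG signature
const S3_OK = {
  statusCode: 200,
  headers: {
    'content-type': 'image/png',
    'content-length': '8',
    'cache-control': 'max-age=31536000',
    'x-amz-request-id': 'constructed', // present upstream, but not forwarded
  },
  body: PNG_MAGIC,
};
const S3_REDIRECT = {
  statusCode: 301,
  headers: { location: 'https://example.invalid/elsewhere' },
  body: '',
};
const S3_DENIED = {
  statusCode: 403,
  headers: { 'content-type': 'application/xml' },
  body: '<Error><Code>AccessDenied</Code></Error>',
};

for (const [label, upstream] of Object.entries({ ok: S3_OK, redirect: S3_REDIRECT, denied: S3_DENIED })) {
  const before = proxyBlindly(upstream);
  const after = proxyUpstream(upstream);
  console.log(`${label}: before -> ${before.status} ${renderedAs(before)}; after -> ${after.status} ${renderedAs(after)}`);
}
```

Forwarding Content-Length is only correct because the body is piped byte-for-byte; a proxy that re-encodes or transforms the body must recompute or drop it. Forwarding an allow-list rather than every upstream header keeps storage-specific headers (the x-amz-request-id above) off the client response.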

changeset-bot bot commented Sep 18, 2023

🦋 Changeset detected

Latest commit: 2f933d7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 30 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/api-client Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/models Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/instance-status Patch


@nmagedman nmagedman changed the title chore: Improve FileProxy Handling fix: Improve FileProxy Handling, set Content-Type Sep 18, 2023
@casalsgh casalsgh requested a review from a team October 5, 2023 16:50

codecov bot commented Oct 5, 2023

Codecov Report

Merging #30427 (2f933d7) into develop (ae71e31) will decrease coverage by 0.16%.
The diff coverage is n/a.


@@             Coverage Diff             @@
##           develop   #30427      +/-   ##
===========================================
- Coverage    51.29%   51.14%   -0.16%     
===========================================
  Files          811      805       -6     
  Lines        15059    15074      +15     
  Branches      2751     2785      +34     
===========================================
- Hits          7725     7709      -16     
- Misses        6926     6931       +5     
- Partials       408      434      +26     
Flag Coverage Δ
e2e 48.45% <ø> (-0.12%) ⬇️


@dionisio-bot dionisio-bot bot added stat: ready to merge PR tested and approved waiting for merge and removed stat: needs QA labels Oct 13, 2023
@kodiakhq kodiakhq bot merged commit 54d8ad4 into RocketChat:develop Oct 13, 2023
41 checks passed
@scuciatto scuciatto added this to the 6.4.2 milestone Oct 16, 2023
gabriellsh added a commit that referenced this pull request Oct 16, 2023
…/mentionBot

* 'develop' of github.com:RocketChat/Rocket.Chat:
  feat: add tooltip to badge mentions (#30590)
  chore: improve `Tag` a11y link (#30636)
  refactor: Replace `useForm` in favor of RHF on `AppInstallPage` (#30634)
  fix: Improve FileProxy Handling, set Content-Type (#30427)
  refactor: `EditRoomInfo` to typescript (#28318)
  fix: mobile ringing notification missing call id (#30614)
  fix: Some HTTP requests sent by apps don't have their data parsed into JSON (#30560)
  test: More tests for groups kick (#30536)
  fix: Threads breaking after sending messages too fast (#30622)
  chore: Remove text decoration from room tag (#30606)
  i18n: Language update from LingoHub 🤖 on 2023-10-10Z (#30613)
  fix: File attachments have no content when exporting room messages as file (#30596)
  fix: use setImmediate to handle username update (#30500)
  chore: `AnalyticsReports` visual adequacy (#30617)
sampaiodiego added a commit that referenced this pull request Oct 16, 2023
Co-authored-by: Diego Sampaio <8591547+sampaiodiego@users.noreply.github.com>
Labels
stat: QA skipped stat: ready to merge PR tested and approved waiting for merge
Development

Successfully merging this pull request may close these issues.

Attached files are rendered as text
4 participants