"""
app.py — QR Carrier PDF generator: single-item and CSV-driven multi-item workflows.
Serves the upload UI at /qr/add/ (Apache ProxyPass).
Environment variables:
QR_WATCH_DIR Root directory that contains job subfolders
(default: /var/www/html/qr)
QR_BASE_URL Public URL that maps to QR_WATCH_DIR
(default: http://fileshare.icastinc.com/qr)
PORT Port for the built-in dev server (default: 5001)
"""
import csv
import io
import json
import os
import re
import shutil
import sys
import threading
import uuid
import zipfile
from pathlib import Path
from urllib.parse import quote
from flask import Flask, abort, jsonify, render_template_string, request, send_file
from werkzeug.utils import secure_filename
import msal
import requests as _http_requests
from functools import wraps
from flask import redirect, session, url_for
# Allow importing qr_merge from the parent /var/www/html/qr/ directory
sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
# Prefer merge_item (DVI-176 spec); fall back to build_carrier_pdf until it lands.
try:
from qr_merge import merge_item as _qr_merge_item # noqa: E402
def _merge_item(carrier_path: Path, shop_path: Path, output_folder: Path,
submittal_path: Path | None = None) -> Path:
generated = Path(_qr_merge_item(
carrier_sheet_path=str(carrier_path),
shop_drawing_path=str(shop_path),
output_folder=str(output_folder),
submittal_path=str(submittal_path) if submittal_path else None,
))
# Overwrite the carrier sheet with the merged output; remove generated file.
if generated.resolve() != carrier_path.resolve():
carrier_path.write_bytes(generated.read_bytes())
generated.unlink()
return carrier_path
except ImportError:
# merge_item not yet in qr_merge.py — use build_carrier_pdf directly.
from qr_merge import build_carrier_pdf as _build_carrier_pdf # noqa: E402
def _merge_item(carrier_path: Path, shop_path: Path, output_folder: Path,
submittal_path: Path | None = None) -> Path:
_base_url = os.environ.get("QR_BASE_URL", "http://fileshare.icastinc.com/qr")
folder_url = f"{_base_url.rstrip('/')}/{quote(output_folder.name)}"
shop_url = f"{folder_url}/{quote(shop_path.name)}"
submittal_url = f"{folder_url}/{quote(submittal_path.name)}" if submittal_path else ""
carrier_bytes = carrier_path.read_bytes() # read before overwriting
result_bytes = _build_carrier_pdf(carrier_bytes, submittal_url, shop_url)
carrier_path.write_bytes(result_bytes) # overwrite in place
return carrier_path
# Also keep build_carrier_pdf available for the legacy single-item route.
try:
from qr_merge import build_carrier_pdf # noqa: E402
except ImportError:
build_carrier_pdf = None # type: ignore[assignment]
app = Flask(__name__)
app.config["MAX_CONTENT_LENGTH"] = 500 * 1024 * 1024 # 500 MB (zip files with PDFs)
# ---------------------------------------------------------------------------
# Azure AD / Microsoft 365 SSO configuration
# ---------------------------------------------------------------------------
app.config["SECRET_KEY"] = os.environ["FLASK_SECRET_KEY"]
_AZ_CLIENT_ID = os.environ["AZURE_CLIENT_ID"]
_AZ_SECRET = os.environ["AZURE_CLIENT_SECRET"]
_AZ_TENANT = os.environ["AZURE_TENANT_ID"]
_AZ_GROUP = os.environ["AZURE_TOGEN_GROUP_ID"]
_AZ_AUTHORITY = f"https://login.microsoftonline.com/{_AZ_TENANT}"
_AZ_SCOPES = ["User.Read", "GroupMember.Read.All"]
_AZ_REDIRECT = "https://togen.icastinc.com/auth/callback"
WATCH_DIR = Path(os.environ.get("QR_WATCH_DIR", "/var/www/html/qr"))
SHARED_DIR = Path(os.environ.get("QR_SHARED_DIR", "/var/www/html/shared"))
BASE_URL = os.environ.get("QR_BASE_URL", "http://fileshare.icastinc.com/qr")
_SAFE_JOB_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9 _\-\.]{0,79}$")
# ---------------------------------------------------------------------------
# Shared helpers
# ---------------------------------------------------------------------------
def _safe_job_folder(job_id: str) -> Path:
"""Return resolved Path for job_id; abort(400) if unsafe."""
if not _SAFE_JOB_RE.match(job_id) or ".." in job_id:
abort(400)
folder = (WATCH_DIR / job_id).resolve()
if not str(folder).startswith(str(WATCH_DIR.resolve())):
abort(400)
return folder
def _find_generated(job_folder: Path) -> Path | None:
if not job_folder.is_dir():
return None
for f in job_folder.iterdir():
if f.is_file() and "generated" in f.name.lower() and f.suffix.lower() == ".pdf":
return f
return None
def _state_path(folder: Path) -> Path:
return folder / "state.json"
def _load_state(folder: Path) -> dict:
p = _state_path(folder)
return json.loads(p.read_text()) if p.exists() else {}
def _save_state(folder: Path, state: dict) -> None:
_state_path(folder).write_text(json.dumps(state, indent=2))
def _match_files_to_items(
folder: Path,
items: list[str],
item_refs: list[str],
item_cols_a: list[str],
) -> list[dict]:
"""Scan *folder* recursively for PDFs and match them to items by identifier presence + suffix.
Identifiers: col A (item_cols_a[i]), col H (item_refs[i]), col C (items[i]).
All non-empty identifiers must appear in the filename stem (case-insensitive).
Suffix determines file type:
stem ends with 'shop' → shop drawing
stem ends with 'submittal' → submittal document
stem ends with 'carrierqr' → QR carrier sheet
Submittal fallback: if no submittal matches all identifiers (common when the submittal is
a shared document not named per item), retry with only col A as the required identifier.
Paths stored are relative to *folder* so they work regardless of subdirectory depth.
Returns a list[dict] parallel to *items*; each dict maps 'shop'/'submittal'/'carrier'
to the relative path string from *folder* (key absent if no match found).
"""
# rglob so files inside subdirectories (e.g. zip-extracted sub-folder) are found
pdf_files = [f for f in folder.rglob("*.pdf")]
auto_files: list[dict] = []
for i, item_name in enumerate(items):
col_a = item_cols_a[i] if i < len(item_cols_a) else ""
col_h = item_refs[i] if i < len(item_refs) else ""
col_c = item_name
# All non-empty identifiers must appear in the stem (case-insensitive)
identifiers = [s.strip().lower() for s in [col_a, col_h, col_c] if s.strip()]
col_a_only = [col_a.strip().lower()] if col_a.strip() else []
matched: dict = {}
for pdf in pdf_files:
stem_lower = pdf.stem.lower()
rel = str(pdf.relative_to(folder))
if not all(ident in stem_lower for ident in identifiers):
continue
if stem_lower.endswith("shop"):
matched.setdefault("shop", rel)
elif stem_lower.endswith("submittal"):
matched.setdefault("submittal", rel)
elif stem_lower.endswith("carrierqr"):
matched.setdefault("carrier", rel)
# Submittal fallback: shared submittal files often omit item-specific identifiers.
# Only apply when a shop drawing was also matched — no shop means no submittal.
if "submittal" not in matched and "shop" in matched and col_a_only:
for pdf in pdf_files:
stem_lower = pdf.stem.lower()
if stem_lower.endswith("submittal") and all(ident in stem_lower for ident in col_a_only):
matched.setdefault("submittal", str(pdf.relative_to(folder)))
break
auto_files.append(matched)
return auto_files
# ---------------------------------------------------------------------------
# Legacy single-item background merge (unchanged from original)
# ---------------------------------------------------------------------------
def _run_merge_single(job_folder: Path) -> None:
"""Classify uploaded PDFs by filename and run the QR merge (legacy route)."""
if build_carrier_pdf is None:
return
carrier = submittal = shop = None
for f in sorted(job_folder.iterdir()):
if not f.is_file() or f.suffix.lower() != ".pdf":
continue
name = f.name.lower()
if "generated" in name:
continue
if "carrier" in name and carrier is None:
carrier = f
elif "submittal" in name and submittal is None:
submittal = f
elif "shop" in name and shop is None:
shop = f
if not (carrier and submittal and shop):
return
folder_name = job_folder.name
folder_url = f"{BASE_URL.rstrip('/')}/{quote(folder_name)}"
submittal_url = f"{folder_url}/{quote(submittal.name)}"
shop_url = f"{folder_url}/{quote(shop.name)}"
blank_bytes = carrier.read_bytes()
result_bytes = build_carrier_pdf(blank_bytes, submittal_url, shop_url)
output_path = job_folder / f"{folder_name} CarrierQR generated.pdf"
output_path.write_bytes(result_bytes)
# ---------------------------------------------------------------------------
# HTML (multi-item CSV workflow at top; legacy single-item below)
# ---------------------------------------------------------------------------
_HTML = r"""
Togen — Pull it Forward
togen
Pull it Forward
Take-off Bridge Workflow
Shared Folder Selection
Select a published folder to load its CSV and files.
Loading folders…
Zip File Upload
Drop a ZIP file here, or click to browse
ZIP must contain a CSV file and the PDF files for each item
"""
# ---------------------------------------------------------------------------
# Authentication helpers — Azure AD SSO (DVI-194)
# ---------------------------------------------------------------------------
def login_required(f):
"""Redirect unauthenticated requests to /login."""
@wraps(f)
def _wrap(*args, **kwargs):
if not session.get("user"):
session["next"] = request.url
return redirect(url_for("login"))
return f(*args, **kwargs)
return _wrap
@app.route("/login")
def login():
"""Initiate Microsoft OAuth 2.0 Authorization Code flow."""
cl = msal.ConfidentialClientApplication(
_AZ_CLIENT_ID, authority=_AZ_AUTHORITY, client_credential=_AZ_SECRET)
auth_url = cl.get_authorization_request_url(
_AZ_SCOPES,
redirect_uri=_AZ_REDIRECT,
state=session.get("next", "/"),
)
return redirect(auth_url)
@app.route("/auth/callback")
def auth_callback():
"""Handle the redirect from Microsoft after login."""
code = request.args.get("code")
if not code:
return "Authentication failed: no code returned.", 401
cl = msal.ConfidentialClientApplication(
_AZ_CLIENT_ID, authority=_AZ_AUTHORITY, client_credential=_AZ_SECRET)
result = cl.acquire_token_by_authorization_code(
code, scopes=_AZ_SCOPES, redirect_uri=_AZ_REDIRECT)
if "error" in result:
return f"Login error: {result.get('error_description', result['error'])}", 401
# Verify the user is a member of the Togen Azure AD group.
# GET /me/memberOf/{groupId} returns 200 if member, 404 if not.
token = result["access_token"]
graph_resp = _http_requests.get(
f"https://graph.microsoft.com/v1.0/me/memberOf/{_AZ_GROUP}",
headers={"Authorization": f"Bearer {token}"},
timeout=10,
)
if graph_resp.status_code != 200:
return (
"Access denied: your account is not a member of the Togen group. "
"Contact your IT administrator to request access.",
403,
)
claims = result["id_token_claims"]
session["user"] = {
"name": claims.get("name"),
"email": claims.get("preferred_username"),
}
next_url = request.args.get("state", "/")
return redirect(next_url)
@app.route("/logout")
def logout():
"""Clear local session and sign out from Microsoft."""
session.clear()
post_logout = "https://togen.icastinc.com"
return redirect(
f"{_AZ_AUTHORITY}/oauth2/v2.0/logout"
f"?post_logout_redirect_uri={post_logout}"
)
# ---------------------------------------------------------------------------
# Routes — multi-item CSV workflow
# ---------------------------------------------------------------------------
@app.route("/")
@login_required
def index():
return render_template_string(_HTML)
@app.route("/upload-csv", methods=["POST"])
@login_required
def upload_csv():
if "csv" not in request.files:
return jsonify({"error": "No CSV file provided"}), 400
f = request.files["csv"]
if not f.filename or not f.filename.lower().endswith(".csv"):
return jsonify({"error": "File must be a .csv"}), 400
safe_name = secure_filename(f.filename)
stem = Path(safe_name).stem
folder = WATCH_DIR / stem
folder.mkdir(parents=True, exist_ok=True)
csv_path = folder / safe_name
f.save(str(csv_path))
# Skip header row; use column C (index 2) as item name, column H (index 7) as part reference
items: list[str] = []
item_refs: list[str] = []
with open(csv_path, newline="", encoding="utf-8-sig") as fh:
reader = csv.reader(fh)
next(reader, None) # header
for row in reader:
if len(row) >= 3 and row[2].strip():
items.append(row[2].strip())
item_refs.append(row[7].strip() if len(row) >= 8 else "")
if not items:
return jsonify({"error": "No items found — expected data in column C from row 2 onward"}), 400
state: dict = {
"csv_filename": safe_name,
"stem": stem,
"items": items,
"item_refs": item_refs,
"files": {str(i): {} for i in range(len(items))},
"results": {},
}
_save_state(folder, state)
return jsonify({"folder": stem, "items": items, "item_refs": item_refs})
@app.route("/upload-zip", methods=["POST"])
@login_required
def upload_zip():
if "zip" not in request.files:
return jsonify({"error": "No zip file provided"}), 400
f = request.files["zip"]
if not f.filename or not f.filename.lower().endswith(".zip"):
return jsonify({"error": "File must be a .zip"}), 400
safe_name = secure_filename(f.filename)
stem = Path(safe_name).stem
folder = WATCH_DIR / stem
folder.mkdir(parents=True, exist_ok=True)
# Extract zip, rejecting any entries that would escape the target folder
with zipfile.ZipFile(f.stream) as zf:
for member in zf.namelist():
dest = (folder / member).resolve()
if not str(dest).startswith(str(folder.resolve())):
return jsonify({"error": f"Unsafe path in zip entry: {member}"}), 400
zf.extractall(str(folder))
# Find the CSV file (search root first, then subdirectories)
csv_files = sorted(folder.glob("*.csv")) or sorted(folder.glob("**/*.csv"))
if not csv_files:
return jsonify({"error": "No CSV file found in zip"}), 400
csv_path = csv_files[0]
# Parse same as upload_csv: skip header, col A = identifier, col C = item name, col H = ref
items: list[str] = []
item_refs: list[str] = []
item_cols_a: list[str] = []
with open(csv_path, newline="", encoding="utf-8-sig") as fh:
reader = csv.reader(fh)
next(reader, None)
for row in reader:
if len(row) >= 3 and row[2].strip():
items.append(row[2].strip())
item_refs.append(row[7].strip() if len(row) >= 8 else "")
item_cols_a.append(row[0].strip() if row else "")
if not items:
return jsonify({"error": "CSV in zip has no items (expected data in column C from row 2 onward)"}), 400
# Auto-match extracted PDF files to CSV rows
auto_files = _match_files_to_items(folder, items, item_refs, item_cols_a)
# Pre-populate state["files"] with matched filenames
files_state: dict = {}
for i, matched in enumerate(auto_files):
files_state[str(i)] = dict(matched) # copy; user uploads will override
state: dict = {
"csv_filename": str(csv_path.relative_to(folder)),
"stem": stem,
"items": items,
"item_refs": item_refs,
"item_cols_a": item_cols_a,
"files": files_state,
"results": {},
}
_save_state(folder, state)
return jsonify({"folder": stem, "items": items, "item_refs": item_refs, "auto_files": auto_files})
@app.route("/upload-file", methods=["POST"])
@login_required
def upload_file():
if "file" not in request.files:
return jsonify({"error": "No file provided"}), 400
f = request.files["file"]
if not f.filename or not f.filename.lower().endswith(".pdf"):
return jsonify({"error": "Only PDF files are accepted"}), 400
folder_name = request.form.get("folder", "")
item_index = request.form.get("item_index", "")
file_type = request.form.get("file_type", "")
if file_type not in ("shop", "submittal", "carrier"):
return jsonify({"error": "Invalid file_type"}), 400
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return jsonify({"error": "Invalid folder"}), 400
folder = WATCH_DIR / folder_name
if not folder.exists():
return jsonify({"error": "Session not found — please re-upload CSV"}), 400
save_name = secure_filename(f.filename)
f.save(str(folder / save_name))
state = _load_state(folder)
state.setdefault("files", {}).setdefault(item_index, {})[file_type] = save_name
_save_state(folder, state)
return jsonify({"ok": True})
@app.route("/submit", methods=["POST"])
@login_required
def submit():
data = request.get_json(silent=True) or {}
folder_name = data.get("folder", "")
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return jsonify({"error": "Invalid folder"}), 400
folder = WATCH_DIR / folder_name
state = _load_state(folder)
items = state.get("items", [])
if not items:
return jsonify({"error": "No items in session — please re-upload CSV"}), 400
# Load CSV rows to append URL columns
csv_path = folder / state["csv_filename"]
with open(csv_path, newline="", encoding="utf-8-sig") as fh:
rows = list(csv.reader(fh))
# Map item index → CSV row index (skip header; only count populated col-C rows)
item_row_map: dict[int, int] = {}
item_count = 0
for row_idx, row in enumerate(rows):
if row_idx == 0:
continue
if len(row) >= 3 and row[2].strip():
item_row_map[item_count] = row_idx
item_count += 1
results: list[dict] = []
for i, item_name in enumerate(items):
files = state.get("files", {}).get(str(i), {})
shop_name = files.get("shop")
carrier_name = files.get("carrier")
submittal_name = files.get("submittal")
# No shop drawing → skip this line (no merge, no CSV URLs written)
if not shop_name:
results.append({"skipped": True})
continue
# Shop provided without carrier → validation error
if not carrier_name:
results.append({"error": f'Shop Drawing uploaded for "{item_name}" but QR Carrier Sheet is required'})
continue
shop_path = folder / shop_name
carrier_path = folder / carrier_name
submittal_path = (folder / submittal_name) if submittal_name else None
try:
output_path = _merge_item(carrier_path, shop_path, folder, submittal_path)
# shop_name / carrier_name / submittal_name are relative paths from folder
# (either just "file.pdf" for manual uploads or "subdir/file.pdf" for zip auto-matches).
# Use safe='/' so subdirectory separators survive URL encoding.
folder_url = f"{BASE_URL.rstrip('/')}/{quote(folder_name, safe='')}"
shop_url = f"{folder_url}/{quote(shop_name, safe='/')}"
carrier_url = f"{folder_url}/{quote(carrier_name, safe='/')}"
submittal_url = f"{folder_url}/{quote(submittal_name, safe='/')}" if submittal_name else ""
# Write URLs into columns J (9), K (10), L (11)
if i in item_row_map:
row = rows[item_row_map[i]]
while len(row) < 12:
row.append("")
row[9] = shop_url
row[10] = submittal_url
row[11] = carrier_url
state.setdefault("results", {})[str(i)] = {"output": carrier_name}
results.append({
"ok": True,
"download_url": f"download-file?folder={quote(folder_name, safe='')}&file={quote(carrier_name, safe='/')}",
"preview_url": f"preview-file?folder={quote(folder_name, safe='')}&file={quote(carrier_name, safe='/')}",
})
except Exception as exc:
results.append({"error": str(exc)})
# Overwrite the original CSV with the updated rows (URLs now in columns J/K/L)
with open(csv_path, "w", newline="", encoding="utf-8") as fh:
csv.writer(fh).writerows(rows)
_save_state(folder, state)
return jsonify({"results": results})
@app.route("/download-file")
@login_required
def download_file():
folder_name = request.args.get("folder", "")
filename = request.args.get("file", "")
if not folder_name or not filename:
return "Missing parameters", 400
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return "Invalid folder", 400
# Use path resolution for safety instead of secure_filename, which mangles spaces.
folder = (WATCH_DIR / folder_name).resolve()
file_path = (folder / filename).resolve()
if not str(file_path).startswith(str(folder) + os.sep) and file_path != folder:
return "Invalid path", 400
if not file_path.exists():
return "File not found", 404
return send_file(str(file_path), as_attachment=True)
@app.route("/download-csv")
@login_required
def download_csv():
folder_name = request.args.get("folder", "")
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return "Invalid folder", 400
folder = WATCH_DIR / folder_name
state = _load_state(folder)
csv_path = folder / state.get("csv_filename", "")
if not csv_path.exists():
return "CSV not found", 404
return send_file(str(csv_path), as_attachment=True)
@app.route("/list-shared-folders")
@login_required
def list_shared_folders():
"""Return sorted list of subdirectory names in SHARED_DIR."""
if not SHARED_DIR.is_dir():
return jsonify({"folders": []})
folders = sorted(
(f.name for f in SHARED_DIR.iterdir() if f.is_dir() and not f.name.startswith(".")),
reverse=True,
)
return jsonify({"folders": folders})
@app.route("/select-shared-folder", methods=["POST"])
@login_required
def select_shared_folder():
"""Load a shared folder: copy to WATCH_DIR if needed, parse CSV, auto-match files."""
data = request.get_json(silent=True) or {}
folder_name = data.get("folder", "")
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return jsonify({"error": "Invalid folder name"}), 400
src = (SHARED_DIR / folder_name).resolve()
if not str(src).startswith(str(SHARED_DIR.resolve())) or not src.is_dir():
return jsonify({"error": "Folder not found in shared directory"}), 404
# Use or create a working copy in WATCH_DIR
dst = WATCH_DIR / folder_name
if not dst.exists():
shutil.copytree(str(src), str(dst))
# Find CSV (root first, then subdirectories)
csv_files = sorted(dst.glob("*.csv")) or sorted(dst.glob("**/*.csv"))
if not csv_files:
return jsonify({"error": "No CSV file found in folder"}), 400
csv_path = csv_files[0]
# Parse same as upload-zip: col A=identifier, col C=item name, col H=ref
items: list[str] = []
item_refs: list[str] = []
item_cols_a: list[str] = []
with open(csv_path, newline="", encoding="utf-8-sig") as fh:
reader = csv.reader(fh)
next(reader, None)
for row in reader:
if len(row) >= 3 and row[2].strip():
items.append(row[2].strip())
item_refs.append(row[7].strip() if len(row) >= 8 else "")
item_cols_a.append(row[0].strip() if row else "")
if not items:
return jsonify({"error": "CSV has no items (expected data in column C from row 2 onward)"}), 400
auto_files = _match_files_to_items(dst, items, item_refs, item_cols_a)
files_state = {str(i): dict(m) for i, m in enumerate(auto_files)}
state: dict = {
"csv_filename": str(csv_path.relative_to(dst)),
"stem": folder_name,
"items": items,
"item_refs": item_refs,
"item_cols_a": item_cols_a,
"files": files_state,
"results": {},
}
_save_state(dst, state)
return jsonify({"folder": folder_name, "items": items, "item_refs": item_refs, "auto_files": auto_files})
@app.route("/preview-file")
@login_required
def preview_file():
"""Serve a job file inline (no download prompt) for PDF preview."""
folder_name = request.args.get("folder", "")
filename = request.args.get("file", "")
if not folder_name or not filename:
return "Missing parameters", 400
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return "Invalid folder", 400
folder = (WATCH_DIR / folder_name).resolve()
file_path = (folder / filename).resolve()
if not str(file_path).startswith(str(folder) + os.sep) and file_path != folder:
return "Invalid path", 400
if not file_path.exists():
return "File not found", 404
return send_file(str(file_path), mimetype="application/pdf") # inline, no as_attachment
@app.route("/download-job-zip")
@login_required
def download_job_zip():
"""Zip the entire job folder (excluding state.json) and stream it as a download."""
folder_name = request.args.get("folder", "")
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return "Invalid folder", 400
folder = (WATCH_DIR / folder_name).resolve()
if not folder.is_dir():
return "Folder not found", 404
buf = io.BytesIO()
with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
for f in sorted(folder.rglob("*")):
if f.is_file() and f.name != "state.json":
zf.write(f, f.relative_to(folder))
buf.seek(0)
return send_file(
buf,
as_attachment=True,
download_name=f"{folder_name}.zip",
mimetype="application/zip",
)
@app.route("/publish", methods=["POST"])
@login_required
def publish():
"""Copy job folder to SHARED_DIR. Errors if destination already exists."""
data = request.get_json(silent=True) or {}
folder_name = data.get("folder", "")
overwrite = bool(data.get("overwrite", False))
if not _SAFE_JOB_RE.match(folder_name) or ".." in folder_name:
return jsonify({"error": "Invalid folder"}), 400
src = (WATCH_DIR / folder_name).resolve()
if not src.is_dir():
return jsonify({"error": "Source folder not found"}), 400
SHARED_DIR.mkdir(parents=True, exist_ok=True)
dst = (SHARED_DIR / folder_name).resolve()
if not str(dst).startswith(str(SHARED_DIR.resolve())):
return jsonify({"error": "Invalid destination path"}), 400
if dst.exists():
if not overwrite:
return jsonify({"error": f'A folder named "{folder_name}" already exists in the shared directory', "exists": True}), 409
shutil.rmtree(str(dst))
shutil.copytree(str(src), str(dst))
return jsonify({"ok": True})
# ---------------------------------------------------------------------------
# Routes — single-item legacy workflow (unchanged)
# ---------------------------------------------------------------------------
@app.route("/upload", methods=["POST"])
@login_required
def upload():
shop = request.files.get("shop")
submittal = request.files.get("submittal")
carrier = request.files.get("carrier")
csv_file = request.files.get("csv")
job_name = request.form.get("job_name", "").strip()
if not (shop and shop.filename and submittal and submittal.filename
and carrier and carrier.filename):
return jsonify(error="shop, submittal, and carrier PDFs are required"), 400
for label, f in [("shop", shop), ("submittal", submittal), ("carrier", carrier)]:
if not f.filename.lower().endswith(".pdf"):
return jsonify(error=f"'{label}' must be a PDF file"), 400
if csv_file and csv_file.filename and not csv_file.filename.lower().endswith(".csv"):
return jsonify(error="csv must be a .csv file"), 400
job_id = re.sub(r"[^\w\s\-\.]", "_", job_name)[:80].strip() if job_name else str(uuid.uuid4())[:8]
job_folder = _safe_job_folder(job_id)
if _find_generated(job_folder):
return jsonify(job_id=job_id)
job_folder.mkdir(parents=True, exist_ok=True)
shop.save(job_folder / secure_filename(shop.filename))
submittal.save(job_folder / secure_filename(submittal.filename))
carrier.save(job_folder / secure_filename(carrier.filename))
if csv_file and csv_file.filename:
csv_file.save(job_folder / secure_filename(csv_file.filename))
t = threading.Thread(target=_run_merge_single, args=(job_folder,), daemon=True)
t.start()
return jsonify(job_id=job_id)
@app.route("/status/")
@login_required
def status(job_id):
job_folder = _safe_job_folder(job_id)
if not job_folder.is_dir():
abort(404)
generated = _find_generated(job_folder)
if generated:
return jsonify(status="done", filename=generated.name)
return jsonify(status="pending")
@app.route("/preview/")
@login_required
def preview(job_id):
job_folder = _safe_job_folder(job_id)
generated = _find_generated(job_folder)
if not generated:
abort(404)
return send_file(generated, mimetype="application/pdf")
@app.route("/download/")
@login_required
def download_pdf(job_id):
job_folder = _safe_job_folder(job_id)
generated = _find_generated(job_folder)
if not generated:
abort(404)
return send_file(generated, as_attachment=True, download_name=generated.name)
# ---------------------------------------------------------------------------
# Entry point
# ---------------------------------------------------------------------------
if __name__ == "__main__":
port = int(os.environ.get("PORT", 5001))
app.run(host="0.0.0.0", port=port, debug=False)