The File Manager module provides presigned URL operations against object storage (S3 / Digital Ocean Spaces) and listing/search utilities. The FileManagerController is mounted at /file-manager. For file uploads, use POST /v1/documents/upload in the document module — that endpoint does the upload server-side, validates MIME + size, and atomically creates a row in the Documents table. File Manager only exposes presigned read/delete operations + storage administration utilities.
| Property | Value |
| --- | --- |
| Base URL | {HOST}/v1 |
| Auth | Bearer JWT (header Authorization) or cookie access_token |
| Content-Type | application/json |
| Error envelope | { "message": string \| string[], "statusCode": number, "error": string } |
| Validation | Global ValidationPipe · whitelist: true, forbidNonWhitelisted: true · unknown field → 400 |
| Related modules | document, users, organizations |
| Document version | v1 · 2026-05-20 |
| Audience | Internal FE devs (mobile + web) |
For file upload use POST /v1/documents/upload (see the document module). File Manager provides operations after the file is in storage: a presigned view URL via GET /file-manager, a presigned delete URL via DELETE /file-manager/:file_key, or a public URL via GET /file-manager/public-url/:file_key. The list, list-all, folders, search, and storage-size endpoints are administrative (require the manage-storage permission).
| Method | Path | Auth | Summary |
| --- | --- | --- | --- |
| GET | /v1/file-manager | bearer | Get a presigned view URL for a file |
| DELETE | /v1/file-manager/:file_key | bearer | Get a presigned delete URL |
| GET | /v1/file-manager/public-url/:file_key | bearer | Get a public URL for a file |
| GET | /v1/file-manager/list | bearer | List files + folders at one level (admin) |
| GET | /v1/file-manager/list-all | bearer | List every file recursively (admin) |
| GET | /v1/file-manager/folders | bearer | List every folder (admin) |
| GET | /v1/file-manager/search | bearer | Search files by name pattern (admin) |
| GET | /v1/file-manager/storage-size | bearer | Total storage size (admin) |
Auth + scope notes
All endpoints require Bearer JWT. There is no @Roles on the controller — gating is done via @Permissions.
Permissions used: read-document (view / public-url), delete-document (delete), manage-storage (list / search / size).
file_key is the S3 object key (e.g. uploads/2026/05/profile-abc.jpg). Pass it back as-is when calling view/delete/public endpoints.
For new uploads, use POST /v1/documents/upload — the document module documents that upload flow in full.
Returns a presigned view URL for a file in object storage. Used when the file is stored privately; the URL has a limited lifetime (service TTL).
bearer
read-document
RESOURCE_FETCHED
| Param | Type | Required | Notes |
| --- | --- | --- | --- |
| file_key | string | ✓ | Object key returned on upload (e.g. uploads/profile-images/abc-1729-profile.jpg) |

"message": "url to view file fetched successfully",
"url": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/uploads/profile-images/abc-1729-profile.jpg?X-Amz-Algorithm=...",
"file_key": "uploads/profile-images/abc-1729-profile.jpg"

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing read-document permission |
Returns a presigned delete URL for a file. FE must then call that URL with the DELETE method to actually remove the object from the bucket.
bearer
delete-document
RESOURCE_DELETED
| Param | Type | Notes |
| --- | --- | --- |
| file_key | string | Object key to delete. Since / cannot appear in a single path param, encode subfolders as %2F |

"message": "url to delete file fetched successfully",
"url": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/...?X-Amz-Algorithm=...",
"file_key": "uploads/profile-images/abc-1729-profile.jpg"

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing delete-document permission |
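The two-step delete described above, as an added JavaScript example (not code from the File Manager project). The helper names, the injected `fetchImpl`, the dot-segment check, and the assumption that `url` and `file_key` sit at the top level of the response body are all illustrative.

```javascript
// Added example, not project code. Pass the global fetch as `fetchImpl` in an app.

// A path param cannot contain "/", so the whole key is percent-encoded (/ -> %2F).
function encodeFileKey(fileKey) {
  if (typeof fileKey !== "string" || fileKey.length === 0) {
    throw new TypeError("file_key must be a non-empty string");
  }
  // Assumption: real keys never contain dot segments. Rejecting them client-side
  // keeps a malformed key from being normalised into a different path in transit.
  if (fileKey.split("/").some((seg) => seg === "." || seg === "..")) {
    throw new RangeError("file_key contains a dot segment");
  }
  return encodeURIComponent(fileKey);
}

// The error envelope's `message` is string | string[]; flatten it for display.
function errorText(envelope) {
  const m = envelope && envelope.message;
  return Array.isArray(m) ? m.join("; ") : String(m ?? "Unknown error");
}

async function deleteFile(host, token, fileKey, fetchImpl) {
  // Step 1: ask the API for a presigned delete URL (needs delete-document).
  const api = `${host}/v1/file-manager/${encodeFileKey(fileKey)}`;
  const res = await fetchImpl(api, {
    method: "DELETE",
    headers: { Authorization: `Bearer ${token}` },
  });
  const body = await res.json();
  if (!res.ok) throw new Error(`${res.status}: ${errorText(body)}`);

  // Follow only an https URL, and only if the API echoed the key we asked for.
  const target = new URL(body.url);
  if (target.protocol !== "https:" || body.file_key !== fileKey) {
    throw new Error("unexpected presigned delete response");
  }
  // Step 2: call the presigned URL itself. It carries its own signature, so the
  // Bearer token is deliberately not sent to the storage host.
  const del = await fetchImpl(target.href, { method: "DELETE" });
  if (!del.ok) throw new Error(`storage delete failed: ${del.status}`);
  return { deleted: fileKey };
}
```
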
Returns the public URL of a file (no signature). Used for files that are genuinely public (e.g. organization logos, profile pictures). No TTL — the URL is valid as long as the object exists.
bearer
read-document
RESOURCE_FETCHED
| Param | Type | Notes |
| --- | --- | --- |
| file_key | string | File object key (encode / as %2F) |

"message": "public file url file fetched successfully",
"public_url": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/uploads/profile-images/abc-1729-profile.jpg",
"file_key": "uploads/profile-images/abc-1729-profile.jpg"

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing read-document permission |
List files and subfolders at a single level inside the bucket. Administrative endpoint — requires the manage-storage permission. Supports limited pagination via maxKeys.
bearer
manage-storage
RESOURCE_FETCHED
| Param | Type | Default | Notes |
| --- | --- | --- | --- |
| prefix | string | — | Folder being opened (e.g. uploads/). Empty → bucket root |
| maxKeys | number | 1000 | Maximum number of items returned |

"key": "uploads/profile-images/abc-1729-profile.jpg",
"lastModified": "2026-05-20T08:30:00.000Z",
"etag": "\"abcdef0123456789\"",
"publicUrl": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/uploads/profile-images/abc-1729-profile.jpg"
"uploads/profile-images/",
"nextContinuationToken": null

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing manage-storage permission |
List every file recursively under a given prefix. Administrative endpoint. Use with caution on a large bucket — the service paginates through S3 until exhausted.
bearer
manage-storage
RESOURCE_FETCHED
| Param | Type | Default | Notes |
| --- | --- | --- | --- |
| prefix | string | — | Root folder of the traversal. Empty → every file in the bucket |

"key": "uploads/profile-images/abc-1729-profile.jpg",
"lastModified": "2026-05-20T08:30:00.000Z",
"etag": "\"abcdef0123456789\"",
"publicUrl": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/uploads/profile-images/abc-1729-profile.jpg"

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing manage-storage permission |
List folders at the bucket root. Parameterless administrative endpoint — returns an array of folder name strings and the count.
bearer
manage-storage
RESOURCE_FETCHED
| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing manage-storage permission |
Search files by name pattern (substring match, case-insensitive). Administrative endpoint. The server runs listAllFiles(prefix) and filters in memory — use prefix to narrow the scope.
bearer
manage-storage
RESOURCE_FETCHED
| Param | Type | Required | Notes |
| --- | --- | --- | --- |
| term | string | ✓ | Name pattern to search for (e.g. profile). Required — if empty the server returns { status: "error", message: "Search term is required" } |
| prefix | string | optional | Folder used to scope the search |

"key": "uploads/profile-images/abc-1729-profile.jpg",
"lastModified": "2026-05-20T08:30:00.000Z",
"etag": "\"abcdef0123456789\"",
"publicUrl": "https://moria-bucket.s3.ap-southeast-1.amazonaws.com/uploads/profile-images/abc-1729-profile.jpg"

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing manage-storage permission |
Returns total storage size (bytes / MB / GB) and file count under prefix. Administrative endpoint for the capacity dashboard.
bearer
manage-storage
RESOURCE_FETCHED
| Param | Type | Default | Notes |
| --- | --- | --- | --- |
| prefix | string | — | Folder being measured. Empty → the entire bucket (label root) |

"totalSizeMB": "5120.00",

| Status | When it occurs |
| --- | --- |
| 401 Unauthorized | Invalid Bearer/cookie token |
| 403 Forbidden | Missing manage-storage permission |
read-document — GET view URL, GET public URL
delete-document — DELETE :file_key
manage-storage — list / list-all / folders / search / storage-size
key — object key in the bucket
size — size in bytes
lastModified — ISO 8601 timestamp
etag — S3 etag (already includes the double-quotes)
isFolder — boolean
publicUrl — public URL (if the bucket is public-read)
"message": "Forbidden resource",
message can be a string or an array of strings (multi-field validation errors).
400 empty file / missing required parameter
401 token expired / missing
403 insufficient permission
500 S3 / network error — show a generic toast
The document module — new upload flow (auth-required, MIME validation, atomic Documents row).