fix: address second round of PR review feedback

- Make content field optional when attachments are present (MMS-only messages)
- SanitizeFilename: strip all non-alphanumeric chars, replace spaces with dashes
- Add 3MB total attachment size limit in validation
- Update tests for new SanitizeFilename behavior

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: AchoArnold

api/pkg/repositories/attachment_repository.go

@@ -81,10 +81,16 @@ func ContentTypeFromExtension(ext string) string {
 // Returns "attachment-{index}" if the sanitized name is empty.
 func SanitizeFilename(name string, index int) string {
 	name = strings.TrimSuffix(name, filepath.Ext(name))
-	name = strings.ReplaceAll(name, "/", "")
-	name = strings.ReplaceAll(name, "\\", "")
-	name = strings.ReplaceAll(name, "..", "")
-	name = strings.TrimSpace(name)
+
+	var builder strings.Builder
+	for _, r := range strings.ToLower(name) {
+		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
+			builder.WriteRune(r)
+		} else if r == ' ' {
+			builder.WriteRune('-')
+		}
+	}
+	name = strings.Trim(builder.String(), "-")
 
 	if name == "" {
 		return fmt.Sprintf("attachment-%d", index)

api/pkg/repositories/attachment_repository_test.go

@@ -43,10 +43,14 @@ func TestSanitizeFilename(t *testing.T) {
 		{"photo.jpg", 0, "photo"},
 		{"../../etc/passwd", 0, "etcpasswd"},
 		{"hello/world\\test", 0, "helloworldtest"},
-		{"normal_file", 0, "normal_file"},
+		{"normal_file", 0, "normalfile"},
 		{"", 0, "attachment-0"},
 		{"   ", 0, "attachment-0"},
 		{"...", 1, "attachment-1"},
+		{"My Photo", 0, "my-photo"},
+		{"file name with spaces.png", 0, "file-name-with-spaces"},
+		{"UPPER_CASE", 0, "uppercase"},
+		{"special!@#chars", 0, "specialchars"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

api/pkg/validators/message_handler_validator.go

@@ -48,8 +48,9 @@ func NewMessageHandlerValidator(
 }
 
 const (
-	maxAttachmentCount = 10
-	maxAttachmentSize  = (3 * 1024 * 1024) / 2 // 1.5 MB
+	maxAttachmentCount    = 10
+	maxAttachmentSize     = (3 * 1024 * 1024) / 2 // 1.5 MB per attachment
+	maxTotalAttachmentSize = 3 * 1024 * 1024       // 3 MB total
 )
 
 // ValidateMessageReceive validates the requests.MessageReceive request
@@ -64,11 +65,12 @@ func (validator MessageHandlerValidator) ValidateMessageReceive(_ context.Contex
 			"from": []string{
 				"required",
 			},
-			"content": []string{
-				"required",
-				"min:1",
-				"max:2048",
-			},
+			"content": func() []string {
+				if len(request.Attachments) > 0 {
+					return []string{"max:2048"}
+				}
+				return []string{"required", "min:1", "max:2048"}
+			}(),
 			"sim": []string{
 				"required",
 				"in:" + strings.Join([]string{
@@ -102,6 +104,7 @@ func (validator MessageHandlerValidator) validateAttachments(attachments []reque
 		return errors
 	}
 
+	totalSize := 0
 	for i, attachment := range attachments {
 		if !allowedTypes[attachment.ContentType] {
 			errors.Add("attachments", fmt.Sprintf("attachment [%d] has unsupported content type [%s]", i, attachment.ContentType))
@@ -117,6 +120,12 @@ func (validator MessageHandlerValidator) validateAttachments(attachments []reque
 		if len(decoded) > maxAttachmentSize {
 			errors.Add("attachments", fmt.Sprintf("attachment [%d] size [%d] exceeds maximum of [%d] bytes", i, len(decoded), maxAttachmentSize))
 		}
+
+		totalSize += len(decoded)
+	}
+
+	if totalSize > maxTotalAttachmentSize {
+		errors.Add("attachments", fmt.Sprintf("total attachment size [%d] exceeds maximum of [%d] bytes", totalSize, maxTotalAttachmentSize))
 	}
 
 	return errors