chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,192 @@
|
||||
/**
|
||||
* @vitest-environment node
|
||||
*/
|
||||
import { NextRequest } from 'next/server'
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const {
|
||||
mockResolveActiveShareByToken,
|
||||
mockEnforceRateLimit,
|
||||
mockValidateDeploymentAuth,
|
||||
mockSetDeploymentAuthCookie,
|
||||
} = vi.hoisted(() => ({
|
||||
mockResolveActiveShareByToken: vi.fn(),
|
||||
mockEnforceRateLimit: vi.fn(),
|
||||
mockValidateDeploymentAuth: vi.fn(),
|
||||
mockSetDeploymentAuthCookie: vi.fn(),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/public-shares/share-manager', () => ({
|
||||
resolveActiveShareByToken: mockResolveActiveShareByToken,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/public-shares/rate-limit', () => ({
|
||||
enforcePublicFileRateLimit: mockEnforceRateLimit,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/security/deployment-auth', () => ({
|
||||
validateDeploymentAuth: mockValidateDeploymentAuth,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/security/deployment', () => ({
|
||||
setDeploymentAuthCookie: mockSetDeploymentAuthCookie,
|
||||
}))
|
||||
|
||||
import { NextResponse } from 'next/server'
|
||||
import { GET, POST } from '@/app/api/files/public/[token]/route'
|
||||
|
||||
const params = (token = 'tok_1') => ({ params: Promise.resolve({ token }) })
|
||||
const request = (token = 'tok_1') => new NextRequest(`http://localhost/api/files/public/${token}`)
|
||||
const postRequest = (password: string, token = 'tok_1') =>
|
||||
new NextRequest(`http://localhost/api/files/public/${token}`, {
|
||||
method: 'POST',
|
||||
headers: { 'content-type': 'application/json' },
|
||||
body: JSON.stringify({ password }),
|
||||
})
|
||||
|
||||
const publicShare = {
|
||||
share: { id: 'sh_1', token: 'tok_1', authType: 'public', password: null },
|
||||
file: {
|
||||
id: 'wf_1',
|
||||
key: 'workspace/ws/secret-key.pdf',
|
||||
workspaceId: 'ws-secret',
|
||||
originalName: 'report.pdf',
|
||||
contentType: 'application/pdf',
|
||||
size: 2048,
|
||||
},
|
||||
workspaceName: 'Acme Workspace',
|
||||
ownerName: 'Jane Doe',
|
||||
}
|
||||
|
||||
const passwordShare = {
|
||||
...publicShare,
|
||||
share: { id: 'sh_1', token: 'tok_1', authType: 'password', password: 'enc:secret' },
|
||||
}
|
||||
|
||||
describe('GET /api/files/public/[token]', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockEnforceRateLimit.mockResolvedValue(null) // allow by default
|
||||
mockValidateDeploymentAuth.mockResolvedValue({ authorized: true }) // public by default
|
||||
})
|
||||
|
||||
it('returns 429 when the per-IP rate limit is exceeded', async () => {
|
||||
mockEnforceRateLimit.mockResolvedValueOnce(
|
||||
NextResponse.json({ error: 'Too many requests. Please try again later.' }, { status: 429 })
|
||||
)
|
||||
const res = await GET(request(), params())
|
||||
expect(res.status).toBe(429)
|
||||
expect(mockResolveActiveShareByToken).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns 404 for an unknown or inactive token', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce(null)
|
||||
const res = await GET(request(), params())
|
||||
expect(res.status).toBe(404)
|
||||
})
|
||||
|
||||
it('returns public-safe metadata without leaking the key or workspace id', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce(publicShare)
|
||||
const res = await GET(request(), params())
|
||||
expect(res.status).toBe(200)
|
||||
const body = await res.json()
|
||||
expect(body).toEqual({
|
||||
token: 'tok_1',
|
||||
name: 'report.pdf',
|
||||
type: 'application/pdf',
|
||||
size: 2048,
|
||||
workspaceName: 'Acme Workspace',
|
||||
ownerName: 'Jane Doe',
|
||||
})
|
||||
expect(JSON.stringify(body)).not.toContain('secret-key')
|
||||
expect(JSON.stringify(body)).not.toContain('ws-secret')
|
||||
})
|
||||
|
||||
it('returns 401 auth_required_password for a password share without a valid cookie', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce(passwordShare)
|
||||
mockValidateDeploymentAuth.mockResolvedValueOnce({
|
||||
authorized: false,
|
||||
error: 'auth_required_password',
|
||||
})
|
||||
const res = await GET(request(), params())
|
||||
expect(res.status).toBe(401)
|
||||
expect((await res.json()).error).toBe('auth_required_password')
|
||||
expect(mockValidateDeploymentAuth).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
passwordShare.share,
|
||||
expect.anything(),
|
||||
undefined,
|
||||
'file'
|
||||
)
|
||||
})
|
||||
|
||||
it('serves metadata for a password share once authorized by cookie', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce(passwordShare)
|
||||
mockValidateDeploymentAuth.mockResolvedValueOnce({ authorized: true })
|
||||
const res = await GET(request(), params())
|
||||
expect(res.status).toBe(200)
|
||||
expect((await res.json()).name).toBe('report.pdf')
|
||||
})
|
||||
})
|
||||
|
||||
describe('POST /api/files/public/[token]', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockResolveActiveShareByToken.mockResolvedValue(passwordShare)
|
||||
})
|
||||
|
||||
it('sets the file_auth cookie and returns the authType on a correct password', async () => {
|
||||
mockValidateDeploymentAuth.mockResolvedValueOnce({ authorized: true })
|
||||
const res = await POST(postRequest('hunter2'), params())
|
||||
expect(res.status).toBe(200)
|
||||
expect(await res.json()).toEqual({ authType: 'password' })
|
||||
expect(mockSetDeploymentAuthCookie).toHaveBeenCalledWith(
|
||||
expect.anything(),
|
||||
'file',
|
||||
'sh_1',
|
||||
'password',
|
||||
'enc:secret'
|
||||
)
|
||||
})
|
||||
|
||||
it('refuses to mint a cookie for a non-password (e.g. public) share', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce({
|
||||
...passwordShare,
|
||||
share: { id: 'sh_1', token: 'tok_1', authType: 'public', password: null },
|
||||
})
|
||||
const res = await POST(postRequest('whatever'), params())
|
||||
expect(res.status).toBe(400)
|
||||
expect(mockValidateDeploymentAuth).not.toHaveBeenCalled()
|
||||
expect(mockSetDeploymentAuthCookie).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns 401 Invalid password on mismatch without setting a cookie', async () => {
|
||||
mockValidateDeploymentAuth.mockResolvedValueOnce({
|
||||
authorized: false,
|
||||
error: 'Invalid password',
|
||||
})
|
||||
const res = await POST(postRequest('wrong'), params())
|
||||
expect(res.status).toBe(401)
|
||||
expect((await res.json()).error).toBe('Invalid password')
|
||||
expect(mockSetDeploymentAuthCookie).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns 429 with Retry-After when password attempts are rate-limited', async () => {
|
||||
mockValidateDeploymentAuth.mockResolvedValueOnce({
|
||||
authorized: false,
|
||||
error: 'Too many attempts. Please try again later.',
|
||||
status: 429,
|
||||
retryAfterMs: 60_000,
|
||||
})
|
||||
const res = await POST(postRequest('wrong'), params())
|
||||
expect(res.status).toBe(429)
|
||||
expect(res.headers.get('Retry-After')).toBe('60')
|
||||
expect(mockSetDeploymentAuthCookie).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns 404 for an unknown token', async () => {
|
||||
mockResolveActiveShareByToken.mockResolvedValueOnce(null)
|
||||
const res = await POST(postRequest('hunter2'), params())
|
||||
expect(res.status).toBe(404)
|
||||
})
|
||||
})
|
||||
Reference in New Issue
Block a user