Brendan Chen
623a3374cf
Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.
Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.
Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.
310 lines
10 KiB
TypeScript
310 lines
10 KiB
TypeScript
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
|
|
import { createTestApp, type TestContext, loginAs, buildMultipart } from '../helpers/setup.ts';
|
|
import { createUser } from '../../src/db/users.ts';
|
|
import { hashPassword } from '../../src/services/auth.ts';
|
|
|
|
async function setup() {
|
|
const ctx = createTestApp();
|
|
const hash = await hashPassword('secret');
|
|
createUser(ctx.db, { username: 'alice', passwordHash: hash });
|
|
return ctx;
|
|
}
|
|
|
|
describe('GET /', () => {
|
|
let ctx: TestContext;
|
|
|
|
beforeEach(async () => { ctx = await setup(); });
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows login page when unauthenticated', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/' });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.headers['content-type']).toMatch(/text\/html/);
|
|
expect(res.body).toContain('Sign in');
|
|
});
|
|
|
|
it('redirects to /upload when authenticated', async () => {
|
|
const token = await loginAs(ctx.app, 'alice', 'secret');
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/', cookies: { nanodrop_session: token } });
|
|
expect(res.statusCode).toBe(302);
|
|
expect(res.headers['location']).toBe('/upload');
|
|
});
|
|
});
|
|
|
|
describe('POST /login (page)', () => {
|
|
let ctx: TestContext;
|
|
|
|
beforeEach(async () => { ctx = await setup(); });
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('redirects to /upload on valid credentials', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/login',
|
|
headers: { 'content-type': 'application/x-www-form-urlencoded' },
|
|
payload: 'username=alice&password=secret',
|
|
});
|
|
expect(res.statusCode).toBe(302);
|
|
expect(res.headers['location']).toBe('/upload');
|
|
expect(res.headers['set-cookie']).toMatch(/nanodrop_session=/);
|
|
});
|
|
|
|
it('shows login page with error on invalid credentials', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/login',
|
|
headers: { 'content-type': 'application/x-www-form-urlencoded' },
|
|
payload: 'username=alice&password=wrong',
|
|
});
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('Invalid');
|
|
});
|
|
});
|
|
|
|
describe('GET /upload + POST /upload', () => {
|
|
let ctx: TestContext;
|
|
let token: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = await setup();
|
|
token = await loginAs(ctx.app, 'alice', 'secret');
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows upload form', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/upload', cookies: { nanodrop_session: token } });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('Upload');
|
|
});
|
|
|
|
it('redirects to / when not authenticated', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/upload' });
|
|
expect(res.statusCode).toBe(302);
|
|
expect(res.headers['location']).toBe('/');
|
|
});
|
|
|
|
it('shows result page after upload', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: token },
|
|
...buildMultipart({ file: { filename: 'doc.txt', contentType: 'text/plain', data: Buffer.from('content') } }),
|
|
});
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('doc.txt');
|
|
expect(res.body).toContain('/f/');
|
|
});
|
|
});
|
|
|
|
describe('GET /f/:id and GET /f/:id/raw', () => {
|
|
let ctx: TestContext;
|
|
let fileId: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = await setup();
|
|
const token = await loginAs(ctx.app, 'alice', 'secret');
|
|
const uploadRes = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: token },
|
|
...buildMultipart({ file: { filename: 'hello.txt', contentType: 'text/plain', data: Buffer.from('hello!') } }),
|
|
});
|
|
// Extract file id from response body
|
|
const match = uploadRes.body.match(/\/f\/([^/"]+)/);
|
|
fileId = match?.[1] ?? '';
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows file view page', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}` });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('hello.txt');
|
|
});
|
|
|
|
it('serves raw file', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}/raw` });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toBe('hello!');
|
|
expect(res.headers['accept-ranges']).toBe('bytes');
|
|
});
|
|
|
|
it('returns 206 for a byte range request', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'GET',
|
|
url: `/f/${fileId}/raw`,
|
|
headers: { range: 'bytes=0-3' },
|
|
});
|
|
expect(res.statusCode).toBe(206);
|
|
expect(res.headers['content-range']).toBe('bytes 0-3/6');
|
|
expect(res.headers['content-length']).toBe('4');
|
|
expect(res.body).toBe('hell');
|
|
});
|
|
|
|
it('returns 206 for an open-ended range request', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'GET',
|
|
url: `/f/${fileId}/raw`,
|
|
headers: { range: 'bytes=2-' },
|
|
});
|
|
expect(res.statusCode).toBe(206);
|
|
expect(res.headers['content-range']).toBe('bytes 2-5/6');
|
|
expect(res.body).toBe('llo!');
|
|
});
|
|
|
|
it('returns 206 for a suffix range request', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'GET',
|
|
url: `/f/${fileId}/raw`,
|
|
headers: { range: 'bytes=-3' },
|
|
});
|
|
expect(res.statusCode).toBe(206);
|
|
expect(res.headers['content-range']).toBe('bytes 3-5/6');
|
|
expect(res.body).toBe('lo!');
|
|
});
|
|
|
|
it('returns 416 for an unsatisfiable range', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'GET',
|
|
url: `/f/${fileId}/raw`,
|
|
headers: { range: 'bytes=100-200' },
|
|
});
|
|
expect(res.statusCode).toBe(416);
|
|
expect(res.headers['content-range']).toBe('bytes */6');
|
|
});
|
|
|
|
it('returns 404 for unknown file', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/f/doesnotexist' });
|
|
expect(res.statusCode).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('GET /f/:id — image inline', () => {
|
|
let ctx: TestContext;
|
|
let fileId: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = await setup();
|
|
const token = await loginAs(ctx.app, 'alice', 'secret');
|
|
const uploadRes = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: token },
|
|
...buildMultipart({ file: { filename: 'photo.png', contentType: 'image/png', data: Buffer.from('fakepng') } }),
|
|
});
|
|
const match = uploadRes.body.match(/\/f\/([^/"]+)/);
|
|
fileId = match?.[1] ?? '';
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows <img> tag for image files', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}` });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('<img');
|
|
});
|
|
});
|
|
|
|
describe('GET /files — copy link', () => {
|
|
let ctx: TestContext;
|
|
let token: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = await setup();
|
|
token = await loginAs(ctx.app, 'alice', 'secret');
|
|
await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: token },
|
|
...buildMultipart({ file: { filename: 'test.txt', contentType: 'text/plain', data: Buffer.from('hi') } }),
|
|
});
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows Copy link button for each file', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: '/files', cookies: { nanodrop_session: token } });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('Copy link');
|
|
expect(res.body).toContain('class="table-wrap"');
|
|
});
|
|
});
|
|
|
|
describe('GET /f/:id — owner-aware header', () => {
|
|
let ctx: TestContext;
|
|
let aliceToken: string;
|
|
let bobToken: string;
|
|
let fileId: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = createTestApp();
|
|
const hash = await hashPassword('secret');
|
|
createUser(ctx.db, { username: 'alice', passwordHash: hash });
|
|
createUser(ctx.db, { username: 'bob', passwordHash: hash });
|
|
|
|
aliceToken = await loginAs(ctx.app, 'alice', 'secret');
|
|
bobToken = await loginAs(ctx.app, 'bob', 'secret');
|
|
|
|
const uploadRes = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: aliceToken },
|
|
...buildMultipart({ file: { filename: 'owned.txt', contentType: 'text/plain', data: Buffer.from('data') } }),
|
|
});
|
|
const match = uploadRes.body.match(/\/f\/([^/"]+)/);
|
|
fileId = match?.[1] ?? '';
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('shows nav when owner views their file', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: aliceToken } });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('My Files');
|
|
});
|
|
|
|
it('shows delete button when owner views', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: aliceToken } });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).toContain('delete');
|
|
});
|
|
|
|
it('no header when non-owner views', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: bobToken } });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).not.toContain('<header');
|
|
});
|
|
|
|
it('no header when unauthenticated', async () => {
|
|
const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}` });
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body).not.toContain('<header');
|
|
});
|
|
});
|
|
|
|
describe('POST /files/:id/delete', () => {
|
|
let ctx: TestContext;
|
|
let token: string;
|
|
let fileId: string;
|
|
|
|
beforeEach(async () => {
|
|
ctx = await setup();
|
|
token = await loginAs(ctx.app, 'alice', 'secret');
|
|
const uploadRes = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: '/upload',
|
|
cookies: { nanodrop_session: token },
|
|
...buildMultipart({ file: { filename: 'del.txt', contentType: 'text/plain', data: Buffer.from('bye') } }),
|
|
});
|
|
const match = uploadRes.body.match(/\/f\/([^/"]+)/);
|
|
fileId = match?.[1] ?? '';
|
|
});
|
|
afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
|
|
|
|
it('deletes and redirects to /files', async () => {
|
|
const res = await ctx.app.inject({
|
|
method: 'POST',
|
|
url: `/files/${fileId}/delete`,
|
|
cookies: { nanodrop_session: token },
|
|
});
|
|
expect(res.statusCode).toBe(302);
|
|
expect(res.headers['location']).toBe('/files');
|
|
});
|
|
});
|