bugfix: second-pass audit follow-ups (N1-N4)

Four small follow-ups from the second-pass audit:

- N1: `manga_upload_rolls_back_when_cover_storage_fails` covers the
  manga-side of the transactional rollback path. The chapter case had
  a `FailingStorage` regression test already; this completes the
  symmetric pair. With fail-on-put-index=0, the cover put fails on
  the first call, the transaction aborts, and `SELECT count(*) FROM
  mangas WHERE title = 'Berserk'` is 0.

- N2: The SvelteKit proxy now catches network-layer failures from the
  upstream `fetch` (DNS / connection refused / TLS handshake) and
  returns a 502 with the standard error envelope
  (`code: 'upstream_unavailable'`) instead of letting SvelteKit's
  generic 500 HTML page through. `client.ts` can `.json()` the result
  cleanly so callers see a real ApiError with a meaningful code. The
  underlying cause is logged via `console.error` for the operator.
  Test in hooks.server.test.ts asserts the 502, the JSON envelope, and
  that `resolve` is not called (the proxy short-circuits).

- N3: `GET /api/v1/files/*key` now sets
  `X-Content-Type-Options: nosniff`. The upload-time magic-byte sniff
  is authoritative for what we declare as Content-Type; `nosniff`
  makes the contract explicit so older user-agents can't try to
  re-detect HTML/JS in a polyglot file that survived the sniff. Test
  in api_uploads.rs asserts the header.

- N4: The /bookmarks page used `{#if b.page}` to gate the "— page N"
  display, which falsy-elided a legitimate `page == 0`. Backend now
  rejects `page < 1` for new bookmarks (already shipped in 0.9.4),
  but any pre-0.9.4 row with page=0 still rendered without its
  number. Strengthened to `{#if b.page != null && b.page > 0}`.

Lockstep version bump to 0.10.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MechaCat02
2026-05-16 23:55:53 +02:00
parent 69eca21fb5
commit a8d6da167c
8 changed files with 95 additions and 6 deletions


@@ -162,6 +162,12 @@ async fn files_endpoint_streams_in_multiple_frames(pool: PgPool) {
resp.headers().get(header::CONTENT_LENGTH).unwrap(),
big.len().to_string().as_str()
);
// Browsers must trust the declared Content-Type rather than sniff
// the body — the upload-time magic-byte check is authoritative.
assert_eq!(
resp.headers().get("x-content-type-options").unwrap(),
"nosniff"
);
let mut body = resp.into_body();
let mut frames = 0usize;
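Review bot: the new assertion looks the header up by the string literal `"x-content-type-options"` while the line above uses `header::CONTENT_LENGTH`; the `http` crate exports `header::X_CONTENT_TYPE_OPTIONS`, so prefer that for consistency and so a typo in the name fails at compile time rather than as a missing-header panic. Also note the header is only asserted on the successful streaming response here; since the commit message says the route now sets it, consider a second assertion on whatever non-200 response the route returns for a missing key, otherwise the guarantee is only half tested.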
@@ -323,6 +329,41 @@ async fn create_chapter_requires_authentication(pool: PgPool) {
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
#[sqlx::test(migrations = "./migrations")]
async fn manga_upload_rolls_back_when_cover_storage_fails(pool: PgPool) {
// First `put` call errors. The manga create handler is the only
// thing that hits storage here, so the cover put on the first
// request triggers the injected failure and the transaction must
// roll back.
let h = common::harness_with_failing_storage(pool.clone(), 0);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new()
.add_json("metadata", json!({ "title": "Berserk" }))
.add_file("cover", "cover.png", "image/png", &common::fake_png_bytes()),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::INTERNAL_SERVER_ERROR);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "internal_error");
// No manga row with that title — the INSERT inside the tx was
// rolled back when the cover put failed.
let (count,): (i64,) =
sqlx::query_as("SELECT count(*) FROM mangas WHERE title = $1")
.bind("Berserk")
.fetch_one(&pool)
.await
.unwrap();
assert_eq!(count, 0, "rolled-back manga must not persist");
}
#[sqlx::test(migrations = "./migrations")]
async fn chapter_upload_rolls_back_when_storage_fails_mid_loop(pool: PgPool) {
// Configure storage so the second `put` call (0-indexed: index 1)
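Review bot: `harness_with_failing_storage(pool.clone(), 0)` is built before `common::register_user`, so the test silently depends on registration never performing a storage `put`; the comment at the top states that assumption but nothing enforces it, and a future change (for example an avatar written during registration) would consume index 0 and turn this into a passing test of the wrong request. Suggest asserting the storage call count or the failed index after the request, or constructing the failing harness after registration, so the injected failure is provably the cover put. The rollback check itself counts only `mangas`; if the create handler inserts into related tables inside the same transaction, a count on those would make the "transaction aborts" claim in the commit message fully covered.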