feat: multipart manga + chapter uploads with magic-byte MIME sniff

POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept
multipart/form-data, gated by CurrentUser:

- /mangas: required `metadata` part (NewManga JSON) + optional `cover`
  image part.
- /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or
  more `page` parts ordered by arrival. Returns 404 if the parent manga
  doesn't exist, 409 on duplicate (manga_id, number).

MIME is sniffed via the `infer` crate (magic bytes), not the
client-supplied filename or Content-Type. Whitelist:
jpeg / png / webp / gif / avif. Anything else → 415
unsupported_media_type. The stored key's extension is derived from the
sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`.

Size cap is two-layer:
- Request body cap (config.max_request_bytes, default 200 MiB) enforced
  by axum's DefaultBodyLimit before the handler sees the request.
- Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced
  after reading the part, so a single oversized image can't pass even
  if the total request fits.

Storage keys follow the layout documented in CLAUDE.md:
- mangas/{manga_id}/cover.{ext}
- mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed).

AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed
(413 / 415 / 422). ValidationFailed carries a `details` JSON object the
client can use to highlight bad fields (e.g. {"title":"required"}).
Top-level matching in code() stays exhaustive.

Backend coverage in tests/api_uploads.rs (10 cases):
- create_manga_with_cover_stores_image — file is reachable via
  /api/v1/files/{key} with the right Content-Type.
- create_manga_without_cover_leaves_path_null.
- create_manga_rejects_non_image_cover_with_415 — PDF claimed as png.
- create_manga_rejects_oversized_cover_with_413.
- create_chapter_with_pages_stores_each — extension derived from
  sniffed MIME, files reachable in arrival order.
- create_chapter_rejects_when_no_pages_with_422 — details.page set.
- create_chapter_rejects_renamed_non_image_page → 415.
- create_chapter_returns_409_on_duplicate_number.
- create_chapter_requires_authentication → 401.
- create_chapter_under_unknown_manga_is_404.

Existing tests/api_mangas.rs is migrated to multipart; the create
response is now 201 Created. tests/common::MultipartBuilder builds the
body by hand so the test crate stays free of HTTP-client deps.

Frontend lib/api/mangas.ts: createManga now sends FormData (metadata +
optional cover Blob). Browser fills in the boundary header automatically.
Vitest asserts the FormData structure via FileReader (jsdom doesn't
implement Blob.text()).

E2E tests wait for the post-hydration nav-login link before
interacting with the login form, fixing a flake where pre-hydration
clicks would submit via the browser default and bypass our handler.

Lockstep version bump to 0.5.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MechaCat02
2026-05-16 22:21:10 +02:00
parent 2f9912533f
commit a92f6f70e2
17 changed files with 931 additions and 75 deletions
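
The upload checks the commit message describes (per-part size cap, magic-byte sniff against the allowlist, storage-key extension taken from the sniffed type), as an added example that is not code from this commit. It checks signatures by hand instead of calling the `infer` crate so it has no dependencies; `sniff_image`, `page_key`, `UploadError`, the AVIF brand check and the order of the two checks are assumptions of the example.

```rust
// Added illustration, not mangalord's code. Names and check order are assumed.
#[derive(Debug, PartialEq)]
enum UploadError {
    PayloadTooLarge,      // maps to 413
    UnsupportedMediaType, // maps to 415
}

/// Returns (mime, extension) for an allowlisted image signature.
/// The client filename and Content-Type are never consulted.
fn sniff_image(b: &[u8]) -> Option<(&'static str, &'static str)> {
    if b.starts_with(&[0xFF, 0xD8, 0xFF]) {
        return Some(("image/jpeg", "jpg"));
    }
    if b.starts_with(&[0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A]) {
        return Some(("image/png", "png"));
    }
    if b.starts_with(b"GIF87a") || b.starts_with(b"GIF89a") {
        return Some(("image/gif", "gif"));
    }
    if b.len() >= 12 && &b[..4] == b"RIFF" && &b[8..12] == b"WEBP" {
        return Some(("image/webp", "webp"));
    }
    // Simplified: only the major brand of the ISO-BMFF `ftyp` box is checked.
    if b.len() >= 12 && &b[4..8] == b"ftyp" && (&b[8..12] == b"avif" || &b[8..12] == b"avis") {
        return Some(("image/avif", "avif"));
    }
    None
}

/// Hypothetical helper: apply the per-part cap, sniff, then build the page key
/// in the documented layout (1-indexed, zero-padded to four digits).
fn page_key(
    manga_id: &str,
    chapter_id: &str,
    index: usize,
    bytes: &[u8],
    max_file_bytes: usize,
) -> Result<String, UploadError> {
    if bytes.len() > max_file_bytes {
        return Err(UploadError::PayloadTooLarge);
    }
    let (_mime, ext) = sniff_image(bytes).ok_or(UploadError::UnsupportedMediaType)?;
    Ok(format!(
        "mangas/{}/chapters/{}/pages/{:04}.{}",
        manga_id, chapter_id, index, ext
    ))
}

fn main() {
    // Constructed sample: JPEG signature that a client uploaded as "page1.png".
    let jpeg = [0xFF, 0xD8, 0xFF, 0xE0, 0, 0x10, b'J', b'F', b'I', b'F', 0, 0];
    println!("{:?}", page_key("m1", "c1", 1, &jpeg, 20 * 1024 * 1024));
}
```

A signature match only shows how the bytes start; it does not prove the rest of the file decodes as an image.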


@@ -5,27 +5,13 @@ use serde_json::json;
use sqlx::PgPool;
use tower::ServiceExt;
use uuid::Uuid;
#[allow(unused_imports)]
use serde_json as _;
/// Create a manga via the API (which requires auth) and return its id +
/// the session cookie of the user who owns it.
async fn seed_manga(h: &common::Harness, cookie: &str, title: &str) -> Uuid {
let resp = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
"/api/v1/mangas",
json!({ "title": title }),
cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
Uuid::parse_str(body["id"].as_str().unwrap()).unwrap()
common::seed_manga_via_api(&h.app, cookie, title).await
}
/// Insert a chapter directly via the repo (the upload handler that does
/// this from HTTP lands in feat/uploads).
async fn seed_chapter(pool: &PgPool, manga_id: Uuid, number: i32, title: Option<&str>) {
mangalord::repo::chapter::create(pool, manga_id, number, title)
.await
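Review bot: The doc comment above `seed_chapter` still says the HTTP upload handler "lands in feat/uploads", but this commit adds POST /api/v1/mangas/{id}/chapters, so the comment is stale. Reword it to say the direct repo insert is deliberate (no page files needed), or seed through the new endpoint. The comment above `seed_manga` also promises "its id + the session cookie" while the signature returns only `Uuid`. The `#[allow(unused_imports)] use serde_json as _;` pair reads like a workaround for a `serde_json::json` import that is no longer used here; dropping the unused import would be cleaner than silencing the lint.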


@@ -5,6 +5,12 @@ use serde_json::json;
use sqlx::PgPool;
use tower::ServiceExt;
use common::MultipartBuilder;
fn metadata(title: &str) -> serde_json::Value {
json!({ "title": title })
}
#[sqlx::test(migrations = "./migrations")]
async fn list_is_empty_initially(pool: PgPool) {
let h = common::harness(pool);
@@ -25,14 +31,17 @@ async fn create_then_list_roundtrip(pool: PgPool) {
let created = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
json!({ "title": "Berserk", "author": "Kentaro Miura", "description": null }),
MultipartBuilder::new().add_json(
"metadata",
json!({ "title": "Berserk", "author": "Kentaro Miura", "description": null }),
),
&cookie,
))
.await
.unwrap();
assert_eq!(created.status(), StatusCode::OK);
assert_eq!(created.status(), StatusCode::CREATED);
let body = common::body_json(created).await;
assert_eq!(body["title"], "Berserk");
assert_eq!(body["author"], "Kentaro Miura");
@@ -58,9 +67,10 @@ async fn search_filters_by_title_and_author(pool: PgPool) {
let _ = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
json!({ "title": title, "author": author }),
MultipartBuilder::new()
.add_json("metadata", json!({ "title": title, "author": author })),
&cookie,
))
.await
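Review bot: The seeding call in `search_filters_by_title_and_author` discards its response with `let _ =`. The create endpoint now has more ways to reject a request (415, 413, 422), so assert `StatusCode::CREATED` on each seed; otherwise a broken seed shows up later as a confusing search mismatch instead of failing at the create call.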
@@ -98,23 +108,41 @@ async fn search_filters_by_title_and_author(pool: PgPool) {
}
#[sqlx::test(migrations = "./migrations")]
async fn create_rejects_empty_title_with_envelope(pool: PgPool) {
async fn create_rejects_empty_title_with_validation_failed(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_json_with_cookie(
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
json!({ "title": " ", "author": null }),
MultipartBuilder::new().add_json("metadata", metadata(" ")),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "invalid_input");
let msg = body["error"]["message"].as_str().expect("message is string");
assert!(!msg.is_empty(), "message should be non-empty");
assert_eq!(body["error"]["code"], "validation_failed");
assert!(body["error"]["details"]["title"].is_string());
}
#[sqlx::test(migrations = "./migrations")]
async fn create_rejects_missing_metadata_part(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new(), // no metadata part
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "validation_failed");
assert_eq!(body["error"]["details"]["metadata"], "required");
}
#[sqlx::test(migrations = "./migrations")]
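Review bot: In `create_rejects_empty_title_with_validation_failed`, `details.title` is only checked with `is_string()`, while the sibling test pins `details.metadata` to "required". Pin the title value as well, since the commit message presents `details` as the contract clients use to highlight fields. The two cases also leave a gap: a `metadata` part that is present but is not valid NewManga JSON has no test, so the status returned for that input is unspecified here.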
@@ -122,9 +150,9 @@ async fn create_requires_authentication(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::post_json(
.oneshot(common::post_multipart(
"/api/v1/mangas",
json!({ "title": "Berserk" }),
MultipartBuilder::new().add_json("metadata", metadata("Berserk")),
))
.await
.unwrap();


@@ -0,0 +1,275 @@
mod common;
use axum::http::StatusCode;
use serde_json::json;
use sqlx::PgPool;
use tower::ServiceExt;
use uuid::Uuid;
use common::MultipartBuilder;
#[sqlx::test(migrations = "./migrations")]
async fn create_manga_with_cover_stores_image(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.clone()
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new()
.add_json("metadata", json!({ "title": "Berserk" }))
.add_file("cover", "cover.png", "image/png", &common::fake_png_bytes()),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let body = common::body_json(resp).await;
let manga_id = Uuid::parse_str(body["id"].as_str().unwrap()).unwrap();
let cover_path = body["cover_image_path"]
.as_str()
.expect("cover_image_path set after upload");
assert_eq!(cover_path, &format!("mangas/{manga_id}/cover.png"));
// The blob is reachable via the files endpoint and round-trips byte-for-byte.
let file_resp = h
.app
.oneshot(common::get(&format!("/api/v1/files/{cover_path}")))
.await
.unwrap();
assert_eq!(file_resp.status(), StatusCode::OK);
let ct = file_resp
.headers()
.get(axum::http::header::CONTENT_TYPE)
.unwrap();
assert_eq!(ct, "image/png");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_manga_without_cover_leaves_path_null(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new().add_json("metadata", json!({ "title": "Solo Manga" })),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let body = common::body_json(resp).await;
assert!(body["cover_image_path"].is_null());
}
#[sqlx::test(migrations = "./migrations")]
async fn create_manga_rejects_non_image_cover_with_415(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let pdf = b"%PDF-1.4\n%\xc4\xe5".to_vec();
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new()
.add_json("metadata", json!({ "title": "Bad Cover" }))
.add_file("cover", "cover.png", "image/png", &pdf),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNSUPPORTED_MEDIA_TYPE);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "unsupported_media_type");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_manga_rejects_oversized_cover_with_413(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
// Test harness max_file_bytes is 256 KiB. Build a "PNG" that's 300 KiB.
let mut big = common::fake_png_bytes();
big.resize(300 * 1024, 0);
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new()
.add_json("metadata", json!({ "title": "Heavy Cover" }))
.add_file("cover", "cover.png", "image/png", &big),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::PAYLOAD_TOO_LARGE);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "payload_too_large");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_with_pages_stores_each(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
let resp = h
.app
.clone()
.oneshot(common::post_multipart_with_cookie(
&format!("/api/v1/mangas/{manga_id}/chapters"),
MultipartBuilder::new()
.add_json("metadata", json!({ "number": 1, "title": "The Brand" }))
.add_file("page", "1.png", "image/png", &common::fake_png_bytes())
.add_file("page", "2.jpg", "image/jpeg", &common::fake_jpeg_bytes())
.add_file("page", "3.png", "image/png", &common::fake_png_bytes()),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let body = common::body_json(resp).await;
assert_eq!(body["number"], 1);
assert_eq!(body["title"], "The Brand");
assert_eq!(body["page_count"], 3);
let chapter_id = Uuid::parse_str(body["id"].as_str().unwrap()).unwrap();
// Each page is reachable in arrival order, with the correct extension
// derived from the sniffed MIME (not the client filename).
for (idx, expected_ct) in [
(1, "image/png"),
(2, "image/jpeg"),
(3, "image/png"),
] {
let ext = match expected_ct {
"image/png" => "png",
"image/jpeg" => "jpg",
_ => unreachable!(),
};
let key = format!("mangas/{manga_id}/chapters/{chapter_id}/pages/{idx:04}.{ext}");
let file_resp = h
.app
.clone()
.oneshot(common::get(&format!("/api/v1/files/{key}")))
.await
.unwrap();
assert_eq!(file_resp.status(), StatusCode::OK, "missing page {idx}");
let ct = file_resp
.headers()
.get(axum::http::header::CONTENT_TYPE)
.unwrap();
assert_eq!(ct, expected_ct);
}
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_rejects_when_no_pages_with_422(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
&format!("/api/v1/mangas/{manga_id}/chapters"),
MultipartBuilder::new().add_json("metadata", json!({ "number": 1 })),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "validation_failed");
assert!(body["error"]["details"]["page"].is_string());
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_rejects_renamed_non_image_page(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
// Client claims it's an image; bytes are a PDF.
let pdf = b"%PDF-1.4\n%\xc4\xe5".to_vec();
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
&format!("/api/v1/mangas/{manga_id}/chapters"),
MultipartBuilder::new()
.add_json("metadata", json!({ "number": 1 }))
.add_file("page", "page1.png", "image/png", &pdf),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNSUPPORTED_MEDIA_TYPE);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "unsupported_media_type");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_returns_409_on_duplicate_number(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
let make = || {
common::post_multipart_with_cookie(
&format!("/api/v1/mangas/{manga_id}/chapters"),
MultipartBuilder::new()
.add_json("metadata", json!({ "number": 1 }))
.add_file("page", "1.png", "image/png", &common::fake_png_bytes()),
&cookie,
)
};
let first = h.app.clone().oneshot(make()).await.unwrap();
assert_eq!(first.status(), StatusCode::CREATED);
let second = h.app.oneshot(make()).await.unwrap();
assert_eq!(second.status(), StatusCode::CONFLICT);
let body = common::body_json(second).await;
assert_eq!(body["error"]["code"], "conflict");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_requires_authentication(pool: PgPool) {
let h = common::harness(pool.clone());
let (_, cookie) = common::register_user(&h.app).await;
let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
let resp = h
.app
.oneshot(common::post_multipart(
&format!("/api/v1/mangas/{manga_id}/chapters"),
MultipartBuilder::new()
.add_json("metadata", json!({ "number": 1 }))
.add_file("page", "1.png", "image/png", &common::fake_png_bytes()),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
#[sqlx::test(migrations = "./migrations")]
async fn create_chapter_under_unknown_manga_is_404(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let unknown = Uuid::nil();
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
&format!("/api/v1/mangas/{unknown}/chapters"),
MultipartBuilder::new()
.add_json("metadata", json!({ "number": 1 }))
.add_file("page", "1.png", "image/png", &common::fake_png_bytes()),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
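Review bot: In `create_chapter_with_pages_stores_each` every filename and declared Content-Type agrees with the bytes (`1.png` is PNG, `2.jpg` is JPEG), so the comment "derived from the sniffed MIME (not the client filename)" is never actually exercised. Send `common::fake_jpeg_bytes()` as `"2.png"` with `"image/png"` and expect the key to end in `0002.jpg`, which is the case the commit message calls out. In `create_manga_with_cover_stores_image` the comment says the blob "round-trips byte-for-byte" but only the status and Content-Type are asserted; compare the response body with `common::fake_png_bytes()`. The 415 and 413 cases check only the response; consider also asserting that no manga or chapter row and no stored file remain after a rejected upload.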


@@ -15,7 +15,7 @@ use tempfile::TempDir;
use tower::ServiceExt;
use mangalord::app::{router, AppState};
use mangalord::config::AuthConfig;
use mangalord::config::{AuthConfig, UploadConfig};
use mangalord::storage::LocalStorage;
pub struct Harness {
@@ -30,6 +30,12 @@ pub fn harness(pool: PgPool) -> Harness {
db: pool,
storage: Arc::new(LocalStorage::new(storage_dir.path())),
auth: AuthConfig { cookie_secure: false, ..AuthConfig::default() },
upload: UploadConfig {
// Keep file caps small in tests so the size-cap path is cheap to
// exercise without producing tens of MBs of bytes.
max_request_bytes: 4 * 1024 * 1024,
max_file_bytes: 256 * 1024,
},
};
Harness { app: router(state), _storage_dir: storage_dir }
}
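Review bot: `max_request_bytes: 4 * 1024 * 1024` is configured here, but none of the ten cases listed for tests/api_uploads.rs sends a body over 4 MiB, so the request-level cap is unverified; only the 256 KiB per-file cap is hit. Add a chapter upload whose pages are each under `max_file_bytes` but together exceed `max_request_bytes` and assert 413. A smaller point: `AuthConfig` uses `..AuthConfig::default()` while `UploadConfig` lists every field, so a new upload setting will break the harness; use the same pattern if `UploadConfig` implements `Default`.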
@@ -124,6 +130,141 @@ pub fn extract_session_cookie(response: &axum::response::Response) -> Option<Str
})
}
/// Minimal multipart builder for tests. Real clients would use a real
/// library; we hand-roll a small one so the test crate stays free of
/// http-client dependencies.
pub struct MultipartBuilder {
boundary: String,
body: Vec<u8>,
}
impl Default for MultipartBuilder {
fn default() -> Self {
Self::new()
}
}
impl MultipartBuilder {
pub fn new() -> Self {
Self {
boundary: format!("----mangalord-test-{}", uuid::Uuid::new_v4().simple()),
body: Vec::new(),
}
}
pub fn add_json(mut self, name: &str, value: serde_json::Value) -> Self {
self.write_part_header(name, None, Some("application/json"));
self.body.extend(value.to_string().as_bytes());
self.body.extend(b"\r\n");
self
}
pub fn add_file(
mut self,
name: &str,
filename: &str,
content_type: &str,
bytes: &[u8],
) -> Self {
self.write_part_header(name, Some(filename), Some(content_type));
self.body.extend(bytes);
self.body.extend(b"\r\n");
self
}
fn write_part_header(
&mut self,
name: &str,
filename: Option<&str>,
ct: Option<&str>,
) {
self.body
.extend(format!("--{}\r\n", self.boundary).as_bytes());
let disposition = if let Some(fname) = filename {
format!(
"Content-Disposition: form-data; name=\"{name}\"; filename=\"{fname}\"\r\n"
)
} else {
format!("Content-Disposition: form-data; name=\"{name}\"\r\n")
};
self.body.extend(disposition.as_bytes());
if let Some(ct) = ct {
self.body.extend(format!("Content-Type: {ct}\r\n").as_bytes());
}
self.body.extend(b"\r\n");
}
fn finalize(self) -> (String, Vec<u8>) {
let mut body = self.body;
body.extend(format!("--{}--\r\n", self.boundary).as_bytes());
(self.boundary, body)
}
}
pub fn post_multipart(uri: &str, builder: MultipartBuilder) -> Request<Body> {
let (boundary, body) = builder.finalize();
Request::builder()
.method("POST")
.uri(uri)
.header(
header::CONTENT_TYPE,
format!("multipart/form-data; boundary={boundary}"),
)
.body(Body::from(body))
.unwrap()
}
pub fn post_multipart_with_cookie(
uri: &str,
builder: MultipartBuilder,
cookie: &str,
) -> Request<Body> {
let (boundary, body) = builder.finalize();
Request::builder()
.method("POST")
.uri(uri)
.header(
header::CONTENT_TYPE,
format!("multipart/form-data; boundary={boundary}"),
)
.header(header::COOKIE, cookie)
.body(Body::from(body))
.unwrap()
}
/// Realistic PNG file header bytes — enough for `infer` to identify.
pub fn fake_png_bytes() -> Vec<u8> {
vec![0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]
}
/// Realistic JPEG file header bytes — enough for `infer` to identify.
pub fn fake_jpeg_bytes() -> Vec<u8> {
vec![
0xff, 0xd8, 0xff, 0xe0, 0, 0x10, b'J', b'F', b'I', b'F', 0, 0,
]
}
/// Create a manga via the upload API and return its id. Used by tests
/// that need a manga to exist before they exercise chapters / etc.
pub async fn seed_manga_via_api(app: &Router, cookie: &str, title: &str) -> uuid::Uuid {
let resp = app
.clone()
.oneshot(post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new().add_json("metadata", serde_json::json!({ "title": title })),
cookie,
))
.await
.unwrap();
assert_eq!(
resp.status(),
axum::http::StatusCode::CREATED,
"seed_manga_via_api failed"
);
let body = body_json(resp).await;
uuid::Uuid::parse_str(body["id"].as_str().unwrap()).unwrap()
}
/// Register a brand-new user and return (username, session cookie value).
/// The username is unique per call so tests can run in parallel against a
/// single DB without colliding.
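Review bot: The doc comments on `fake_png_bytes` and `fake_jpeg_bytes` call these "realistic" headers, but they are a file signature followed by zero padding, not decodable images. Say so in the comment ("signature only, not a valid image"), because the passing tests show the sniff accepts any bytes that start with an allowlisted signature; if the handler ever decodes or re-encodes images these fixtures will start failing. `write_part_header` interpolates `name` and `fname` into the quoted Content-Disposition value without escaping `"` or CR/LF, so a test that passes such a filename would produce a malformed body; add a `debug_assert!` or escape them. `post_multipart` and `post_multipart_with_cookie` are identical apart from one header; have the cookie variant build on the other or take `Option<&str>`.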