a92f6f70e2
POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept
multipart/form-data, gated by CurrentUser:
- /mangas: required `metadata` part (NewManga JSON) + optional `cover`
image part.
- /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or
more `page` parts ordered by arrival. Returns 404 if the parent manga
doesn't exist, 409 on duplicate (manga_id, number).
MIME is sniffed via the `infer` crate (magic bytes), not the
client-supplied filename or Content-Type. Whitelist:
jpeg / png / webp / gif / avif. Anything else → 415
unsupported_media_type. The stored key's extension is derived from the
sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`.
Size cap is two-layer:
- Request body cap (config.max_request_bytes, default 200 MiB) enforced
by axum's DefaultBodyLimit before the handler sees the request.
- Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced
after reading the part, so a single oversized image can't pass even
if the total request fits.
Storage keys follow the layout documented in CLAUDE.md:
- mangas/{manga_id}/cover.{ext}
- mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed).
AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed
(413 / 415 / 422). ValidationFailed carries a `details` JSON object the
client can use to highlight bad fields (e.g. {"title":"required"}).
Top-level matching in code() stays exhaustive.
Backend coverage in tests/api_uploads.rs (10 cases):
- create_manga_with_cover_stores_image — file is reachable via
/api/v1/files/{key} with the right Content-Type.
- create_manga_without_cover_leaves_path_null.
- create_manga_rejects_non_image_cover_with_415 — PDF claimed as png.
- create_manga_rejects_oversized_cover_with_413.
- create_chapter_with_pages_stores_each — extension derived from
sniffed MIME, files reachable in arrival order.
- create_chapter_rejects_when_no_pages_with_422 — details.page set.
- create_chapter_rejects_renamed_non_image_page → 415.
- create_chapter_returns_409_on_duplicate_number.
- create_chapter_requires_authentication → 401.
- create_chapter_under_unknown_manga_is_404.
Existing tests/api_mangas.rs is migrated to multipart; the create
response is now 201 Created. tests/common::MultipartBuilder builds the
body by hand so the test crate stays free of HTTP-client deps.
Frontend lib/api/mangas.ts: createManga now sends FormData (metadata +
optional cover Blob). Browser fills in the boundary header automatically.
Vitest asserts the FormData structure via FileReader (jsdom doesn't
implement Blob.text()).
E2E tests wait for the post-hydration nav-login link before
interacting with the login form, fixing a flake where pre-hydration
clicks would submit via the browser default and bypass our handler.
Lockstep version bump to 0.5.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
110 lines
3.9 KiB
TypeScript
110 lines
3.9 KiB
TypeScript
import { test, expect, type Page } from '@playwright/test';
|
|
|
|
// Mocks the auth endpoints at the network level so the journey is
|
|
// deterministic and doesn't require a live backend.
|
|
|
|
const userFixture = {
|
|
id: 'user-1',
|
|
username: 'alice',
|
|
created_at: '2026-01-01T00:00:00Z'
|
|
};
|
|
const emptyPage = { items: [], page: { limit: 50, offset: 0, total: null } };
|
|
|
|
async function stubAnonymousThenAuthenticated(page: Page) {
|
|
let loggedIn = false;
|
|
await page.route('**/api/v1/auth/me', async (route) => {
|
|
if (loggedIn) {
|
|
await route.fulfill({
|
|
status: 200,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({ user: userFixture })
|
|
});
|
|
} else {
|
|
await route.fulfill({
|
|
status: 401,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({
|
|
error: { code: 'unauthenticated', message: 'unauthenticated' }
|
|
})
|
|
});
|
|
}
|
|
});
|
|
await page.route('**/api/v1/auth/login', async (route) => {
|
|
loggedIn = true;
|
|
await route.fulfill({
|
|
status: 200,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({ user: userFixture })
|
|
});
|
|
});
|
|
await page.route('**/api/v1/auth/logout', async (route) => {
|
|
loggedIn = false;
|
|
await route.fulfill({ status: 204 });
|
|
});
|
|
await page.route('**/api/v1/mangas*', async (route) => {
|
|
await route.fulfill({
|
|
status: 200,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify(emptyPage)
|
|
});
|
|
});
|
|
}
|
|
|
|
test('login then logout flips the layout between authenticated and anonymous', async ({
|
|
page
|
|
}) => {
|
|
await stubAnonymousThenAuthenticated(page);
|
|
|
|
await page.goto('/');
|
|
// Initially anonymous → Login / Register links visible.
|
|
await expect(page.getByTestId('nav-login')).toBeVisible();
|
|
|
|
// Log in.
|
|
await page.goto('/login');
|
|
// Wait for hydration to finish before interacting — the nav-login link
|
|
// is only rendered once /me resolves, so it doubles as a hydration
|
|
// signal. Clicking before hydration would submit the form via the
|
|
// browser default (action="javascript:void(0)") and our handler would
|
|
// never run.
|
|
await expect(page.getByTestId('nav-login')).toBeVisible();
|
|
await page.getByTestId('login-username').fill('alice');
|
|
await page.getByTestId('login-password').fill('hunter2hunter2');
|
|
await page.getByTestId('login-submit').click();
|
|
|
|
// Authenticated → username + Logout button.
|
|
await expect(page.getByTestId('session-user')).toContainText('alice');
|
|
await expect(page.getByRole('button', { name: 'Logout' })).toBeVisible();
|
|
|
|
// Log out.
|
|
await page.getByRole('button', { name: 'Logout' }).click();
|
|
await expect(page).toHaveURL(/\/login$/);
|
|
await expect(page.getByTestId('nav-login')).toBeVisible();
|
|
});
|
|
|
|
test('login surfaces the API error message on bad credentials', async ({ page }) => {
|
|
await page.route('**/api/v1/auth/me', async (route) => {
|
|
await route.fulfill({
|
|
status: 401,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({ error: { code: 'unauthenticated', message: 'unauthenticated' } })
|
|
});
|
|
});
|
|
await page.route('**/api/v1/auth/login', async (route) => {
|
|
await route.fulfill({
|
|
status: 401,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({
|
|
error: { code: 'unauthenticated', message: 'unauthenticated' }
|
|
})
|
|
});
|
|
});
|
|
|
|
await page.goto('/login');
|
|
await expect(page.getByTestId('nav-login')).toBeVisible();
|
|
await page.getByTestId('login-username').fill('alice');
|
|
await page.getByTestId('login-password').fill('wrongpassword');
|
|
await page.getByTestId('login-submit').click();
|
|
|
|
await expect(page.getByTestId('login-error')).toBeVisible();
|
|
});
|