fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c686d6eb51c058dcfbd432db7084a7d2024909bc
Mangalord/backend/tests/api_mangas_metadata.rs
MechaCat02 8d34132883 bugfix: security & correctness bundle (0.34.1) 
Five fixes bundled into one release:

- preserve user-attached tags across crawler upserts
  (repo::crawler::sync_tags now scopes to added_by IS NULL; orphaned
  attachments from deleted users are reaped as crawler-owned)
- gate manga PATCH and cover endpoints on uploaded_by (require_can_edit
  in api::mangas; non-NULL uploaded_by must match the caller)
- equalise login response time across user-existence branches
  (run argon2 against a OnceLock-cached dummy hash on the no-user
  branch so timing doesn't leak username existence)
- crawler download defences (SSRF allowlist of host literals
  including IPv4-mapped IPv6 ranges, 32 MiB streamed size cap,
  reject non-whitelisted image types, three-way chapter-probe
  classifier replaces the binary #avatar_menu check)
- tighten validation and clean up dead unload path
  (attach_tag + create_token enforce 64-char caps; LocalStorage
  rejects NUL bytes explicitly; reader flushFinalProgress drops
  the always-405 sendBeacon path)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 20:24:51 +02:00

644 lines
20 KiB
Rust
Raw Blame History

mod common;
use axum::http::StatusCode;
use serde_json::{json, Value};
use sqlx::PgPool;
use tower::ServiceExt;
use uuid::Uuid;
use common::MultipartBuilder;
async fn genre_id_named(app: &axum::Router, name: &str) -> String {
let resp = app
.clone()
.oneshot(common::get("/api/v1/genres"))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
body.as_array()
.unwrap()
.iter()
.find(|g| g["name"].as_str() == Some(name))
.and_then(|g| g["id"].as_str().map(str::to_string))
.unwrap_or_else(|| panic!("expected seeded genre {name}"))
}
async fn create_manga(
app: &axum::Router,
cookie: &str,
metadata: Value,
) -> Value {
let resp = app
.clone()
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new().add_json("metadata", metadata),
cookie,
))
.await
.unwrap();
assert_eq!(
resp.status(),
StatusCode::CREATED,
"create_manga failed: {:?}",
resp.status()
);
common::body_json(resp).await
}
fn id_of(body: &Value) -> Uuid {
Uuid::parse_str(body["id"].as_str().unwrap()).unwrap()
}
#[sqlx::test(migrations = "./migrations")]
async fn create_returns_enriched_detail_with_defaults(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let body = create_manga(&h.app, &cookie, json!({ "title": "Solo Manga" })).await;
assert_eq!(body["title"], "Solo Manga");
assert_eq!(body["status"], "ongoing");
assert_eq!(body["alt_titles"], json!([]));
assert_eq!(body["authors"], json!([]));
assert_eq!(body["genres"], json!([]));
assert_eq!(body["tags"], json!([]));
}
#[sqlx::test(migrations = "./migrations")]
async fn create_with_full_metadata_roundtrips(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let action_id = genre_id_named(&h.app, "Action").await;
let fantasy_id = genre_id_named(&h.app, "Fantasy").await;
let body = create_manga(
&h.app,
&cookie,
json!({
"title": "Berserk",
"status": "completed",
"authors": ["Kentaro Miura", "Studio Gaga"],
"alt_titles": ["ベルセルク"],
"genre_ids": [action_id, fantasy_id],
"description": "Guts wields a big sword."
}),
)
.await;
assert_eq!(body["status"], "completed");
assert_eq!(body["alt_titles"], json!(["ベルセルク"]));
let authors: Vec<&str> = body["authors"]
.as_array()
.unwrap()
.iter()
.map(|a| a["name"].as_str().unwrap())
.collect();
assert_eq!(authors, vec!["Kentaro Miura", "Studio Gaga"]);
let genres: Vec<&str> = body["genres"]
.as_array()
.unwrap()
.iter()
.map(|g| g["name"].as_str().unwrap())
.collect();
assert_eq!(genres, vec!["Action", "Fantasy"]);
// GET /mangas/:id returns the same shape.
let id = id_of(&body);
let resp = h
.app
.oneshot(common::get(&format!("/api/v1/mangas/{id}")))
.await
.unwrap();
let detail = common::body_json(resp).await;
assert_eq!(detail["status"], "completed");
assert_eq!(detail["authors"].as_array().unwrap().len(), 2);
}
#[sqlx::test(migrations = "./migrations")]
async fn invalid_status_rejected_with_422(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new()
.add_json("metadata", json!({ "title": "Foo", "status": "hiatus" })),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "validation_failed");
assert!(body["error"]["details"]["status"].is_string());
}
#[sqlx::test(migrations = "./migrations")]
async fn unknown_genre_id_rejected_with_422(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let unknown = Uuid::new_v4();
let resp = h
.app
.oneshot(common::post_multipart_with_cookie(
"/api/v1/mangas",
MultipartBuilder::new().add_json(
"metadata",
json!({ "title": "Foo", "genre_ids": [unknown.to_string()] }),
),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "validation_failed");
}
#[sqlx::test(migrations = "./migrations")]
async fn author_dedups_case_insensitively(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let a = create_manga(
&h.app,
&cookie,
json!({ "title": "Berserk", "authors": ["Kentaro Miura"] }),
)
.await;
let b = create_manga(
&h.app,
&cookie,
json!({ "title": "Berserk Prelude", "authors": ["kentaro miura"] }),
)
.await;
// Both mangas resolve the same author id even though the casing differed.
let id_a = a["authors"][0]["id"].as_str().unwrap();
let id_b = b["authors"][0]["id"].as_str().unwrap();
assert_eq!(id_a, id_b);
}
#[sqlx::test(migrations = "./migrations")]
async fn filter_by_status_returns_only_matches(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let _ongoing = create_manga(&h.app, &cookie, json!({ "title": "Ongoing One" })).await;
let _done = create_manga(
&h.app,
&cookie,
json!({ "title": "Wrapped Up", "status": "completed" }),
)
.await;
let resp = h
.app
.oneshot(common::get("/api/v1/mangas?status=completed"))
.await
.unwrap();
let body = common::body_json(resp).await;
let titles: Vec<&str> = body["items"]
.as_array()
.unwrap()
.iter()
.map(|m| m["title"].as_str().unwrap())
.collect();
assert_eq!(titles, vec!["Wrapped Up"]);
assert_eq!(body["page"]["total"], 1);
}
#[sqlx::test(migrations = "./migrations")]
async fn filter_by_multiple_genres_is_and(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let action = genre_id_named(&h.app, "Action").await;
let fantasy = genre_id_named(&h.app, "Fantasy").await;
let comedy = genre_id_named(&h.app, "Comedy").await;
let _both = create_manga(
&h.app,
&cookie,
json!({ "title": "Action+Fantasy", "genre_ids": [action.clone(), fantasy.clone()] }),
)
.await;
let _action_only = create_manga(
&h.app,
&cookie,
json!({ "title": "Action Only", "genre_ids": [action.clone()] }),
)
.await;
let _other = create_manga(
&h.app,
&cookie,
json!({ "title": "Comedy Only", "genre_ids": [comedy] }),
)
.await;
let url = format!("/api/v1/mangas?genre_id={action},{fantasy}");
let resp = h.app.oneshot(common::get(&url)).await.unwrap();
let body = common::body_json(resp).await;
let titles: Vec<&str> = body["items"]
.as_array()
.unwrap()
.iter()
.map(|m| m["title"].as_str().unwrap())
.collect();
// Only the manga tagged with BOTH genres matches — pure AND.
assert_eq!(titles, vec!["Action+Fantasy"]);
}
#[sqlx::test(migrations = "./migrations")]
async fn filter_by_author_id_matches_only_works_by_that_author(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let miura_manga = create_manga(
&h.app,
&cookie,
json!({ "title": "Berserk", "authors": ["Kentaro Miura"] }),
)
.await;
let miura_id = miura_manga["authors"][0]["id"].as_str().unwrap();
let _oda = create_manga(
&h.app,
&cookie,
json!({ "title": "One Piece", "authors": ["Eiichiro Oda"] }),
)
.await;
let resp = h
.app
.oneshot(common::get(&format!("/api/v1/mangas?author_id={miura_id}")))
.await
.unwrap();
let body = common::body_json(resp).await;
let titles: Vec<&str> = body["items"]
.as_array()
.unwrap()
.iter()
.map(|m| m["title"].as_str().unwrap())
.collect();
assert_eq!(titles, vec!["Berserk"]);
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_updates_status_authors_and_genres(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let drama = genre_id_named(&h.app, "Drama").await;
let created = create_manga(
&h.app,
&cookie,
json!({ "title": "WIP", "authors": ["Old Name"] }),
)
.await;
let id = id_of(&created);
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({
"status": "completed",
"authors": ["Old Name", "New Coauthor"],
"genre_ids": [drama]
}),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
assert_eq!(body["status"], "completed");
let names: Vec<&str> = body["authors"]
.as_array()
.unwrap()
.iter()
.map(|a| a["name"].as_str().unwrap())
.collect();
assert_eq!(names, vec!["Old Name", "New Coauthor"]);
assert_eq!(body["genres"][0]["name"], "Drama");
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_404_on_unknown_id(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{}", Uuid::new_v4()),
json!({ "status": "completed" }),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[sqlx::test(migrations = "./migrations")]
async fn filter_by_unknown_uuid_returns_empty_not_error(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let _ = create_manga(&h.app, &cookie, json!({ "title": "Anything" })).await;
let unknown = Uuid::new_v4();
let resp = h
.app
.oneshot(common::get(&format!("/api/v1/mangas?genre_id={unknown}")))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
assert_eq!(body["items"], json!([]));
assert_eq!(body["page"]["total"], 0);
}
#[sqlx::test(migrations = "./migrations")]
async fn filter_combining_status_author_genre_and_tag_is_and(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let action = genre_id_named(&h.app, "Action").await;
// The "winner" matches every facet; the other rows each miss at
// least one so the combined filter must reject them.
let winner = create_manga(
&h.app,
&cookie,
json!({
"title": "Winner",
"status": "completed",
"authors": ["Solo Author"],
"genre_ids": [action.clone()],
}),
)
.await;
let solo_author_id = winner["authors"][0]["id"].as_str().unwrap().to_string();
let winner_id = id_of(&winner);
let _missing_status = create_manga(
&h.app,
&cookie,
json!({
"title": "Wrong Status",
"authors": ["Solo Author"],
"genre_ids": [action.clone()],
}),
)
.await;
let _missing_author = create_manga(
&h.app,
&cookie,
json!({
"title": "Wrong Author",
"status": "completed",
"authors": ["Other"],
"genre_ids": [action.clone()],
}),
)
.await;
let _missing_genre = create_manga(
&h.app,
&cookie,
json!({
"title": "Missing Genre",
"status": "completed",
"authors": ["Solo Author"],
}),
)
.await;
// Attach a tag to the winner so we can hit all four facets at once.
let tag_attach = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
&format!("/api/v1/mangas/{winner_id}/tags"),
json!({ "name": "Pinned" }),
&cookie,
))
.await
.unwrap();
let tag_id = common::body_json(tag_attach).await["id"].as_str().unwrap().to_string();
let url = format!(
"/api/v1/mangas?status=completed&author_id={solo_author_id}&genre_id={action}&tag_id={tag_id}"
);
let resp = h.app.oneshot(common::get(&url)).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
let titles: Vec<&str> = body["items"]
.as_array()
.unwrap()
.iter()
.map(|m| m["title"].as_str().unwrap())
.collect();
assert_eq!(titles, vec!["Winner"]);
assert_eq!(body["page"]["total"], 1);
}
#[sqlx::test(migrations = "./migrations")]
async fn duplicate_genre_ids_accepted_not_treated_as_unknown(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let action = genre_id_named(&h.app, "Action").await;
let body = create_manga(
&h.app,
&cookie,
json!({
"title": "Dup Genres",
"genre_ids": [action.clone(), action]
}),
)
.await;
// The repeated id resolves to a single attachment (the join table
// de-dupes via the composite PK + `ON CONFLICT DO NOTHING`), so
// the response carries one genre, not two.
let names: Vec<&str> = body["genres"]
.as_array()
.unwrap()
.iter()
.map(|g| g["name"].as_str().unwrap())
.collect();
assert_eq!(names, vec!["Action"]);
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_explicit_null_description_clears_it(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(
&h.app,
&cookie,
json!({ "title": "With desc", "description": "Original" }),
)
.await;
let id = id_of(&created);
assert_eq!(created["description"], "Original");
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "description": null }),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
assert!(body["description"].is_null(), "expected description cleared");
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_omitting_description_leaves_it_alone(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(
&h.app,
&cookie,
json!({ "title": "With desc", "description": "Keep me" }),
)
.await;
let id = id_of(&created);
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "status": "completed" }),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
assert_eq!(body["description"], "Keep me");
assert_eq!(body["status"], "completed");
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_empty_alt_titles_clears_them(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(
&h.app,
&cookie,
json!({ "title": "Has alts", "alt_titles": ["a", "b"] }),
)
.await;
let id = id_of(&created);
assert_eq!(created["alt_titles"], json!(["a", "b"]));
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "alt_titles": [] }),
&cookie,
))
.await
.unwrap();
let body = common::body_json(resp).await;
assert_eq!(body["alt_titles"], json!([]));
}
#[sqlx::test(migrations = "./migrations")]
async fn patch_requires_authentication(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(&h.app, &cookie, json!({ "title": "Auth Check" })).await;
let id = id_of(&created);
let resp = h
.app
.oneshot(common::patch_json(
&format!("/api/v1/mangas/{id}"),
json!({ "status": "completed" }),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
/// A signed-in user who didn't upload the manga must not be able to
/// PATCH it. Without the uploader-gate this returned 200 — see
/// REVIEW.md "manga PATCH / cover endpoints don't check ownership".
#[sqlx::test(migrations = "./migrations")]
async fn patch_forbidden_for_non_uploader(pool: PgPool) {
let h = common::harness(pool);
let (_, owner_cookie) = common::register_user(&h.app).await;
let (_, intruder_cookie) = common::register_user(&h.app).await;
let created = create_manga(&h.app, &owner_cookie, json!({ "title": "Mine" })).await;
let id = id_of(&created);
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "status": "completed" }),
&intruder_cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
}
/// Owner can still edit their own manga (regression guard for the
/// authz fix).
#[sqlx::test(migrations = "./migrations")]
async fn patch_allowed_for_uploader(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(&h.app, &cookie, json!({ "title": "Owned" })).await;
let id = id_of(&created);
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "status": "completed" }),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
/// Legacy rows with `uploaded_by IS NULL` (created before migration
/// 0011) remain editable by any signed-in user. Without this carve-out
/// the historical-data note in 0011 would be broken.
#[sqlx::test(migrations = "./migrations")]
async fn patch_allowed_on_legacy_null_uploader(pool: PgPool) {
let h = common::harness(pool.clone());
let (_, cookie) = common::register_user(&h.app).await;
let created = create_manga(&h.app, &cookie, json!({ "title": "Legacy" })).await;
let id = id_of(&created);
// Simulate a row uploaded before the column existed: clear
// uploaded_by directly via SQL.
sqlx::query("UPDATE mangas SET uploaded_by = NULL WHERE id = $1")
.bind(id)
.execute(&pool)
.await
.unwrap();
let (_, other_cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::patch_json_with_cookie(
&format!("/api/v1/mangas/{id}"),
json!({ "status": "completed" }),
&other_cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
Reference in New Issue View Git Blame Copy Permalink