fix: Apply auth to public upload, not private (#2427)

* fix: Apply auth to public upload, not private

* test: Update test cases

api.planx.uk/modules/file/file.test.ts

@@ -43,23 +43,10 @@ describe("File upload", () => {
 
   describe("Private", () => {
     const ENDPOINT = "/file/private/upload";
-    const auth = authHeader({ role: "teamEditor" });
-
-    it("returns an error if authorization headers are not set", async () => {
-      await supertest(app)
-        .post("/flows/1/move/new-team")
-        .expect(401)
-        .then((res) => {
-          expect(res.body).toEqual({
-            error: "No authorization token was found",
-          });
-        });
-    });
 
     it("should not upload without filename", async () => {
       await supertest(app)
         .post(ENDPOINT)
-        .set(auth)
         .field("filename", "")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .expect(400)
@@ -73,7 +60,6 @@ describe("File upload", () => {
     it("should not upload without file", async () => {
       await supertest(app)
         .post(ENDPOINT)
-        .set(auth)
         .field("filename", "some filename")
         .expect(500)
         .then((res) => {
@@ -85,7 +71,6 @@ describe("File upload", () => {
     it("should upload file", async () => {
       await supertest(app)
         .post(ENDPOINT)
-        .set(auth)
         .field("filename", "some_file.txt")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .then((res) => {
@@ -107,7 +92,6 @@ describe("File upload", () => {
 
       await supertest(app)
         .post("/file/private/upload")
-        .set(auth)
         .field("filename", "some_file.txt")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .expect(500)
@@ -121,9 +105,23 @@ describe("File upload", () => {
   describe("Public", () => {
     const ENDPOINT = "/file/public/upload";
 
+    const auth = authHeader({ role: "teamEditor" });
+
+    it("returns an error if authorization headers are not set", async () => {
+      await supertest(app)
+        .post("/flows/1/move/new-team")
+        .expect(401)
+        .then((res) => {
+          expect(res.body).toEqual({
+            error: "No authorization token was found",
+          });
+        });
+    });
+
     it("should not upload without filename", async () => {
       await supertest(app)
         .post(ENDPOINT)
+        .set(auth)
         .field("filename", "")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .expect(400)
@@ -137,6 +135,7 @@ describe("File upload", () => {
     it("should not upload without file", async () => {
       await supertest(app)
         .post(ENDPOINT)
+        .set(auth)
         .field("filename", "some filename")
         .expect(500)
         .then((res) => {
@@ -148,6 +147,7 @@ describe("File upload", () => {
     it("should upload file", async () => {
       await supertest(app)
         .post(ENDPOINT)
+        .set(auth)
         .field("filename", "some_file.txt")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .then((res) => {
@@ -169,6 +169,7 @@ describe("File upload", () => {
 
       await supertest(app)
         .post(ENDPOINT)
+        .set(auth)
         .field("filename", "some_file.txt")
         .attach("file", Buffer.from("some data"), "some_file.txt")
         .expect(500)

api.planx.uk/modules/file/routes.ts

@@ -17,14 +17,14 @@ const router = Router();
 router.post(
   "/public/upload",
   multer().single("file"),
+  useTeamEditorAuth,
   validate(uploadFileSchema),
   publicUploadController,
 );
 
 router.post(
   "/private/upload",
   multer().single("file"),
-  useTeamEditorAuth,
   validate(uploadFileSchema),
   privateUploadController,
 );

api.planx.uk/server.ts

@@ -178,7 +178,6 @@ app.use("/webhooks", webhookRoutes);
 app.use("/analytics", analyticsRoutes);
 app.use("/admin", adminRoutes);
 app.use(ordnanceSurveyRoutes);
-app.use(fileRoutes);
 app.use("/file", fileRoutes);
 
 app.use("/gis", router);