From 8e0df7feb8b16afb1360dde4130749cec779e08e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?=
Date: Wed, 15 Nov 2023 18:58:34 +0000
Subject: [PATCH] fix: Apply auth to public upload, not private (#2427)

* fix: Apply auth to public upload, not private

* test: Update test cases
---
 api.planx.uk/modules/file/file.test.ts | 33 +++++++++++++-------------
 api.planx.uk/modules/file/routes.ts | 2 +-
 api.planx.uk/server.ts | 1 -
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/api.planx.uk/modules/file/file.test.ts b/api.planx.uk/modules/file/file.test.ts
index 5364319cb8..4495281c63 100644
--- a/api.planx.uk/modules/file/file.test.ts
+++ b/api.planx.uk/modules/file/file.test.ts
@@ -43,23 +43,10 @@ describe("File upload", () => {
 describe("Private", () => {
 const ENDPOINT = "/file/private/upload";
- const auth = authHeader({ role: "teamEditor" });
-
- it("returns an error if authorization headers are not set", async () => {
- await supertest(app)
- .post("/flows/1/move/new-team")
- .expect(401)
- .then((res) => {
- expect(res.body).toEqual({
- error: "No authorization token was found",
- });
- });
- });
 it("should not upload without filename", async () => {
 await supertest(app)
 .post(ENDPOINT)
- .set(auth)
 .field("filename", "")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .expect(400)
@@ -73,7 +60,6 @@ describe("File upload", () => {
 it("should not upload without file", async () => {
 await supertest(app)
 .post(ENDPOINT)
- .set(auth)
 .field("filename", "some filename")
 .expect(500)
 .then((res) => {
@@ -85,7 +71,6 @@ describe("File upload", () => {
 it("should upload file", async () => {
 await supertest(app)
 .post(ENDPOINT)
- .set(auth)
 .field("filename", "some_file.txt")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .then((res) => {
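Review bot: In the `@@ -43,23 +43,10 @@` hunk the Private suite loses its `auth` header and its 401 test, but no test is added that states the new contract explicitly — that `/file/private/upload` is reachable without an authorization header. That contract is now only covered implicitly by "should upload file" running without `.set(auth)`, whose assertions lie outside the hunk, so a future re-introduction of `useTeamEditorAuth` on the private route would surface as an unrelated-looking failure rather than a named one. A small named case such as `it("does not require authorization headers", ...)` posting to `ENDPOINT` and asserting a non-401 status would document the intent in the suite. The removed 401 test also posted to `"/flows/1/move/new-team"` rather than `ENDPOINT`; the same mistake is carried into the Public suite in a later hunk.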
@@ -107,7 +92,6 @@ describe("File upload", () => {
 await supertest(app)
 .post("/file/private/upload")
- .set(auth)
 .field("filename", "some_file.txt")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .expect(500)
@@ -121,9 +105,23 @@ describe("File upload", () => {
 describe("Public", () => {
 const ENDPOINT = "/file/public/upload";
+ const auth = authHeader({ role: "teamEditor" });
+
+ it("returns an error if authorization headers are not set", async () => {
+ await supertest(app)
+ .post("/flows/1/move/new-team")
+ .expect(401)
+ .then((res) => {
+ expect(res.body).toEqual({
+ error: "No authorization token was found",
+ });
+ });
+ });
+
 it("should not upload without filename", async () => {
 await supertest(app)
 .post(ENDPOINT)
+ .set(auth)
 .field("filename", "")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .expect(400)
@@ -137,6 +135,7 @@ describe("File upload", () => {
 it("should not upload without file", async () => {
 await supertest(app)
 .post(ENDPOINT)
+ .set(auth)
 .field("filename", "some filename")
 .expect(500)
 .then((res) => {
@@ -148,6 +147,7 @@ describe("File upload", () => {
 it("should upload file", async () => {
 await supertest(app)
 .post(ENDPOINT)
+ .set(auth)
 .field("filename", "some_file.txt")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .then((res) => {
@@ -169,6 +169,7 @@ describe("File upload", () => {
 await supertest(app)
 .post(ENDPOINT)
+ .set(auth)
 .field("filename", "some_file.txt")
 .attach("file", Buffer.from("some data"), "some_file.txt")
 .expect(500)
diff --git a/api.planx.uk/modules/file/routes.ts b/api.planx.uk/modules/file/routes.ts
index 239687f474..6c556e3ed3 100644
--- a/api.planx.uk/modules/file/routes.ts
+++ b/api.planx.uk/modules/file/routes.ts
@@ -17,6 +17,7 @@ const router = Router();
 router.post(
 "/public/upload",
 multer().single("file"),
+ useTeamEditorAuth,
 validate(uploadFileSchema),
 publicUploadController,
 );
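Review bot: The added "returns an error if authorization headers are not set" test in the `@@ -121,9 +105,23 @@` hunk posts to `"/flows/1/move/new-team"` instead of `ENDPOINT`, so it never exercises `/file/public/upload` and would keep passing even if `useTeamEditorAuth` were dropped from the public route again. Changing it to `.post(ENDPOINT)` makes the 401 assertion actually guard the route this commit is securing. Because the route runs `multer().single("file")` before the auth middleware, a request with no multipart body should still reach `useTeamEditorAuth` and return 401, but that ordering is worth confirming when the endpoint is corrected.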
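Review bot: In the routes.ts `@@ -17,6 +17,7 @@` hunk, `useTeamEditorAuth` is inserted after `multer().single("file")`, so the multipart body is parsed and buffered in full before the caller is authenticated; an unauthenticated client can make the server do all the upload work and only then receive a 401. Authentication appears to be header-based (the tests attach it with `.set(auth)`), so nothing from the body is needed to run it first, and the cheaper order is `"/public/upload", useTeamEditorAuth, multer().single("file"),`. Nothing in the hunk shows a `limits` option on `multer()`; if upload size is not bounded elsewhere, `multer({ limits: { fileSize: /* TODO: choose a cap */ } })` would bound the pre-auth work as well.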
@@ -24,7 +25,6 @@ router.post(
 router.post(
 "/private/upload",
 multer().single("file"),
- useTeamEditorAuth,
 validate(uploadFileSchema),
 privateUploadController,
 );
diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
index b21b55d8dc..0886e7ec98 100644
--- a/api.planx.uk/server.ts
+++ b/api.planx.uk/server.ts
@@ -178,7 +178,6 @@ app.use("/webhooks", webhookRoutes);
 app.use("/analytics", analyticsRoutes);
 app.use("/admin", adminRoutes);
 app.use(ordnanceSurveyRoutes);
-app.use(fileRoutes);
 app.use("/file", fileRoutes);
 app.use("/gis", router);
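Review bot: The `@@ -24,7 +25,6 @@` hunk leaves `/private/upload` with no auth middleware and nothing on the route explaining why the route named "private" is the one open to anonymous callers, which a later reader will reasonably mistake for a regression and "fix". A one-line comment above `router.post(` such as `// Deliberately unauthenticated: "private" describes the stored file's visibility, not the caller (see #2427)` would record the intent next to the code; the exact wording should be confirmed with the author since the rationale is only implied by the commit title. With auth gone, `validate(uploadFileSchema)` and whatever limits `multer()` carries are now the only gates on this route, so it is worth checking that those are sufficient for an anonymous upload surface.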