🧪 test(uploads): Cover fetching originals from client.

make-github-pseudonymous-again · make-github-pseudonymous-again · commit d99cb6e35b8b · 2025-07-05T21:37:34.000Z
diff --git a/imports/_test/png.ts b/imports/_test/png.ts
@@ -24,3 +24,5 @@ export const randomPNGBlob = async (): Promise<Blob> => {
 	const response = await randomPNGResponse();
 	return response.blob();
 };
+
+export const magic = [137, 80, 78, 71, 13, 10, 26, 10];
diff --git a/imports/api/uploads.app-tests.ts b/imports/api/uploads.app-tests.ts
@@ -0,0 +1,67 @@
+import {assert} from 'chai';
+
+import {type FileObj} from 'meteor/ostrio:files';
+
+import {client, randomPassword, randomUserId} from '../_test/fixtures';
+import {magic} from '../_test/png';
+import absoluteURL from '../app/absoluteURL';
+import head from '../util/stream/head';
+
+import {newUpload} from './_dev/populate/uploads';
+import {type MetadataType} from './uploads';
+import createUserWithPasswordAndLogin from './user/createUserWithPasswordAndLogin';
+import logout from './user/logout';
+
+const uploads = (path: string) => absoluteURL(`cdn/storage/uploads/${path}`);
+const original = (upload: FileObj<MetadataType>) =>
+	uploads(`${upload._id}/original/${upload.name}`);
+
+client(__filename, () => {
+	it('should not be possible to download a document when unauthenticated', async () => {
+		const username = randomUserId();
+		const password = randomPassword();
+		await createUserWithPasswordAndLogin(username, password);
+		const upload = await newUpload(undefined, {type: 'image/png'});
+		await logout();
+
+		const response = await fetch(original(upload));
+
+		assert.strictEqual(response.status, 401);
+		assert.strictEqual(await response.text(), 'Access denied!');
+	});
+
+	it('should be possible for the owner of a document to download it', async () => {
+		const username = randomUserId();
+		const password = randomPassword();
+		await createUserWithPasswordAndLogin(username, password);
+		const upload = await newUpload(undefined, {type: 'image/png'});
+
+		const response = await fetch(original(upload));
+
+		assert.strictEqual(response.status, 200);
+
+		const body = response.body;
+		assert.isNotNull(body);
+
+		const firstBytes = await head(body, magic.length);
+
+		assert.deepEqual(firstBytes, magic);
+	});
+
+	it('should not be possible for someone other than the owner of a document to download it', async () => {
+		const usernameA = randomUserId();
+		const passwordA = randomPassword();
+		await createUserWithPasswordAndLogin(usernameA, passwordA);
+		const upload = await newUpload(undefined, {type: 'image/png'});
+		await logout();
+
+		const usernameB = randomUserId();
+		const passwordB = randomPassword();
+		await createUserWithPasswordAndLogin(usernameB, passwordB);
+
+		const response = await fetch(original(upload));
+
+		assert.strictEqual(response.status, 401);
+		assert.strictEqual(await response.text(), 'Access denied!');
+	});
+});
diff --git a/imports/util/stream/head.ts b/imports/util/stream/head.ts
@@ -0,0 +1,21 @@
+import {asyncIterableToArray} from '@async-iterable-iterator/async-iterable-to-array';
+
+const _head = async function* (reader: ReadableStreamDefaultReader, n: number) {
+	while (n > 0) {
+		// eslint-disable-next-line no-await-in-loop
+		const {value, done} = await reader.read();
+		if (done) break;
+		yield value;
+		n -= value.length;
+	}
+};
+
+const head = async (stream: ReadableStream, n: number) => {
+	const reader = stream.getReader();
+	const chunks = await asyncIterableToArray(_head(reader, n));
+	reader.releaseLock();
+
+	return chunks.flatMap((chunk) => Array.from(chunk)).slice(0, n);
+};
+
+export default head;
