photoprism/internal/api/download_file_test.go
Michael Mayer 884dea17de Security: Use individual preview tokens for each user account
Signed-off-by: Michael Mayer <michael@photoprism.app>
2022-10-13 22:11:02 +02:00


package api
import (
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"github.com/tidwall/gjson"
"github.com/photoprism/photoprism/internal/config"
)
// TestGetDownload exercises the route registered by GetDownload by sending
// GET requests to /api/v1/dl/<id> with the download token in the "t" query
// parameter, and checks the HTTP status returned for each case.
func TestGetDownload(t *testing.T) {
	// A valid token with an identifier that matches no record must yield 404
	// and a JSON body whose "error" field reads "record not found".
	t.Run("NotFound", func(t *testing.T) {
		app, router, conf := NewApiTest()
		GetDownload(router)

		target := "/api/v1/dl/123xxx?t=" + conf.DownloadToken()
		resp := PerformRequest(app, http.MethodGet, target)

		errMsg := gjson.Get(resp.Body.String(), "error").String()
		assert.Equal(t, "record not found", errMsg)
		assert.Equal(t, http.StatusNotFound, resp.Code)
	})

	// A valid token with a hash-shaped identifier is also expected to end in 404.
	// NOTE(review): presumably the record exists in the test fixtures while its
	// original file does not; confirm against the fixtures.
	t.Run("MissingOriginal", func(t *testing.T) {
		app, router, conf := NewApiTest()
		GetDownload(router)

		target := "/api/v1/dl/3cad9168fa6acc5c5c2965ddf6ec465ca42fd818?t=" + conf.DownloadToken()
		resp := PerformRequest(app, http.MethodGet, target)

		assert.Equal(t, http.StatusNotFound, resp.Code)
	})

	// A wrong token must be refused with 403 once password auth is enabled.
	// NOTE(review): only a wrong token value is covered here; a request that
	// omits the "t" parameter is not exercised by this test.
	t.Run("InvalidDownloadToken", func(t *testing.T) {
		app, router, conf := NewApiTest()

		// Switch to password auth for this case and restore public mode on exit.
		// NOTE(review): assumes public mode is the default of the test config.
		conf.SetAuthMode(config.AuthModePasswd)
		defer conf.SetAuthMode(config.AuthModePublic)

		GetDownload(router)
		resp := PerformRequest(app, http.MethodGet, "/api/v1/dl/3cad9168fa6acc5c5c2965ddf6ec465ca42fd818?t=xxx")

		assert.Equal(t, http.StatusForbidden, resp.Code)
	})
}