"""Tests for files router (/api/files).""" import io import os import tempfile from pathlib import Path from unittest.mock import patch import pytest from httpx import AsyncClient from models.user import User from tests.conftest import auth_headers class TestUploadFile: """POST /api/files/upload tests.""" async def test_upload_image( self, client: AsyncClient, maker_user: User, tmp_path: Path ): """Maker can upload a valid image.""" # Create a minimal valid JPEG (1x1 pixel) jpeg_bytes = ( b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01" b"\x00\x01\x00\x00\xff\xdb\x00C\x00\x08\x06\x06\x07\x06" b"\x05\x08\x07\x07\x07\t\t\x08\n\x0c\x14\r\x0c\x0b\x0b" b"\x0c\x19\x12\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c" b"\x1c $.\' \",#\x1c\x1c(7),01444\x1f\'9=82<.342\xff\xc0" b"\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4" b"\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00" b"\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" b"\x07\x08\t\n\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03" b"\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01}\x01\x02" b"\x03\x00\x04\x11\x05\x12!1A\x06\x13Qa\x07\"q\x142\x81" b"\x91\xa1\x08#B\xb1\xc1\x15R\xd1\xf0$3br\x82\t\n\x16" b"\x17\x18\x19\x1a%&\'()*456789:CDEFGHIJSTUVWXYZcdefghij" b"stuvwxyz\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94" b"\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8" b"\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3" b"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7" b"\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea" b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xda\x00" b"\x08\x01\x01\x00\x00?\x00T\xdb\xae\x8e\xd3H\xa5(?" b"\xff\xd9" ) # Patch settings.upload_path to use tmp_path with patch("routers.files.settings") as mock_settings: mock_settings.upload_path = tmp_path mock_settings.max_upload_size_mb = 50 resp = await client.post( "/api/files/upload", headers=auth_headers(maker_user), files={"file": ("test.jpg", io.BytesIO(jpeg_bytes), "image/jpeg")}, ) assert resp.status_code == 200 data = resp.json() assert "file_path" in data assert data["file_type"] == "image/jpeg" assert data["file_size"] > 0 async def test_upload_invalid_type( self, client: AsyncClient, maker_user: User ): """Uploading a disallowed file type returns 400.""" resp = await client.post( "/api/files/upload", headers=auth_headers(maker_user), files={ "file": ("malware.exe", io.BytesIO(b"MZ\x00\x00"), "application/x-msdownload") }, ) assert resp.status_code == 400 assert "not allowed" in resp.json()["detail"] async def test_upload_too_large( self, client: AsyncClient, maker_user: User ): """Uploading a file that exceeds size limit returns 400.""" # Create a large file content large_content = b"\x00" * (51 * 1024 * 1024) # 51MB with patch("routers.files.settings") as mock_settings: mock_settings.max_upload_size_mb = 50 mock_settings.upload_path = Path(tempfile.mkdtemp()) resp = await client.post( "/api/files/upload", headers=auth_headers(maker_user), files={ "file": ("big.jpg", io.BytesIO(large_content), "image/jpeg") }, ) assert resp.status_code == 400 assert "exceeds" in resp.json()["detail"] class TestGetFile: """GET /api/files/{file_path} tests.""" async def test_get_file( self, client: AsyncClient, maker_user: User, tmp_path: Path ): """Authenticated user can retrieve an uploaded file.""" # Create a test file in tmp_path test_file = tmp_path / "testfile.txt" test_file.write_text("hello test") with patch("routers.files.settings") as mock_settings: mock_settings.upload_path = tmp_path resp = await client.get( "/api/files/testfile.txt", headers=auth_headers(maker_user), ) assert resp.status_code == 200 async def test_get_file_not_found( self, client: AsyncClient, maker_user: User, tmp_path: Path ): """Requesting a non-existent file returns 404.""" with patch("routers.files.settings") as mock_settings: mock_settings.upload_path = tmp_path resp = await client.get( "/api/files/nonexistent.png", headers=auth_headers(maker_user), ) assert resp.status_code == 404 class TestDeleteFile: """DELETE /api/files/{file_path} tests.""" async def test_delete_file( self, client: AsyncClient, maker_user: User, tmp_path: Path ): """Maker can delete a file.""" test_file = tmp_path / "deleteme.txt" test_file.write_text("delete me") with patch("routers.files.settings") as mock_settings: mock_settings.upload_path = tmp_path resp = await client.delete( "/api/files/deleteme.txt", headers=auth_headers(maker_user), ) assert resp.status_code == 204 assert not test_file.exists() class TestFilenameSanitization: """Path traversal protection tests.""" async def test_path_traversal_blocked( self, client: AsyncClient, maker_user: User, tmp_path: Path ): """Path traversal attempt returns 403 or 404.""" with patch("routers.files.settings") as mock_settings: mock_settings.upload_path = tmp_path resp = await client.get( "/api/files/../../etc/passwd", headers=auth_headers(maker_user), ) # Should be blocked by security check assert resp.status_code in (403, 404)