From f686902cd3a9bd9a0d8abbab7ce625f3a5ad2d62 Mon Sep 17 00:00:00 2001
From: Marek Maslowski <marek1.maslowski@gmail.com>
Date: Tue, 14 Apr 2026 11:22:20 +0200
Subject: [PATCH 1/3] adding default value of small when getting thumbnail

---
 server/src/services/memories/synologyService.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/src/services/memories/synologyService.ts b/server/src/services/memories/synologyService.ts
index 4df4e0a9..48d52c47 100644
--- a/server/src/services/memories/synologyService.ts
+++ b/server/src/services/memories/synologyService.ts
@@ -585,7 +585,6 @@ export async function streamSynologyAsset(
     targetUserId: number,
     photoId: string,
     kind: 'thumbnail' | 'original',
-    size?: string,
 ): Promise<void> {
     const parsedId = _splitPackedSynologyId(photoId);
     if (!parsedId) {
@@ -609,6 +608,8 @@ export async function streamSynologyAsset(
         return;
     }
 
+    
+    //size: 'sm' 240px| 'm' 320px| 'xl' 1280px| 'preview' ?
     const params = kind === 'thumbnail'
         ? new URLSearchParams({
             api: 'SYNO.Foto.Thumbnail',
@@ -617,7 +618,7 @@ export async function streamSynologyAsset(
             mode: 'download',
             id: parsedId.id,
             type: 'unit',
-            size: size,
+            size: 'sm',
             cache_key: parsedId.cacheKey,
             _sid: sid.data,
         })

From 1d4f18bdf9df5ec59dfe2c8924f93a306558e512 Mon Sep 17 00:00:00 2001
From: Marek Maslowski <marek1.maslowski@gmail.com>
Date: Tue, 14 Apr 2026 17:40:40 +0200
Subject: [PATCH 2/3] adding test

---
 .../integration/memories-synology.test.ts     | 28 +++++++++++++++++--
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/server/tests/integration/memories-synology.test.ts b/server/tests/integration/memories-synology.test.ts
index 11371bea..a21690ee 100644
--- a/server/tests/integration/memories-synology.test.ts
+++ b/server/tests/integration/memories-synology.test.ts
@@ -51,14 +51,16 @@ vi.mock('../../src/utils/ssrfGuard', async () => {
     // Determine which API was called from the URL query param (e.g. ?api=SYNO.API.Auth)
     // or from the body for POST requests.
     let apiName = '';
+    let params = new URLSearchParams();
     try {
-      apiName = new URL(u).searchParams.get('api') || '';
+      params = new URL(u).searchParams;
+      apiName = params.get('api') || '';
     } catch {}
     if (!apiName && init?.body) {
-      const body = init.body instanceof URLSearchParams
+      apiName = params.get('api') || '';
+      params = init.body instanceof URLSearchParams
         ? init.body
         : new URLSearchParams(String(init.body));
-      apiName = body.get('api') || '';
     }
 
     // Auth login — used by settings save, status, test-connection
@@ -154,6 +156,8 @@ vi.mock('../../src/utils/ssrfGuard', async () => {
 
     // Thumbnail stream
     if (apiName === 'SYNO.Foto.Thumbnail') {
+      if (!(['sm', 'm', 'xl', 'preview'].includes(params.get('size') || '')))
+        return Promise.reject(new Error(`Unexpected thumbnail size: ${params.get('size')}`));
       const imageBytes = Buffer.from('fake-synology-thumbnail');
       return Promise.resolve({
         ok: true, status: 200,
@@ -437,6 +441,24 @@ describe('Synology asset access', () => {
     expect(res.headers['content-type']).toContain('image/jpeg');
   });
 
+  it('SYNO-032b — GET /api/photos/:id/thumbnail uses an allowed Synology thumbnail size', async () => {
+    const { user } = createUser(testDb);
+    setSynologyCredentials(testDb, user.id, 'https://synology.example.com', 'admin', 'pass');
+
+    const insert = testDb.prepare(
+      'INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES (?, ?, ?)'
+    ).run('synologyphotos', '101_cachekey', user.id);
+    const trekPhotoId = Number(insert.lastInsertRowid);
+
+    vi.mocked(safeFetch).mockClear();
+
+    const res = await request(app)
+      .get(`/api/photos/${trekPhotoId}/thumbnail`)
+      .set('Cookie', authCookie(user.id));
+
+    expect(res.status).toBe(200);
+  });
+
   it('SYNO-033 — GET /assets/original streams image data for shared photo', async () => {
     const { user: owner } = createUser(testDb);
     const { user: member } = createUser(testDb);

From d04a4bcbf81cf7af13acdbe52a95ccdecbb1a8f3 Mon Sep 17 00:00:00 2001
From: Marek Maslowski <marek1.maslowski@gmail.com>
Date: Tue, 14 Apr 2026 17:45:51 +0200
Subject: [PATCH 3/3] fix for test suit

---
 server/tests/integration/memories-synology.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/tests/integration/memories-synology.test.ts b/server/tests/integration/memories-synology.test.ts
index a21690ee..3c7d0f22 100644
--- a/server/tests/integration/memories-synology.test.ts
+++ b/server/tests/integration/memories-synology.test.ts
@@ -57,10 +57,10 @@ vi.mock('../../src/utils/ssrfGuard', async () => {
       apiName = params.get('api') || '';
     } catch {}
     if (!apiName && init?.body) {
-      apiName = params.get('api') || '';
       params = init.body instanceof URLSearchParams
         ? init.body
         : new URLSearchParams(String(init.body));
+      apiName = params.get('api') || '';
     }
 
     // Auth login — used by settings save, status, test-connection