k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7266ad99ae8a33b4e9d652be53772765948c6407
TREK/server/tests/e2e/share.e2e.test.ts
T
jubnl 3c040fab11 fix: miscellaneous bug fixes (#1139) 
* fix(share): serve place thumbnails in shared trip links (#1100)

Google-sourced place photos are stored as image_url pointing at the
JWT-guarded /api/maps/place-photo/:placeId/bytes endpoint, so they 401
for an unauthenticated shared-trip viewer and render as broken images.

Rewrite place image_url values in the shared payload to a public,
token-scoped proxy (/api/shared/:token/place-photo/:placeId/bytes) and
add an unguarded SharedController route that validates the token and that
the place belongs to its trip before streaming the cached bytes. Mirrors
the existing JourneyPublicController precedent. No client changes needed.

* fix(atlas): replace Natural Earth with geoBoundaries for up-to-date regions (#1119)

Atlas sourced country and sub-national boundaries from Natural Earth's GitHub
`master` at runtime. That data is stale (e.g. it still shows Norway's pre-2020
counties such as Oppland/Hordaland) and depicts some contested territory in
unwanted ways (nvkelso/natural-earth-vector#391), so Natural Earth is dropped
entirely.

- Country borders (admin0) now come from the geoBoundaries CGAZ composite;
  sub-national regions (admin1) from per-country gbOpen, which carries ISO 3166-2
  codes. A new script (server/scripts/build-atlas-geo.mjs) normalizes and quantizes
  them into committed gzipped bundles under server/assets/atlas, read server-side at
  runtime (no network at boot, no GitHub CSP allowlist entry).
- New GET /addons/atlas/countries/geo serves the country layer; the client fetches
  it from the API instead of GitHub.
- A migration reconciles manually-marked visited_regions against the new bundle
  (valid code -> keep; region name still matches -> re-code; curated merge crosswalk
  for renamed reforms; else leave intact), with UNIQUE-safe dedup. bucket_list and
  visited_countries hold only invariant alpha-2 country codes, so they are untouched.
- Attribution added (NOTICE.md + README) per geoBoundaries CC BY 4.0.

Closes #1119

* fix(packing): make templates admin-only to create, usable by members

Creating a packing-list template was gated only by trip access, so any
trip member could create one from the Lists feature, while applying a
template silently failed for non-admins because the apply dropdown was
populated from the AdminGuard-protected /api/admin/packing-templates
endpoint.

- save-as-template now returns 403 for non-admins; the Save-as-Template
  button is hidden unless the user is an admin (both the TripPlanner
  toolbar and the inline packing header).
- add member-accessible GET /api/trips/:tripId/packing/templates so the
  apply dropdown lists templates for any trip member; client fetches
  from it instead of the admin endpoint.

Closes #1120
Closes #1121

* fix(packing): show bag tracking to non-admin members

The global Bag Tracking toggle was only readable via the admin-gated
GET /api/admin/bag-tracking, so non-admin trip members got 403 and the
weight fields, bag circles, and BAGS sidebar never rendered (#1124).

Surface the flag through the already-authenticated GET /api/addons
(loaded into the client addon store on app start for every user); the
packing hook reads it from the store instead of the admin endpoint. The
admin write path stays admin-gated and unchanged.
2026-06-09 16:02:37 +02:00

138 lines
5.9 KiB
TypeScript
Raw Blame History

/**
* Share-link e2e — exercises the migrated /api/trips/:tripId/share-link and the
* public /api/shared/:token endpoints through the real JwtAuthGuard against a
* temp SQLite db. The share service + permission check are mocked; this focuses
* on auth, trip-access 404, permission 403, the create-201-vs-update-200 split
* and the unguarded public read.
*/
import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
import request from 'supertest';
import cookieParser from 'cookie-parser';
import os from 'node:os';
import path from 'node:path';
import fs from 'node:fs';
import type { Server } from 'http';
import { Test } from '@nestjs/testing';
import { seedUser, sessionCookie } from './harness';
const { db, canAccessTrip } = vi.hoisted(() => {
// eslint-disable-next-line @typescript-eslint/no-require-imports
const Database = require('better-sqlite3');
const tmp = new Database(':memory:');
tmp.exec('PRAGMA journal_mode = WAL');
tmp.exec(`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
email TEXT NOT NULL UNIQUE, role TEXT NOT NULL DEFAULT 'user', password_version INTEGER NOT NULL DEFAULT 0);`);
return { db: tmp, canAccessTrip: vi.fn() };
});
vi.mock('../../src/db/database', () => ({ db, canAccessTrip, closeDb: () => {}, reinitialize: () => {} }));
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn() }));
vi.mock('../../src/services/permissions', () => ({ checkPermission }));
const { shareSvc } = vi.hoisted(() => ({
shareSvc: { createOrUpdateShareLink: vi.fn(), getShareLink: vi.fn(), deleteShareLink: vi.fn(), getSharedTripData: vi.fn(), getSharedPlacePhotoPath: vi.fn() },
}));
vi.mock('../../src/services/shareService', () => shareSvc);
import { ShareModule } from '../../src/nest/share/share.module';
import { TrekExceptionFilter } from '../../src/nest/common/trek-exception.filter';
describe('Share-link e2e (real auth guard + temp SQLite)', () => {
let server: Server;
let app: Awaited<ReturnType<typeof build>>;
async function build() {
const moduleRef = await Test.createTestingModule({ imports: [ShareModule] }).compile();
const nest = moduleRef.createNestApplication();
nest.use(cookieParser());
nest.useGlobalFilters(new TrekExceptionFilter());
await nest.init();
return nest;
}
beforeAll(async () => {
seedUser(db as never, { id: 1 });
app = await build();
server = app.getHttpServer();
shareSvc.getSharedTripData.mockReturnValue({ trip: { id: 9 } });
});
beforeEach(() => {
canAccessTrip.mockReturnValue({ user_id: 1 });
checkPermission.mockReturnValue(true);
});
afterAll(async () => {
await app.close();
});
it('401 without a session cookie', async () => {
expect((await request(server).get('/api/trips/5/share-link')).status).toBe(401);
});
it('201 on first create, 200 on a subsequent update', async () => {
shareSvc.createOrUpdateShareLink.mockReturnValueOnce({ token: 't', created: true });
const created = await request(server).post('/api/trips/5/share-link').set('Cookie', sessionCookie(1)).send({ share_map: true });
expect(created.status).toBe(201);
expect(created.body).toEqual({ token: 't' });
shareSvc.createOrUpdateShareLink.mockReturnValueOnce({ token: 't', created: false });
const updated = await request(server).post('/api/trips/5/share-link').set('Cookie', sessionCookie(1)).send({});
expect(updated.status).toBe(200);
expect(updated.body).toEqual({ token: 't' });
});
it('403 without share_manage', async () => {
checkPermission.mockReturnValue(false);
const res = await request(server).post('/api/trips/5/share-link').set('Cookie', sessionCookie(1)).send({});
expect(res.status).toBe(403);
expect(res.body).toEqual({ error: 'No permission' });
});
it('404 when the trip is not accessible', async () => {
canAccessTrip.mockReturnValue(undefined);
const res = await request(server).get('/api/trips/5/share-link').set('Cookie', sessionCookie(1));
expect(res.status).toBe(404);
expect(res.body).toEqual({ error: 'Trip not found' });
});
it('public shared read is unguarded (200, no cookie)', async () => {
const res = await request(server).get('/api/shared/tok');
expect(res.status).toBe(200);
expect(res.body).toEqual({ trip: { id: 9 } });
});
it('public shared read 404 for an invalid token', async () => {
shareSvc.getSharedTripData.mockReturnValueOnce(null);
const res = await request(server).get('/api/shared/bad');
expect(res.status).toBe(404);
expect(res.body).toEqual({ error: 'Invalid or expired link' });
});
describe('public place-photo proxy (/api/shared/:token/place-photo/:placeId/bytes)', () => {
const photoFile = path.join(os.tmpdir(), 'trek-share-photo.e2e.jpg');
const photoBytes = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]); // JPEG-ish header
beforeAll(() => fs.writeFileSync(photoFile, photoBytes));
afterAll(() => { try { fs.unlinkSync(photoFile); } catch { /* ignore */ } });
it('streams cached bytes with no cookie (unguarded) for a valid token + place', async () => {
shareSvc.getSharedPlacePhotoPath.mockReturnValueOnce(photoFile);
const res = await request(server).get('/api/shared/tok/place-photo/ChIJabc/bytes');
expect(res.status).toBe(200);
expect(res.headers['content-type']).toContain('image/jpeg');
expect(res.headers['cache-control']).toContain('immutable');
expect(Buffer.from(res.body)).toEqual(photoBytes);
expect(shareSvc.getSharedPlacePhotoPath).toHaveBeenCalledWith('tok', 'ChIJabc');
});
it('404 when the token/place does not resolve to a cached photo', async () => {
shareSvc.getSharedPlacePhotoPath.mockReturnValueOnce(null);
const res = await request(server).get('/api/shared/bad/place-photo/ChIJabc/bytes');
expect(res.status).toBe(404);
expect(res.body).toEqual({ error: 'Photo not cached' });
});
});
});
Reference in New Issue View Git Blame Copy Permalink