Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(server): update user vs public user vs auth endpoints #9063

Closed
wants to merge 9 commits into from
Closed

refactor(server): update user vs public user vs auth endpoints #9063

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
cf18d2a
fix: restrict UserResponseDto
martabal Apr 24, 2024
e79ee7d
fix: tests
martabal Apr 24, 2024
c26ac1f
Merge branch 'main' into fix/restrict-userresponsedto
martabal Apr 24, 2024
c5bf0cf
pr feedback
martabal Apr 25, 2024
69de9c8
merge main
martabal Apr 25, 2024
812f2b4
fix: merge main
martabal Apr 25, 2024
3f2e91d
fix: tests
martabal Apr 25, 2024
304ee53
change endpoint
martabal Apr 25, 2024
23784ab
refactor: auth, user, and public user endpoints
jrasm91 Apr 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 3 additions & 1 deletion e2e/src/api/specs/asset.e2e-spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -852,7 +852,9 @@ describe('/asset', () => {
expect(body).toEqual({ id: expect.any(String), duplicate: false });
expect(status).toBe(201);

const { body: user } = await request(app).get('/user/me').set('Authorization', `Bearer ${quotaUser.accessToken}`);
const { body: user } = await request(app)
.get('/auth/user')
.set('Authorization', `Bearer ${quotaUser.accessToken}`);

expect(user).toEqual(expect.objectContaining({ quotaUsageInBytes: 70 }));
});
Expand Down
127 changes: 127 additions & 0 deletions e2e/src/api/specs/public-user.e2e-spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
import { LoginResponseDto, deleteUser, getUserById } from '@immich/sdk';
import { Socket } from 'socket.io-client';
import { createUserDto, userDto } from 'src/fixtures';
import { errorDto } from 'src/responses';
import { app, asBearerAuth, utils } from 'src/utils';
import request from 'supertest';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';

describe('/public-users', () => {
let websocket: Socket;

let admin: LoginResponseDto;
let deletedUser: LoginResponseDto;
let nonAdmin: LoginResponseDto;

beforeAll(async () => {
await utils.resetDatabase();
admin = await utils.adminSetup({ onboarding: false });

[websocket, deletedUser, nonAdmin] = await Promise.all([
utils.connectWebsocket(admin.accessToken),
utils.userSetup(admin.accessToken, createUserDto.user1),
utils.userSetup(admin.accessToken, createUserDto.user2),
]);

await deleteUser({ id: deletedUser.userId, deleteUserDto: {} }, { headers: asBearerAuth(admin.accessToken) });
});

afterAll(() => {
utils.disconnectWebsocket(websocket);
});

describe('PUT /user', () => {
it('should require authentication', async () => {
const { status, body } = await request(app).put(`/public-users`);
expect(status).toBe(401);

Check failure on line 36 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should require authentication 

AssertionError: expected 404 to be 401 // Object.is equality

- Expected
+ Received

- 401
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:36:22
expect(body).toEqual(errorDto.unauthorized);
});

for (const key of Object.keys(userDto.admin)) {
it(`should not allow null ${key}`, async () => {
const { status, body } = await request(app)
.put(`/public-users`)
.set('Authorization', `Bearer ${admin.accessToken}`)
.send({ ...userDto.admin, [key]: null });
expect(status).toBe(400);

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null name 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null email 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null password 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null storageLabel 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null oauthId 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null shouldChangePassword 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null profileImagePath 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null createdAt 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24

Check failure on line 46 in e2e/src/api/specs/public-user.e2e-spec.ts

View workflow job for this annotation

GitHub Actions / End-to-End Tests

src/api/specs/public-user.e2e-spec.ts > /public-users > PUT /user > should not allow null deletedAt 

AssertionError: expected 404 to be 400 // Object.is equality

- Expected
+ Received

- 400
+ 404

 ❯ src/api/specs/public-user.e2e-spec.ts:46:24
expect(body).toEqual(errorDto.badRequest());
});
}

it('should not allow a non-admin to become an admin', async () => {
const { status, body } = await request(app)
.put(`/public-users`)
.send({ isAdmin: true, id: nonAdmin.userId })
.set('Authorization', `Bearer ${admin.accessToken}`);

expect(status).toBe(400);
expect(body).toEqual(errorDto.alreadyHasAdmin);
});

it('ignores updates to profileImagePath', async () => {
const { status, body } = await request(app)
.put(`/public-users`)
.send({ id: admin.userId, profileImagePath: 'invalid.jpg' })
.set('Authorization', `Bearer ${admin.accessToken}`);

expect(status).toBe(200);
expect(body).toMatchObject({ id: admin.userId, profileImagePath: '' });
});

it('should ignore updates to createdAt, updatedAt and deletedAt', async () => {
const before = await getUserById({ id: admin.userId }, { headers: asBearerAuth(admin.accessToken) });

const { status, body } = await request(app)
.put(`/public-users`)
.send({
id: admin.userId,
createdAt: '2023-01-01T00:00:00.000Z',
updatedAt: '2023-01-01T00:00:00.000Z',
deletedAt: '2023-01-01T00:00:00.000Z',
})
.set('Authorization', `Bearer ${admin.accessToken}`);

expect(status).toBe(200);
expect(body).toStrictEqual(before);
});

it('should update first and last name', async () => {
const before = await getUserById({ id: admin.userId }, { headers: asBearerAuth(admin.accessToken) });

const { status, body } = await request(app)
.put(`/public-users`)
.send({
id: admin.userId,
name: 'Name',
})
.set('Authorization', `Bearer ${admin.accessToken}`);

expect(status).toBe(200);
expect(body).toEqual({
...before,
updatedAt: expect.any(String),
name: 'Name',
});
expect(before.updatedAt).not.toEqual(body.updatedAt);
});

it('should update memories enabled', async () => {
const before = await getUserById({ id: admin.userId }, { headers: asBearerAuth(admin.accessToken) });
const { status, body } = await request(app)
.put(`/public-users`)
.send({
id: admin.userId,
memoriesEnabled: false,
})
.set('Authorization', `Bearer ${admin.accessToken}`);

expect(status).toBe(200);
expect(body).toMatchObject({
...before,
updatedAt: expect.anything(),
memoriesEnabled: false,
});
expect(before.updatedAt).not.toEqual(body.updatedAt);
});
});
});