fix: substitution of content when sending an image to a profile (#3869)

* fix: Limit public uploads to basic image types

* test

server/routes/api/attachments.test.ts

@@ -13,9 +13,46 @@ import { flushdb } from "@server/test/support";
 const app = webService();
 const server = new TestServer(app.callback());
 
+jest.mock("@server/utils/s3");
+
 beforeEach(() => flushdb());
 afterAll(() => server.close());
 
+describe("#attachments.create", () => {
+  it("should require authentication", async () => {
+    const res = await server.post("/api/attachments.create");
+    expect(res.status).toEqual(401);
+  });
+
+  it("should allow simple image upload for public attachments", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/attachments.create", {
+      body: {
+        name: "test.png",
+        contentType: "image/png",
+        size: 1000,
+        public: true,
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(200);
+  });
+
+  it("should not allow file upload for public attachments", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/attachments.create", {
+      body: {
+        name: "test.pdf",
+        contentType: "application/pdf",
+        size: 1000,
+        public: true,
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(400);
+  });
+});
+
 describe("#attachments.delete", () => {
   it("should require authentication", async () => {
     const res = await server.post("/api/attachments.delete");