Validate API request query (#4642)

* fix: refactor to accommodate authentication, transaction and pagination together into ctx.state * feat: allow passing response type to APIContext * feat: preliminary work for initial review * fix: use unknown for base types * fix: api/attachments * fix: api/documents * fix: jsdoc comment for input * fix: replace at() with index access for compatibility * fix: validation err message * fix: error handling * fix: remove unnecessary extend
2023-01-05 20:24:03 +05:30
parent 445d19f43e
commit b6141442b7
12 changed files with 297 additions and 192 deletions
--- a/server/routes/api/attachments/attachments.test.ts
+++ b/server/routes/api/attachments/attachments.test.ts
@@ -307,6 +307,24 @@ describe("#attachments.redirect", () => {
    expect(res.status).toEqual(302);
  });

+  it("should return a redirect for the attachment if id supplied via query params", async () => {
+    const user = await buildUser();
+    const attachment = await buildAttachment({
+      teamId: user.teamId,
+      userId: user.id,
+    });
+    const res = await server.post(
+      `/api/attachments.redirect?id=${attachment.id}`,
+      {
+        body: {
+          token: user.getJwtToken(),
+        },
+        redirect: "manual",
+      }
+    );
+    expect(res.status).toEqual(302);
+  });
+
  it("should return a redirect for an attachment belonging to a trashed document user has access to", async () => {
    const user = await buildUser();
    const collection = await buildCollection({
@@ -385,4 +403,16 @@ describe("#attachments.redirect", () => {
    });
    expect(res.status).toEqual(403);
  });
+
+  it("should fail in absence of id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/attachments.redirect", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id is required");
+  });
 });