eBooru/test/functional/application_controller_test.rb

# frozen_string_literal: true

require "test_helper"

class ApplicationControllerTest < ActionDispatch::IntegrationTest
  context "The application controller" do
    should "return 406 Not Acceptable for a bad file extension" do
      get posts_path, params: { format: :jpg }
      assert_response 406

      get posts_path, params: { format: :blah }
      assert_response 406

      get post_path("bad.json")
      assert_response 404

      get post_path("bad.jpg")
      assert_response 406

      get post_path("bad.blah")
      assert_response 406
    end

    context "on a PaginationError" do
      should "return 410 Gone even with a bad file extension" do
        get posts_path, params: { page: 999999999 }, as: :json
        assert_response 410

        get posts_path, params: { page: 999999999 }, as: :jpg
        assert_response 410

        get posts_path, params: { page: 999999999 }, as: :blah
        assert_response 410
      end
    end

    context "on api authentication" do
      setup do
        @user = create(:user, password: "6cQE!wbA")
        @api_key = ApiKey.generate!(@user)

        ActionController::Base.allow_forgery_protection = true
      end

      teardown do
        ActionController::Base.allow_forgery_protection = false
      end

      context "using http basic auth" do
        should "succeed for api key matches" do
          basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:#{@api_key.key}")}"
          get edit_user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }
          assert_response :success
        end

        should "fail for api key mismatches" do
          basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:badpassword")}"
          get edit_user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }
          assert_response 401
        end

        should "succeed for non-GET requests without a CSRF token" do
          assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
            basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:#{@api_key.key}")}"
            put user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }, params: { user: { enable_safe_mode: "true" } }, as: :json
            assert_response :success
          end
        end
      end

      context "using the api_key parameter" do
        should "succeed for api key matches" do
          get edit_user_path(@user), params: { login: @user.name, api_key: @api_key.key }
          assert_response :success
        end

        should "fail for api key mismatches" do
          get edit_user_path(@user), params: { login: @user.name }
          assert_response 401

          get edit_user_path(@user), params: { api_key: @api_key.key }
          assert_response 401

          get edit_user_path(@user), params: { login: @user.name, api_key: "bad" }
          assert_response 401
        end

        should "succeed for non-GET requests without a CSRF token" do
          assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
            put user_path(@user), params: { login: @user.name, api_key: @api_key.key, user: { enable_safe_mode: "true" } }, as: :json
            assert_response :success
          end
        end
      end

      context "without any authentication" do
        should "redirect to the login page" do
          get edit_user_path(@user)
          assert_redirected_to new_session_path(url: edit_user_path(@user))
        end
      end

      context "with cookie-based authentication" do
        should "not allow non-GET requests without a CSRF token" do
          # get the csrf token from the login page so we can login
          get new_session_path
          assert_response :success
          token = css_select("form input[name=authenticity_token]").first["value"]

          # login
          post session_path, params: { authenticity_token: token, session: { name: @user.name, password: "6cQE!wbA" } }
          assert_redirected_to posts_path

          # try to submit a form with cookies but without the csrf token
          put user_path(@user), headers: { HTTP_COOKIE: headers["Set-Cookie"] }, params: { user: { enable_safe_mode: "true" } }
          assert_response 403
          assert_match(/ActionController::InvalidAuthenticityToken/, css_select("p").first.content)
          assert_equal(false, @user.reload.enable_safe_mode)
        end
      end
    end

    context "on session cookie authentication" do
      should "succeed" do
        user = create(:user, password: "6cQE!wbA")

        post session_path, params: { session: { name: user.name, password: "6cQE!wbA" } }
        get edit_user_path(user)

        assert_response :success
      end
    end

    context "when the api limit is exceeded" do
      should "fail with a 429 error" do
        user = create(:user)
        post = create(:post, rating: "s", uploader: user)
        UserThrottle.any_instance.stubs(:throttled?).returns(true)

        put_auth post_path(post), user, params: { post: { rating: "e" } }

        assert_response 429
        assert_equal("s", post.reload.rating)
      end
    end

    context "when the user has an invalid username" do
      setup do
        @user = build(:user, name: "12345")
        @user.save(validate: false)
      end

      should "redirect for html requests" do
        get_auth posts_path, @user, params: { format: :html }
        assert_redirected_to new_user_name_change_request_path
      end

      should "not redirect for json requests" do
        get_auth posts_path, @user, params: { format: :json }
        assert_response :success
      end
    end
  end
end
[RuboCop] Enable `Style/FrozenStringLiteralComment` This reduces allocations on the posts page by about 5%, from basic testing 2024-02-25 12:15:55 -05:00			`# frozen_string_literal: true`

application controller: fix bad file extension errors. Fix requests with bad file extensions not always returning errors correctly: * https://danbooru.donmai.us/posts.jpg * https://danbooru.donmai.us/posts.blah * https://danbooru.donmai.us/posts/bad.jpg * https://danbooru.donmai.us/posts/bad.blah 2019-08-08 23:16:39 -04:00			`require "test_helper"`

			`class ApplicationControllerTest < ActionDispatch::IntegrationTest`
			`context "The application controller" do`
			`should "return 406 Not Acceptable for a bad file extension" do`
			`get posts_path, params: { format: :jpg }`
			`assert_response 406`

			`get posts_path, params: { format: :blah }`
			`assert_response 406`

[Misc] Return 406 for 404 requests with invalid format 2022-09-17 11:17:29 -04:00			`get post_path("bad.json")`
			`assert_response 404`
application controller: fix bad file extension errors. Fix requests with bad file extensions not always returning errors correctly: * https://danbooru.donmai.us/posts.jpg * https://danbooru.donmai.us/posts.blah * https://danbooru.donmai.us/posts/bad.jpg * https://danbooru.donmai.us/posts/bad.blah 2019-08-08 23:16:39 -04:00
[Misc] Return 406 for 404 requests with invalid format 2022-09-17 11:17:29 -04:00			`get post_path("bad.jpg")`
			`assert_response 406`
application controller: fix bad file extension errors. Fix requests with bad file extensions not always returning errors correctly: * https://danbooru.donmai.us/posts.jpg * https://danbooru.donmai.us/posts.blah * https://danbooru.donmai.us/posts/bad.jpg * https://danbooru.donmai.us/posts/bad.blah 2019-08-08 23:16:39 -04:00
[Misc] Return 406 for 404 requests with invalid format 2022-09-17 11:17:29 -04:00			`get post_path("bad.blah")`
			`assert_response 406`
application controller: fix bad file extension errors. Fix requests with bad file extensions not always returning errors correctly: * https://danbooru.donmai.us/posts.jpg * https://danbooru.donmai.us/posts.blah * https://danbooru.donmai.us/posts/bad.jpg * https://danbooru.donmai.us/posts/bad.blah 2019-08-08 23:16:39 -04:00			`end`

			`context "on a PaginationError" do`
			`should "return 410 Gone even with a bad file extension" do`
			`get posts_path, params: { page: 999999999 }, as: :json`
			`assert_response 410`

			`get posts_path, params: { page: 999999999 }, as: :jpg`
			`assert_response 410`

			`get posts_path, params: { page: 999999999 }, as: :blah`
			`assert_response 410`
			`end`
			`end`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00
			`context "on api authentication" do`
			`setup do`
[Users] Rework login pages and increase password requirements (#825) 2024-12-14 20:37:53 -05:00			`@user = create(:user, password: "6cQE!wbA")`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`@api_key = ApiKey.generate!(@user)`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00
			`ActionController::Base.allow_forgery_protection = true`
			`end`

			`teardown do`
			`ActionController::Base.allow_forgery_protection = false`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`end`

			`context "using http basic auth" do`
			`should "succeed for api key matches" do`
			`basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:#{@api_key.key}")}"`
			`get edit_user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }`
			`assert_response :success`
			`end`

			`should "fail for api key mismatches" do`
			`basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:badpassword")}"`
			`get edit_user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }`
			`assert_response 401`
			`end`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00
			`should "succeed for non-GET requests without a CSRF token" do`
			`assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do`
			`basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:#{@api_key.key}")}"`
			`put user_path(@user), headers: { HTTP_AUTHORIZATION: basic_auth_string }, params: { user: { enable_safe_mode: "true" } }, as: :json`
			`assert_response :success`
			`end`
			`end`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`end`

			`context "using the api_key parameter" do`
			`should "succeed for api key matches" do`
			`get edit_user_path(@user), params: { login: @user.name, api_key: @api_key.key }`
			`assert_response :success`
			`end`

			`should "fail for api key mismatches" do`
			`get edit_user_path(@user), params: { login: @user.name }`
			`assert_response 401`

			`get edit_user_path(@user), params: { api_key: @api_key.key }`
			`assert_response 401`

			`get edit_user_path(@user), params: { login: @user.name, api_key: "bad" }`
			`assert_response 401`
			`end`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00
			`should "succeed for non-GET requests without a CSRF token" do`
			`assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do`
			`put user_path(@user), params: { login: @user.name, api_key: @api_key.key, user: { enable_safe_mode: "true" } }, as: :json`
			`assert_response :success`
			`end`
			`end`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`end`

			`context "without any authentication" do`
			`should "redirect to the login page" do`
			`get edit_user_path(@user)`
			`assert_redirected_to new_session_path(url: edit_user_path(@user))`
			`end`
			`end`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00
			`context "with cookie-based authentication" do`
			`should "not allow non-GET requests without a CSRF token" do`
			`# get the csrf token from the login page so we can login`
			`get new_session_path`
			`assert_response :success`
			`token = css_select("form input[name=authenticity_token]").first["value"]`

			`# login`
[Users] Consolidate password confirmation into singular route (#813) 2024-12-18 09:02:02 -05:00			`post session_path, params: { authenticity_token: token, session: { name: @user.name, password: "6cQE!wbA" } }`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00			`assert_redirected_to posts_path`

			`# try to submit a form with cookies but without the csrf token`
			`put user_path(@user), headers: { HTTP_COOKIE: headers["Set-Cookie"] }, params: { user: { enable_safe_mode: "true" } }`
			`assert_response 403`
[Misc] Show a better error message when not authorized This previously just showed that an unexpected error occured which isn't very helpful. See #509 2023-05-07 09:00:26 -04:00			`assert_match(/ActionController::InvalidAuthenticityToken/, css_select("p").first.content)`
api: disable csrf protection for api requests. Fixes POST/PUT API requests failing with InvalidAuthenticityToken errors due to missing CSRF tokens. CSRF protection is only necessary for cookie-based authentication. For non-cookie-based authentication we can safely disable it. That is, if the user is already passing their login + api_key, then we don't need to additionally verify the request with a CSRF token. ref: https://github.com/r888888888/danbooru/commit/2e407fa47680eb05b91d20440d498b6a204bf307#comments 2019-08-24 23:55:35 -04:00			`assert_equal(false, @user.reload.enable_safe_mode)`
			`end`
			`end`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`end`

			`context "on session cookie authentication" do`
			`should "succeed" do`
[Users] Rework login pages and increase password requirements (#825) 2024-12-14 20:37:53 -05:00			`user = create(:user, password: "6cQE!wbA")`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00
[Users] Consolidate password confirmation into singular route (#813) 2024-12-18 09:02:02 -05:00			`post session_path, params: { session: { name: user.name, password: "6cQE!wbA" } }`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00			`get edit_user_path(user)`

			`assert_response :success`
			`end`
			`end`

			`context "when the api limit is exceeded" do`
			`should "fail with a 429 error" do`
			`user = create(:user)`
Fix up users being broken in tests and fix a few basic tests 2019-09-09 14:49:47 -04:00			`post = create(:post, rating: "s", uploader: user)`
			`UserThrottle.any_instance.stubs(:throttled?).returns(true)`
tests: move authentication tests out of post tests. 2019-08-24 23:55:35 -04:00
			`put_auth post_path(post), user, params: { post: { rating: "e" } }`

			`assert_response 429`
			`assert_equal("s", post.reload.rating)`
			`end`
			`end`
[Users] Redirect to name changes when name is invalid The more or less unintrusive message has been there for a few months now. Start forcing a name change when accessing through a browser, ignore api for now 2024-04-05 11:33:09 -04:00
			`context "when the user has an invalid username" do`
			`setup do`
			`@user = build(:user, name: "12345")`
			`@user.save(validate: false)`
			`end`

			`should "redirect for html requests" do`
			`get_auth posts_path, @user, params: { format: :html }`
			`assert_redirected_to new_user_name_change_request_path`
			`end`

			`should "not redirect for json requests" do`
			`get_auth posts_path, @user, params: { format: :json }`
			`assert_response :success`
			`end`
			`end`
application controller: fix bad file extension errors. Fix requests with bad file extensions not always returning errors correctly: * https://danbooru.donmai.us/posts.jpg * https://danbooru.donmai.us/posts.blah * https://danbooru.donmai.us/posts/bad.jpg * https://danbooru.donmai.us/posts/bad.blah 2019-08-08 23:16:39 -04:00			`end`
			`end`