fbc_uploader/backend/tests/test_download_url_security.py at 048676dc795ebb348541e3e7242ae8d221b087e4 · arabcoders/fbc_uploader · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
"""
Test that API responses don't expose admin API key in download URLs.
The frontend should append the API key when needed.
"""

import pytest
from fastapi import status
from httpx import ASGITransport, AsyncClient

from backend.app.config import settings
from backend.app.main import app
from backend.tests.utils import create_token, initiate_upload, upload_file_via_tus


@pytest.mark.asyncio
async def test_list_token_uploads_does_not_expose_api_key():
    """Test that list_token_uploads returns clean download URLs without API key."""
    transport = ASGITransport(app=app)
    async with AsyncClient(transport=transport, base_url="http://testserver") as client:
        token_data = await create_token(client)
        upload_data = await initiate_upload(
            client, token_data["token"], filename="test.txt", size_bytes=11, filetype="text/plain", meta_data={}
        )
        await upload_file_via_tus(client, upload_data["upload_id"], b"hello world", token_data["token"])

        # Get uploads list as admin
        response = await client.get(
            app.url_path_for("list_token_uploads", token_value=token_data["token"]),
            headers={"Authorization": f"Bearer {settings.admin_api_key}"},
        )
        assert response.status_code == status.HTTP_200_OK, "Should return uploads list"
        uploads = response.json()
        assert len(uploads) > 0, "Should have at least one upload"

        # Verify download_url does NOT contain api_key
        download_url = uploads[0]["download_url"]
        assert "api_key" not in download_url, "Download URL should not contain api_key"
        assert "?api_key=" not in download_url, "Download URL should not have api_key query param"


@pytest.mark.asyncio
async def test_get_file_info_does_not_expose_api_key():
    """Test that get_file_info returns clean download URLs without API key."""
    transport = ASGITransport(app=app)
    async with AsyncClient(transport=transport, base_url="http://testserver") as client:
        # Create token and upload a file
        token_data = await create_token(client)
        upload_data = await initiate_upload(
            client, token_data["token"], filename="test.txt", size_bytes=11, filetype="text/plain", meta_data={}
        )
        await upload_file_via_tus(client, upload_data["upload_id"], b"hello world", token_data["token"])

        response = await client.get(
            app.url_path_for(
                "get_file_info",
                download_token=token_data["download_token"],
                upload_id=upload_data["upload_id"],
            ),
            headers={"Authorization": f"Bearer {settings.admin_api_key}"},
        )
        assert response.status_code == status.HTTP_200_OK, "Should return file info"
        file_info = response.json()

        # Verify download_url does NOT contain api_key
        download_url = file_info["download_url"]
        assert "api_key" not in download_url, "Download URL should not contain api_key"
        assert "?api_key=" not in download_url, "Download URL should not have api_key query param"