[#215] added server-side handlers for serving private files

2025-11-24 07:04:51 +02:00 · 2023-04-04 20:33:35 +03:00
parent 9f76ad234c
commit 64c3e3b3c5
21 changed files with 519 additions and 42 deletions
--- a/apis/file_test.go
+++ b/apis/file_test.go
@@ -8,9 +8,60 @@ import (
 	"runtime"
 	"testing"

+	"github.com/labstack/echo/v5"
+	"github.com/pocketbase/pocketbase/daos"
 	"github.com/pocketbase/pocketbase/tests"
+	"github.com/pocketbase/pocketbase/tools/types"
 )

+func TestFileToken(t *testing.T) {
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "unauthorized",
+			Method:          http.MethodPost,
+			Url:             "/api/files/token",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "auth record",
+			Method: http.MethodPost,
+			Url:    "/api/files/token",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsInR5cGUiOiJhdXRoUmVjb3JkIiwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwiZXhwIjoyMjA4OTg1MjYxfQ.UwD8JvkbQtXpymT09d7J6fdA0aP9g4FJ1GPh_ggEkzc",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"token":"`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnFileBeforeTokenRequest": 1,
+				"OnFileAfterTokenRequest":  1,
+			},
+		},
+		{
+			Name:   "admin",
+			Method: http.MethodPost,
+			Url:    "/api/files/token",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhZG1pbiIsImV4cCI6MjIwODk4NTI2MX0.M1m--VOqGyv0d23eeUc0r9xE8ZzHaYVmVFw1VZW6gT8",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"token":"`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnFileBeforeTokenRequest": 1,
+				"OnFileAfterTokenRequest":  1,
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
 func TestFileDownload(t *testing.T) {
 	_, currentFile, _, _ := runtime.Caller(0)
 	dataDirRelPath := "../tests/data/"
@@ -176,6 +227,125 @@ func TestFileDownload(t *testing.T) {
 				"OnFileDownloadRequest": 1,
 			},
 		},
+
+		// private file access checks
+		{
+			Name:            "private file - expired token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/_pb_users_auth_/oap640cot4yru2s/test_kfd2wYLxkz.txt?thumb=100x100",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{string(testFile)},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file - admin with expired file token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsImV4cCI6MTY0MDk5MTY2MSwidHlwZSI6ImFkbWluIn0.g7Q_3UX6H--JWJ7yt1Hoe-1ugTX1KpbKzdt0zjGSe-E",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:            "private file - admin with valid file token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsImV4cCI6MTg5MzQ1MjQ2MSwidHlwZSI6ImFkbWluIn0.LyAMpSfaHVsuUqIlqqEbhDQSdFzoPz_EIDcb2VJMBsU",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file - guest without view access",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "private file - guest with view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock public view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:   "private file - auth record without view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock restricted user view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("@request.auth.verified = true")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "private file - auth record with view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock user view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("@request.auth.verified = false")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file in view (view's View API rule failure)",
+			Method:          http.MethodGet,
+			Url:             "/api/files/view1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:            "private file in view (view's View API rule success)",
+			Method:          http.MethodGet,
+			Url:             "/api/files/view1/84nmscqy84lsi1t/test_d61b33QdDU.txt?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"test"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
 	}

 	for _, scenario := range scenarios {