Server: Fixed error handling when no session is provided

packages/server/src/middleware/routeHandler.ts

@@ -16,10 +16,14 @@ export default async function(ctx: AppContext) {
 			let responseObject = null;
 
 			const routeHandler = match.route.findEndPoint(ctx.request.method as HttpMethod, match.subPath.schema);
-			responseObject = await routeHandler(match.subPath, ctx);
 
+			// This is a generic catch-all for all private end points - if we
+			// couldn't get a valid session, we exit now. Individual end points
+			// might have additional permission checks depending on the action.
 			if (!match.route.public && !ctx.owner) throw new ErrorForbidden();
 
+			responseObject = await routeHandler(match.subPath, ctx);
+
 			if (responseObject instanceof Response) {
 				ctx.response = responseObject.response;
 			} else if (isView(responseObject)) {

packages/server/src/routes/api/files.test.ts

@@ -416,4 +416,9 @@ describe('api_files', function() {
 		expect(page3.items.length).toBe(0);
 	});
 
+	test('should not allow creating file without auth', async function() {
+		const context = await putFileContentContext('', 'root:/photo.jpg:', testFilePath());
+		expect(context.response.status).toBe(ErrorForbidden.httpCode);
+	});
+
 });

packages/server/src/utils/testing/apiUtils.ts

@@ -15,7 +15,7 @@ import { AppContext } from '../types';
 import { koaAppContext } from './testUtils';
 
 export function checkContextError(context: AppContext) {
-	if (context.response.status >= 400) throw new Error(`Cannot create directory: ${JSON.stringify(context.response)}`);
+	if (context.response.status >= 400) throw new Error(JSON.stringify(context.response));
 }
 
 export async function getFileMetadataContext(sessionId: string, path: string): Promise<AppContext> {