Files
minstrel/internal/api/client_assets_test.go
bvandeusen 154f415f92 fix(server,web): auth-gate client APK + version endpoints + per-user rate limit (#397)
Closes the bandwidth-abuse vector on the in-app update flow. Both
endpoints now sit inside the authed.Group; APK additionally gets a
60s/user rate limit to suppress accidental hammering or scripted
abuse.

### Server

- internal/api/client_assets.go:
  - clientAPKAllowDownload(): in-memory map[userID]time.Time under
    a mutex. Returns 0 (allow) or wait duration (block).
  - handleClientAPK reads user from context, checks the limit,
    returns 429 + Retry-After header if blocked.
  - testResetClientAPKRateLimit() lets tests start clean.
- internal/api/api.go: routes moved from the root /api group into
  the authed.Group block (alongside /quarantine, /requests, etc.).
- Tests: added TestClientAPK_401WhenUnauthenticated and
  TestClientAPK_RateLimit_429OnRapidSecondCall (also verifies
  different user gets a fresh slot). Existing tests updated to use
  authedRequest() helper.

### Web

- MobileAppDownload.svelte: switched from bare fetch (no credentials)
  to api.get<>() which carries the session cookie. 404 / 401 /
  network errors all silently hide the download row.
- Removed the login-page mount entirely — pre-auth surfaces should
  never show this. Settings → Mobile app section keeps it for
  logged-in users.

Flutter unaffected: dio's Bearer interceptor already attaches the
token, and the polling only fires once the post-login shell mounts
the banner widget.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 20:28:27 -04:00

191 lines
6.4 KiB
Go

package api
import (
"context"
"encoding/json"
"io"
"log/slog"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"testing"
"github.com/jackc/pgx/v5/pgtype"
"git.fabledsword.com/bvandeusen/minstrel/internal/auth"
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
)
// authedRequest builds a request with a fake user in context, mirroring
// what the auth.RequireUser middleware injects in production.
// userIDByte fills every byte of the user's UUID, so two requests with
// different userIDByte values get distinct rate-limit slots.
func authedRequest(method, path string, userIDByte byte) *http.Request {
user := dbq.User{
ID: pgtype.UUID{
Bytes: [16]byte{userIDByte, userIDByte, userIDByte, userIDByte,
userIDByte, userIDByte, userIDByte, userIDByte,
userIDByte, userIDByte, userIDByte, userIDByte,
userIDByte, userIDByte, userIDByte, userIDByte},
Valid: true,
},
Username: "tester",
}
r := httptest.NewRequest(method, path, nil)
ctx := context.WithValue(r.Context(), auth.UserCtxKeyForTest(), user)
return r.WithContext(ctx)
}
// withClientAPKDir points the handlers at a fresh temp dir for each
// test and restores the env var on cleanup. Returns the dir.
func withClientAPKDir(t *testing.T) string {
t.Helper()
dir := t.TempDir()
prev, hadPrev := os.LookupEnv("MINSTREL_CLIENT_APK_DIR")
t.Setenv("MINSTREL_CLIENT_APK_DIR", dir)
t.Cleanup(func() {
if hadPrev {
t.Setenv("MINSTREL_CLIENT_APK_DIR", prev)
}
// t.Setenv auto-restores the prior empty/unset state at end of
// test, so the !hadPrev branch needs no explicit Unsetenv.
})
return dir
}
func TestClientVersion_404WhenNoAPK(t *testing.T) {
withClientAPKDir(t)
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
h.handleClientVersion(rr, httptest.NewRequest(http.MethodGet, "/api/client/version", nil))
if rr.Code != http.StatusNotFound {
t.Errorf("want 404, got %d", rr.Code)
}
}
func TestClientVersion_404WhenAPKButNoVersion(t *testing.T) {
dir := withClientAPKDir(t)
if err := os.WriteFile(filepath.Join(dir, clientAPKFilename), []byte("fake apk"), 0o644); err != nil {
t.Fatal(err)
}
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
h.handleClientVersion(rr, httptest.NewRequest(http.MethodGet, "/api/client/version", nil))
if rr.Code != http.StatusNotFound {
t.Errorf("want 404, got %d", rr.Code)
}
}
func TestClientVersion_200WithBothFiles(t *testing.T) {
dir := withClientAPKDir(t)
body := []byte("fake apk content")
if err := os.WriteFile(filepath.Join(dir, clientAPKFilename), body, 0o644); err != nil {
t.Fatal(err)
}
if err := os.WriteFile(filepath.Join(dir, clientVersionFile), []byte("v2026.05.10\n"), 0o644); err != nil {
t.Fatal(err)
}
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
h.handleClientVersion(rr, httptest.NewRequest(http.MethodGet, "/api/client/version", nil))
if rr.Code != http.StatusOK {
t.Fatalf("want 200, got %d (body: %s)", rr.Code, rr.Body.String())
}
var resp clientVersionResponse
if err := json.Unmarshal(rr.Body.Bytes(), &resp); err != nil {
t.Fatal(err)
}
if resp.Version != "v2026.05.10" {
t.Errorf("version: want trimmed v2026.05.10, got %q", resp.Version)
}
if resp.APKURL != "/api/client/apk" {
t.Errorf("apk_url: want /api/client/apk, got %q", resp.APKURL)
}
if resp.SizeBytes != int64(len(body)) {
t.Errorf("size_bytes: want %d, got %d", len(body), resp.SizeBytes)
}
}
func TestClientAPK_401WhenUnauthenticated(t *testing.T) {
withClientAPKDir(t)
testResetClientAPKRateLimit()
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
// No user in context — middleware would block in prod; handler also
// rejects defensively in case the route ever lands outside the
// authed group by accident.
h.handleClientAPK(rr, httptest.NewRequest(http.MethodGet, "/api/client/apk", nil))
if rr.Code != http.StatusUnauthorized {
t.Errorf("want 401, got %d", rr.Code)
}
}
func TestClientAPK_404WhenMissing(t *testing.T) {
withClientAPKDir(t)
testResetClientAPKRateLimit()
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
h.handleClientAPK(rr, authedRequest(http.MethodGet, "/api/client/apk", 0x01))
if rr.Code != http.StatusNotFound {
t.Errorf("want 404, got %d", rr.Code)
}
}
func TestClientAPK_StreamsWithCorrectContentType(t *testing.T) {
dir := withClientAPKDir(t)
testResetClientAPKRateLimit()
body := []byte("PK\x03\x04 fake apk bytes")
if err := os.WriteFile(filepath.Join(dir, clientAPKFilename), body, 0o644); err != nil {
t.Fatal(err)
}
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
rr := httptest.NewRecorder()
h.handleClientAPK(rr, authedRequest(http.MethodGet, "/api/client/apk", 0x02))
if rr.Code != http.StatusOK {
t.Fatalf("want 200, got %d", rr.Code)
}
if got := rr.Header().Get("Content-Type"); got != "application/vnd.android.package-archive" {
t.Errorf("Content-Type: want application/vnd.android.package-archive, got %q", got)
}
if rr.Body.Len() != len(body) {
t.Errorf("body length: want %d, got %d", len(body), rr.Body.Len())
}
if got := rr.Body.Bytes(); string(got) != string(body) {
t.Errorf("body bytes mismatch")
}
}
func TestClientAPK_RateLimit_429OnRapidSecondCall(t *testing.T) {
dir := withClientAPKDir(t)
testResetClientAPKRateLimit()
if err := os.WriteFile(filepath.Join(dir, clientAPKFilename), []byte("apk"), 0o644); err != nil {
t.Fatal(err)
}
h := &handlers{logger: slog.New(slog.NewTextHandler(io.Discard, nil))}
// First call from user 0x03 — succeeds.
rr1 := httptest.NewRecorder()
h.handleClientAPK(rr1, authedRequest(http.MethodGet, "/api/client/apk", 0x03))
if rr1.Code != http.StatusOK {
t.Fatalf("first call: want 200, got %d", rr1.Code)
}
// Immediate second call from same user — rate-limited.
rr2 := httptest.NewRecorder()
h.handleClientAPK(rr2, authedRequest(http.MethodGet, "/api/client/apk", 0x03))
if rr2.Code != http.StatusTooManyRequests {
t.Fatalf("second call: want 429, got %d", rr2.Code)
}
if got := rr2.Header().Get("Retry-After"); got == "" {
t.Errorf("expected Retry-After header on 429 response")
}
// Different user — not rate-limited.
rr3 := httptest.NewRecorder()
h.handleClientAPK(rr3, authedRequest(http.MethodGet, "/api/client/apk", 0x04))
if rr3.Code != http.StatusOK {
t.Errorf("different user: want 200, got %d", rr3.Code)
}
}