agatha
61d923d5be
Short IDs become the canonical identifier in URLs (/i/:short_id), MinIO/R2 storage keys, and all API responses. Hash-based deduplication is preserved. Includes two-phase Alembic migration (003 adds nullable column, 004 enforces NOT NULL) with a backfill script to copy storage objects and populate short_id for existing images. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
71 lines
2.1 KiB
Python
71 lines
2.1 KiB
Python
"""
|
|
US3 regression tests: all read endpoints must remain accessible without a token
|
|
even after require_auth is applied to write endpoints.
|
|
"""
|
|
import io
|
|
|
|
import pytest
|
|
|
|
|
|
def _minimal_jpeg() -> bytes:
|
|
return (
|
|
b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x03"
|
|
b"\xff\xd9"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_list_images_without_token_is_200(authed_client):
|
|
client, _ = authed_client
|
|
response = await client.get("/api/v1/images")
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_image_without_token_is_200(authed_client):
|
|
client, token = authed_client
|
|
data = _minimal_jpeg()
|
|
upload = await client.post(
|
|
"/api/v1/images",
|
|
files={"file": ("pub-test.jpg", io.BytesIO(data), "image/jpeg")},
|
|
headers={"Authorization": f"Bearer {token}"},
|
|
)
|
|
image_id = upload.json()["short_id"]
|
|
response = await client.get(f"/api/v1/i/{image_id}")
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_serve_file_without_token_is_200(authed_client):
|
|
client, token = authed_client
|
|
data = _minimal_jpeg()
|
|
upload = await client.post(
|
|
"/api/v1/images",
|
|
files={"file": ("pub-file.jpg", io.BytesIO(data), "image/jpeg")},
|
|
headers={"Authorization": f"Bearer {token}"},
|
|
)
|
|
image_id = upload.json()["short_id"]
|
|
response = await client.get(f"/api/v1/i/{image_id}/file")
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_serve_thumbnail_without_token_is_200(authed_client):
|
|
client, token = authed_client
|
|
data = _minimal_jpeg()
|
|
upload = await client.post(
|
|
"/api/v1/images",
|
|
files={"file": ("pub-thumb.jpg", io.BytesIO(data), "image/jpeg")},
|
|
headers={"Authorization": f"Bearer {token}"},
|
|
)
|
|
image_id = upload.json()["short_id"]
|
|
response = await client.get(f"/api/v1/i/{image_id}/thumbnail")
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_list_tags_without_token_is_200(authed_client):
|
|
client, _ = authed_client
|
|
response = await client.get("/api/v1/tags")
|
|
assert response.status_code == 200
|