Merge branch 'hikka-io:main' into docker-uvicorn

app/client/schemas.py

@@ -1,6 +1,7 @@
-from pydantic import Field, HttpUrl
+from pydantic import Field, HttpUrl, field_validator
 
 from app.schemas import CustomModel, ClientResponse, PaginationResponse
+from app import constants, utils
 
 
 class ClientFullResponse(ClientResponse):
@@ -15,31 +16,77 @@ class ClientPaginationResponse(CustomModel):
 
 class ClientCreate(CustomModel):
     name: str = Field(
-        examples=["ThirdPartyWatchlistImporter"], description="Client name"
+        examples=["ThirdPartyWatchlistImporter"],
+        description="Client name",
+        min_length=3,
+        max_length=constants.MAX_CLIENT_NAME_LENGTH,
     )
     description: str = Field(
         examples=["Client that imports watchlist from third-party services"],
         description="Short clear description of the client",
+        min_length=3,
+        max_length=constants.MAX_CLIENT_DESCRIPTION_LENGTH,
     )
     endpoint: HttpUrl = Field(
         examples=["https://example.com", "http://localhost/auth/confirm"],
         description="Endpoint of the client. "
         "User will be redirected to that endpoint after successful "
         "authorization",
+        max_length=constants.MAX_CLIENT_ENDPOINT_LENGTH,
     )
 
+    @field_validator("name", "description", mode="before")
+    def validate_name(cls, v: str) -> str:
+        if not isinstance(v, str):
+            return v
+
+        return utils.remove_bad_characters(v).strip()
+
+    @field_validator("endpoint")
+    def validate_endpoint(cls, v: HttpUrl) -> HttpUrl:
+        if len(str(v)) > constants.MAX_CLIENT_ENDPOINT_LENGTH:
+            raise ValueError(
+                f"Endpoint length should be less than {constants.MAX_CLIENT_ENDPOINT_LENGTH}"
+            )
+
+        return v
+
 
 class ClientUpdate(CustomModel):
     name: str | None = Field(
         None,
         description="Client name",
+        max_length=constants.MAX_CLIENT_NAME_LENGTH,
+        min_length=3,
     )
     description: str | None = Field(
         None,
         description="Short clear description of the client",
+        max_length=constants.MAX_CLIENT_DESCRIPTION_LENGTH,
+        min_length=3,
+    )
+    endpoint: HttpUrl | None = Field(
+        None,
+        description="Endpoint of the client",
+        max_length=constants.MAX_CLIENT_ENDPOINT_LENGTH,
     )
-    endpoint: HttpUrl | None = Field(None, description="Endpoint of the client")
     revoke_secret: bool = Field(
         False,
         description="Create new client secret and revoke previous",
     )
+
+    @field_validator("name", "description", mode="before")
+    def validate_name(cls, v: str) -> str:
+        if not isinstance(v, str):
+            return v
+
+        return utils.remove_bad_characters(v).strip()
+
+    @field_validator("endpoint")
+    def validate_endpoint(cls, v: HttpUrl | None) -> HttpUrl | None:
+        if len(str(v)) > constants.MAX_CLIENT_ENDPOINT_LENGTH:
+            raise ValueError(
+                f"Endpoint length should be less than {constants.MAX_CLIENT_ENDPOINT_LENGTH}"
+            )
+
+        return v

app/constants.py

@@ -101,6 +101,10 @@
 
 MAX_USER_CLIENTS = 10
 
+MAX_CLIENT_NAME_LENGTH = 128
+MAX_CLIENT_DESCRIPTION_LENGTH = 512
+MAX_CLIENT_ENDPOINT_LENGTH = 128
+
 # Meilisearch index names
 SEARCH_INDEX_CHARACTERS = "content_characters"
 SEARCH_INDEX_COMPANIES = "content_companies"
@@ -316,7 +320,7 @@
 ROLE_USER = "user"
 ROLE_MODERATOR = "moderator"
 ROLE_ADMIN = "admin"
-ROLE_BANNED = "banned"
+ROLE_RESTRICTED = "restricted"
 ROLE_NOT_ACTIVATED = "not_activated"
 ROLE_DELETED = "deleted"
 
@@ -390,7 +394,7 @@
         PERMISSION_UPLOAD_AVATAR,
         PERMISSION_UPLOAD_COVER,
     ],
-    ROLE_BANNED: [],
+    ROLE_RESTRICTED: [],
     ROLE_DELETED: [],
 }
 

tests/client/test_client_create.py

@@ -1,6 +1,7 @@
 from starlette import status
 
 from tests.client_requests import request_client_create
+from app import constants
 
 
 async def test_client_create(client, test_token, test_user):
@@ -51,3 +52,83 @@ async def test_client_create_double(client, test_token):
     )
     assert response.status_code == status.HTTP_400_BAD_REQUEST
     assert response.json()["code"] == "client:already_exists"
+
+
+async def test_too_long_fields(client, test_token):
+    error_message_format = "Invalid field {field} in request body"
+    error_code = "system:validation_error"
+
+    response = await request_client_create(
+        client,
+        test_token,
+        "a" * (constants.MAX_CLIENT_NAME_LENGTH + 1),
+        "description",
+        "http://localhost/",
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="name"
+    )
+
+    response = await request_client_create(
+        client,
+        test_token,
+        "name",
+        "a" * (constants.MAX_CLIENT_DESCRIPTION_LENGTH + 1),
+        "http://localhost/",
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="description"
+    )
+
+    response = await request_client_create(
+        client,
+        test_token,
+        "name",
+        "description",
+        "http://localhost/" + "a" * (constants.MAX_CLIENT_ENDPOINT_LENGTH + 1),
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="endpoint"
+    )
+
+
+async def test_too_short_fields(client, test_token):
+    error_message_format = "Invalid field {field} in request body"
+    error_code = "system:validation_error"
+
+    response = await request_client_create(
+        client,
+        test_token,
+        "a",
+        "description",
+        "http://localhost/",
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="name"
+    )
+
+    response = await request_client_create(
+        client,
+        test_token,
+        "name",
+        "a",
+        "http://localhost/",
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="description"
+    )

tests/client/test_client_update.py

@@ -3,6 +3,7 @@
 from starlette import status
 
 from tests.client_requests import request_client_create, request_client_update
+from app import constants
 
 
 async def test_client_update(client, test_token):
@@ -52,3 +53,95 @@ async def test_client_update_nonexistent(client, test_token):
     assert response.status_code == status.HTTP_404_NOT_FOUND
 
     assert response.json()["code"] == "client:not_found"
+
+
+async def test_too_long_fields(client, test_token):
+    error_message_format = "Invalid field {field} in request body"
+    error_code = "system:validation_error"
+
+    name = "test-client"
+    description = "test client description"
+    endpoint = "http://localhost/"
+
+    response = await request_client_create(
+        client, test_token, name, description, endpoint
+    )
+    assert response.status_code == status.HTTP_200_OK
+
+    client_reference = response.json()["reference"]
+
+    response = await request_client_update(
+        client,
+        test_token,
+        client_reference,
+        name="a" * (constants.MAX_CLIENT_NAME_LENGTH + 1),
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="name"
+    )
+
+    response = await request_client_update(
+        client,
+        test_token,
+        client_reference,
+        description="a" * (constants.MAX_CLIENT_DESCRIPTION_LENGTH + 1),
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="description"
+    )
+
+    response = await request_client_update(
+        client,
+        test_token,
+        client_reference,
+        endpoint="http://localhost/"
+        + "a" * (constants.MAX_CLIENT_ENDPOINT_LENGTH + 1),
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="endpoint"
+    )
+
+
+async def test_too_short_fields(client, test_token):
+    error_message_format = "Invalid field {field} in request body"
+    error_code = "system:validation_error"
+
+    name = "test-client"
+    description = "test client description"
+    endpoint = "http://localhost/"
+
+    response = await request_client_create(
+        client, test_token, name, description, endpoint
+    )
+    assert response.status_code == status.HTTP_200_OK
+
+    client_reference = response.json()["reference"]
+
+    response = await request_client_update(
+        client, test_token, client_reference, name="a"
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="name"
+    )
+
+    response = await request_client_update(
+        client, test_token, client_reference, description="a"
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    assert response.json()["code"] == error_code
+    assert response.json()["message"] == error_message_format.format(
+        field="description"
+    )

tests/comments/test_comments_write.py

@@ -115,3 +115,18 @@ async def test_comments_write_empty_markdown(
 
     assert response.status_code == status.HTTP_400_BAD_REQUEST
     assert response.json()["code"] == "system:validation_error"
+
+
+async def test_comments_write_bad_permission(
+    client,
+    aggregator_anime,
+    aggregator_anime_info,
+    create_dummy_user_restricted,
+    get_dummy_token,
+):
+    response = await request_comments_write(
+        client, get_dummy_token, "edit", "17", "First comment, yay!"
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert response.json()["code"] == "permission:denied"

tests/conftest.py

@@ -139,12 +139,12 @@ async def create_dummy_user(test_session):
 
 
 @pytest.fixture
-async def create_dummy_user_banned(test_session):
+async def create_dummy_user_restricted(test_session):
     return await helpers.create_user(
         test_session,
         username="dummy",
         email="[email protected]",
-        role=constants.ROLE_BANNED,
+        role=constants.ROLE_RESTRICTED,
     )
 
 

tests/edit/test_edit_close.py

@@ -99,7 +99,7 @@ async def test_edit_close_bad_permission(
     aggregator_anime,
     aggregator_anime_info,
     create_test_user,
-    create_dummy_user_banned,
+    create_dummy_user_restricted,
     get_test_token,
     get_dummy_token,
     test_session,

tests/edit/test_edit_create.py

@@ -149,7 +149,7 @@ async def test_edit_create_bad_permission(
     client,
     aggregator_anime,
     aggregator_anime_info,
-    create_dummy_user_banned,
+    create_dummy_user_restricted,
     get_dummy_token,
     test_session,
 ):

tests/upload/test_upload_avatar.py

@@ -31,7 +31,7 @@ async def test_upload_avatar(
 
 async def test_upload_avatar_bad_permission(
     client,
-    create_dummy_user_banned,
+    create_dummy_user_restricted,
     get_dummy_token,
     mock_s3_upload_file,
 ):

tests/upload/test_upload_cover.py

@@ -34,7 +34,7 @@ async def test_upload_cover(
 
 async def test_upload_cover_bad_permission(
     client,
-    create_dummy_user_banned,
+    create_dummy_user_restricted,
     get_dummy_token,
     mock_s3_upload_file,
 ):