ci: Integrate getAppConfig into remaining tests

api/server/middleware/spec/validateImages.spec.js

@@ -1,13 +1,18 @@
 const jwt = require('jsonwebtoken');
 const validateImageRequest = require('~/server/middleware/validateImageRequest');
 
+jest.mock('~/server/services/Config/getAppConfig', () => ({
+  getAppConfig: jest.fn(),
+}));
+
 describe('validateImageRequest middleware', () => {
   let req, res, next;
   const validObjectId = '65cfb246f7ecadb8b1e8036b';
+  const { getAppConfig } = require('~/server/services/Config/getAppConfig');
 
   beforeEach(() => {
+    jest.clearAllMocks();
     req = {
-      app: { locals: { secureImageLinks: true } },
       headers: {},
       originalUrl: '',
     };
@@ -17,79 +22,86 @@ describe('validateImageRequest middleware', () => {
     };
     next = jest.fn();
     process.env.JWT_REFRESH_SECRET = 'test-secret';
+
+    // Mock getAppConfig to return secureImageLinks: true by default
+    getAppConfig.mockResolvedValue({
+      secureImageLinks: true,
+    });
   });
 
   afterEach(() => {
     jest.clearAllMocks();
   });
 
-  test('should call next() if secureImageLinks is false', () => {
-    req.app.locals.secureImageLinks = false;
-    validateImageRequest(req, res, next);
+  test('should call next() if secureImageLinks is false', async () => {
+    getAppConfig.mockResolvedValue({
+      secureImageLinks: false,
+    });
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 
-  test('should return 401 if refresh token is not provided', () => {
-    validateImageRequest(req, res, next);
+  test('should return 401 if refresh token is not provided', async () => {
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(401);
     expect(res.send).toHaveBeenCalledWith('Unauthorized');
   });
 
-  test('should return 403 if refresh token is invalid', () => {
+  test('should return 403 if refresh token is invalid', async () => {
     req.headers.cookie = 'refreshToken=invalid-token';
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should return 403 if refresh token is expired', () => {
+  test('should return 403 if refresh token is expired', async () => {
     const expiredToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) - 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${expiredToken}`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should call next() for valid image path', () => {
+  test('should call next() for valid image path', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = `/images/${validObjectId}/example.jpg`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 
-  test('should return 403 for invalid image path', () => {
+  test('should return 403 for invalid image path', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = '/images/65cfb246f7ecadb8b1e8036c/example.jpg'; // Different ObjectId
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should return 403 for invalid ObjectId format', () => {
+  test('should return 403 for invalid ObjectId format', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = '/images/123/example.jpg'; // Invalid ObjectId
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
   // File traversal tests
-  test('should prevent file traversal attempts', () => {
+  test('should prevent file traversal attempts', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
@@ -103,23 +115,23 @@ describe('validateImageRequest middleware', () => {
       `/images/${validObjectId}/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd`,
     ];
 
-    traversalAttempts.forEach((attempt) => {
+    for (const attempt of traversalAttempts) {
       req.originalUrl = attempt;
-      validateImageRequest(req, res, next);
+      await validateImageRequest(req, res, next);
       expect(res.status).toHaveBeenCalledWith(403);
       expect(res.send).toHaveBeenCalledWith('Access Denied');
       jest.clearAllMocks();
-    });
+    }
   });
 
-  test('should handle URL encoded characters in valid paths', () => {
+  test('should handle URL encoded characters in valid paths', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = `/images/${validObjectId}/image%20with%20spaces.jpg`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 });