fix: upload and auth endpoints are mounted for all collections (#11231)

This PR ensures, that collections that don't have `auth: true` don't mount authentication related endpoints like `/me`, the same for uploads. Additionally, moves upload-related endpoints to `uploads/endpoints/*`.
2025-02-17 21:11:40 +02:00
parent 3229b9a4a6
commit 749962a1db
6 changed files with 101 additions and 16 deletions
--- a/test/collections-rest/int.spec.ts
+++ b/test/collections-rest/int.spec.ts
@@ -17,8 +17,8 @@ import {
  errorOnHookSlug,
  methods,
  pointSlug,
-  relationSlug,
  postsSlug,
+  relationSlug,
 } from './config.js'

 const filename = fileURLToPath(import.meta.url)
@@ -1454,7 +1454,7 @@ describe('collections-rest', () => {
          for (let i = 0; i < 10; i++) {
            await createPost({
              number: i,
-              relationField: relatedDoc.id as string,
+              relationField: relatedDoc.id,
              title: 'paginate-test',
            })
          }
@@ -1733,6 +1733,73 @@ describe('collections-rest', () => {
      }
    })
  })
+
+  it('should not mount auth endpoints for collection without auth', async () => {
+    const authEndpoints = [
+      {
+        method: 'post',
+        path: '/forgot-password',
+      },
+      {
+        method: 'post',
+        path: '/login',
+      },
+      {
+        method: 'post',
+        path: '/logout',
+      },
+      {
+        method: 'post',
+        path: '/refresh-token',
+      },
+      {
+        method: 'post',
+        path: '/first-register',
+      },
+      {
+        method: 'post',
+        path: '/reset-password',
+      },
+      {
+        method: 'post',
+        path: '/unlock',
+      },
+    ]
+
+    for (const endpoint of authEndpoints) {
+      const result = await restClient[endpoint.method.toUpperCase()](
+        `/${endpointsSlug}${endpoint.path}`,
+      )
+
+      expect(result.status).toBe(404)
+      const json = await result.json()
+
+      expect(json.message.startsWith('Route not found')).toBeTruthy()
+    }
+  })
+
+  it('should not mount upload endpoints for collection without auth', async () => {
+    const uploadEndpoints = [
+      {
+        method: 'get',
+        path: '/paste-url/some-id',
+      },
+      {
+        method: 'get',
+        path: '/file/some-filename.png',
+      },
+    ]
+
+    for (const endpoint of uploadEndpoints) {
+      const result = await restClient[endpoint.method.toUpperCase()](
+        `/${endpointsSlug}${endpoint.path}`,
+      )
+
+      expect(result.status).toBe(404)
+
+      expect((await result.json()).message.startsWith('Route not found')).toBeTruthy()
+    }
+  })
 })

 async function createPost(overrides?: Partial<Post>) {