GenarrativeAI/Genarrative
6
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: 支持创作入口公告配置

Browse Source
This commit is contained in:
kdletters
2026-06-03 03:31:45 +08:00
parent 1cb11bc1dd
commit 70ff18ad90
52 changed files with 3045 additions and 504 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
server-rs/crates/api-server/src/app.rs
View File

@@ -518,6 +518,40 @@ mod tests {
.to_string()
}
/// 中文注释:后台路由测试通过真实登录流程取 token避免绕过鉴权中间件。
async fn read_admin_access_token(app: Router) -> String {
let response = app
.oneshot(
Request::builder()
.method("POST")
.uri("/admin/api/login")
.header("content-type", "application/json")
.body(Body::from(
serde_json::json!({
"username": "root",
"password": "secret123"
})
.to_string(),
))
.expect("admin login request should build"),
)
.await
.expect("admin login request should succeed");
let body = response
.into_body()
.collect()
.await
.expect("admin login body should collect")
.to_bytes();
let payload: Value =
serde_json::from_slice(&body).expect("admin login payload should be json");
payload["token"]
.as_str()
.expect("admin token should exist")
.to_string()
}
async fn password_login_request(
app: Router,
phone_number: &str,
@@ -3980,6 +4014,91 @@ mod tests {
assert_eq!(response.status(), StatusCode::FORBIDDEN);
}
/// 中文注释:验证入口公告表单提交的 HTML 会保存进独立公告配置。
#[tokio::test]
async fn admin_creation_entry_banners_route_saves_html_form_payload() {
let mut config = AppConfig::default();
config.admin_username = Some("root".to_string());
config.admin_password = Some("secret123".to_string());
let app = build_router(AppState::new(config).expect("state should build"));
let admin_token = read_admin_access_token(app.clone()).await;
let response = app
.oneshot(
Request::builder()
.method("POST")
.uri("/admin/api/creation-entry/config/banners")
.header("authorization", format!("Bearer {admin_token}"))
.header("content-type", "application/json")
.body(Body::from(
serde_json::json!({
"eventBannersJson": serde_json::json!([
{
"title": "后台表单公告",
"htmlCode": "<section>入口公告 HTML</section>"
}
]).to_string()
})
.to_string(),
))
.expect("banners request should build"),
)
.await
.expect("banners request should succeed");
assert_eq!(response.status(), StatusCode::OK);
let body = response
.into_body()
.collect()
.await
.expect("banners body should collect")
.to_bytes();
let payload: Value =
serde_json::from_slice(&body).expect("banners payload should be json");
assert_eq!(payload["eventBanners"][0]["title"], "后台表单公告");
assert_eq!(payload["eventBanners"][0]["renderMode"], "html");
assert_eq!(
payload["eventBanners"][0]["htmlCode"],
"<section>入口公告 HTML</section>"
);
}
/// 中文注释:验证入口公告拒绝可执行脚本,避免后台配置变成不受控注入。
#[tokio::test]
async fn admin_creation_entry_banners_route_rejects_script_html() {
let mut config = AppConfig::default();
config.admin_username = Some("root".to_string());
config.admin_password = Some("secret123".to_string());
let app = build_router(AppState::new(config).expect("state should build"));
let admin_token = read_admin_access_token(app.clone()).await;
let response = app
.oneshot(
Request::builder()
.method("POST")
.uri("/admin/api/creation-entry/config/banners")
.header("authorization", format!("Bearer {admin_token}"))
.header("content-type", "application/json")
.body(Body::from(
serde_json::json!({
"eventBannersJson": serde_json::json!([
{
"title": "危险公告",
"htmlCode": "<script>alert(1)</script>"
}
]).to_string()
})
.to_string(),
))
.expect("banners request should build"),
)
.await
.expect("banners request should succeed");
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}
#[tokio::test]
async fn admin_debug_http_can_probe_healthz_when_authenticated() {
let mut config = AppConfig::default();