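import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest'

// Replace the websocket plugin and the notification service with inert stubs;
// this suite only exercises the static payment-icon route.
vi.mock('../../src/plugins/websocket.js', () => ({
  sendToUser: vi.fn(() => false),
  sendToSessionParticipant: vi.fn(() => false),
  registerWebSocketPlugin: vi.fn(async () => {}),
  registerWebSocketRoute: vi.fn(),
  isUserOnlineWs: vi.fn(() => false),
  getSessionConnections: vi.fn(() => ({})),
}))

vi.mock('../../src/services/notification.service.js', () => ({
  sendPushNotification: vi.fn(async () => true),
  registerDeviceToken: vi.fn(async () => {}),
}))

// Loaded dynamically, after the mocks above have been declared.
const { buildPublic } = await import('../helpers/server.js')

describe('GET /assets/payment-icons/:slug.svg', () => {
  let app

  beforeAll(async () => {
    app = await buildPublic()
  })

  afterAll(async () => {
    await app.close()
  })

  it('serves a known idn-finlogos slug with svg content-type and immutable cache', async () => {
    // 'qris' is one of our seeded slugs and is shipped by idn-finlogos.
    const res = await app.inject({ method: 'GET', url: '/assets/payment-icons/qris.svg' })

    expect(res.statusCode).toBe(200)
    expect(res.headers['content-type']).toBe('image/svg+xml')
    expect(res.headers['cache-control']).toBe('public, max-age=31536000, immutable')
    // NOTE(review): the regex's second alternative and the next test's title
    // were lost in this copy of the file and are reconstructed here; confirm
    // both against the repository version.
    expect(res.body).toMatch(/^<\?xml|^<svg/)
  })

  it('404s with NOT_FOUND on an unknown slug', async () => {
    const res = await app.inject({
      method: 'GET',
      url: '/assets/payment-icons/definitely-not-a-real-bank.svg',
    })

    expect(res.statusCode).toBe(404)
    const body = JSON.parse(res.body)
    expect(body.error.code).toBe('NOT_FOUND')
  })

  it('404s on a slug outside the SLUG_RE character set', async () => {
    // Negative case for the handler's SLUG_RE guard. A 404 alone cannot tell
    // the guard apart from a plain missing file, so this only pins the
    // observable outcome — presumably SLUG_RE rejects uppercase; verify
    // against the route source.
    const res = await app.inject({
      method: 'GET',
      url: '/assets/payment-icons/UPPER.svg',
    })

    expect(res.statusCode).toBe(404)
  })

  it('404s on slug with path-traversal characters', async () => {
    // Fastify normalises a literal `..` segment in the URL before routing, so
    // a raw `../` never reaches the handler. Percent-encoded separators are
    // not path segments and may arrive in the decoded slug, which is the case
    // the SLUG_RE guard exists for. Whichever layer rejects the request, the
    // response must be a 404 and must never carry SVG content.
    const encodedTraversalUrls = [
      '/assets/payment-icons/..%2fqris.svg',
      '/assets/payment-icons/%2e%2e%2fqris.svg',
      '/assets/payment-icons/..%5cqris.svg',
    ]

    for (const url of encodedTraversalUrls) {
      const res = await app.inject({ method: 'GET', url })

      expect(res.statusCode).toBe(404)
      expect(res.headers['content-type']).not.toBe('image/svg+xml')
    }
  })
})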