phew big stuff!!!!

2021-03-31 15:24:27 +02:00
parent 13d4fda7fa
commit 8014c9c5df
19 changed files with 689 additions and 57 deletions
--- a/internal/apimodule/account/account.go
+++ b/internal/apimodule/account/account.go
@ -22,10 +22,10 @@ import (
 	"net/http"

 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/apimodule"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/media"
-	"github.com/superseriousbusiness/gotosocial/internal/apimodule"
 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 	"github.com/superseriousbusiness/gotosocial/internal/router"
 )
@ -62,5 +62,6 @@ func (m *accountModule) Route(r router.Router) error {
 	r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler)
 	r.AttachHandler(http.MethodGet, verifyPath, m.accountVerifyGETHandler)
 	r.AttachHandler(http.MethodPatch, updateCredentialsPath, m.accountUpdateCredentialsPATCHHandler)
+	r.AttachHandler(http.MethodGet, basePathWithID, m.accountGETHandler)
 	return nil
 }
--- a/internal/apimodule/account/accountcreate.go
+++ b/internal/apimodule/account/accountcreate.go
@ -119,7 +119,7 @@ func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.Acco
 		return errors.New("registration is not open for this server")
 	}

-	if err := util.ValidateSignUpUsername(form.Username); err != nil {
+	if err := util.ValidateUsername(form.Username); err != nil {
 		return err
 	}

@ -127,7 +127,7 @@ func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.Acco
 		return err
 	}

-	if err := util.ValidateSignUpPassword(form.Password); err != nil {
+	if err := util.ValidateNewPassword(form.Password); err != nil {
 		return err
 	}

--- a/internal/apimodule/account/accountcreate_test.go
+++ b/internal/apimodule/account/accountcreate_test.go
@ -52,7 +52,7 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )

-type AccountTestSuite struct {
+type AccountCreateTestSuite struct {
 	suite.Suite
 	config               *config.Config
 	log                  *logrus.Logger
@ -74,7 +74,7 @@ type AccountTestSuite struct {
 */

 // SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
-func (suite *AccountTestSuite) SetupSuite() {
+func (suite *AccountCreateTestSuite) SetupSuite() {
 	// some of our subsequent entities need a log so create this here
 	log := logrus.New()
 	log.SetLevel(logrus.TraceLevel)
@ -109,6 +109,8 @@ func (suite *AccountTestSuite) SetupSuite() {

 	// Direct config to local postgres instance
 	c := config.Empty()
+	c.Protocol = "http"
+	c.Host = "localhost"
 	c.DBConfig = &config.DBConfig{
 		Type:            "postgres",
 		Address:         "localhost",
@ -121,6 +123,13 @@ func (suite *AccountTestSuite) SetupSuite() {
 	c.MediaConfig = &config.MediaConfig{
 		MaxImageSize: 2 << 20,
 	}
+	c.StorageConfig = &config.StorageConfig{
+		Backend: "local",
+		BasePath: "/tmp",
+		ServeProtocol: "http",
+		ServeHost: "localhost",
+		ServeBasePath: "/fileserver/media",
+	}
 	suite.config = c

 	// use an actual database for this, because it's just easier than mocking one out
@ -155,14 +164,14 @@ func (suite *AccountTestSuite) SetupSuite() {
 	suite.accountModule = New(suite.config, suite.db, suite.mockOauthServer, suite.mediaHandler, suite.log).(*accountModule)
 }

-func (suite *AccountTestSuite) TearDownSuite() {
+func (suite *AccountCreateTestSuite) TearDownSuite() {
 	if err := suite.db.Stop(context.Background()); err != nil {
 		logrus.Panicf("error closing db connection: %s", err)
 	}
 }

 // SetupTest creates a db connection and creates necessary tables before each test
-func (suite *AccountTestSuite) SetupTest() {
+func (suite *AccountCreateTestSuite) SetupTest() {
 	// create all the tables we might need in thie suite
 	models := []interface{}{
 		&model.User{},
@ -199,7 +208,7 @@ func (suite *AccountTestSuite) SetupTest() {
 }

 // TearDownTest drops tables to make sure there's no data in the db
-func (suite *AccountTestSuite) TearDownTest() {
+func (suite *AccountCreateTestSuite) TearDownTest() {

 	// remove all the tables we might have used so it's clear for the next test
 	models := []interface{}{
@ -231,7 +240,7 @@ func (suite *AccountTestSuite) TearDownTest() {
 // and at the end of it a new user and account should be added into the database.
 //
 // This is the handler served at /api/v1/accounts as POST
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerSuccessful() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerSuccessful() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -307,7 +316,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerSuccessful() {

 // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no authorization is provided:
 // only registered applications can create accounts, and we don't provide one here.
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerNoAuth() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoAuth() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -330,7 +339,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerNoAuth() {
 }

 // TestAccountCreatePOSTHandlerNoAuth makes sure that the handler fails when no form is provided at all.
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerNoForm() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerNoForm() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -352,7 +361,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerNoForm() {
 }

 // TestAccountCreatePOSTHandlerWeakPassword makes sure that the handler fails when a weak password is provided
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerWeakPassword() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeakPassword() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -377,7 +386,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerWeakPassword() {
 }

 // TestAccountCreatePOSTHandlerWeirdLocale makes sure that the handler fails when a weird locale is provided
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -402,7 +411,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerWeirdLocale() {
 }

 // TestAccountCreatePOSTHandlerRegistrationsClosed makes sure that the handler fails when registrations are closed
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -428,7 +437,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerRegistrationsClosed()
 }

 // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when no reason is provided but one is required
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -455,7 +464,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerReasonNotProvided() {
 }

 // TestAccountCreatePOSTHandlerReasonNotProvided makes sure that the handler fails when a crappy reason is presented but a good one is required
-func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerInsufficientReason() {
+func (suite *AccountCreateTestSuite) TestAccountCreatePOSTHandlerInsufficientReason() {

 	// setup
 	recorder := httptest.NewRecorder()
@ -485,7 +494,7 @@ func (suite *AccountTestSuite) TestAccountCreatePOSTHandlerInsufficientReason()
 	TESTING: AccountUpdateCredentialsPATCHHandler
 */

-func (suite *AccountTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
+func (suite *AccountCreateTestSuite) TestAccountUpdateCredentialsPATCHHandler() {

 	// put test local account in db
 	err := suite.db.Put(suite.testAccountLocal)
@ -533,6 +542,6 @@ func (suite *AccountTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
 	// assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
 }

-func TestAccountTestSuite(t *testing.T) {
-	suite.Run(t, new(AccountTestSuite))
+func TestAccountCreateTestSuite(t *testing.T) {
+	suite.Run(t, new(AccountCreateTestSuite))
 }
--- a/internal/apimodule/account/accountget.go
+++ b/internal/apimodule/account/accountget.go
@ -0,0 +1,58 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/db/model"
+)
+
+// accountGetHandler serves the account information held by the server in response to a GET
+// request. It should be served as a GET at /api/v1/accounts/:id.
+//
+// See: https://docs.joinmastodon.org/methods/accounts/
+func (m *accountModule) accountGETHandler(c *gin.Context) {
+	targetAcctID := c.Param(idKey)
+	if targetAcctID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error":"no account id specified"})
+		return
+	}
+
+	targetAccount := &model.Account{}
+	if err := m.db.GetByID(targetAcctID, targetAccount); err != nil {
+		if _, ok := err.(db.ErrNoEntries); !ok {
+			c.JSON(http.StatusNotFound, gin.H{"error":"Record not found"})
+			return
+		} else {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+			return
+		}
+	}
+
+	acctInfo, err := m.db.AccountToMastoPublic(targetAccount)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, acctInfo)
+}
--- a/internal/apimodule/account/accountupdate.go
+++ b/internal/apimodule/account/accountupdate.go
@ -29,6 +29,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/superseriousbusiness/gotosocial/internal/db/model"
 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 	"github.com/superseriousbusiness/gotosocial/pkg/mastotypes"
 )

@ -38,6 +39,8 @@ import (
 // TODO: this can be optimized massively by building up a picture of what we want the new account
 // details to be, and then inserting it all in the database at once. As it is, we do queries one-by-one
 // which is not gonna make the database very happy when lots of requests are going through.
+// This way it would also be safer because the update won't happen until *all* the fields are validated.
+// Otherwise we risk doing a partial update and that's gonna cause probllleeemmmsss.
 func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
 	l := m.log.WithField("func", "accountUpdateCredentialsPATCHHandler")
 	authed, err := oauth.MustAuth(c, true, false, false, true)
@ -80,6 +83,10 @@ func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
 	}

 	if form.DisplayName != nil {
+		if err := util.ValidateDisplayName(*form.DisplayName); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
 		if err := m.db.UpdateOneByID(authed.Account.ID, "display_name", *form.DisplayName, &model.Account{}); err != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 			return
@ -87,6 +94,10 @@ func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
 	}

 	if form.Note != nil {
+		if err := util.ValidateNote(*form.Note); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
 		if err := m.db.UpdateOneByID(authed.Account.ID, "note", *form.Note, &model.Account{}); err != nil {
 			l.Debugf("error updating note: %s", err)
 			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
@ -122,11 +133,11 @@ func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
 	}

 	if form.Source != nil {
-
+		// TODO: parse source nicely and update
 	}

 	if form.FieldsAttributes != nil {
-
+		// TODO: parse fields attributes nicely and update
 	}

 	// fetch the account with all updated values set
@ -159,7 +170,7 @@ func (m *accountModule) accountUpdateCredentialsPATCHHandler(c *gin.Context) {
 // the account's new avatar image.
 func (m *accountModule) UpdateAccountAvatar(avatar *multipart.FileHeader, accountID string) (*model.MediaAttachment, error) {
 	var err error
-	if avatar.Size > m.config.MediaConfig.MaxImageSize {
+	if int(avatar.Size) > m.config.MediaConfig.MaxImageSize {
 		err = fmt.Errorf("avatar with size %d exceeded max image size of %d bytes", avatar.Size, m.config.MediaConfig.MaxImageSize)
 		return nil, err
 	}
@ -192,7 +203,7 @@ func (m *accountModule) UpdateAccountAvatar(avatar *multipart.FileHeader, accoun
 // the account's new header image.
 func (m *accountModule) UpdateAccountHeader(header *multipart.FileHeader, accountID string) (*model.MediaAttachment, error) {
 	var err error
-	if header.Size > m.config.MediaConfig.MaxImageSize {
+	if int(header.Size) > m.config.MediaConfig.MaxImageSize {
 		err = fmt.Errorf("header with size %d exceeded max image size of %d bytes", header.Size, m.config.MediaConfig.MaxImageSize)
 		return nil, err
 	}
--- a/internal/apimodule/account/accountupdate_test.go
+++ b/internal/apimodule/account/accountupdate_test.go
@ -0,0 +1,301 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"mime/multipart"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/db/model"
+	"github.com/superseriousbusiness/gotosocial/internal/media"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/storage"
+	"github.com/superseriousbusiness/oauth2/v4"
+	"github.com/superseriousbusiness/oauth2/v4/models"
+	oauthmodels "github.com/superseriousbusiness/oauth2/v4/models"
+)
+
+type AccountUpdateTestSuite struct {
+	suite.Suite
+	config               *config.Config
+	log                  *logrus.Logger
+	testAccountLocal     *model.Account
+	testAccountRemote    *model.Account
+	testUser             *model.User
+	testApplication      *model.Application
+	testToken            oauth2.TokenInfo
+	mockOauthServer      *oauth.MockServer
+	mockStorage          *storage.MockStorage
+	mediaHandler         media.MediaHandler
+	db                   db.DB
+	accountModule        *accountModule
+	newUserFormHappyPath url.Values
+}
+
+/*
+	TEST INFRASTRUCTURE
+*/
+
+// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
+func (suite *AccountUpdateTestSuite) SetupSuite() {
+	// some of our subsequent entities need a log so create this here
+	log := logrus.New()
+	log.SetLevel(logrus.TraceLevel)
+	suite.log = log
+
+	suite.testAccountLocal = &model.Account{
+		ID:       uuid.NewString(),
+		Username: "test_user",
+	}
+
+	// can use this test application throughout
+	suite.testApplication = &model.Application{
+		ID:           "weeweeeeeeeeeeeeee",
+		Name:         "a test application",
+		Website:      "https://some-application-website.com",
+		RedirectURI:  "http://localhost:8080",
+		ClientID:     "a-known-client-id",
+		ClientSecret: "some-secret",
+		Scopes:       "read",
+		VapidKey:     "aaaaaa-aaaaaaaa-aaaaaaaaaaa",
+	}
+
+	// can use this test token throughout
+	suite.testToken = &oauthmodels.Token{
+		ClientID:      "a-known-client-id",
+		RedirectURI:   "http://localhost:8080",
+		Scope:         "read",
+		Code:          "123456789",
+		CodeCreateAt:  time.Now(),
+		CodeExpiresIn: time.Duration(10 * time.Minute),
+	}
+
+	// Direct config to local postgres instance
+	c := config.Empty()
+	c.Protocol = "http"
+	c.Host = "localhost"
+	c.DBConfig = &config.DBConfig{
+		Type:            "postgres",
+		Address:         "localhost",
+		Port:            5432,
+		User:            "postgres",
+		Password:        "postgres",
+		Database:        "postgres",
+		ApplicationName: "gotosocial",
+	}
+	c.MediaConfig = &config.MediaConfig{
+		MaxImageSize: 2 << 20,
+	}
+	c.StorageConfig = &config.StorageConfig{
+		Backend:       "local",
+		BasePath:      "/tmp",
+		ServeProtocol: "http",
+		ServeHost:     "localhost",
+		ServeBasePath: "/fileserver/media",
+	}
+	suite.config = c
+
+	// use an actual database for this, because it's just easier than mocking one out
+	database, err := db.New(context.Background(), c, log)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+	suite.db = database
+
+	// we need to mock the oauth server because account creation needs it to create a new token
+	suite.mockOauthServer = &oauth.MockServer{}
+	suite.mockOauthServer.On("GenerateUserAccessToken", suite.testToken, suite.testApplication.ClientSecret, mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+		l := suite.log.WithField("func", "GenerateUserAccessToken")
+		token := args.Get(0).(oauth2.TokenInfo)
+		l.Infof("received token %+v", token)
+		clientSecret := args.Get(1).(string)
+		l.Infof("received clientSecret %+v", clientSecret)
+		userID := args.Get(2).(string)
+		l.Infof("received userID %+v", userID)
+	}).Return(&models.Token{
+		Code: "we're authorized now!",
+	}, nil)
+
+	suite.mockStorage = &storage.MockStorage{}
+	// We don't need storage to do anything for these tests, so just simulate a success and do nothing -- we won't need to return anything from storage
+	suite.mockStorage.On("StoreFileAt", mock.AnythingOfType("string"), mock.AnythingOfType("[]uint8")).Return(nil)
+
+	// set a media handler because some handlers (eg update credentials) need to upload media (new header/avatar)
+	suite.mediaHandler = media.New(suite.config, suite.db, suite.mockStorage, log)
+
+	// and finally here's the thing we're actually testing!
+	suite.accountModule = New(suite.config, suite.db, suite.mockOauthServer, suite.mediaHandler, suite.log).(*accountModule)
+}
+
+func (suite *AccountUpdateTestSuite) TearDownSuite() {
+	if err := suite.db.Stop(context.Background()); err != nil {
+		logrus.Panicf("error closing db connection: %s", err)
+	}
+}
+
+// SetupTest creates a db connection and creates necessary tables before each test
+func (suite *AccountUpdateTestSuite) SetupTest() {
+	// create all the tables we might need in thie suite
+	models := []interface{}{
+		&model.User{},
+		&model.Account{},
+		&model.Follow{},
+		&model.FollowRequest{},
+		&model.Status{},
+		&model.Application{},
+		&model.EmailDomainBlock{},
+		&model.MediaAttachment{},
+	}
+	for _, m := range models {
+		if err := suite.db.CreateTable(m); err != nil {
+			logrus.Panicf("db connection error: %s", err)
+		}
+	}
+
+	// form to submit for happy path account create requests -- this will be changed inside tests so it's better to set it before each test
+	suite.newUserFormHappyPath = url.Values{
+		"reason":    []string{"a very good reason that's at least 40 characters i swear"},
+		"username":  []string{"test_user"},
+		"email":     []string{"user@example.org"},
+		"password":  []string{"very-strong-password"},
+		"agreement": []string{"true"},
+		"locale":    []string{"en"},
+	}
+
+	// same with accounts config
+	suite.config.AccountsConfig = &config.AccountsConfig{
+		OpenRegistration: true,
+		RequireApproval:  true,
+		ReasonRequired:   true,
+	}
+}
+
+// TearDownTest drops tables to make sure there's no data in the db
+func (suite *AccountUpdateTestSuite) TearDownTest() {
+
+	// remove all the tables we might have used so it's clear for the next test
+	models := []interface{}{
+		&model.User{},
+		&model.Account{},
+		&model.Follow{},
+		&model.FollowRequest{},
+		&model.Status{},
+		&model.Application{},
+		&model.EmailDomainBlock{},
+		&model.MediaAttachment{},
+	}
+	for _, m := range models {
+		if err := suite.db.DropTable(m); err != nil {
+			logrus.Panicf("error dropping table: %s", err)
+		}
+	}
+}
+
+/*
+	ACTUAL TESTS
+*/
+
+/*
+	TESTING: AccountUpdateCredentialsPATCHHandler
+*/
+
+func (suite *AccountUpdateTestSuite) TestAccountUpdateCredentialsPATCHHandler() {
+
+	// put test local account in db
+	err := suite.db.Put(suite.testAccountLocal)
+	assert.NoError(suite.T(), err)
+
+	// attach avatar to request form
+	avatarFile, err := os.Open("../../media/test/test-jpeg.jpg")
+	assert.NoError(suite.T(), err)
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
+
+	avatarPart, err := writer.CreateFormFile("avatar", "test-jpeg.jpg")
+	assert.NoError(suite.T(), err)
+
+	_, err = io.Copy(avatarPart, avatarFile)
+	assert.NoError(suite.T(), err)
+
+	err = avatarFile.Close()
+	assert.NoError(suite.T(), err)
+
+	// set display name to a new value
+	displayNamePart, err := writer.CreateFormField("display_name")
+	assert.NoError(suite.T(), err)
+
+	_, err = io.Copy(displayNamePart, bytes.NewBufferString("test_user_wohoah"))
+	assert.NoError(suite.T(), err)
+
+	// set locked to true
+	lockedPart, err := writer.CreateFormField("locked")
+	assert.NoError(suite.T(), err)
+
+	_, err = io.Copy(lockedPart, bytes.NewBufferString("true"))
+	assert.NoError(suite.T(), err)
+
+	// close the request writer, the form is now prepared
+	err = writer.Close()
+	assert.NoError(suite.T(), err)
+
+	// setup
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccountLocal)
+	ctx.Set(oauth.SessionAuthorizedToken, suite.testToken)
+	ctx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("http://localhost:8080/%s", updateCredentialsPath), body) // the endpoint we're hitting
+	ctx.Request.Header.Set("Content-Type", writer.FormDataContentType())
+	suite.accountModule.accountUpdateCredentialsPATCHHandler(ctx)
+
+	// check response
+
+	// 1. we should have OK because our request was valid
+	suite.EqualValues(http.StatusOK, recorder.Code)
+
+	// 2. we should have an error message in the result body
+	result := recorder.Result()
+	defer result.Body.Close()
+	// TODO: implement proper checks here
+	//
+	b, err := ioutil.ReadAll(result.Body)
+	assert.NoError(suite.T(), err)
+	assert.Equal(suite.T(), `{"error":"not authorized"}`, string(b))
+}
+
+func TestAccountUpdateTestSuite(t *testing.T) {
+	suite.Run(t, new(AccountUpdateTestSuite))
+}
--- a/internal/apimodule/account/accountverify_test.go
+++ b/internal/apimodule/account/accountverify_test.go
@ -0,0 +1,19 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package account
--- a/internal/apimodule/fileserver/fileserver.go
+++ b/internal/apimodule/fileserver/fileserver.go
@ -0,0 +1,42 @@
+package fileserver
+
+import (
+	"fmt"
+
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/apimodule"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/router"
+	"github.com/superseriousbusiness/gotosocial/internal/storage"
+)
+
+// fileServer implements the RESTAPIModule interface.
+// The goal here is to serve requested media files if the gotosocial server is configured to use local storage.
+type fileServer struct {
+	config      *config.Config
+	db          db.DB
+	storage     storage.Storage
+	log         *logrus.Logger
+	storageBase string
+}
+
+// New returns a new fileServer module
+func New(config *config.Config, db db.DB, storage storage.Storage, log *logrus.Logger) apimodule.ClientAPIModule {
+
+	storageBase := fmt.Sprintf("%s", config.StorageConfig.BasePath) // TODO: do this properly
+
+	return &fileServer{
+		config:      config,
+		db:          db,
+		storage:     storage,
+		log:         log,
+		storageBase: storageBase,
+	}
+}
+
+// Route satisfies the RESTAPIModule interface
+func (m *fileServer) Route(s router.Router) error {
+	// s.AttachHandler(http.MethodPost, appsPath, m.appsPOSTHandler)
+	return nil
+}