From 96f93336fc1f389ee5bd065e13d2d2abbcc8f761 Mon Sep 17 00:00:00 2001 From: cesine Date: Fri, 26 Dec 2025 10:06:45 -0500 Subject: [PATCH 1/4] support couchapp attachments while testing locally --- etc/local.ini | 6 ++++++ test/integration/install.js | 23 ++++++++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/etc/local.ini b/etc/local.ini index 961b231f..10327c6c 100644 --- a/etc/local.ini +++ b/etc/local.ini @@ -5,6 +5,12 @@ enable_cors = true origins = * credentials = true +[csp] +attachments_enable = true +; https://docs.couchdb.org/en/stable/cve/2021-38295.html +; use nginx instead to allow only signed couchapps when on deployed server +attachments_header_value = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data: https://secure.gravatar.com; font-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" + [couchdb] single_node=true diff --git a/test/integration/install.js b/test/integration/install.js index bc500c4a..564fe0ec 100644 --- a/test/integration/install.js +++ b/test/integration/install.js @@ -18,6 +18,8 @@ debug('replay localhosts', replay._localhosts); \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}" */ let destination = 'http://admin:none@localhost:5984'; +const couchUrl = destination.replace('admin:none@', ''); + if (!destination) { destination = url.parse(config.usersDbConnection.url); destination.auth = `${config.couchKeys.username}:${config.couchKeys.password}`; 
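Review bot: The `attachments_header_value` added under `[csp]` in etc/local.ini allows `script-src 'self' 'unsafe-eval'` on attachment responses, so an HTML attachment in any database on this node can run script in the CouchDB origin, which is the situation the linked CVE-2021-38295 advisory describes. The two comment lines point at the advisory and at nginx, but they do not say that this value replaces the restrictive attachment policy CouchDB applies by default (`sandbox`, as far as I recall), or that the file must stay out of deployed configuration. I would say so in the comment itself, for example `; LOCAL TESTING ONLY: relaxes the attachment CSP for every database on this node, do not deploy`. The unchanged context also shows `origins = *` together with `credentials = true`, which widens the exposure if this file is ever used beyond a developer machine.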
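Review bot: `couchUrl` is built by stripping the literal `'admin:none@'` from `destination`, so if the credentials in that string ever change, the `replace` matches nothing and `couchUrl` silently keeps them. The requests meant to be anonymous would then presumably go out with admin credentials, and the public-access assertions later in the file would pass for the wrong reason. Deriving the value from the parsed URL removes the dependency on the exact credential text, e.g. `const couchUrl = new URL(destination).origin;`.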
@@ -525,6 +527,18 @@ describe('install', () => { expect(res.body.ok).to.equal(true); return supertest(destination) + .put(`/${dbnameToReplicate}/_security`) + .set('cookie', adminSessionCookie) + .set('Accept', 'application/json') + .send({ + "members":{"roles":[]}, + "admins":{"roles":["_admin"]} + }) + }) + .then((res) => { + expect(res.body.ok).to.equal(true); + + return supertest(couchUrl) .get(`/${dbnameToReplicate}/_design/prototype`) .set('Accept', 'application/json'); }) @@ -532,12 +546,19 @@ describe('install', () => { debug('res.body prototype after ', res.body); expect(res.body.couchapp && res.body.couchapp.name).to.contain('Prototype (has the most features of the apps)', JSON.stringify(res.body)); - return supertest(destination) + return supertest(couchUrl) .get(`/${dbnameToReplicate}/_design/prototype/user.html`); }) .then((res) => { debug('res.body prototype after ', res.body); expect(res.status).to.equal(200); + + return supertest(couchUrl) + .get(`/${dbnameToReplicate}/_design/prototype/app/app.css`); + }) + .then((res) => { + debug('attachments prototype after ', res.body); + expect(res.status).to.equal(200); }); }); }); From 5cbd409a22399641b1ec51d1df236f5362f0a7df Mon Sep 17 00:00:00 2001 From: cesine Date: Fri, 26 Dec 2025 10:09:11 -0500 Subject: [PATCH 2/4] fix lint --- test/integration/install.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/install.js b/test/integration/install.js index 564fe0ec..202a8306 100644 --- a/test/integration/install.js +++ b/test/integration/install.js @@ -533,7 +533,7 @@ describe('install', () => { .send({ "members":{"roles":[]}, "admins":{"roles":["_admin"]} - }) + }); }) .then((res) => { expect(res.body.ok).to.equal(true); From befa7c0612140015a656b8e05ceda7eab6bcb063 Mon Sep 17 00:00:00 2001 From: MatMath Date: Fri, 26 Dec 2025 10:17:58 -0500 Subject: [PATCH 3/4] prettier --- test/integration/install.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
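Review bot: The `_security` body sent in the new `.put(...)` step leaves `members` empty, and in CouchDB that opens the database to ordinary document writes as well as reads; the `admins` list only gates design documents and the security object. The follow-up steps only assert that anonymous GETs of the design doc, `user.html` and `app/app.css` return 200, so nothing here shows that an unauthenticated write is refused, unless a `validate_doc_update` in the design doc (not visible in this diff) rejects it. The comment added later in the series, `// The couchapp is public but only admins can write to it`, therefore claims more than the security object guarantees. I would add a step that sends an unauthenticated `supertest(couchUrl).put(...)` of a regular document and expects 401 or 403. I would also reword the comment to `// Public read; admins own design docs and _security. Other writes depend on validate_doc_update.`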
diff --git a/test/integration/install.js b/test/integration/install.js index 202a8306..085c01c0 100644 --- a/test/integration/install.js +++ b/test/integration/install.js @@ -531,8 +531,9 @@ describe('install', () => { .set('cookie', adminSessionCookie) .set('Accept', 'application/json') .send({ - "members":{"roles":[]}, - "admins":{"roles":["_admin"]} + // The couchapp is public but only admins can write to it + members: { roles: [] }, + admins: { roles: ["_admin"] }, }); }) .then((res) => { From 0b1111f07c293ad5f3e5e9054d1f30a894e3a81b Mon Sep 17 00:00:00 2001 From: MatMath Date: Fri, 26 Dec 2025 10:26:48 -0500 Subject: [PATCH 4/4] update coverage --- nyc.config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nyc.config.js b/nyc.config.js index 8c8c2235..2f9f2fed 100644 --- a/nyc.config.js +++ b/nyc.config.js @@ -7,7 +7,7 @@ module.exports = { ], 'check-coverage': true, branches: 65, - functions: 66, + functions: 65, lines: 76, statements: 76, reporter: ['text', 'lcov'],