Add file download endpoint for beacon content sync

oatkins8 · oatkins8 · commit 5aa9416ccb14 · 2026-02-04T15:36:31.000+01:00
Beacons receive a manifest listing files they need, then download
each file individually via this endpoint. The controller validates
that the requesting beacon has access through its assigned topics
and supports resumable downloads via Range headers for reliability
on unstable connections.
diff --git a/app/controllers/api/v1/beacons/files_controller.rb b/app/controllers/api/v1/beacons/files_controller.rb
@@ -0,0 +1,21 @@
+module Api
+  module V1
+    module Beacons
+      class FilesController < Beacons::BaseController
+        include ActiveStorage::Streaming
+
+        def show
+          blob = Current.beacon.accessible_blobs.find(params[:id])
+
+          if request.headers["Range"].present?
+            send_blob_byte_range_data(blob, request.headers["Range"])
+          else
+            send_blob_stream(blob, disposition: :attachment)
+          end
+        rescue ActiveRecord::RecordNotFound
+          head :not_found
+        end
+      end
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
@@ -41,6 +41,8 @@
       resources :tags, only: %i[index show]
 
       namespace :beacons do
+        resource :manifest, only: :show
+        resources :files, only: :show
         resource :status, only: :show
       end
     end
diff --git a/spec/requests/api/v1/beacons/files_spec.rb b/spec/requests/api/v1/beacons/files_spec.rb
@@ -0,0 +1,132 @@
+require "rails_helper"
+
+RSpec.describe "Beacons Files API", type: :request do
+  let(:language) { create(:language) }
+  let(:region) { create(:region) }
+  let(:provider) { create(:provider) }
+
+  let(:beacon) do
+    b, @raw_key = create_beacon_with_key(language: language, region: region)
+    b.providers << provider
+    b
+  end
+
+  let(:raw_key) { beacon; @raw_key }
+
+  let(:topic) do
+    create(:topic, :with_documents, provider: provider, language: language).tap do |t|
+      beacon.topics << t
+    end
+  end
+
+  let(:blob) { topic.documents.first.blob }
+
+  describe "GET /api/v1/beacons/files/:id" do
+    context "with valid authentication and access" do
+      it "returns the file with correct headers" do
+        get "/api/v1/beacons/files/#{blob.id}", headers: beacon_auth_headers(raw_key)
+
+        expect(response).to have_http_status(:ok)
+        expect(response.headers["Content-Type"]).to eq(blob.content_type)
+        expect(response.headers["Content-Disposition"]).to include("attachment")
+        expect(response.headers["Content-Length"]).to eq(blob.byte_size.to_s)
+      end
+
+      it "streams the file content" do
+        get "/api/v1/beacons/files/#{blob.id}", headers: beacon_auth_headers(raw_key)
+
+        expect(response.body).not_to be_empty
+        expect(response.body.bytesize).to eq(blob.byte_size)
+      end
+
+      it "includes the filename in Content-Disposition" do
+        get "/api/v1/beacons/files/#{blob.id}", headers: beacon_auth_headers(raw_key)
+
+        expect(response.headers["Content-Disposition"]).to include(blob.filename.to_s)
+      end
+    end
+
+    context "with Range header for resumable downloads" do
+      it "returns 206 Partial Content" do
+        get "/api/v1/beacons/files/#{blob.id}",
+          headers: beacon_auth_headers(raw_key).merge("Range" => "bytes=0-1023")
+
+        expect(response).to have_http_status(:partial_content)
+      end
+
+      it "includes Content-Range header" do
+        get "/api/v1/beacons/files/#{blob.id}",
+          headers: beacon_auth_headers(raw_key).merge("Range" => "bytes=0-1023")
+
+        expect(response.headers["Content-Range"]).to be_present
+        expect(response.headers["Content-Range"]).to match(/bytes 0-1023\/\d+/)
+      end
+
+      it "returns only the requested byte range" do
+        get "/api/v1/beacons/files/#{blob.id}",
+          headers: beacon_auth_headers(raw_key).merge("Range" => "bytes=0-99")
+
+        expect(response.body.bytesize).to be <= 100
+      end
+    end
+
+    context "when file does not exist" do
+      it "returns 404" do
+        get "/api/v1/beacons/files/99999", headers: beacon_auth_headers(raw_key)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context "when beacon does not have access to the file" do
+      let(:other_beacon) do
+        b, @other_raw_key = create_beacon_with_key(language: language, region: region)
+        b.providers << provider
+        b
+      end
+
+      let(:other_raw_key) { other_beacon; @other_raw_key }
+
+      let(:other_topic) do
+        create(:topic, :with_documents, provider: provider, language: language).tap do |t|
+          other_beacon.topics << t
+        end
+      end
+
+      let(:other_blob) { other_topic.documents.first.blob }
+
+      it "returns 404 when requesting another beacon's file" do
+        get "/api/v1/beacons/files/#{other_blob.id}", headers: beacon_auth_headers(raw_key)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context "without authentication" do
+      it "returns 401" do
+        get "/api/v1/beacons/files/#{blob.id}"
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context "with invalid authentication" do
+      it "returns 401" do
+        get "/api/v1/beacons/files/#{blob.id}",
+          headers: beacon_auth_headers("invalid-key")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context "with revoked beacon" do
+      before { beacon.revoke! }
+
+      it "returns 401" do
+        get "/api/v1/beacons/files/#{blob.id}", headers: beacon_auth_headers(raw_key)
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+end
