fix: Langflow logo on home page when s3 is enabled

[deon-sanchez]

This pull request refactors the handling of profile pictures in the backend to always use the local filesystem for storing and serving profile images, regardless of the configured storage type (local, S3, etc.). It also adds comprehensive tests to verify profile picture listing and downloading, including error handling and content-type correctness.

Profile picture storage and retrieval (Backend changes):

• Refactored the download_profile_picture and list_profile_pictures endpoints in src/backend/base/langflow/api/v1/files.py to access profile pictures directly from the local filesystem (config_dir/profile_pictures/) using async file operations, removing any dependency on the storage service or storage type configuration.
• Added error handling to return a 404 if a requested profile picture file does not exist, and ensured correct content-type headers are set for SVG images.

Testing and validation (Unit tests):

• Added a new pytest fixture (setup_profile_pictures) in src/backend/tests/unit/api/v1/test_files.py to set up a temporary profile pictures directory structure for tests, including sample SVG files for both "People" and "Space" folders.
• Added multiple async test cases to verify:
  • Listing profile pictures returns expected files and formats.
  • Downloading profile pictures works and returns correct SVG content and content-type.
  • Non-existent profile picture requests return a 404 error.
  • Profile picture endpoints work correctly even when storage type is set to S3, confirming local-only handling.
  • Content-type headers for SVG files are correctly set for all profile pictures.

Summary by CodeRabbit

• Bug Fixes

  • Improved profile picture retrieval with enhanced error handling and proper status codes for missing files.

• Tests

  • Added comprehensive test coverage for profile picture listing and download operations, including error scenarios.

[coderabbitai]

Walkthrough

The changes modify profile picture endpoints in the files API to read directly from local filesystem using a SettingsService dependency, replacing prior storage service integration. Two new dependencies are added, path construction is updated, and error handling is refined with 404/500 responses. Corresponding unit tests validate the new behavior including content-type handling and non-existent file scenarios.

Changes

Cohort / File(s)	Summary
API endpoint updates src/backend/base/langflow/api/v1/files.py	Modified download_profile_picture() and list_profile_pictures() endpoints to accept SettingsService dependency, read directly from local filesystem using async operations via anyio, construct paths from config_dir/profile_pictures/, and return 404 for missing files.
Test suite expansion src/backend/tests/unit/api/v1/test_files.py	Added setup_profile_pictures fixture to configure temporary profile picture directories and environment overrides. Added 6 test cases covering listing, downloading, content-type validation, not-found scenarios, S3 storage compatibility, and file-type handling.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant Endpoint as API Endpoint
    participant Settings as SettingsService
    participant FileSystem as Local FileSystem
    
    Note over Client,FileSystem: Download Profile Picture Flow
    Client->>Endpoint: GET /profile_pictures/{folder}/{file}
    Endpoint->>Settings: Get config_dir (via Depends)
    Settings-->>Endpoint: config_dir path
    Endpoint->>FileSystem: Read config_dir/profile_pictures/{folder}/{file}
    alt File exists
        FileSystem-->>Endpoint: File bytes
        Endpoint-->>Client: 200 + file content (image/svg+xml)
    else File not found
        FileSystem-->>Endpoint: Not found error
        Endpoint-->>Client: 404 Not Found
    else General error
        FileSystem-->>Endpoint: Exception
        Endpoint-->>Client: 500 Internal Server Error
    end
    
    Note over Client,FileSystem: List Profile Pictures Flow
    Client->>Endpoint: GET /profile_pictures
    Endpoint->>Settings: Get config_dir (via Depends)
    Settings-->>Endpoint: config_dir path
    Endpoint->>FileSystem: List config_dir/profile_pictures/People
    FileSystem-->>Endpoint: Files from People
    Endpoint->>FileSystem: List config_dir/profile_pictures/Space
    FileSystem-->>Endpoint: Files from Space
    Endpoint-->>Client: 200 + combined files list

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Complexity factors: Dual endpoint modifications with dependency injection changes, async filesystem I/O patterns, error handling refinements, and a comprehensive test suite (1 fixture + 6 tests) covering multiple scenarios including edge cases and storage-type compatibility. Requires verification of path construction correctness, async operations behavior, and test coverage adequacy.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Test Quality And Coverage	⚠️ Warning	The PR includes six profile picture tests that cover main functionality (listing, downloading), success cases (200 status, correct SVG content types), error cases (404 for missing files), cross-storage scenarios (S3 configuration), and content validation using proper async pytest patterns. However, the implementation contains a critical path traversal vulnerability: the download_profile_picture function constructs file paths directly from user-supplied folder_name and file_name parameters without any validation (no resolve(), realpath(), or path boundary checks), allowing attackers to use ../ sequences to access files outside the intended profile_pictures directory. The review comments explicitly requested three security tests to validate rejection of path traversal attempts, but these tests are completely absent from the test suite, leaving the vulnerability unvalidated and the API endpoint error response testing incomplete.	The test suite must include the three path traversal security tests specified in the review comments: test_download_profile_picture_path_traversal_folder, test_download_profile_picture_path_traversal_filename, and test_download_profile_picture_invalid_folder. These tests should verify that requests with path traversal sequences (e.g., ../../../etc/passwd) and invalid folder names are rejected with 400 or 404 status codes. Additionally, the implementation should be updated to validate that resolved paths remain within the profile_pictures directory using Path.resolve() comparison and explicit folder name validation before constructing the file path.
Test File Naming And Structure	⚠️ Warning	The test file test_files.py follows proper pytest naming conventions (test_*.py) with correct structure and async test functions having descriptive names that clearly explain what is being tested (e.g., test_download_profile_picture_space_rocket, test_download_profile_picture_not_found). Tests are logically organized with proper setup and teardown using the setup_profile_pictures fixture that creates temporary directories and performs cleanup. The test suite covers positive scenarios (successful downloads and listings), some negative scenarios (404 for missing files), and edge cases (S3 storage compatibility, content-type handling). However, the test suite fails to achieve comprehensive coverage by omitting critical security edge cases and error conditions: path traversal vulnerabilities in both folder and filename parameters, and invalid folder name validation, which are explicitly identified in the PR review comments as important security concerns.	Add the three security tests specified in the review comments to complete the comprehensive coverage requirement: test_download_profile_picture_path_traversal_folder to test path traversal in the folder parameter, test_download_profile_picture_path_traversal_filename to test path traversal in the filename parameter, and test_download_profile_picture_invalid_folder to test rejection of invalid folder names. Each test should verify that the endpoint returns 400 or 404 status codes with appropriate error detail messages, ensuring both positive and negative scenarios including critical security edge cases are properly covered.
Test Coverage For New Implementations	❓ Inconclusive	Based on the review comments provided with this PR, there is a clear requirement for security tests related to path traversal vulnerabilities in the profile picture endpoints. The review comment explicitly requests three specific tests: test_download_profile_picture_path_traversal_folder, test_download_profile_picture_path_traversal_filename, and test_download_profile_picture_invalid_folder. These tests are designed to verify that the endpoint properly rejects path traversal attempts (using ../ sequences) and invalid folder names with appropriate HTTP status codes (400 or 404). The PR summary shows that new tests were added for profile picture functionality including coverage for listing, downloading, and S3 storage compatibility, but the provided review comments indicate that critical security regression tests for path traversal prevention are missing. Path traversal attacks use "dot-dot-slash (../)" sequences to access files and directories stored outside the intended directory, making these security tests essential for validating the implementation.	To complete this check, I need to verify whether the three path traversal security tests mentioned in the review comment have been implemented in the test file. Please run a search for these specific test function names in src/backend/tests/unit/api/v1/test_files.py to confirm whether they exist. If they do not exist, the PR is missing critical security test coverage for path traversal attacks. Additionally, verify that the implementation in src/backend/base/langflow/api/v1/files.py includes proper path validation using techniques like Path.resolve() and containment checks to ensure that accessed files remain within the intended profile pictures directory.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 90.00% which is sufficient. The required threshold is 80.00%.
Excessive Mock Usage Warning	✅ Passed	The test suite demonstrates appropriate mock usage rather than excessive mocking. The fixtures create real objects (database entities, app instances, filesystem structures) and use monkeypatch only for environment configuration, which is a legitimate testing pattern. The tests avoid the anti-pattern of over-mocking filesystem operations or HTTP interactions, instead testing actual behavior through integration-style testing with real temporary resources. The setup_profile_pictures fixture creates actual SVG files in temporary directories rather than mocking filesystem operations, enabling tests to verify genuine file behavior. This design avoids brittle tests that would break with implementation changes while still maintaining isolation through temporary environments.
Title check	✅ Passed	The title references fixing the Langflow logo on the home page when S3 is enabled, which directly aligns with the PR objective (#10352) about the logo being empty when LANGFLOW_STORAGE_TYPE=s3. The changes implement local filesystem-based profile picture retrieval that works independently of the storage backend.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch s3-storage-profile-pic

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 31.66%. Comparing base (a56de93) to head (1a4e7a9).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (39.58%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10352      +/-   ##
==========================================
+ Coverage   31.62%   31.66%   +0.03%     
==========================================
  Files        1330     1330              
  Lines       60407    60410       +3     
  Branches     9029     9029              
==========================================
+ Hits        19102    19126      +24     
+ Misses      40394    40374      -20     
+ Partials      911      910       -1     

Flag	Coverage Δ
backend	51.38% <100.00%> (+0.13%)	⬆️
frontend	13.55% <ø> (ø)
lfx	39.58% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/backend/base/langflow/api/v1/files.py	66.14% <100.00%> (+16.94%)	⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/backend/base/langflow/api/v1/files.py (1)

129-158: Critical: Validate folder_name and file_name to prevent path traversal attacks.

The function constructs file paths using user-supplied folder_name and file_name parameters without validation. An attacker could use path traversal sequences (e.g., ../../../etc/passwd) to access files outside the intended profile_pictures directory.

Apply these changes to add validation:

 async def download_profile_picture(
     folder_name: str,
     file_name: str,
     settings_service: Annotated[SettingsService, Depends(get_settings_service)],
 ):
     """Download profile picture from local filesystem.
 
     Profile pictures are always stored locally in config_dir/profile_pictures/,
     regardless of the storage_type setting (local, s3, etc.).
     """
     try:
+        # Validate folder_name to prevent path traversal
+        allowed_folders = {"People", "Space"}
+        if folder_name not in allowed_folders:
+            raise HTTPException(status_code=400, detail=f"Invalid folder name. Must be one of: {allowed_folders}")
+        
+        # Validate file_name to prevent path traversal
+        if ".." in file_name or "/" in file_name or "\\" in file_name:
+            raise HTTPException(status_code=400, detail="Invalid file name")
+        
         extension = file_name.split(".")[-1]
         config_dir = settings_service.settings.config_dir
         config_path = Path(config_dir)  # type: ignore[arg-type]
         file_path = config_path / "profile_pictures" / folder_name / file_name
+        
+        # Additional safety check: ensure resolved path is within profile_pictures
+        resolved_path = file_path.resolve()
+        expected_base = (config_path / "profile_pictures").resolve()
+        if not str(resolved_path).startswith(str(expected_base)):
+            raise HTTPException(status_code=400, detail="Invalid file path")
 
         if not file_path.exists():
             raise HTTPException(status_code=404, detail=f"Profile picture {folder_name}/{file_name} not found")

🧹 Nitpick comments (1)

src/backend/base/langflow/api/v1/files.py (1)

160-186: Consider using async filesystem operations for consistency.

The function uses synchronous filesystem operations (iterdir(), is_file()) despite being declared async. This is inconsistent with download_profile_picture which uses anyio.Path for async operations.

For consistency, consider refactoring to use async operations:

     """List profile pictures from local filesystem.
 
     Profile pictures are always stored locally in config_dir/profile_pictures/,
     regardless of the storage_type setting (local, s3, etc.).
     """
     try:
         config_dir = settings_service.settings.config_dir
         config_path = Path(config_dir)  # type: ignore[arg-type]
 
-        people_path = config_path / "profile_pictures" / "People"
-        space_path = config_path / "profile_pictures" / "Space"
+        people_path = anyio.Path(config_path / "profile_pictures" / "People")
+        space_path = anyio.Path(config_path / "profile_pictures" / "Space")
 
         # List files directly from local filesystem
-        people = [f.name for f in people_path.iterdir() if f.is_file()] if people_path.exists() else []
-        space = [f.name for f in space_path.iterdir() if f.is_file()] if space_path.exists() else []
+        people = []
+        if await people_path.exists():
+            async for f in people_path.iterdir():
+                if await f.is_file():
+                    people.append(f.name)
+        
+        space = []
+        if await space_path.exists():
+            async for f in space_path.iterdir():
+                if await f.is_file():
+                    space.append(f.name)
 
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e)) from e

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cea4b42 and 6adc58d.

📒 Files selected for processing (2)

• src/backend/base/langflow/api/v1/files.py (2 hunks)
• src/backend/tests/unit/api/v1/test_files.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (6)

{src/backend/**/*.py,tests/**/*.py,Makefile}

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

{src/backend/**/*.py,tests/**/*.py,Makefile}: Run make format_backend to format Python code before linting or committing changes
Run make lint to perform linting checks on backend Python code

Files:

• src/backend/base/langflow/api/v1/files.py
• src/backend/tests/unit/api/v1/test_files.py

src/backend/tests/unit/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

Test component integration within flows using create_flow, build_flow, and get_build_events utilities

Files:

• src/backend/tests/unit/api/v1/test_files.py

src/backend/tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/testing.mdc)

src/backend/tests/**/*.py: Unit tests for backend code must be located in the 'src/backend/tests/' directory, with component tests organized by component subdirectory under 'src/backend/tests/unit/components/'.
Test files should use the same filename as the component under test, with an appropriate test prefix or suffix (e.g., 'my_component.py' → 'test_my_component.py').
Use the 'client' fixture (an async httpx.AsyncClient) for API tests in backend Python tests, as defined in 'src/backend/tests/conftest.py'.
When writing component tests, inherit from the appropriate base class in 'src/backend/tests/base.py' (ComponentTestBase, ComponentTestBaseWithClient, or ComponentTestBaseWithoutClient) and provide the required fixtures: 'component_class', 'default_kwargs', and 'file_names_mapping'.
Each test in backend Python test files should have a clear docstring explaining its purpose, and complex setups or mocks should be well-commented.
Test both sync and async code paths in backend Python tests, using '@pytest.mark.asyncio' for async tests.
Mock external dependencies appropriately in backend Python tests to isolate unit tests from external services.
Test error handling and edge cases in backend Python tests, including using 'pytest.raises' and asserting error messages.
Validate input/output behavior and test component initialization and configuration in backend Python tests.
Use the 'no_blockbuster' pytest marker to skip the blockbuster plugin in tests when necessary.
Be aware of ContextVar propagation in async tests; test both direct event loop execution and 'asyncio.to_thread' scenarios to ensure proper context isolation.
Test error handling by mocking internal functions using monkeypatch in backend Python tests.
Test resource cleanup in backend Python tests by using fixtures that ensure proper initialization and cleanup of resources.
Test timeout and performance constraints in backend Python tests using 'asyncio.wait_for' and timing assertions.
Test Langflow's Messag...

Files:

• src/backend/tests/unit/api/v1/test_files.py

**/{test_*.py,*.test.ts,*.test.tsx}

📄 CodeRabbit inference engine (coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt)

**/{test_*.py,*.test.ts,*.test.tsx}: Review test files for excessive use of mocks that obscure what's actually being tested
Warn when mocks replace testing of real behavior and interactions
Suggest using real objects or simpler test doubles when mocks become excessive
Ensure mocks are reserved for external dependencies, not core logic
Recommend integration tests when unit tests are overly mocked
Test files should have descriptive test function names that explain what is being tested
Organize tests logically with proper setup and teardown
Include edge cases and error conditions for comprehensive coverage
Verify tests cover both positive and negative scenarios where appropriate
Tests should cover the main functionality being implemented
Tests should not be mere smoke tests; they must assert and validate behavior

Files:

• src/backend/tests/unit/api/v1/test_files.py

**/{test_*.py,*.test.ts}

📄 CodeRabbit inference engine (coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt)

Check that test files follow naming conventions: backend test_*.py, frontend *.test.ts

Files:

• src/backend/tests/unit/api/v1/test_files.py

**/test_*.py

📄 CodeRabbit inference engine (coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt)

**/test_*.py: Backend tests must be named test_*.py and use proper pytest structure
For async Python code, ensure proper async testing patterns with pytest (e.g., async fixtures, event loop)
Backend tests should follow project patterns: use pytest for test execution and structure
For API endpoints, verify tests cover both success and error responses

Files:

• src/backend/tests/unit/api/v1/test_files.py

🧬 Code graph analysis (1)

src/backend/base/langflow/api/v1/files.py (3)

src/backend/tests/unit/api/v2/test_mcp_servers_file.py (1)

• settings_service (96-97)

src/backend/base/langflow/services/deps.py (1)

• get_settings_service (122-135)

src/lfx/src/lfx/utils/helpers.py (1)

• build_content_type_from_extension (33-34)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Lint Backend / Run Mypy (3.13)
• GitHub Check: Lint Backend / Run Mypy (3.11)
• GitHub Check: Run Frontend Tests / Determine Test Suites and Shard Distribution
• GitHub Check: Lint Backend / Run Mypy (3.10)
• GitHub Check: Lint Backend / Run Mypy (3.12)
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 2
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 5
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 1
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 4
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 3
• GitHub Check: Run Backend Tests / Test CLI - Python 3.10
• GitHub Check: Run Backend Tests / LFX Tests - Python 3.10
• GitHub Check: Run Backend Tests / Integration Tests - Python 3.10
• GitHub Check: Test Starter Templates
• GitHub Check: Update Component Index
• GitHub Check: Optimize new Python code in this PR

🔇 Additional comments (8)

src/backend/base/langflow/api/v1/files.py (1)

9-9: LGTM: Import added for async filesystem operations.

The anyio import is correctly added to support async file operations used later in the file.

src/backend/tests/unit/api/v1/test_files.py (7)

290-323: LGTM: Well-structured test fixture.

The fixture properly sets up a temporary directory with profile pictures, overrides the config directory, and ensures cleanup. The dependency on files_client ensures proper initialization ordering.

---

326-349: LGTM: Comprehensive test for listing profile pictures.

The test properly verifies the response structure, checks for expected folder prefixes, and validates that specific files are present. The docstring clearly explains the test's purpose.

---

352-370: LGTM: Thorough test for downloading profile pictures.

The test validates the HTTP response, content-type header, and SVG content structure. Good coverage of the download functionality.

---

373-406: LGTM: Defensive test with proper edge case handling.

The test handles the case where no people profile pictures are available by using pytest.skip, which is the correct approach. The verification of content-type and SVG structure is thorough.

---

409-420: LGTM: Good test coverage for 404 error case.

The test properly validates that requesting a non-existent file returns a 404 status code and includes an appropriate error message.

---

423-448: Excellent test for the PR objective!

This test directly validates the fix for the issue described in the PR title. It confirms that profile pictures are served from the local filesystem even when LANGFLOW_STORAGE_TYPE=s3, which is exactly what this PR aims to fix.

---

451-475: LGTM: Good coverage of content-type handling.

The test validates that SVG files are served with the correct image/svg+xml content-type for both Space and People folders.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Add tests for path traversal security vulnerabilities.

The test suite should include tests that verify the endpoint properly rejects path traversal attempts. This is especially important given the security vulnerability identified in the implementation.

Add these security tests:

async def test_download_profile_picture_path_traversal_folder(files_client, setup_profile_pictures):  # noqa: ARG001
    """Test that path traversal in folder_name is rejected.
    
    Args:
        files_client: HTTP client for making API requests
        setup_profile_pictures: Fixture that sets up profile pictures directory
    """
    # Try to access a file outside the profile_pictures directory
    response = await files_client.get("api/v1/files/profile_pictures/../../../etc/passwd")
    assert response.status_code in [400, 404], "Should reject path traversal attempts"


async def test_download_profile_picture_path_traversal_filename(files_client, setup_profile_pictures):  # noqa: ARG001
    """Test that path traversal in file_name is rejected.
    
    Args:
        files_client: HTTP client for making API requests
        setup_profile_pictures: Fixture that sets up profile pictures directory
    """
    # Try to access a file using path traversal in filename
    response = await files_client.get("api/v1/files/profile_pictures/Space/../../../etc/passwd")
    assert response.status_code in [400, 404], "Should reject path traversal attempts"


async def test_download_profile_picture_invalid_folder(files_client, setup_profile_pictures):  # noqa: ARG001
    """Test that invalid folder names are rejected.
    
    Args:
        files_client: HTTP client for making API requests
        setup_profile_pictures: Fixture that sets up profile pictures directory
    """
    response = await files_client.get("api/v1/files/profile_pictures/InvalidFolder/test.svg")
    assert response.status_code == 400, "Should reject invalid folder names"
    assert "Invalid folder name" in response.json()["detail"]

🤖 Prompt for AI Agents

In src/backend/tests/unit/api/v1/test_files.py around line 288, add unit tests
that assert the profile picture download endpoint rejects path traversal and
invalid folder names: create three async tests—one that requests
"api/v1/files/profile_pictures/../../../etc/passwd" and asserts status_code in
[400, 404]; one that requests
"api/v1/files/profile_pictures/Space/../../../etc/passwd" and asserts
status_code in [400, 404]; and one that requests
"api/v1/files/profile_pictures/InvalidFolder/test.svg" and asserts status_code
== 400 and that the response JSON detail contains "Invalid folder name"—use the
existing files_client and setup_profile_pictures fixtures and include brief
docstrings as in the review comment.

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	14.65% (3957/26993)	7.45% (1533/20566)	8.99% (532/5916)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
1588	0 💤	0 ❌	0 🔥	18.935s ⏱️

[Adam-Aghili]

@deon-sanchez how would I test this PR?

[lucaseduoli]

LGTM!