1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.MFAControllerTest do
6 use Pleroma.Web.ConnCase
10 alias Pleroma.MFA.BackupCodes
11 alias Pleroma.MFA.TOTP
13 alias Pleroma.Web.OAuth.Authorization
14 alias Pleroma.Web.OAuth.OAuthController
16 setup %{conn: conn} do
17 otp_secret = TOTP.generate_secret()
21 multi_factor_authentication_settings: %MFA.Settings{
23 backup_codes: [Pbkdf2.hash_pwd_salt("test-code")],
24 totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
28 app = insert(:oauth_app)
29 {:ok, conn: conn, user: user, app: app}
33 setup %{conn: conn, user: user, app: app} do
37 authorization: build(:oauth_authorization, app: app, scopes: ["write"])
40 {:ok, conn: conn, mfa_token: mfa_token}
43 test "GET /oauth/mfa renders mfa forms", %{conn: conn, mfa_token: mfa_token} do
49 "mfa_token" => mfa_token.token,
51 "redirect_uri" => "http://localhost:8080/callback"
55 assert response = html_response(conn, 200)
56 assert response =~ "Two-factor authentication"
57 assert response =~ mfa_token.token
58 assert response =~ "http://localhost:8080/callback"
61 test "GET /oauth/mfa renders mfa recovery forms", %{conn: conn, mfa_token: mfa_token} do
67 "mfa_token" => mfa_token.token,
69 "redirect_uri" => "http://localhost:8080/callback",
70 "challenge_type" => "recovery"
74 assert response = html_response(conn, 200)
75 assert response =~ "Two-factor recovery"
76 assert response =~ mfa_token.token
77 assert response =~ "http://localhost:8080/callback"
82 setup %{conn: conn, user: user, app: app} do
86 authorization: build(:oauth_authorization, app: app, scopes: ["write"])
89 {:ok, conn: conn, user: user, mfa_token: mfa_token, app: app}
92 test "POST /oauth/mfa/verify, verify totp code", %{
98 otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
102 |> post("/oauth/mfa/verify", %{
104 "mfa_token" => mfa_token.token,
105 "challenge_type" => "totp",
107 "state" => "a_state",
108 "redirect_uri" => OAuthController.default_redirect_uri(app)
112 target = redirected_to(conn)
113 target_url = %URI{URI.parse(target) | query: nil} |> URI.to_string()
114 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
115 assert %{"state" => "a_state", "code" => code} = query
116 assert target_url == OAuthController.default_redirect_uri(app)
117 auth = Repo.get_by(Authorization, token: code)
118 assert auth.scopes == ["write"]
121 test "POST /oauth/mfa/verify, verify recovery code", %{
123 mfa_token: mfa_token,
128 |> post("/oauth/mfa/verify", %{
130 "mfa_token" => mfa_token.token,
131 "challenge_type" => "recovery",
132 "code" => "test-code",
133 "state" => "a_state",
134 "redirect_uri" => OAuthController.default_redirect_uri(app)
138 target = redirected_to(conn)
139 target_url = %URI{URI.parse(target) | query: nil} |> URI.to_string()
140 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
141 assert %{"state" => "a_state", "code" => code} = query
142 assert target_url == OAuthController.default_redirect_uri(app)
143 auth = Repo.get_by(Authorization, token: code)
144 assert auth.scopes == ["write"]
148 describe "challenge/totp" do
149 test "returns access token with valid code", %{conn: conn, user: user, app: app} do
150 otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
155 authorization: build(:oauth_authorization, app: app, scopes: ["write"])
160 |> post("/oauth/mfa/challenge", %{
161 "mfa_token" => mfa_token.token,
162 "challenge_type" => "totp",
164 "client_id" => app.client_id,
165 "client_secret" => app.client_secret
167 |> json_response(:ok)
176 "refresh_token" => _,
178 "token_type" => "Bearer"
184 test "returns errors when mfa token invalid", %{conn: conn, user: user, app: app} do
185 otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
189 |> post("/oauth/mfa/challenge", %{
190 "mfa_token" => "XXX",
191 "challenge_type" => "totp",
193 "client_id" => app.client_id,
194 "client_secret" => app.client_secret
196 |> json_response(400)
198 assert response == %{"error" => "Invalid code"}
201 test "returns error when otp code is invalid", %{conn: conn, user: user, app: app} do
202 mfa_token = insert(:mfa_token, user: user)
206 |> post("/oauth/mfa/challenge", %{
207 "mfa_token" => mfa_token.token,
208 "challenge_type" => "totp",
210 "client_id" => app.client_id,
211 "client_secret" => app.client_secret
213 |> json_response(400)
215 assert response == %{"error" => "Invalid code"}
218 test "returns error when client credentails is wrong ", %{conn: conn, user: user} do
219 otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
220 mfa_token = insert(:mfa_token, user: user)
224 |> post("/oauth/mfa/challenge", %{
225 "mfa_token" => mfa_token.token,
226 "challenge_type" => "totp",
228 "client_id" => "xxx",
229 "client_secret" => "xxx"
231 |> json_response(400)
233 assert response == %{"error" => "Invalid code"}
237 describe "challenge/recovery" do
238 setup %{conn: conn} do
239 app = insert(:oauth_app)
240 {:ok, conn: conn, app: app}
243 test "returns access token with valid code", %{conn: conn, app: app} do
244 otp_secret = TOTP.generate_secret()
246 [code | _] = backup_codes = BackupCodes.generate()
250 |> Enum.map(&Pbkdf2.hash_pwd_salt(&1))
254 multi_factor_authentication_settings: %MFA.Settings{
256 backup_codes: hashed_codes,
257 totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
264 authorization: build(:oauth_authorization, app: app, scopes: ["write"])
269 |> post("/oauth/mfa/challenge", %{
270 "mfa_token" => mfa_token.token,
271 "challenge_type" => "recovery",
273 "client_id" => app.client_id,
274 "client_secret" => app.client_secret
276 |> json_response(:ok)
285 "refresh_token" => _,
287 "token_type" => "Bearer"
294 |> post("/oauth/mfa/challenge", %{
295 "mfa_token" => mfa_token.token,
296 "challenge_type" => "recovery",
298 "client_id" => app.client_id,
299 "client_secret" => app.client_secret
301 |> json_response(400)
303 assert error_response == %{"error" => "Invalid code"}