1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
10 alias Pleroma.Web.OAuth.Authorization
11 alias Pleroma.Web.OAuth.Token
13 test "redirects with oauth authorization" do
15 app = insert(:oauth_app)
19 |> post("/oauth/authorize", %{
21 "name" => user.nickname,
23 "client_id" => app.client_id,
24 "redirect_uri" => app.redirect_uris,
25 "state" => "statepassed"
29 target = redirected_to(conn)
30 assert target =~ app.redirect_uris
32 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
34 assert %{"state" => "statepassed", "code" => code} = query
35 assert Repo.get_by(Authorization, token: code)
38 test "correctly handles wrong credentials", %{conn: conn} do
40 app = insert(:oauth_app)
44 |> post("/oauth/authorize", %{
46 "name" => user.nickname,
47 "password" => "wrong",
48 "client_id" => app.client_id,
49 "redirect_uri" => app.redirect_uris,
50 "state" => "statepassed"
53 |> html_response(:unauthorized)
56 assert result =~ app.client_id
57 assert result =~ app.redirect_uris
60 assert result =~ "Invalid"
63 test "issues a token for an all-body request" do
65 app = insert(:oauth_app)
67 {:ok, auth} = Authorization.create_authorization(app, user)
71 |> post("/oauth/token", %{
72 "grant_type" => "authorization_code",
74 "redirect_uri" => app.redirect_uris,
75 "client_id" => app.client_id,
76 "client_secret" => app.client_secret
79 assert %{"access_token" => token} = json_response(conn, 200)
80 assert Repo.get_by(Token, token: token)
83 test "issues a token for `password` grant_type with valid credentials" do
84 password = "testpassword"
85 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
87 app = insert(:oauth_app)
91 |> post("/oauth/token", %{
92 "grant_type" => "password",
93 "username" => user.nickname,
94 "password" => password,
95 "client_id" => app.client_id,
96 "client_secret" => app.client_secret
99 assert %{"access_token" => token} = json_response(conn, 200)
100 assert Repo.get_by(Token, token: token)
103 test "issues a token for request with HTTP basic auth client credentials" do
105 app = insert(:oauth_app)
107 {:ok, auth} = Authorization.create_authorization(app, user)
110 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
115 |> put_req_header("authorization", "Basic " <> app_encoded)
116 |> post("/oauth/token", %{
117 "grant_type" => "authorization_code",
118 "code" => auth.token,
119 "redirect_uri" => app.redirect_uris
122 assert %{"access_token" => token} = json_response(conn, 200)
123 assert Repo.get_by(Token, token: token)
126 test "rejects token exchange with invalid client credentials" do
128 app = insert(:oauth_app)
130 {:ok, auth} = Authorization.create_authorization(app, user)
134 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
135 |> post("/oauth/token", %{
136 "grant_type" => "authorization_code",
137 "code" => auth.token,
138 "redirect_uri" => app.redirect_uris
141 assert resp = json_response(conn, 400)
142 assert %{"error" => _} = resp
143 refute Map.has_key?(resp, "access_token")
146 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
147 setting = Pleroma.Config.get([:instance, :account_activation_required])
150 Pleroma.Config.put([:instance, :account_activation_required], true)
151 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
154 password = "testpassword"
155 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
156 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
160 |> Ecto.Changeset.change()
161 |> Ecto.Changeset.put_embed(:info, info_change)
164 refute Pleroma.User.auth_active?(user)
166 app = insert(:oauth_app)
170 |> post("/oauth/token", %{
171 "grant_type" => "password",
172 "username" => user.nickname,
173 "password" => password,
174 "client_id" => app.client_id,
175 "client_secret" => app.client_secret
178 assert resp = json_response(conn, 403)
179 assert %{"error" => _} = resp
180 refute Map.has_key?(resp, "access_token")
183 test "rejects an invalid authorization code" do
184 app = insert(:oauth_app)
188 |> post("/oauth/token", %{
189 "grant_type" => "authorization_code",
190 "code" => "Imobviouslyinvalid",
191 "redirect_uri" => app.redirect_uris,
192 "client_id" => app.client_id,
193 "client_secret" => app.client_secret
196 assert resp = json_response(conn, 400)
197 assert %{"error" => _} = json_response(conn, 400)
198 refute Map.has_key?(resp, "access_token")