projects / akkoma / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'rework-emoji-management' into 'develop'
[akkoma] / test / web / oauth / oauth_controller_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
7 import Pleroma.Factory
8 import Mock
9
10 alias Pleroma.Registration
11 alias Pleroma.Repo
12 alias Pleroma.Web.OAuth.Authorization
13 alias Pleroma.Web.OAuth.Token
14
15 @session_opts [
16 store: :cookie,
17 key: "_test",
18 signing_salt: "cooldude"
19 ]
20
21 describe "in OAuth consumer mode, " do
22 setup do
23 oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies]
24 oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path)
25 Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook))
26
27 on_exit(fn ->
28 Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies)
29 end)
30
31 [
32 app: insert(:oauth_app),
33 conn:
34 build_conn()
35 |> Plug.Session.call(Plug.Session.init(@session_opts))
36 |> fetch_session()
37 ]
38 end
39
40 test "GET /oauth/authorize renders auth forms, including OAuth consumer form", %{
41 app: app,
42 conn: conn
43 } do
44 conn =
45 get(
46 conn,
47 "/oauth/authorize",
48 %{
49 "response_type" => "code",
50 "client_id" => app.client_id,
51 "redirect_uri" => app.redirect_uris,
52 "scope" => "read"
53 }
54 )
55
56 assert response = html_response(conn, 200)
57 assert response =~ "Sign in with Twitter"
58 assert response =~ o_auth_path(conn, :prepare_request)
59 end
60
61 test "GET /oauth/prepare_request encodes parameters as `state` and redirects", %{
62 app: app,
63 conn: conn
64 } do
65 conn =
66 get(
67 conn,
68 "/oauth/prepare_request",
69 %{
70 "provider" => "twitter",
71 "authorization" => %{
72 "scope" => "read follow",
73 "client_id" => app.client_id,
74 "redirect_uri" => app.redirect_uris,
75 "state" => "a_state"
76 }
77 }
78 )
79
80 assert response = html_response(conn, 302)
81
82 redirect_query = URI.parse(redirected_to(conn)).query
83 assert %{"state" => state_param} = URI.decode_query(redirect_query)
84 assert {:ok, state_components} = Poison.decode(state_param)
85
86 expected_client_id = app.client_id
87 expected_redirect_uri = app.redirect_uris
88
89 assert %{
90 "scope" => "read follow",
91 "client_id" => ^expected_client_id,
92 "redirect_uri" => ^expected_redirect_uri,
93 "state" => "a_state"
94 } = state_components
95 end
96
97 test "with user-bound registration, GET /oauth/<provider>/callback redirects to `redirect_uri` with `code`",
98 %{app: app, conn: conn} do
99 registration = insert(:registration)
100
101 state_params = %{
102 "scope" => Enum.join(app.scopes, " "),
103 "client_id" => app.client_id,
104 "redirect_uri" => app.redirect_uris,
105 "state" => ""
106 }
107
108 with_mock Pleroma.Web.Auth.Authenticator,
109 get_registration: fn _ -> {:ok, registration} end do
110 conn =
111 get(
112 conn,
113 "/oauth/twitter/callback",
114 %{
115 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
116 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
117 "provider" => "twitter",
118 "state" => Poison.encode!(state_params)
119 }
120 )
121
122 assert response = html_response(conn, 302)
123 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
124 end
125 end
126
127 test "with user-unbound registration, GET /oauth/<provider>/callback renders registration_details page",
128 %{app: app, conn: conn} do
129 registration = insert(:registration, user: nil)
130
131 state_params = %{
132 "scope" => "read write",
133 "client_id" => app.client_id,
134 "redirect_uri" => app.redirect_uris,
135 "state" => "a_state"
136 }
137
138 with_mock Pleroma.Web.Auth.Authenticator,
139 get_registration: fn _ -> {:ok, registration} end do
140 conn =
141 get(
142 conn,
143 "/oauth/twitter/callback",
144 %{
145 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
146 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
147 "provider" => "twitter",
148 "state" => Poison.encode!(state_params)
149 }
150 )
151
152 assert response = html_response(conn, 200)
153 assert response =~ ~r/name="op" type="submit" value="register"/
154 assert response =~ ~r/name="op" type="submit" value="connect"/
155 assert response =~ Registration.email(registration)
156 assert response =~ Registration.nickname(registration)
157 end
158 end
159
160 test "on authentication error, GET /oauth/<provider>/callback redirects to `redirect_uri`", %{
161 app: app,
162 conn: conn
163 } do
164 state_params = %{
165 "scope" => Enum.join(app.scopes, " "),
166 "client_id" => app.client_id,
167 "redirect_uri" => app.redirect_uris,
168 "state" => ""
169 }
170
171 conn =
172 conn
173 |> assign(:ueberauth_failure, %{errors: [%{message: "(error description)"}]})
174 |> get(
175 "/oauth/twitter/callback",
176 %{
177 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
178 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
179 "provider" => "twitter",
180 "state" => Poison.encode!(state_params)
181 }
182 )
183
184 assert response = html_response(conn, 302)
185 assert redirected_to(conn) == app.redirect_uris
186 assert get_flash(conn, :error) == "Failed to authenticate: (error description)."
187 end
188
189 test "GET /oauth/registration_details renders registration details form", %{
190 app: app,
191 conn: conn
192 } do
193 conn =
194 get(
195 conn,
196 "/oauth/registration_details",
197 %{
198 "authorization" => %{
199 "scopes" => app.scopes,
200 "client_id" => app.client_id,
201 "redirect_uri" => app.redirect_uris,
202 "state" => "a_state",
203 "nickname" => nil,
204 "email" => "john@doe.com"
205 }
206 }
207 )
208
209 assert response = html_response(conn, 200)
210 assert response =~ ~r/name="op" type="submit" value="register"/
211 assert response =~ ~r/name="op" type="submit" value="connect"/
212 end
213
214 test "with valid params, POST /oauth/register?op=register redirects to `redirect_uri` with `code`",
215 %{
216 app: app,
217 conn: conn
218 } do
219 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
220
221 conn =
222 conn
223 |> put_session(:registration_id, registration.id)
224 |> post(
225 "/oauth/register",
226 %{
227 "op" => "register",
228 "authorization" => %{
229 "scopes" => app.scopes,
230 "client_id" => app.client_id,
231 "redirect_uri" => app.redirect_uris,
232 "state" => "a_state",
233 "nickname" => "availablenick",
234 "email" => "available@email.com"
235 }
236 }
237 )
238
239 assert response = html_response(conn, 302)
240 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
241 end
242
243 test "with invalid params, POST /oauth/register?op=register renders registration_details page",
244 %{
245 app: app,
246 conn: conn
247 } do
248 another_user = insert(:user)
249 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
250
251 params = %{
252 "op" => "register",
253 "authorization" => %{
254 "scopes" => app.scopes,
255 "client_id" => app.client_id,
256 "redirect_uri" => app.redirect_uris,
257 "state" => "a_state",
258 "nickname" => "availablenickname",
259 "email" => "available@email.com"
260 }
261 }
262
263 for {bad_param, bad_param_value} <-
264 [{"nickname", another_user.nickname}, {"email", another_user.email}] do
265 bad_registration_attrs = %{
266 "authorization" => Map.put(params["authorization"], bad_param, bad_param_value)
267 }
268
269 bad_params = Map.merge(params, bad_registration_attrs)
270
271 conn =
272 conn
273 |> put_session(:registration_id, registration.id)
274 |> post("/oauth/register", bad_params)
275
276 assert html_response(conn, 403) =~ ~r/name="op" type="submit" value="register"/
277 assert get_flash(conn, :error) == "Error: #{bad_param} has already been taken."
278 end
279 end
280
281 test "with valid params, POST /oauth/register?op=connect redirects to `redirect_uri` with `code`",
282 %{
283 app: app,
284 conn: conn
285 } do
286 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword"))
287 registration = insert(:registration, user: nil)
288
289 conn =
290 conn
291 |> put_session(:registration_id, registration.id)
292 |> post(
293 "/oauth/register",
294 %{
295 "op" => "connect",
296 "authorization" => %{
297 "scopes" => app.scopes,
298 "client_id" => app.client_id,
299 "redirect_uri" => app.redirect_uris,
300 "state" => "a_state",
301 "name" => user.nickname,
302 "password" => "testpassword"
303 }
304 }
305 )
306
307 assert response = html_response(conn, 302)
308 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
309 end
310
311 test "with invalid params, POST /oauth/register?op=connect renders registration_details page",
312 %{
313 app: app,
314 conn: conn
315 } do
316 user = insert(:user)
317 registration = insert(:registration, user: nil)
318
319 params = %{
320 "op" => "connect",
321 "authorization" => %{
322 "scopes" => app.scopes,
323 "client_id" => app.client_id,
324 "redirect_uri" => app.redirect_uris,
325 "state" => "a_state",
326 "name" => user.nickname,
327 "password" => "wrong password"
328 }
329 }
330
331 conn =
332 conn
333 |> put_session(:registration_id, registration.id)
334 |> post("/oauth/register", params)
335
336 assert html_response(conn, 401) =~ ~r/name="op" type="submit" value="connect"/
337 assert get_flash(conn, :error) == "Invalid Username/Password"
338 end
339 end
340
341 describe "GET /oauth/authorize" do
342 setup do
343 [
344 app: insert(:oauth_app, redirect_uris: "https://redirect.url"),
345 conn:
346 build_conn()
347 |> Plug.Session.call(Plug.Session.init(@session_opts))
348 |> fetch_session()
349 ]
350 end
351
352 test "renders authentication page", %{app: app, conn: conn} do
353 conn =
354 get(
355 conn,
356 "/oauth/authorize",
357 %{
358 "response_type" => "code",
359 "client_id" => app.client_id,
360 "redirect_uri" => app.redirect_uris,
361 "scope" => "read"
362 }
363 )
364
365 assert html_response(conn, 200) =~ ~s(type="submit")
366 end
367
368 test "properly handles internal calls with `authorization`-wrapped params", %{
369 app: app,
370 conn: conn
371 } do
372 conn =
373 get(
374 conn,
375 "/oauth/authorize",
376 %{
377 "authorization" => %{
378 "response_type" => "code",
379 "client_id" => app.client_id,
380 "redirect_uri" => app.redirect_uris,
381 "scope" => "read"
382 }
383 }
384 )
385
386 assert html_response(conn, 200) =~ ~s(type="submit")
387 end
388
389 test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
390 %{app: app, conn: conn} do
391 token = insert(:oauth_token, app_id: app.id)
392
393 conn =
394 conn
395 |> put_session(:oauth_token, token.token)
396 |> get(
397 "/oauth/authorize",
398 %{
399 "response_type" => "code",
400 "client_id" => app.client_id,
401 "redirect_uri" => app.redirect_uris,
402 "scope" => "read",
403 "force_login" => "true"
404 }
405 )
406
407 assert html_response(conn, 200) =~ ~s(type="submit")
408 end
409
410 test "redirects to app if user is already authenticated", %{app: app, conn: conn} do
411 token = insert(:oauth_token, app_id: app.id)
412
413 conn =
414 conn
415 |> put_session(:oauth_token, token.token)
416 |> get(
417 "/oauth/authorize",
418 %{
419 "response_type" => "code",
420 "client_id" => app.client_id,
421 "redirect_uri" => app.redirect_uris,
422 "scope" => "read"
423 }
424 )
425
426 assert redirected_to(conn) == "https://redirect.url"
427 end
428 end
429
430 describe "POST /oauth/authorize" do
431 test "redirects with oauth authorization" do
432 user = insert(:user)
433 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
434
435 conn =
436 build_conn()
437 |> post("/oauth/authorize", %{
438 "authorization" => %{
439 "name" => user.nickname,
440 "password" => "test",
441 "client_id" => app.client_id,
442 "redirect_uri" => app.redirect_uris,
443 "scope" => "read write",
444 "state" => "statepassed"
445 }
446 })
447
448 target = redirected_to(conn)
449 assert target =~ app.redirect_uris
450
451 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
452
453 assert %{"state" => "statepassed", "code" => code} = query
454 auth = Repo.get_by(Authorization, token: code)
455 assert auth
456 assert auth.scopes == ["read", "write"]
457 end
458
459 test "returns 401 for wrong credentials", %{conn: conn} do
460 user = insert(:user)
461 app = insert(:oauth_app)
462
463 result =
464 conn
465 |> post("/oauth/authorize", %{
466 "authorization" => %{
467 "name" => user.nickname,
468 "password" => "wrong",
469 "client_id" => app.client_id,
470 "redirect_uri" => app.redirect_uris,
471 "state" => "statepassed",
472 "scope" => Enum.join(app.scopes, " ")
473 }
474 })
475 |> html_response(:unauthorized)
476
477 # Keep the details
478 assert result =~ app.client_id
479 assert result =~ app.redirect_uris
480
481 # Error message
482 assert result =~ "Invalid Username/Password"
483 end
484
485 test "returns 401 for missing scopes", %{conn: conn} do
486 user = insert(:user)
487 app = insert(:oauth_app)
488
489 result =
490 conn
491 |> post("/oauth/authorize", %{
492 "authorization" => %{
493 "name" => user.nickname,
494 "password" => "test",
495 "client_id" => app.client_id,
496 "redirect_uri" => app.redirect_uris,
497 "state" => "statepassed",
498 "scope" => ""
499 }
500 })
501 |> html_response(:unauthorized)
502
503 # Keep the details
504 assert result =~ app.client_id
505 assert result =~ app.redirect_uris
506
507 # Error message
508 assert result =~ "This action is outside the authorized scopes"
509 end
510
511 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
512 user = insert(:user)
513 app = insert(:oauth_app, scopes: ["read", "write"])
514
515 result =
516 conn
517 |> post("/oauth/authorize", %{
518 "authorization" => %{
519 "name" => user.nickname,
520 "password" => "test",
521 "client_id" => app.client_id,
522 "redirect_uri" => app.redirect_uris,
523 "state" => "statepassed",
524 "scope" => "read write follow"
525 }
526 })
527 |> html_response(:unauthorized)
528
529 # Keep the details
530 assert result =~ app.client_id
531 assert result =~ app.redirect_uris
532
533 # Error message
534 assert result =~ "This action is outside the authorized scopes"
535 end
536 end
537
538 describe "POST /oauth/token" do
539 test "issues a token for an all-body request" do
540 user = insert(:user)
541 app = insert(:oauth_app, scopes: ["read", "write"])
542
543 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
544
545 conn =
546 build_conn()
547 |> post("/oauth/token", %{
548 "grant_type" => "authorization_code",
549 "code" => auth.token,
550 "redirect_uri" => app.redirect_uris,
551 "client_id" => app.client_id,
552 "client_secret" => app.client_secret
553 })
554
555 assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
556
557 token = Repo.get_by(Token, token: token)
558 assert token
559 assert token.scopes == auth.scopes
560 assert user.ap_id == ap_id
561 end
562
563 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
564 password = "testpassword"
565 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
566
567 app = insert(:oauth_app, scopes: ["read", "write"])
568
569 # Note: "scope" param is intentionally omitted
570 conn =
571 build_conn()
572 |> post("/oauth/token", %{
573 "grant_type" => "password",
574 "username" => user.nickname,
575 "password" => password,
576 "client_id" => app.client_id,
577 "client_secret" => app.client_secret
578 })
579
580 assert %{"access_token" => token} = json_response(conn, 200)
581
582 token = Repo.get_by(Token, token: token)
583 assert token
584 assert token.scopes == app.scopes
585 end
586
587 test "issues a token for request with HTTP basic auth client credentials" do
588 user = insert(:user)
589 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
590
591 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
592 assert auth.scopes == ["scope1", "scope2"]
593
594 app_encoded =
595 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
596 |> Base.encode64()
597
598 conn =
599 build_conn()
600 |> put_req_header("authorization", "Basic " <> app_encoded)
601 |> post("/oauth/token", %{
602 "grant_type" => "authorization_code",
603 "code" => auth.token,
604 "redirect_uri" => app.redirect_uris
605 })
606
607 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
608
609 assert scope == "scope1 scope2"
610
611 token = Repo.get_by(Token, token: token)
612 assert token
613 assert token.scopes == ["scope1", "scope2"]
614 end
615
616 test "rejects token exchange with invalid client credentials" do
617 user = insert(:user)
618 app = insert(:oauth_app)
619
620 {:ok, auth} = Authorization.create_authorization(app, user)
621
622 conn =
623 build_conn()
624 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
625 |> post("/oauth/token", %{
626 "grant_type" => "authorization_code",
627 "code" => auth.token,
628 "redirect_uri" => app.redirect_uris
629 })
630
631 assert resp = json_response(conn, 400)
632 assert %{"error" => _} = resp
633 refute Map.has_key?(resp, "access_token")
634 end
635
636 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
637 setting = Pleroma.Config.get([:instance, :account_activation_required])
638
639 unless setting do
640 Pleroma.Config.put([:instance, :account_activation_required], true)
641 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
642 end
643
644 password = "testpassword"
645 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
646 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
647
648 {:ok, user} =
649 user
650 |> Ecto.Changeset.change()
651 |> Ecto.Changeset.put_embed(:info, info_change)
652 |> Repo.update()
653
654 refute Pleroma.User.auth_active?(user)
655
656 app = insert(:oauth_app)
657
658 conn =
659 build_conn()
660 |> post("/oauth/token", %{
661 "grant_type" => "password",
662 "username" => user.nickname,
663 "password" => password,
664 "client_id" => app.client_id,
665 "client_secret" => app.client_secret
666 })
667
668 assert resp = json_response(conn, 403)
669 assert %{"error" => _} = resp
670 refute Map.has_key?(resp, "access_token")
671 end
672
673 test "rejects token exchange for valid credentials belonging to deactivated user" do
674 password = "testpassword"
675
676 user =
677 insert(:user,
678 password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
679 info: %{deactivated: true}
680 )
681
682 app = insert(:oauth_app)
683
684 conn =
685 build_conn()
686 |> post("/oauth/token", %{
687 "grant_type" => "password",
688 "username" => user.nickname,
689 "password" => password,
690 "client_id" => app.client_id,
691 "client_secret" => app.client_secret
692 })
693
694 assert resp = json_response(conn, 403)
695 assert %{"error" => _} = resp
696 refute Map.has_key?(resp, "access_token")
697 end
698
699 test "rejects an invalid authorization code" do
700 app = insert(:oauth_app)
701
702 conn =
703 build_conn()
704 |> post("/oauth/token", %{
705 "grant_type" => "authorization_code",
706 "code" => "Imobviouslyinvalid",
707 "redirect_uri" => app.redirect_uris,
708 "client_id" => app.client_id,
709 "client_secret" => app.client_secret
710 })
711
712 assert resp = json_response(conn, 400)
713 assert %{"error" => _} = json_response(conn, 400)
714 refute Map.has_key?(resp, "access_token")
715 end
716 end
717 end
Fork of https://akkoma.dev/AkkomaGang/akkoma.git