projects / akkoma / blob
? search:


75333f2d5d6f0020e22e58ff563b0b32c484db12
[akkoma] / test / web / oauth / oauth_controller_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
7 import Pleroma.Factory
8 import Mock
9
10 alias Pleroma.Registration
11 alias Pleroma.Repo
12 alias Pleroma.Web.OAuth.Authorization
13 alias Pleroma.Web.OAuth.Token
14
15 @session_opts [
16 store: :cookie,
17 key: "_test",
18 signing_salt: "cooldude"
19 ]
20
21 describe "in OAuth consumer mode, " do
22 setup do
23 oauth_consumer_enabled_path = [:auth, :oauth_consumer_enabled]
24 oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies]
25 oauth_consumer_enabled = Pleroma.Config.get(oauth_consumer_enabled_path)
26 oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path)
27
28 Pleroma.Config.put(oauth_consumer_enabled_path, true)
29 Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook))
30
31 on_exit(fn ->
32 Pleroma.Config.put(oauth_consumer_enabled_path, oauth_consumer_enabled)
33 Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies)
34 end)
35
36 [
37 app: insert(:oauth_app),
38 conn:
39 build_conn()
40 |> Plug.Session.call(Plug.Session.init(@session_opts))
41 |> fetch_session()
42 ]
43 end
44
45 test "GET /oauth/authorize also renders OAuth consumer form", %{
46 app: app,
47 conn: conn
48 } do
49 conn =
50 get(
51 conn,
52 "/oauth/authorize",
53 %{
54 "response_type" => "code",
55 "client_id" => app.client_id,
56 "redirect_uri" => app.redirect_uris,
57 "scope" => "read"
58 }
59 )
60
61 assert response = html_response(conn, 200)
62 assert response =~ "Sign in with Twitter"
63 assert response =~ o_auth_path(conn, :prepare_request)
64 end
65
66 test "GET /oauth/prepare_request encodes parameters as `state` and redirects", %{
67 app: app,
68 conn: conn
69 } do
70 conn =
71 get(
72 conn,
73 "/oauth/prepare_request",
74 %{
75 "provider" => "twitter",
76 "scope" => "read follow",
77 "client_id" => app.client_id,
78 "redirect_uri" => app.redirect_uris,
79 "state" => "a_state"
80 }
81 )
82
83 assert response = html_response(conn, 302)
84
85 redirect_query = URI.parse(redirected_to(conn)).query
86 assert %{"state" => state_param} = URI.decode_query(redirect_query)
87 assert {:ok, state_components} = Poison.decode(state_param)
88
89 expected_client_id = app.client_id
90 expected_redirect_uri = app.redirect_uris
91
92 assert %{
93 "scope" => "read follow",
94 "client_id" => ^expected_client_id,
95 "redirect_uri" => ^expected_redirect_uri,
96 "state" => "a_state"
97 } = state_components
98 end
99
100 test "on authentication error, redirects to `redirect_uri`", %{app: app, conn: conn} do
101 state_params = %{
102 "scope" => Enum.join(app.scopes, " "),
103 "client_id" => app.client_id,
104 "redirect_uri" => app.redirect_uris,
105 "state" => ""
106 }
107
108 conn =
109 conn
110 |> assign(:ueberauth_failure, %{errors: [%{message: "unknown error"}]})
111 |> get(
112 "/oauth/twitter/callback",
113 %{
114 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
115 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
116 "provider" => "twitter",
117 "state" => Poison.encode!(state_params)
118 }
119 )
120
121 assert response = html_response(conn, 302)
122 assert redirected_to(conn) == app.redirect_uris
123 end
124
125 test "with user-bound registration, GET /oauth/<provider>/callback redirects to `redirect_uri` with `code`",
126 %{app: app, conn: conn} do
127 registration = insert(:registration)
128
129 state_params = %{
130 "scope" => Enum.join(app.scopes, " "),
131 "client_id" => app.client_id,
132 "redirect_uri" => app.redirect_uris,
133 "state" => ""
134 }
135
136 with_mock Pleroma.Web.Auth.Authenticator,
137 get_registration: fn _, _ -> {:ok, registration} end do
138 conn =
139 get(
140 conn,
141 "/oauth/twitter/callback",
142 %{
143 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
144 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
145 "provider" => "twitter",
146 "state" => Poison.encode!(state_params)
147 }
148 )
149
150 assert response = html_response(conn, 302)
151 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
152 end
153 end
154
155 test "with user-unbound registration, GET /oauth/<provider>/callback redirects to registration_details page",
156 %{app: app, conn: conn} do
157 registration = insert(:registration, user: nil)
158
159 state_params = %{
160 "scope" => "read write",
161 "client_id" => app.client_id,
162 "redirect_uri" => app.redirect_uris,
163 "state" => "a_state"
164 }
165
166 with_mock Pleroma.Web.Auth.Authenticator,
167 get_registration: fn _, _ -> {:ok, registration} end do
168 conn =
169 get(
170 conn,
171 "/oauth/twitter/callback",
172 %{
173 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
174 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
175 "provider" => "twitter",
176 "state" => Poison.encode!(state_params)
177 }
178 )
179
180 expected_redirect_params =
181 state_params
182 |> Map.delete("scope")
183 |> Map.merge(%{
184 "scope" => "read write",
185 "email" => Registration.email(registration),
186 "nickname" => Registration.nickname(registration)
187 })
188
189 assert response = html_response(conn, 302)
190
191 assert redirected_to(conn) ==
192 o_auth_path(conn, :registration_details, expected_redirect_params)
193 end
194 end
195
196 test "GET /oauth/registration_details renders registration details form", %{
197 app: app,
198 conn: conn
199 } do
200 conn =
201 get(
202 conn,
203 "/oauth/registration_details",
204 %{
205 "scopes" => app.scopes,
206 "client_id" => app.client_id,
207 "redirect_uri" => app.redirect_uris,
208 "state" => "a_state",
209 "nickname" => nil,
210 "email" => "john@doe.com"
211 }
212 )
213
214 assert response = html_response(conn, 200)
215 assert response =~ ~r/name="op" type="submit" value="register"/
216 assert response =~ ~r/name="op" type="submit" value="connect"/
217 end
218
219 test "with valid params, POST /oauth/register?op=register redirects to `redirect_uri` with `code`",
220 %{
221 app: app,
222 conn: conn
223 } do
224 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
225
226 conn =
227 conn
228 |> put_session(:registration_id, registration.id)
229 |> post(
230 "/oauth/register",
231 %{
232 "op" => "register",
233 "scopes" => app.scopes,
234 "client_id" => app.client_id,
235 "redirect_uri" => app.redirect_uris,
236 "state" => "a_state",
237 "nickname" => "availablenick",
238 "email" => "available@email.com"
239 }
240 )
241
242 assert response = html_response(conn, 302)
243 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
244 end
245
246 test "with invalid params, POST /oauth/register?op=register redirects to registration_details page",
247 %{
248 app: app,
249 conn: conn
250 } do
251 another_user = insert(:user)
252 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
253
254 params = %{
255 "op" => "register",
256 "scopes" => app.scopes,
257 "client_id" => app.client_id,
258 "redirect_uri" => app.redirect_uris,
259 "state" => "a_state",
260 "nickname" => another_user.nickname,
261 "email" => another_user.email
262 }
263
264 conn =
265 conn
266 |> put_session(:registration_id, registration.id)
267 |> post("/oauth/register", params)
268
269 assert response = html_response(conn, 302)
270
271 assert redirected_to(conn) ==
272 o_auth_path(conn, :registration_details, params)
273 end
274
275 test "with valid params, POST /oauth/register?op=connect redirects to `redirect_uri` with `code`",
276 %{
277 app: app,
278 conn: conn
279 } do
280 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword"))
281 registration = insert(:registration, user: nil)
282
283 conn =
284 conn
285 |> put_session(:registration_id, registration.id)
286 |> post(
287 "/oauth/register",
288 %{
289 "op" => "connect",
290 "scopes" => app.scopes,
291 "client_id" => app.client_id,
292 "redirect_uri" => app.redirect_uris,
293 "state" => "a_state",
294 "auth_name" => user.nickname,
295 "password" => "testpassword"
296 }
297 )
298
299 assert response = html_response(conn, 302)
300 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
301 end
302
303 test "with invalid params, POST /oauth/register?op=connect redirects to registration_details page",
304 %{
305 app: app,
306 conn: conn
307 } do
308 user = insert(:user)
309 registration = insert(:registration, user: nil)
310
311 params = %{
312 "op" => "connect",
313 "scopes" => app.scopes,
314 "client_id" => app.client_id,
315 "redirect_uri" => app.redirect_uris,
316 "state" => "a_state",
317 "auth_name" => user.nickname,
318 "password" => "wrong password"
319 }
320
321 conn =
322 conn
323 |> put_session(:registration_id, registration.id)
324 |> post("/oauth/register", params)
325
326 assert response = html_response(conn, 302)
327
328 assert redirected_to(conn) ==
329 o_auth_path(conn, :registration_details, Map.delete(params, "password"))
330 end
331 end
332
333 describe "GET /oauth/authorize" do
334 setup do
335 [
336 app: insert(:oauth_app, redirect_uris: "https://redirect.url"),
337 conn:
338 build_conn()
339 |> Plug.Session.call(Plug.Session.init(@session_opts))
340 |> fetch_session()
341 ]
342 end
343
344 test "renders authentication page", %{app: app, conn: conn} do
345 conn =
346 get(
347 conn,
348 "/oauth/authorize",
349 %{
350 "response_type" => "code",
351 "client_id" => app.client_id,
352 "redirect_uri" => app.redirect_uris,
353 "scope" => "read"
354 }
355 )
356
357 assert html_response(conn, 200) =~ ~s(type="submit")
358 end
359
360 test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
361 %{app: app, conn: conn} do
362 token = insert(:oauth_token, app_id: app.id)
363
364 conn =
365 conn
366 |> put_session(:oauth_token, token.token)
367 |> get(
368 "/oauth/authorize",
369 %{
370 "response_type" => "code",
371 "client_id" => app.client_id,
372 "redirect_uri" => app.redirect_uris,
373 "scope" => "read",
374 "force_login" => "true"
375 }
376 )
377
378 assert html_response(conn, 200) =~ ~s(type="submit")
379 end
380
381 test "redirects to app if user is already authenticated", %{app: app, conn: conn} do
382 token = insert(:oauth_token, app_id: app.id)
383
384 conn =
385 conn
386 |> put_session(:oauth_token, token.token)
387 |> get(
388 "/oauth/authorize",
389 %{
390 "response_type" => "code",
391 "client_id" => app.client_id,
392 "redirect_uri" => app.redirect_uris,
393 "scope" => "read"
394 }
395 )
396
397 assert redirected_to(conn) == "https://redirect.url"
398 end
399 end
400
401 describe "POST /oauth/authorize" do
402 test "redirects with oauth authorization" do
403 user = insert(:user)
404 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
405
406 conn =
407 build_conn()
408 |> post("/oauth/authorize", %{
409 "authorization" => %{
410 "name" => user.nickname,
411 "password" => "test",
412 "client_id" => app.client_id,
413 "redirect_uri" => app.redirect_uris,
414 "scope" => "read write",
415 "state" => "statepassed"
416 }
417 })
418
419 target = redirected_to(conn)
420 assert target =~ app.redirect_uris
421
422 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
423
424 assert %{"state" => "statepassed", "code" => code} = query
425 auth = Repo.get_by(Authorization, token: code)
426 assert auth
427 assert auth.scopes == ["read", "write"]
428 end
429
430 test "returns 401 for wrong credentials", %{conn: conn} do
431 user = insert(:user)
432 app = insert(:oauth_app)
433
434 result =
435 conn
436 |> post("/oauth/authorize", %{
437 "authorization" => %{
438 "name" => user.nickname,
439 "password" => "wrong",
440 "client_id" => app.client_id,
441 "redirect_uri" => app.redirect_uris,
442 "state" => "statepassed",
443 "scope" => Enum.join(app.scopes, " ")
444 }
445 })
446 |> html_response(:unauthorized)
447
448 # Keep the details
449 assert result =~ app.client_id
450 assert result =~ app.redirect_uris
451
452 # Error message
453 assert result =~ "Invalid Username/Password"
454 end
455
456 test "returns 401 for missing scopes", %{conn: conn} do
457 user = insert(:user)
458 app = insert(:oauth_app)
459
460 result =
461 conn
462 |> post("/oauth/authorize", %{
463 "authorization" => %{
464 "name" => user.nickname,
465 "password" => "test",
466 "client_id" => app.client_id,
467 "redirect_uri" => app.redirect_uris,
468 "state" => "statepassed",
469 "scope" => ""
470 }
471 })
472 |> html_response(:unauthorized)
473
474 # Keep the details
475 assert result =~ app.client_id
476 assert result =~ app.redirect_uris
477
478 # Error message
479 assert result =~ "This action is outside the authorized scopes"
480 end
481
482 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
483 user = insert(:user)
484 app = insert(:oauth_app, scopes: ["read", "write"])
485
486 result =
487 conn
488 |> post("/oauth/authorize", %{
489 "authorization" => %{
490 "name" => user.nickname,
491 "password" => "test",
492 "client_id" => app.client_id,
493 "redirect_uri" => app.redirect_uris,
494 "state" => "statepassed",
495 "scope" => "read write follow"
496 }
497 })
498 |> html_response(:unauthorized)
499
500 # Keep the details
501 assert result =~ app.client_id
502 assert result =~ app.redirect_uris
503
504 # Error message
505 assert result =~ "This action is outside the authorized scopes"
506 end
507 end
508
509 describe "POST /oauth/token" do
510 test "issues a token for an all-body request" do
511 user = insert(:user)
512 app = insert(:oauth_app, scopes: ["read", "write"])
513
514 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
515
516 conn =
517 build_conn()
518 |> post("/oauth/token", %{
519 "grant_type" => "authorization_code",
520 "code" => auth.token,
521 "redirect_uri" => app.redirect_uris,
522 "client_id" => app.client_id,
523 "client_secret" => app.client_secret
524 })
525
526 assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
527
528 token = Repo.get_by(Token, token: token)
529 assert token
530 assert token.scopes == auth.scopes
531 assert user.ap_id == ap_id
532 end
533
534 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
535 password = "testpassword"
536 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
537
538 app = insert(:oauth_app, scopes: ["read", "write"])
539
540 # Note: "scope" param is intentionally omitted
541 conn =
542 build_conn()
543 |> post("/oauth/token", %{
544 "grant_type" => "password",
545 "username" => user.nickname,
546 "password" => password,
547 "client_id" => app.client_id,
548 "client_secret" => app.client_secret
549 })
550
551 assert %{"access_token" => token} = json_response(conn, 200)
552
553 token = Repo.get_by(Token, token: token)
554 assert token
555 assert token.scopes == app.scopes
556 end
557
558 test "issues a token for request with HTTP basic auth client credentials" do
559 user = insert(:user)
560 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
561
562 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
563 assert auth.scopes == ["scope1", "scope2"]
564
565 app_encoded =
566 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
567 |> Base.encode64()
568
569 conn =
570 build_conn()
571 |> put_req_header("authorization", "Basic " <> app_encoded)
572 |> post("/oauth/token", %{
573 "grant_type" => "authorization_code",
574 "code" => auth.token,
575 "redirect_uri" => app.redirect_uris
576 })
577
578 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
579
580 assert scope == "scope1 scope2"
581
582 token = Repo.get_by(Token, token: token)
583 assert token
584 assert token.scopes == ["scope1", "scope2"]
585 end
586
587 test "rejects token exchange with invalid client credentials" do
588 user = insert(:user)
589 app = insert(:oauth_app)
590
591 {:ok, auth} = Authorization.create_authorization(app, user)
592
593 conn =
594 build_conn()
595 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
596 |> post("/oauth/token", %{
597 "grant_type" => "authorization_code",
598 "code" => auth.token,
599 "redirect_uri" => app.redirect_uris
600 })
601
602 assert resp = json_response(conn, 400)
603 assert %{"error" => _} = resp
604 refute Map.has_key?(resp, "access_token")
605 end
606
607 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
608 setting = Pleroma.Config.get([:instance, :account_activation_required])
609
610 unless setting do
611 Pleroma.Config.put([:instance, :account_activation_required], true)
612 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
613 end
614
615 password = "testpassword"
616 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
617 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
618
619 {:ok, user} =
620 user
621 |> Ecto.Changeset.change()
622 |> Ecto.Changeset.put_embed(:info, info_change)
623 |> Repo.update()
624
625 refute Pleroma.User.auth_active?(user)
626
627 app = insert(:oauth_app)
628
629 conn =
630 build_conn()
631 |> post("/oauth/token", %{
632 "grant_type" => "password",
633 "username" => user.nickname,
634 "password" => password,
635 "client_id" => app.client_id,
636 "client_secret" => app.client_secret
637 })
638
639 assert resp = json_response(conn, 403)
640 assert %{"error" => _} = resp
641 refute Map.has_key?(resp, "access_token")
642 end
643
644 test "rejects an invalid authorization code" do
645 app = insert(:oauth_app)
646
647 conn =
648 build_conn()
649 |> post("/oauth/token", %{
650 "grant_type" => "authorization_code",
651 "code" => "Imobviouslyinvalid",
652 "redirect_uri" => app.redirect_uris,
653 "client_id" => app.client_id,
654 "client_secret" => app.client_secret
655 })
656
657 assert resp = json_response(conn, 400)
658 assert %{"error" => _} = json_response(conn, 400)
659 refute Map.has_key?(resp, "access_token")
660 end
661 end
662 end
Fork of https://akkoma.dev/AkkomaGang/akkoma.git