84ec7b4eef7354d15c53065f2800a0283eff9a9a
[akkoma] / test / web / oauth / oauth_controller_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
7 import Pleroma.Factory
8
9 alias Pleroma.Repo
10 alias Pleroma.Web.OAuth.Authorization
11 alias Pleroma.Web.OAuth.Token
12
13 test "redirects with oauth authorization" do
14 user = insert(:user)
15 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
16
17 conn =
18 build_conn()
19 |> post("/oauth/authorize", %{
20 "authorization" => %{
21 "name" => user.nickname,
22 "password" => "test",
23 "client_id" => app.client_id,
24 "redirect_uri" => app.redirect_uris,
25 "scope" => "read write",
26 "state" => "statepassed"
27 }
28 })
29
30 target = redirected_to(conn)
31 assert target =~ app.redirect_uris
32
33 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
34
35 assert %{"state" => "statepassed", "code" => code} = query
36 auth = Repo.get_by(Authorization, token: code)
37 assert auth
38 assert auth.scopes == ["read", "write"]
39 end
40
41 test "returns 401 for wrong credentials", %{conn: conn} do
42 user = insert(:user)
43 app = insert(:oauth_app)
44
45 result =
46 conn
47 |> post("/oauth/authorize", %{
48 "authorization" => %{
49 "name" => user.nickname,
50 "password" => "wrong",
51 "client_id" => app.client_id,
52 "redirect_uri" => app.redirect_uris,
53 "state" => "statepassed",
54 "scope" => Enum.join(app.scopes, " ")
55 }
56 })
57 |> html_response(:unauthorized)
58
59 # Keep the details
60 assert result =~ app.client_id
61 assert result =~ app.redirect_uris
62
63 # Error message
64 assert result =~ "Invalid Username/Password"
65 end
66
67 test "returns 401 for missing scopes", %{conn: conn} do
68 user = insert(:user)
69 app = insert(:oauth_app)
70
71 result =
72 conn
73 |> post("/oauth/authorize", %{
74 "authorization" => %{
75 "name" => user.nickname,
76 "password" => "test",
77 "client_id" => app.client_id,
78 "redirect_uri" => app.redirect_uris,
79 "state" => "statepassed",
80 "scope" => ""
81 }
82 })
83 |> html_response(:unauthorized)
84
85 # Keep the details
86 assert result =~ app.client_id
87 assert result =~ app.redirect_uris
88
89 # Error message
90 assert result =~ "This action is outside the authorized scopes"
91 end
92
93 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
94 user = insert(:user)
95 app = insert(:oauth_app, scopes: ["read", "write"])
96
97 result =
98 conn
99 |> post("/oauth/authorize", %{
100 "authorization" => %{
101 "name" => user.nickname,
102 "password" => "test",
103 "client_id" => app.client_id,
104 "redirect_uri" => app.redirect_uris,
105 "state" => "statepassed",
106 "scope" => "read write follow"
107 }
108 })
109 |> html_response(:unauthorized)
110
111 # Keep the details
112 assert result =~ app.client_id
113 assert result =~ app.redirect_uris
114
115 # Error message
116 assert result =~ "This action is outside the authorized scopes"
117 end
118
119 test "issues a token for an all-body request" do
120 user = insert(:user)
121 app = insert(:oauth_app, scopes: ["read", "write"])
122
123 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
124
125 conn =
126 build_conn()
127 |> post("/oauth/token", %{
128 "grant_type" => "authorization_code",
129 "code" => auth.token,
130 "redirect_uri" => app.redirect_uris,
131 "client_id" => app.client_id,
132 "client_secret" => app.client_secret
133 })
134
135 assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
136
137 token = Repo.get_by(Token, token: token)
138 assert token
139 assert token.scopes == auth.scopes
140 assert user.ap_id == ap_id
141 end
142
143 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
144 password = "testpassword"
145 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
146
147 app = insert(:oauth_app, scopes: ["read", "write"])
148
149 # Note: "scope" param is intentionally omitted
150 conn =
151 build_conn()
152 |> post("/oauth/token", %{
153 "grant_type" => "password",
154 "username" => user.nickname,
155 "password" => password,
156 "client_id" => app.client_id,
157 "client_secret" => app.client_secret
158 })
159
160 assert %{"access_token" => token} = json_response(conn, 200)
161
162 token = Repo.get_by(Token, token: token)
163 assert token
164 assert token.scopes == app.scopes
165 end
166
167 test "issues a token for request with HTTP basic auth client credentials" do
168 user = insert(:user)
169 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
170
171 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
172 assert auth.scopes == ["scope1", "scope2"]
173
174 app_encoded =
175 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
176 |> Base.encode64()
177
178 conn =
179 build_conn()
180 |> put_req_header("authorization", "Basic " <> app_encoded)
181 |> post("/oauth/token", %{
182 "grant_type" => "authorization_code",
183 "code" => auth.token,
184 "redirect_uri" => app.redirect_uris
185 })
186
187 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
188
189 assert scope == "scope1 scope2"
190
191 token = Repo.get_by(Token, token: token)
192 assert token
193 assert token.scopes == ["scope1", "scope2"]
194 end
195
196 test "rejects token exchange with invalid client credentials" do
197 user = insert(:user)
198 app = insert(:oauth_app)
199
200 {:ok, auth} = Authorization.create_authorization(app, user)
201
202 conn =
203 build_conn()
204 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
205 |> post("/oauth/token", %{
206 "grant_type" => "authorization_code",
207 "code" => auth.token,
208 "redirect_uri" => app.redirect_uris
209 })
210
211 assert resp = json_response(conn, 400)
212 assert %{"error" => _} = resp
213 refute Map.has_key?(resp, "access_token")
214 end
215
216 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
217 setting = Pleroma.Config.get([:instance, :account_activation_required])
218
219 unless setting do
220 Pleroma.Config.put([:instance, :account_activation_required], true)
221 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
222 end
223
224 password = "testpassword"
225 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
226 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
227
228 {:ok, user} =
229 user
230 |> Ecto.Changeset.change()
231 |> Ecto.Changeset.put_embed(:info, info_change)
232 |> Repo.update()
233
234 refute Pleroma.User.auth_active?(user)
235
236 app = insert(:oauth_app)
237
238 conn =
239 build_conn()
240 |> post("/oauth/token", %{
241 "grant_type" => "password",
242 "username" => user.nickname,
243 "password" => password,
244 "client_id" => app.client_id,
245 "client_secret" => app.client_secret
246 })
247
248 assert resp = json_response(conn, 403)
249 assert %{"error" => _} = resp
250 refute Map.has_key?(resp, "access_token")
251 end
252
253 test "rejects an invalid authorization code" do
254 app = insert(:oauth_app)
255
256 conn =
257 build_conn()
258 |> post("/oauth/token", %{
259 "grant_type" => "authorization_code",
260 "code" => "Imobviouslyinvalid",
261 "redirect_uri" => app.redirect_uris,
262 "client_id" => app.client_id,
263 "client_secret" => app.client_secret
264 })
265
266 assert resp = json_response(conn, 400)
267 assert %{"error" => _} = json_response(conn, 400)
268 refute Map.has_key?(resp, "access_token")
269 end
270 end