projects / akkoma / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added "GET /oauth/authorize" tests.
[akkoma] / test / web / oauth / oauth_controller_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
7 import Pleroma.Factory
8
9 alias Pleroma.Repo
10 alias Pleroma.Web.OAuth.Authorization
11 alias Pleroma.Web.OAuth.Token
12
13 describe "GET /oauth/authorize" do
14 setup do
15 session_opts = [
16 store: :cookie,
17 key: "_test",
18 signing_salt: "cooldude"
19 ]
20
21 [
22 app: insert(:oauth_app, redirect_uris: "https://redirect.url"),
23 conn:
24 build_conn()
25 |> Plug.Session.call(Plug.Session.init(session_opts))
26 |> fetch_session()
27 ]
28 end
29
30 test "renders authentication page", %{app: app, conn: conn} do
31 conn =
32 get(
33 conn,
34 "/oauth/authorize",
35 %{
36 "response_type" => "code",
37 "client_id" => app.client_id,
38 "redirect_uri" => app.redirect_uris,
39 "scope" => "read"
40 }
41 )
42
43 assert html_response(conn, 200) =~ ~s(type="submit")
44 end
45
46 test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
47 %{app: app, conn: conn} do
48 token = insert(:oauth_token, app_id: app.id)
49
50 conn =
51 conn
52 |> put_session(:oauth_token, token.token)
53 |> get(
54 "/oauth/authorize",
55 %{
56 "response_type" => "code",
57 "client_id" => app.client_id,
58 "redirect_uri" => app.redirect_uris,
59 "scope" => "read",
60 "force_login" => "true"
61 }
62 )
63
64 assert html_response(conn, 200) =~ ~s(type="submit")
65 end
66
67 test "redirects to app if user is already authenticated", %{app: app, conn: conn} do
68 token = insert(:oauth_token, app_id: app.id)
69
70 conn =
71 conn
72 |> put_session(:oauth_token, token.token)
73 |> get(
74 "/oauth/authorize",
75 %{
76 "response_type" => "code",
77 "client_id" => app.client_id,
78 "redirect_uri" => app.redirect_uris,
79 "scope" => "read"
80 }
81 )
82
83 assert redirected_to(conn) == "https://redirect.url"
84 end
85 end
86
87 describe "POST /oauth/authorize" do
88 test "redirects with oauth authorization" do
89 user = insert(:user)
90 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
91
92 conn =
93 build_conn()
94 |> post("/oauth/authorize", %{
95 "authorization" => %{
96 "name" => user.nickname,
97 "password" => "test",
98 "client_id" => app.client_id,
99 "redirect_uri" => app.redirect_uris,
100 "scope" => "read write",
101 "state" => "statepassed"
102 }
103 })
104
105 target = redirected_to(conn)
106 assert target =~ app.redirect_uris
107
108 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
109
110 assert %{"state" => "statepassed", "code" => code} = query
111 auth = Repo.get_by(Authorization, token: code)
112 assert auth
113 assert auth.scopes == ["read", "write"]
114 end
115
116 test "returns 401 for wrong credentials", %{conn: conn} do
117 user = insert(:user)
118 app = insert(:oauth_app)
119
120 result =
121 conn
122 |> post("/oauth/authorize", %{
123 "authorization" => %{
124 "name" => user.nickname,
125 "password" => "wrong",
126 "client_id" => app.client_id,
127 "redirect_uri" => app.redirect_uris,
128 "state" => "statepassed",
129 "scope" => Enum.join(app.scopes, " ")
130 }
131 })
132 |> html_response(:unauthorized)
133
134 # Keep the details
135 assert result =~ app.client_id
136 assert result =~ app.redirect_uris
137
138 # Error message
139 assert result =~ "Invalid Username/Password"
140 end
141
142 test "returns 401 for missing scopes", %{conn: conn} do
143 user = insert(:user)
144 app = insert(:oauth_app)
145
146 result =
147 conn
148 |> post("/oauth/authorize", %{
149 "authorization" => %{
150 "name" => user.nickname,
151 "password" => "test",
152 "client_id" => app.client_id,
153 "redirect_uri" => app.redirect_uris,
154 "state" => "statepassed",
155 "scope" => ""
156 }
157 })
158 |> html_response(:unauthorized)
159
160 # Keep the details
161 assert result =~ app.client_id
162 assert result =~ app.redirect_uris
163
164 # Error message
165 assert result =~ "This action is outside the authorized scopes"
166 end
167
168 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
169 user = insert(:user)
170 app = insert(:oauth_app, scopes: ["read", "write"])
171
172 result =
173 conn
174 |> post("/oauth/authorize", %{
175 "authorization" => %{
176 "name" => user.nickname,
177 "password" => "test",
178 "client_id" => app.client_id,
179 "redirect_uri" => app.redirect_uris,
180 "state" => "statepassed",
181 "scope" => "read write follow"
182 }
183 })
184 |> html_response(:unauthorized)
185
186 # Keep the details
187 assert result =~ app.client_id
188 assert result =~ app.redirect_uris
189
190 # Error message
191 assert result =~ "This action is outside the authorized scopes"
192 end
193 end
194
195 describe "POST /oauth/token" do
196 test "issues a token for an all-body request" do
197 user = insert(:user)
198 app = insert(:oauth_app, scopes: ["read", "write"])
199
200 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
201
202 conn =
203 build_conn()
204 |> post("/oauth/token", %{
205 "grant_type" => "authorization_code",
206 "code" => auth.token,
207 "redirect_uri" => app.redirect_uris,
208 "client_id" => app.client_id,
209 "client_secret" => app.client_secret
210 })
211
212 assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
213
214 token = Repo.get_by(Token, token: token)
215 assert token
216 assert token.scopes == auth.scopes
217 assert user.ap_id == ap_id
218 end
219
220 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
221 password = "testpassword"
222 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
223
224 app = insert(:oauth_app, scopes: ["read", "write"])
225
226 # Note: "scope" param is intentionally omitted
227 conn =
228 build_conn()
229 |> post("/oauth/token", %{
230 "grant_type" => "password",
231 "username" => user.nickname,
232 "password" => password,
233 "client_id" => app.client_id,
234 "client_secret" => app.client_secret
235 })
236
237 assert %{"access_token" => token} = json_response(conn, 200)
238
239 token = Repo.get_by(Token, token: token)
240 assert token
241 assert token.scopes == app.scopes
242 end
243
244 test "issues a token for request with HTTP basic auth client credentials" do
245 user = insert(:user)
246 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
247
248 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
249 assert auth.scopes == ["scope1", "scope2"]
250
251 app_encoded =
252 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
253 |> Base.encode64()
254
255 conn =
256 build_conn()
257 |> put_req_header("authorization", "Basic " <> app_encoded)
258 |> post("/oauth/token", %{
259 "grant_type" => "authorization_code",
260 "code" => auth.token,
261 "redirect_uri" => app.redirect_uris
262 })
263
264 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
265
266 assert scope == "scope1 scope2"
267
268 token = Repo.get_by(Token, token: token)
269 assert token
270 assert token.scopes == ["scope1", "scope2"]
271 end
272
273 test "rejects token exchange with invalid client credentials" do
274 user = insert(:user)
275 app = insert(:oauth_app)
276
277 {:ok, auth} = Authorization.create_authorization(app, user)
278
279 conn =
280 build_conn()
281 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
282 |> post("/oauth/token", %{
283 "grant_type" => "authorization_code",
284 "code" => auth.token,
285 "redirect_uri" => app.redirect_uris
286 })
287
288 assert resp = json_response(conn, 400)
289 assert %{"error" => _} = resp
290 refute Map.has_key?(resp, "access_token")
291 end
292
293 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
294 setting = Pleroma.Config.get([:instance, :account_activation_required])
295
296 unless setting do
297 Pleroma.Config.put([:instance, :account_activation_required], true)
298 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
299 end
300
301 password = "testpassword"
302 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
303 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
304
305 {:ok, user} =
306 user
307 |> Ecto.Changeset.change()
308 |> Ecto.Changeset.put_embed(:info, info_change)
309 |> Repo.update()
310
311 refute Pleroma.User.auth_active?(user)
312
313 app = insert(:oauth_app)
314
315 conn =
316 build_conn()
317 |> post("/oauth/token", %{
318 "grant_type" => "password",
319 "username" => user.nickname,
320 "password" => password,
321 "client_id" => app.client_id,
322 "client_secret" => app.client_secret
323 })
324
325 assert resp = json_response(conn, 403)
326 assert %{"error" => _} = resp
327 refute Map.has_key?(resp, "access_token")
328 end
329
330 test "rejects an invalid authorization code" do
331 app = insert(:oauth_app)
332
333 conn =
334 build_conn()
335 |> post("/oauth/token", %{
336 "grant_type" => "authorization_code",
337 "code" => "Imobviouslyinvalid",
338 "redirect_uri" => app.redirect_uris,
339 "client_id" => app.client_id,
340 "client_secret" => app.client_secret
341 })
342
343 assert resp = json_response(conn, 400)
344 assert %{"error" => _} = json_response(conn, 400)
345 refute Map.has_key?(resp, "access_token")
346 end
347 end
348 end
Fork of https://akkoma.dev/AkkomaGang/akkoma.git