1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
10 alias Pleroma.Web.OAuth.Authorization
11 alias Pleroma.Web.OAuth.Token
13 test "redirects with oauth authorization" do
15 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
19 |> post("/oauth/authorize", %{
21 "name" => user.nickname,
23 "client_id" => app.client_id,
24 "redirect_uri" => app.redirect_uris,
25 "scope" => "read write",
26 "state" => "statepassed"
30 target = redirected_to(conn)
31 assert target =~ app.redirect_uris
33 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
35 assert %{"state" => "statepassed", "code" => code} = query
36 auth = Repo.get_by(Authorization, token: code)
38 assert auth.scopes == ["read", "write"]
41 test "returns 401 for wrong credentials", %{conn: conn} do
43 app = insert(:oauth_app)
47 |> post("/oauth/authorize", %{
49 "name" => user.nickname,
50 "password" => "wrong",
51 "client_id" => app.client_id,
52 "redirect_uri" => app.redirect_uris,
53 "state" => "statepassed",
54 "scope" => Enum.join(app.scopes, " ")
57 |> html_response(:unauthorized)
60 assert result =~ app.client_id
61 assert result =~ app.redirect_uris
64 assert result =~ "Invalid Username/Password"
67 test "returns 401 for missing scopes", %{conn: conn} do
69 app = insert(:oauth_app)
73 |> post("/oauth/authorize", %{
75 "name" => user.nickname,
77 "client_id" => app.client_id,
78 "redirect_uri" => app.redirect_uris,
79 "state" => "statepassed",
83 |> html_response(:unauthorized)
86 assert result =~ app.client_id
87 assert result =~ app.redirect_uris
90 assert result =~ "Permissions not specified"
93 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
95 app = insert(:oauth_app, scopes: ["read", "write"])
99 |> post("/oauth/authorize", %{
100 "authorization" => %{
101 "name" => user.nickname,
102 "password" => "test",
103 "client_id" => app.client_id,
104 "redirect_uri" => app.redirect_uris,
105 "state" => "statepassed",
106 "scope" => "read write follow"
109 |> html_response(:unauthorized)
112 assert result =~ app.client_id
113 assert result =~ app.redirect_uris
116 assert result =~ "Permissions not specified"
119 test "issues a token for an all-body request" do
121 app = insert(:oauth_app, scopes: ["read", "write"])
123 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
127 |> post("/oauth/token", %{
128 "grant_type" => "authorization_code",
129 "code" => auth.token,
130 "redirect_uri" => app.redirect_uris,
131 "client_id" => app.client_id,
132 "client_secret" => app.client_secret
135 assert %{"access_token" => token} = json_response(conn, 200)
137 token = Repo.get_by(Token, token: token)
139 assert token.scopes == auth.scopes
142 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
143 password = "testpassword"
144 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
146 app = insert(:oauth_app, scopes: ["read", "write"])
148 # Note: "scope" param is intentionally omitted
151 |> post("/oauth/token", %{
152 "grant_type" => "password",
153 "username" => user.nickname,
154 "password" => password,
155 "client_id" => app.client_id,
156 "client_secret" => app.client_secret
159 assert %{"access_token" => token} = json_response(conn, 200)
161 token = Repo.get_by(Token, token: token)
163 assert token.scopes == app.scopes
166 test "issues a token for request with HTTP basic auth client credentials" do
168 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
170 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
171 assert auth.scopes == ["scope1", "scope2"]
174 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
179 |> put_req_header("authorization", "Basic " <> app_encoded)
180 |> post("/oauth/token", %{
181 "grant_type" => "authorization_code",
182 "code" => auth.token,
183 "redirect_uri" => app.redirect_uris
186 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
188 assert scope == "scope1 scope2"
190 token = Repo.get_by(Token, token: token)
192 assert token.scopes == ["scope1", "scope2"]
195 test "rejects token exchange with invalid client credentials" do
197 app = insert(:oauth_app)
199 {:ok, auth} = Authorization.create_authorization(app, user)
203 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
204 |> post("/oauth/token", %{
205 "grant_type" => "authorization_code",
206 "code" => auth.token,
207 "redirect_uri" => app.redirect_uris
210 assert resp = json_response(conn, 400)
211 assert %{"error" => _} = resp
212 refute Map.has_key?(resp, "access_token")
215 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
216 setting = Pleroma.Config.get([:instance, :account_activation_required])
219 Pleroma.Config.put([:instance, :account_activation_required], true)
220 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
223 password = "testpassword"
224 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
225 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
229 |> Ecto.Changeset.change()
230 |> Ecto.Changeset.put_embed(:info, info_change)
233 refute Pleroma.User.auth_active?(user)
235 app = insert(:oauth_app)
239 |> post("/oauth/token", %{
240 "grant_type" => "password",
241 "username" => user.nickname,
242 "password" => password,
243 "client_id" => app.client_id,
244 "client_secret" => app.client_secret
247 assert resp = json_response(conn, 403)
248 assert %{"error" => _} = resp
249 refute Map.has_key?(resp, "access_token")
252 test "rejects an invalid authorization code" do
253 app = insert(:oauth_app)
257 |> post("/oauth/token", %{
258 "grant_type" => "authorization_code",
259 "code" => "Imobviouslyinvalid",
260 "redirect_uri" => app.redirect_uris,
261 "client_id" => app.client_id,
262 "client_secret" => app.client_secret
265 assert resp = json_response(conn, 400)
266 assert %{"error" => _} = json_response(conn, 400)
267 refute Map.has_key?(resp, "access_token")