1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
10 alias Pleroma.Registration
12 alias Pleroma.Web.OAuth.Authorization
13 alias Pleroma.Web.OAuth.Token
18 signing_salt: "cooldude"
21 describe "in OAuth consumer mode, " do
23 oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies]
24 oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path)
25 Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook))
28 Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies)
32 app: insert(:oauth_app),
35 |> Plug.Session.call(Plug.Session.init(@session_opts))
40 test "GET /oauth/authorize renders auth forms, including OAuth consumer form", %{
49 "response_type" => "code",
50 "client_id" => app.client_id,
51 "redirect_uri" => app.redirect_uris,
56 assert response = html_response(conn, 200)
57 assert response =~ "Sign in with Twitter"
58 assert response =~ o_auth_path(conn, :prepare_request)
61 test "GET /oauth/prepare_request encodes parameters as `state` and redirects", %{
68 "/oauth/prepare_request",
70 "provider" => "twitter",
72 "scope" => "read follow",
73 "client_id" => app.client_id,
74 "redirect_uri" => app.redirect_uris,
80 assert response = html_response(conn, 302)
82 redirect_query = URI.parse(redirected_to(conn)).query
83 assert %{"state" => state_param} = URI.decode_query(redirect_query)
84 assert {:ok, state_components} = Poison.decode(state_param)
86 expected_client_id = app.client_id
87 expected_redirect_uri = app.redirect_uris
90 "scope" => "read follow",
91 "client_id" => ^expected_client_id,
92 "redirect_uri" => ^expected_redirect_uri,
97 test "with user-bound registration, GET /oauth/<provider>/callback redirects to `redirect_uri` with `code`",
98 %{app: app, conn: conn} do
99 registration = insert(:registration)
102 "scope" => Enum.join(app.scopes, " "),
103 "client_id" => app.client_id,
104 "redirect_uri" => app.redirect_uris,
108 with_mock Pleroma.Web.Auth.Authenticator,
109 get_registration: fn _ -> {:ok, registration} end do
113 "/oauth/twitter/callback",
115 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
116 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
117 "provider" => "twitter",
118 "state" => Poison.encode!(state_params)
122 assert response = html_response(conn, 302)
123 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
127 test "with user-unbound registration, GET /oauth/<provider>/callback renders registration_details page",
128 %{app: app, conn: conn} do
129 registration = insert(:registration, user: nil)
132 "scope" => "read write",
133 "client_id" => app.client_id,
134 "redirect_uri" => app.redirect_uris,
138 with_mock Pleroma.Web.Auth.Authenticator,
139 get_registration: fn _ -> {:ok, registration} end do
143 "/oauth/twitter/callback",
145 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
146 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
147 "provider" => "twitter",
148 "state" => Poison.encode!(state_params)
152 assert response = html_response(conn, 200)
153 assert response =~ ~r/name="op" type="submit" value="register"/
154 assert response =~ ~r/name="op" type="submit" value="connect"/
155 assert response =~ Registration.email(registration)
156 assert response =~ Registration.nickname(registration)
160 test "on authentication error, GET /oauth/<provider>/callback redirects to `redirect_uri`", %{
165 "scope" => Enum.join(app.scopes, " "),
166 "client_id" => app.client_id,
167 "redirect_uri" => app.redirect_uris,
173 |> assign(:ueberauth_failure, %{errors: [%{message: "(error description)"}]})
175 "/oauth/twitter/callback",
177 "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
178 "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
179 "provider" => "twitter",
180 "state" => Poison.encode!(state_params)
184 assert response = html_response(conn, 302)
185 assert redirected_to(conn) == app.redirect_uris
186 assert get_flash(conn, :error) == "Failed to authenticate: (error description)."
189 test "GET /oauth/registration_details renders registration details form", %{
196 "/oauth/registration_details",
198 "authorization" => %{
199 "scopes" => app.scopes,
200 "client_id" => app.client_id,
201 "redirect_uri" => app.redirect_uris,
202 "state" => "a_state",
204 "email" => "john@doe.com"
209 assert response = html_response(conn, 200)
210 assert response =~ ~r/name="op" type="submit" value="register"/
211 assert response =~ ~r/name="op" type="submit" value="connect"/
214 test "with valid params, POST /oauth/register?op=register redirects to `redirect_uri` with `code`",
219 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
223 |> put_session(:registration_id, registration.id)
228 "authorization" => %{
229 "scopes" => app.scopes,
230 "client_id" => app.client_id,
231 "redirect_uri" => app.redirect_uris,
232 "state" => "a_state",
233 "nickname" => "availablenick",
234 "email" => "available@email.com"
239 assert response = html_response(conn, 302)
240 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
243 test "with invalid params, POST /oauth/register?op=register renders registration_details page",
248 another_user = insert(:user)
249 registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
253 "authorization" => %{
254 "scopes" => app.scopes,
255 "client_id" => app.client_id,
256 "redirect_uri" => app.redirect_uris,
257 "state" => "a_state",
258 "nickname" => "availablenickname",
259 "email" => "available@email.com"
263 for {bad_param, bad_param_value} <-
264 [{"nickname", another_user.nickname}, {"email", another_user.email}] do
265 bad_registration_attrs = %{
266 "authorization" => Map.put(params["authorization"], bad_param, bad_param_value)
269 bad_params = Map.merge(params, bad_registration_attrs)
273 |> put_session(:registration_id, registration.id)
274 |> post("/oauth/register", bad_params)
276 assert html_response(conn, 403) =~ ~r/name="op" type="submit" value="register"/
277 assert get_flash(conn, :error) == "Error: #{bad_param} has already been taken."
281 test "with valid params, POST /oauth/register?op=connect redirects to `redirect_uri` with `code`",
286 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword"))
287 registration = insert(:registration, user: nil)
291 |> put_session(:registration_id, registration.id)
296 "authorization" => %{
297 "scopes" => app.scopes,
298 "client_id" => app.client_id,
299 "redirect_uri" => app.redirect_uris,
300 "state" => "a_state",
301 "name" => user.nickname,
302 "password" => "testpassword"
307 assert response = html_response(conn, 302)
308 assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
311 test "with invalid params, POST /oauth/register?op=connect renders registration_details page",
317 registration = insert(:registration, user: nil)
321 "authorization" => %{
322 "scopes" => app.scopes,
323 "client_id" => app.client_id,
324 "redirect_uri" => app.redirect_uris,
325 "state" => "a_state",
326 "name" => user.nickname,
327 "password" => "wrong password"
333 |> put_session(:registration_id, registration.id)
334 |> post("/oauth/register", params)
336 assert html_response(conn, 401) =~ ~r/name="op" type="submit" value="connect"/
337 assert get_flash(conn, :error) == "Invalid Username/Password"
341 describe "GET /oauth/authorize" do
344 app: insert(:oauth_app, redirect_uris: "https://redirect.url"),
347 |> Plug.Session.call(Plug.Session.init(@session_opts))
352 test "renders authentication page", %{app: app, conn: conn} do
358 "response_type" => "code",
359 "client_id" => app.client_id,
360 "redirect_uri" => app.redirect_uris,
365 assert html_response(conn, 200) =~ ~s(type="submit")
368 test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
369 %{app: app, conn: conn} do
370 token = insert(:oauth_token, app_id: app.id)
374 |> put_session(:oauth_token, token.token)
378 "response_type" => "code",
379 "client_id" => app.client_id,
380 "redirect_uri" => app.redirect_uris,
382 "force_login" => "true"
386 assert html_response(conn, 200) =~ ~s(type="submit")
389 test "redirects to app if user is already authenticated", %{app: app, conn: conn} do
390 token = insert(:oauth_token, app_id: app.id)
394 |> put_session(:oauth_token, token.token)
398 "response_type" => "code",
399 "client_id" => app.client_id,
400 "redirect_uri" => app.redirect_uris,
405 assert redirected_to(conn) == "https://redirect.url"
409 describe "POST /oauth/authorize" do
410 test "redirects with oauth authorization" do
412 app = insert(:oauth_app, scopes: ["read", "write", "follow"])
416 |> post("/oauth/authorize", %{
417 "authorization" => %{
418 "name" => user.nickname,
419 "password" => "test",
420 "client_id" => app.client_id,
421 "redirect_uri" => app.redirect_uris,
422 "scope" => "read write",
423 "state" => "statepassed"
427 target = redirected_to(conn)
428 assert target =~ app.redirect_uris
430 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
432 assert %{"state" => "statepassed", "code" => code} = query
433 auth = Repo.get_by(Authorization, token: code)
435 assert auth.scopes == ["read", "write"]
438 test "returns 401 for wrong credentials", %{conn: conn} do
440 app = insert(:oauth_app)
444 |> post("/oauth/authorize", %{
445 "authorization" => %{
446 "name" => user.nickname,
447 "password" => "wrong",
448 "client_id" => app.client_id,
449 "redirect_uri" => app.redirect_uris,
450 "state" => "statepassed",
451 "scope" => Enum.join(app.scopes, " ")
454 |> html_response(:unauthorized)
457 assert result =~ app.client_id
458 assert result =~ app.redirect_uris
461 assert result =~ "Invalid Username/Password"
464 test "returns 401 for missing scopes", %{conn: conn} do
466 app = insert(:oauth_app)
470 |> post("/oauth/authorize", %{
471 "authorization" => %{
472 "name" => user.nickname,
473 "password" => "test",
474 "client_id" => app.client_id,
475 "redirect_uri" => app.redirect_uris,
476 "state" => "statepassed",
480 |> html_response(:unauthorized)
483 assert result =~ app.client_id
484 assert result =~ app.redirect_uris
487 assert result =~ "This action is outside the authorized scopes"
490 test "returns 401 for scopes beyond app scopes", %{conn: conn} do
492 app = insert(:oauth_app, scopes: ["read", "write"])
496 |> post("/oauth/authorize", %{
497 "authorization" => %{
498 "name" => user.nickname,
499 "password" => "test",
500 "client_id" => app.client_id,
501 "redirect_uri" => app.redirect_uris,
502 "state" => "statepassed",
503 "scope" => "read write follow"
506 |> html_response(:unauthorized)
509 assert result =~ app.client_id
510 assert result =~ app.redirect_uris
513 assert result =~ "This action is outside the authorized scopes"
517 describe "POST /oauth/token" do
518 test "issues a token for an all-body request" do
520 app = insert(:oauth_app, scopes: ["read", "write"])
522 {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
526 |> post("/oauth/token", %{
527 "grant_type" => "authorization_code",
528 "code" => auth.token,
529 "redirect_uri" => app.redirect_uris,
530 "client_id" => app.client_id,
531 "client_secret" => app.client_secret
534 assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
536 token = Repo.get_by(Token, token: token)
538 assert token.scopes == auth.scopes
539 assert user.ap_id == ap_id
542 test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
543 password = "testpassword"
544 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
546 app = insert(:oauth_app, scopes: ["read", "write"])
548 # Note: "scope" param is intentionally omitted
551 |> post("/oauth/token", %{
552 "grant_type" => "password",
553 "username" => user.nickname,
554 "password" => password,
555 "client_id" => app.client_id,
556 "client_secret" => app.client_secret
559 assert %{"access_token" => token} = json_response(conn, 200)
561 token = Repo.get_by(Token, token: token)
563 assert token.scopes == app.scopes
566 test "issues a token for request with HTTP basic auth client credentials" do
568 app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
570 {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
571 assert auth.scopes == ["scope1", "scope2"]
574 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
579 |> put_req_header("authorization", "Basic " <> app_encoded)
580 |> post("/oauth/token", %{
581 "grant_type" => "authorization_code",
582 "code" => auth.token,
583 "redirect_uri" => app.redirect_uris
586 assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
588 assert scope == "scope1 scope2"
590 token = Repo.get_by(Token, token: token)
592 assert token.scopes == ["scope1", "scope2"]
595 test "rejects token exchange with invalid client credentials" do
597 app = insert(:oauth_app)
599 {:ok, auth} = Authorization.create_authorization(app, user)
603 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
604 |> post("/oauth/token", %{
605 "grant_type" => "authorization_code",
606 "code" => auth.token,
607 "redirect_uri" => app.redirect_uris
610 assert resp = json_response(conn, 400)
611 assert %{"error" => _} = resp
612 refute Map.has_key?(resp, "access_token")
615 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
616 setting = Pleroma.Config.get([:instance, :account_activation_required])
619 Pleroma.Config.put([:instance, :account_activation_required], true)
620 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
623 password = "testpassword"
624 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
625 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
629 |> Ecto.Changeset.change()
630 |> Ecto.Changeset.put_embed(:info, info_change)
633 refute Pleroma.User.auth_active?(user)
635 app = insert(:oauth_app)
639 |> post("/oauth/token", %{
640 "grant_type" => "password",
641 "username" => user.nickname,
642 "password" => password,
643 "client_id" => app.client_id,
644 "client_secret" => app.client_secret
647 assert resp = json_response(conn, 403)
648 assert %{"error" => _} = resp
649 refute Map.has_key?(resp, "access_token")
652 test "rejects token exchange for valid credentials belonging to deactivated user" do
653 password = "testpassword"
657 password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
658 info: %{deactivated: true}
661 app = insert(:oauth_app)
665 |> post("/oauth/token", %{
666 "grant_type" => "password",
667 "username" => user.nickname,
668 "password" => password,
669 "client_id" => app.client_id,
670 "client_secret" => app.client_secret
673 assert resp = json_response(conn, 403)
674 assert %{"error" => _} = resp
675 refute Map.has_key?(resp, "access_token")
678 test "rejects an invalid authorization code" do
679 app = insert(:oauth_app)
683 |> post("/oauth/token", %{
684 "grant_type" => "authorization_code",
685 "code" => "Imobviouslyinvalid",
686 "redirect_uri" => app.redirect_uris,
687 "client_id" => app.client_id,
688 "client_secret" => app.client_secret
691 assert resp = json_response(conn, 400)
692 assert %{"error" => _} = json_response(conn, 400)
693 refute Map.has_key?(resp, "access_token")