1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
6 use Pleroma.Web.ConnCase
10 alias Pleroma.Web.OAuth.Authorization
11 alias Pleroma.Web.OAuth.Token
13 test "redirects with oauth authorization" do
15 app = insert(:oauth_app)
19 |> post("/oauth/authorize", %{
21 "name" => user.nickname,
23 "client_id" => app.client_id,
24 "redirect_uri" => app.redirect_uris,
25 "scope" => Enum.join(app.scopes, " "),
26 "state" => "statepassed"
30 target = redirected_to(conn)
31 assert target =~ app.redirect_uris
33 query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
35 assert %{"state" => "statepassed", "code" => code} = query
36 assert Repo.get_by(Authorization, token: code)
39 test "correctly handles wrong credentials", %{conn: conn} do
41 app = insert(:oauth_app)
45 |> post("/oauth/authorize", %{
47 "name" => user.nickname,
48 "password" => "wrong",
49 "client_id" => app.client_id,
50 "redirect_uri" => app.redirect_uris,
51 "state" => "statepassed"
54 |> html_response(:unauthorized)
57 assert result =~ app.client_id
58 assert result =~ app.redirect_uris
61 assert result =~ "Invalid"
64 test "issues a token for an all-body request" do
66 app = insert(:oauth_app)
68 {:ok, auth} = Authorization.create_authorization(app, user)
72 |> post("/oauth/token", %{
73 "grant_type" => "authorization_code",
75 "redirect_uri" => app.redirect_uris,
76 "client_id" => app.client_id,
77 "client_secret" => app.client_secret
80 assert %{"access_token" => token} = json_response(conn, 200)
81 assert Repo.get_by(Token, token: token)
84 test "issues a token for `password` grant_type with valid credentials" do
85 password = "testpassword"
86 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
88 app = insert(:oauth_app)
92 |> post("/oauth/token", %{
93 "grant_type" => "password",
94 "username" => user.nickname,
95 "password" => password,
96 "client_id" => app.client_id,
97 "client_secret" => app.client_secret
100 assert %{"access_token" => token} = json_response(conn, 200)
101 assert Repo.get_by(Token, token: token)
104 test "issues a token for request with HTTP basic auth client credentials" do
106 app = insert(:oauth_app)
108 {:ok, auth} = Authorization.create_authorization(app, user)
111 (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
116 |> put_req_header("authorization", "Basic " <> app_encoded)
117 |> post("/oauth/token", %{
118 "grant_type" => "authorization_code",
119 "code" => auth.token,
120 "redirect_uri" => app.redirect_uris
123 assert %{"access_token" => token} = json_response(conn, 200)
124 assert Repo.get_by(Token, token: token)
127 test "rejects token exchange with invalid client credentials" do
129 app = insert(:oauth_app)
131 {:ok, auth} = Authorization.create_authorization(app, user)
135 |> put_req_header("authorization", "Basic JTIxOiVGMCU5RiVBNCVCNwo=")
136 |> post("/oauth/token", %{
137 "grant_type" => "authorization_code",
138 "code" => auth.token,
139 "redirect_uri" => app.redirect_uris
142 assert resp = json_response(conn, 400)
143 assert %{"error" => _} = resp
144 refute Map.has_key?(resp, "access_token")
147 test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
148 setting = Pleroma.Config.get([:instance, :account_activation_required])
151 Pleroma.Config.put([:instance, :account_activation_required], true)
152 on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
155 password = "testpassword"
156 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
157 info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
161 |> Ecto.Changeset.change()
162 |> Ecto.Changeset.put_embed(:info, info_change)
165 refute Pleroma.User.auth_active?(user)
167 app = insert(:oauth_app)
171 |> post("/oauth/token", %{
172 "grant_type" => "password",
173 "username" => user.nickname,
174 "password" => password,
175 "client_id" => app.client_id,
176 "client_secret" => app.client_secret
179 assert resp = json_response(conn, 403)
180 assert %{"error" => _} = resp
181 refute Map.has_key?(resp, "access_token")
184 test "rejects an invalid authorization code" do
185 app = insert(:oauth_app)
189 |> post("/oauth/token", %{
190 "grant_type" => "authorization_code",
191 "code" => "Imobviouslyinvalid",
192 "redirect_uri" => app.redirect_uris,
193 "client_id" => app.client_id,
194 "client_secret" => app.client_secret
197 assert resp = json_response(conn, 400)
198 assert %{"error" => _} = json_response(conn, 400)
199 refute Map.has_key?(resp, "access_token")