X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Foauth%2Foauth_controller_test.exs;h=aae34804d24dba8bbae27896009964383e6d460e;hb=03c4ea44add180454e071be935ed2150216cac88;hp=6e96537ecc9759834aa5dc10287ad71902303c55;hpb=6ad8ddfd290f0239956874ccc9dc181167e84647;p=akkoma diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index 6e96537ec..aae34804d 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -10,8 +10,10 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do alias Pleroma.Registration alias Pleroma.Repo alias Pleroma.Web.OAuth.Authorization + alias Pleroma.Web.OAuth.OAuthController alias Pleroma.Web.OAuth.Token + @oauth_config_path [:oauth2, :issue_new_refresh_token] @session_opts [ store: :cookie, key: "_test", @@ -48,7 +50,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do %{ "response_type" => "code", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "scope" => "read" } ) @@ -71,7 +73,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scope" => "read follow", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "a_state" } } @@ -97,11 +99,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "with user-bound registration, GET /oauth//callback redirects to `redirect_uri` with `code`", %{app: app, conn: conn} do registration = insert(:registration) + redirect_uri = OAuthController.default_redirect_uri(app) state_params = %{ "scope" => Enum.join(app.scopes, " "), "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "" } @@ -120,7 +123,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ) assert response = html_response(conn, 302) - assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/ end end @@ -131,7 +134,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do state_params = %{ "scope" => "read write", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "a_state" } @@ -164,7 +167,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do state_params = %{ "scope" => Enum.join(app.scopes, " "), "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "" } @@ -198,7 +201,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scopes" => app.scopes, "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "a_state", "nickname" => nil, "email" => "john@doe.com" @@ -217,6 +220,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn: conn } do registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil}) + redirect_uri = OAuthController.default_redirect_uri(app) conn = conn @@ -228,7 +232,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scopes" => app.scopes, "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "a_state", "nickname" => "availablenick", "email" => "available@email.com" @@ -237,7 +241,36 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ) assert response = html_response(conn, 302) - assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/ + end + + test "with unlisted `redirect_uri`, POST /oauth/register?op=register results in HTTP 401", + %{ + app: app, + conn: conn + } do + registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil}) + unlisted_redirect_uri = "http://cross-site-request.com" + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post( + "/oauth/register", + %{ + "op" => "register", + "authorization" => %{ + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => unlisted_redirect_uri, + "state" => "a_state", + "nickname" => "availablenick", + "email" => "available@email.com" + } + } + ) + + assert response = html_response(conn, 401) end test "with invalid params, POST /oauth/register?op=register renders registration_details page", @@ -253,7 +286,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scopes" => app.scopes, "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "a_state", "nickname" => "availablenickname", "email" => "available@email.com" @@ -285,6 +318,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do } do user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword")) registration = insert(:registration, user: nil) + redirect_uri = OAuthController.default_redirect_uri(app) conn = conn @@ -296,7 +330,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scopes" => app.scopes, "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "a_state", "name" => user.nickname, "password" => "testpassword" @@ -305,7 +339,37 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ) assert response = html_response(conn, 302) - assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/ + end + + test "with unlisted `redirect_uri`, POST /oauth/register?op=connect results in HTTP 401`", + %{ + app: app, + conn: conn + } do + user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword")) + registration = insert(:registration, user: nil) + unlisted_redirect_uri = "http://cross-site-request.com" + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post( + "/oauth/register", + %{ + "op" => "connect", + "authorization" => %{ + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => unlisted_redirect_uri, + "state" => "a_state", + "name" => user.nickname, + "password" => "testpassword" + } + } + ) + + assert response = html_response(conn, 401) end test "with invalid params, POST /oauth/register?op=connect renders registration_details page", @@ -321,7 +385,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "scopes" => app.scopes, "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "state" => "a_state", "name" => user.nickname, "password" => "wrong password" @@ -357,7 +421,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do %{ "response_type" => "code", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "scope" => "read" } ) @@ -377,7 +441,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "authorization" => %{ "response_type" => "code", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "scope" => "read" } } @@ -398,7 +462,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do %{ "response_type" => "code", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "scope" => "read", "force_login" => "true" } @@ -407,7 +471,61 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end - test "redirects to app if user is already authenticated", %{app: app, conn: conn} do + test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params", + %{ + app: app, + conn: conn + } do + token = insert(:oauth_token, app_id: app.id) + + conn = + conn + |> put_session(:oauth_token, token.token) + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => app.client_id, + "redirect_uri" => OAuthController.default_redirect_uri(app), + "state" => "specific_client_state", + "scope" => "read" + } + ) + + assert URI.decode(redirected_to(conn)) == + "https://redirect.url?access_token=#{token.token}&state=specific_client_state" + end + + test "with existing authentication and unlisted non-OOB `redirect_uri`, redirects without credentials", + %{ + app: app, + conn: conn + } do + unlisted_redirect_uri = "http://cross-site-request.com" + token = insert(:oauth_token, app_id: app.id) + + conn = + conn + |> put_session(:oauth_token, token.token) + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => app.client_id, + "redirect_uri" => unlisted_redirect_uri, + "state" => "specific_client_state", + "scope" => "read" + } + ) + + assert redirected_to(conn) == unlisted_redirect_uri + end + + test "with existing authentication and OOB `redirect_uri`, redirects to app with `token` and `state` params", + %{ + app: app, + conn: conn + } do token = insert(:oauth_token, app_id: app.id) conn = @@ -418,12 +536,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do %{ "response_type" => "code", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob", "scope" => "read" } ) - assert redirected_to(conn) == "https://redirect.url" + assert html_response(conn, 200) =~ "Authorization exists" end end @@ -431,6 +549,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "redirects with oauth authorization" do user = insert(:user) app = insert(:oauth_app, scopes: ["read", "write", "follow"]) + redirect_uri = OAuthController.default_redirect_uri(app) conn = build_conn() @@ -439,14 +558,14 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "name" => user.nickname, "password" => "test", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "scope" => "read write", "state" => "statepassed" } }) target = redirected_to(conn) - assert target =~ app.redirect_uris + assert target =~ redirect_uri query = URI.parse(target).query |> URI.query_decoder() |> Map.new() @@ -459,6 +578,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "returns 401 for wrong credentials", %{conn: conn} do user = insert(:user) app = insert(:oauth_app) + redirect_uri = OAuthController.default_redirect_uri(app) result = conn @@ -467,7 +587,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "name" => user.nickname, "password" => "wrong", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "statepassed", "scope" => Enum.join(app.scopes, " ") } @@ -476,7 +596,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do # Keep the details assert result =~ app.client_id - assert result =~ app.redirect_uris + assert result =~ redirect_uri # Error message assert result =~ "Invalid Username/Password" @@ -485,6 +605,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "returns 401 for missing scopes", %{conn: conn} do user = insert(:user) app = insert(:oauth_app) + redirect_uri = OAuthController.default_redirect_uri(app) result = conn @@ -493,7 +614,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "name" => user.nickname, "password" => "test", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "statepassed", "scope" => "" } @@ -502,7 +623,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do # Keep the details assert result =~ app.client_id - assert result =~ app.redirect_uris + assert result =~ redirect_uri # Error message assert result =~ "This action is outside the authorized scopes" @@ -511,6 +632,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "returns 401 for scopes beyond app scopes", %{conn: conn} do user = insert(:user) app = insert(:oauth_app, scopes: ["read", "write"]) + redirect_uri = OAuthController.default_redirect_uri(app) result = conn @@ -519,7 +641,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "name" => user.nickname, "password" => "test", "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => redirect_uri, "state" => "statepassed", "scope" => "read write follow" } @@ -528,7 +650,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do # Keep the details assert result =~ app.client_id - assert result =~ app.redirect_uris + assert result =~ redirect_uri # Error message assert result =~ "This action is outside the authorized scopes" @@ -547,7 +669,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |> post("/oauth/token", %{ "grant_type" => "authorization_code", "code" => auth.token, - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "client_id" => app.client_id, "client_secret" => app.client_secret }) @@ -601,7 +723,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |> post("/oauth/token", %{ "grant_type" => "authorization_code", "code" => auth.token, - "redirect_uri" => app.redirect_uris + "redirect_uri" => OAuthController.default_redirect_uri(app) }) assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200) @@ -613,6 +735,27 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert token.scopes == ["scope1", "scope2"] end + test "issue a token for client_credentials grant type" do + app = insert(:oauth_app, scopes: ["read", "write"]) + + conn = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "client_credentials", + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + + assert %{"access_token" => token, "refresh_token" => refresh, "scope" => scope} = + json_response(conn, 200) + + assert token + token_from_db = Repo.get_by(Token, token: token) + assert token_from_db + assert refresh + assert scope == "read write" + end + test "rejects token exchange with invalid client credentials" do user = insert(:user) app = insert(:oauth_app) @@ -625,7 +768,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |> post("/oauth/token", %{ "grant_type" => "authorization_code", "code" => auth.token, - "redirect_uri" => app.redirect_uris + "redirect_uri" => OAuthController.default_redirect_uri(app) }) assert resp = json_response(conn, 400) @@ -643,7 +786,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do password = "testpassword" user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password)) - info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed) + info_change = Pleroma.User.Info.confirmation_changeset(user.info, need_confirmation: true) {:ok, user} = user @@ -704,7 +847,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |> post("/oauth/token", %{ "grant_type" => "authorization_code", "code" => "Imobviouslyinvalid", - "redirect_uri" => app.redirect_uris, + "redirect_uri" => OAuthController.default_redirect_uri(app), "client_id" => app.client_id, "client_secret" => app.client_secret }) @@ -714,4 +857,199 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do refute Map.has_key?(resp, "access_token") end end + + describe "POST /oauth/token - refresh token" do + setup do + oauth_token_config = Pleroma.Config.get(@oauth_config_path) + + on_exit(fn -> + Pleroma.Config.get(@oauth_config_path, oauth_token_config) + end) + end + + test "issues a new access token with keep fresh token" do + Pleroma.Config.put(@oauth_config_path, true) + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) + {:ok, token} = Token.exchange_token(app, auth) + + response = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "refresh_token", + "refresh_token" => token.refresh_token, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + |> json_response(200) + + ap_id = user.ap_id + + assert match?( + %{ + "scope" => "write", + "token_type" => "Bearer", + "expires_in" => 600, + "access_token" => _, + "refresh_token" => _, + "me" => ^ap_id + }, + response + ) + + refute Repo.get_by(Token, token: token.token) + new_token = Repo.get_by(Token, token: response["access_token"]) + assert new_token.refresh_token == token.refresh_token + assert new_token.scopes == auth.scopes + assert new_token.user_id == user.id + assert new_token.app_id == app.id + end + + test "issues a new access token with new fresh token" do + Pleroma.Config.put(@oauth_config_path, false) + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) + {:ok, token} = Token.exchange_token(app, auth) + + response = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "refresh_token", + "refresh_token" => token.refresh_token, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + |> json_response(200) + + ap_id = user.ap_id + + assert match?( + %{ + "scope" => "write", + "token_type" => "Bearer", + "expires_in" => 600, + "access_token" => _, + "refresh_token" => _, + "me" => ^ap_id + }, + response + ) + + refute Repo.get_by(Token, token: token.token) + new_token = Repo.get_by(Token, token: response["access_token"]) + refute new_token.refresh_token == token.refresh_token + assert new_token.scopes == auth.scopes + assert new_token.user_id == user.id + assert new_token.app_id == app.id + end + + test "returns 400 if we try use access token" do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) + {:ok, token} = Token.exchange_token(app, auth) + + response = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "refresh_token", + "refresh_token" => token.token, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + |> json_response(400) + + assert %{"error" => "Invalid credentials"} == response + end + + test "returns 400 if refresh_token invalid" do + app = insert(:oauth_app, scopes: ["read", "write"]) + + response = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "refresh_token", + "refresh_token" => "token.refresh_token", + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + |> json_response(400) + + assert %{"error" => "Invalid credentials"} == response + end + + test "issues a new token if token expired" do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) + {:ok, token} = Token.exchange_token(app, auth) + + change = + Ecto.Changeset.change( + token, + %{valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -86_400 * 30)} + ) + + {:ok, access_token} = Repo.update(change) + + response = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "refresh_token", + "refresh_token" => access_token.refresh_token, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + |> json_response(200) + + ap_id = user.ap_id + + assert match?( + %{ + "scope" => "write", + "token_type" => "Bearer", + "expires_in" => 600, + "access_token" => _, + "refresh_token" => _, + "me" => ^ap_id + }, + response + ) + + refute Repo.get_by(Token, token: token.token) + token = Repo.get_by(Token, token: response["access_token"]) + assert token + assert token.scopes == auth.scopes + assert token.user_id == user.id + assert token.app_id == app.id + end + end + + describe "POST /oauth/token - bad request" do + test "returns 500" do + response = + build_conn() + |> post("/oauth/token", %{}) + |> json_response(500) + + assert %{"error" => "Bad request"} == response + end + end + + describe "POST /oauth/revoke - bad request" do + test "returns 500" do + response = + build_conn() + |> post("/oauth/revoke", %{}) + |> json_response(500) + + assert %{"error" => "Bad request"} == response + end + end end