X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Foauth%2Foauth_controller_test.exs;h=ed94416ff1a7d50f0d856431a9127b9f6ca1fc80;hb=f58d47d6f752fa04bfd0a5d809b6d4e28248654d;hp=3a902f128f8500e18ac384301becadb8f8cfcf29;hpb=7f79b467b1b56ce9ac7f544aaa2b687dcae341c5;p=akkoma

diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs
index 3a902f128..ed94416ff 100644
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -1,13 +1,18 @@
+# Pleroma: A lightweight social networking server
+# Copyright Â© 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
   use Pleroma.Web.ConnCase
   import Pleroma.Factory
 
   alias Pleroma.Repo
-  alias Pleroma.Web.OAuth.{Authorization, Token}
+  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.Token
 
   test "redirects with oauth authorization" do
     user = insert(:user)
-    app = insert(:oauth_app)
+    app = insert(:oauth_app, scopes: ["read", "write", "follow"])
 
     conn =
       build_conn()
@@ -17,6 +22,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
           "password" => "test",
           "client_id" => app.client_id,
           "redirect_uri" => app.redirect_uris,
+          "scope" => "read write",
           "state" => "statepassed"
         }
       })
@@ -27,14 +33,94 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
     query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
 
     assert %{"state" => "statepassed", "code" => code} = query
-    assert Repo.get_by(Authorization, token: code)
+    auth = Repo.get_by(Authorization, token: code)
+    assert auth
+    assert auth.scopes == ["read", "write"]
   end
 
-  test "issues a token for an all-body request" do
+  test "returns 401 for wrong credentials", %{conn: conn} do
     user = insert(:user)
     app = insert(:oauth_app)
 
-    {:ok, auth} = Authorization.create_authorization(app, user)
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "wrong",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => Enum.join(app.scopes, " ")
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Invalid Username/Password"
+  end
+
+  test "returns 401 for missing scopes", %{conn: conn} do
+    user = insert(:user)
+    app = insert(:oauth_app)
+
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "test",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => ""
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Permissions not specified"
+  end
+
+  test "returns 401 for scopes beyond app scopes", %{conn: conn} do
+    user = insert(:user)
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "test",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => "read write follow"
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Permissions not specified"
+  end
+
+  test "issues a token for an all-body request" do
+    user = insert(:user)
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
 
     conn =
       build_conn()
@@ -47,14 +133,42 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
       })
 
     assert %{"access_token" => token} = json_response(conn, 200)
-    assert Repo.get_by(Token, token: token)
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == auth.scopes
+  end
+
+  test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
+    password = "testpassword"
+    user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
+
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    # Note: "scope" param is intentionally omitted
+    conn =
+      build_conn()
+      |> post("/oauth/token", %{
+        "grant_type" => "password",
+        "username" => user.nickname,
+        "password" => password,
+        "client_id" => app.client_id,
+        "client_secret" => app.client_secret
+      })
+
+    assert %{"access_token" => token} = json_response(conn, 200)
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == app.scopes
   end
 
   test "issues a token for request with HTTP basic auth client credentials" do
     user = insert(:user)
-    app = insert(:oauth_app)
+    app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
 
-    {:ok, auth} = Authorization.create_authorization(app, user)
+    {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
+    assert auth.scopes == ["scope1", "scope2"]
 
     app_encoded =
       (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
@@ -69,8 +183,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
         "redirect_uri" => app.redirect_uris
       })
 
-    assert %{"access_token" => token} = json_response(conn, 200)
-    assert Repo.get_by(Token, token: token)
+    assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
+
+    assert scope == "scope1 scope2"
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == ["scope1", "scope2"]
   end
 
   test "rejects token exchange with invalid client credentials" do
@@ -93,6 +212,43 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
     refute Map.has_key?(resp, "access_token")
   end
 
+  test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
+    setting = Pleroma.Config.get([:instance, :account_activation_required])
+
+    unless setting do
+      Pleroma.Config.put([:instance, :account_activation_required], true)
+      on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
+    end
+
+    password = "testpassword"
+    user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
+    info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
+
+    {:ok, user} =
+      user
+      |> Ecto.Changeset.change()
+      |> Ecto.Changeset.put_embed(:info, info_change)
+      |> Repo.update()
+
+    refute Pleroma.User.auth_active?(user)
+
+    app = insert(:oauth_app)
+
+    conn =
+      build_conn()
+      |> post("/oauth/token", %{
+        "grant_type" => "password",
+        "username" => user.nickname,
+        "password" => password,
+        "client_id" => app.client_id,
+        "client_secret" => app.client_secret
+      })
+
+    assert resp = json_response(conn, 403)
+    assert %{"error" => _} = resp
+    refute Map.has_key?(resp, "access_token")
+  end
+
   test "rejects an invalid authorization code" do
     app = insert(:oauth_app)