X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Foauth%2Foauth_controller_test.exs;h=ed94416ff1a7d50f0d856431a9127b9f6ca1fc80;hb=f58d47d6f752fa04bfd0a5d809b6d4e28248654d;hp=e0d3cb55f916d0ccafc777457251028db12e90bf;hpb=00d43333735acbcadc1dd04ff793f4ce6e8eecb1;p=akkoma diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index e0d3cb55f..ed94416ff 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -7,11 +7,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do import Pleroma.Factory alias Pleroma.Repo - alias Pleroma.Web.OAuth.{Authorization, Token} + alias Pleroma.Web.OAuth.Authorization + alias Pleroma.Web.OAuth.Token test "redirects with oauth authorization" do user = insert(:user) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["read", "write", "follow"]) conn = build_conn() @@ -21,6 +22,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "password" => "test", "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, + "scope" => "read write", "state" => "statepassed" } }) @@ -31,10 +33,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do query = URI.parse(target).query |> URI.query_decoder() |> Map.new() assert %{"state" => "statepassed", "code" => code} = query - assert Repo.get_by(Authorization, token: code) + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == ["read", "write"] end - test "correctly handles wrong credentials", %{conn: conn} do + test "returns 401 for wrong credentials", %{conn: conn} do user = insert(:user) app = insert(:oauth_app) @@ -46,7 +50,8 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "password" => "wrong", "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, - "state" => "statepassed" + "state" => "statepassed", + "scope" => Enum.join(app.scopes, " ") } }) |> html_response(:unauthorized) @@ -56,14 +61,66 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert result =~ app.redirect_uris # Error message - assert result =~ "Invalid" + assert result =~ "Invalid Username/Password" end - test "issues a token for an all-body request" do + test "returns 401 for missing scopes", %{conn: conn} do user = insert(:user) app = insert(:oauth_app) - {:ok, auth} = Authorization.create_authorization(app, user) + result = + conn + |> post("/oauth/authorize", %{ + "authorization" => %{ + "name" => user.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "statepassed", + "scope" => "" + } + }) + |> html_response(:unauthorized) + + # Keep the details + assert result =~ app.client_id + assert result =~ app.redirect_uris + + # Error message + assert result =~ "Permissions not specified" + end + + test "returns 401 for scopes beyond app scopes", %{conn: conn} do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + result = + conn + |> post("/oauth/authorize", %{ + "authorization" => %{ + "name" => user.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "statepassed", + "scope" => "read write follow" + } + }) + |> html_response(:unauthorized) + + # Keep the details + assert result =~ app.client_id + assert result =~ app.redirect_uris + + # Error message + assert result =~ "Permissions not specified" + end + + test "issues a token for an all-body request" do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) conn = build_conn() @@ -76,15 +133,19 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do }) assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == auth.scopes end - test "issues a token for `password` grant_type with valid credentials" do + test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do password = "testpassword" user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password)) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["read", "write"]) + # Note: "scope" param is intentionally omitted conn = build_conn() |> post("/oauth/token", %{ @@ -96,14 +157,18 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do }) assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == app.scopes end test "issues a token for request with HTTP basic auth client credentials" do user = insert(:user) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"]) - {:ok, auth} = Authorization.create_authorization(app, user) + {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"]) + assert auth.scopes == ["scope1", "scope2"] app_encoded = (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret)) @@ -118,8 +183,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "redirect_uri" => app.redirect_uris }) - assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200) + + assert scope == "scope1 scope2" + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == ["scope1", "scope2"] end test "rejects token exchange with invalid client credentials" do