X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Foauth%2Foauth_controller_test.exs;h=ff1e56fe9d3e02c419889f2ec1c69bf96daeb84d;hb=20e0f3660541f19cf878b789aa9f5b9d5ce8cddb;hp=26505bab7035cef3a1fdb1f036862b45d85a92eb;hpb=59fc5d15dfde0120fb10ec14631ad1115a6087a9;p=akkoma

diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs
index 26505bab7..ff1e56fe9 100644
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -1,13 +1,18 @@
+# Pleroma: A lightweight social networking server
+# Copyright Â© 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
 defmodule Pleroma.Web.OAuth.OAuthControllerTest do
   use Pleroma.Web.ConnCase
   import Pleroma.Factory
 
   alias Pleroma.Repo
-  alias Pleroma.Web.OAuth.{Authorization, Token}
+  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.Token
 
   test "redirects with oauth authorization" do
     user = insert(:user)
-    app = insert(:oauth_app)
+    app = insert(:oauth_app, scopes: ["read", "write", "follow"])
 
     conn =
       build_conn()
@@ -17,6 +22,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
           "password" => "test",
           "client_id" => app.client_id,
           "redirect_uri" => app.redirect_uris,
+          "scope" => "read write",
           "state" => "statepassed"
         }
       })
@@ -27,14 +33,94 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
     query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
 
     assert %{"state" => "statepassed", "code" => code} = query
-    assert Repo.get_by(Authorization, token: code)
+    auth = Repo.get_by(Authorization, token: code)
+    assert auth
+    assert auth.scopes == ["read", "write"]
   end
 
-  test "issues a token for an all-body request" do
+  test "returns 401 for wrong credentials", %{conn: conn} do
     user = insert(:user)
     app = insert(:oauth_app)
 
-    {:ok, auth} = Authorization.create_authorization(app, user)
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "wrong",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => Enum.join(app.scopes, " ")
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Invalid Username/Password"
+  end
+
+  test "returns 401 for missing scopes", %{conn: conn} do
+    user = insert(:user)
+    app = insert(:oauth_app)
+
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "test",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => ""
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Permissions not specified"
+  end
+
+  test "returns 401 for scopes beyond app scopes", %{conn: conn} do
+    user = insert(:user)
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "test",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed",
+          "scope" => "read write follow"
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Permissions not specified"
+  end
+
+  test "issues a token for an all-body request" do
+    user = insert(:user)
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
 
     conn =
       build_conn()
@@ -46,16 +132,21 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
         "client_secret" => app.client_secret
       })
 
-    assert %{"access_token" => token} = json_response(conn, 200)
-    assert Repo.get_by(Token, token: token)
+    assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200)
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == auth.scopes
+    assert user.ap_id == ap_id
   end
 
-  test "issues a token for `password` grant_type with valid credentials" do
+  test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
     password = "testpassword"
     user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
 
-    app = insert(:oauth_app)
+    app = insert(:oauth_app, scopes: ["read", "write"])
 
+    # Note: "scope" param is intentionally omitted
     conn =
       build_conn()
       |> post("/oauth/token", %{
@@ -67,14 +158,18 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
       })
 
     assert %{"access_token" => token} = json_response(conn, 200)
-    assert Repo.get_by(Token, token: token)
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == app.scopes
   end
 
   test "issues a token for request with HTTP basic auth client credentials" do
     user = insert(:user)
-    app = insert(:oauth_app)
+    app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
 
-    {:ok, auth} = Authorization.create_authorization(app, user)
+    {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"])
+    assert auth.scopes == ["scope1", "scope2"]
 
     app_encoded =
       (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
@@ -89,8 +184,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
         "redirect_uri" => app.redirect_uris
       })
 
-    assert %{"access_token" => token} = json_response(conn, 200)
-    assert Repo.get_by(Token, token: token)
+    assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
+
+    assert scope == "scope1 scope2"
+
+    token = Repo.get_by(Token, token: token)
+    assert token
+    assert token.scopes == ["scope1", "scope2"]
   end
 
   test "rejects token exchange with invalid client credentials" do
@@ -113,10 +213,17 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
     refute Map.has_key?(resp, "access_token")
   end
 
-  test "rejects token exchange for valid credentials belonging to unconfirmed user" do
+  test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
+    setting = Pleroma.Config.get([:instance, :account_activation_required])
+
+    unless setting do
+      Pleroma.Config.put([:instance, :account_activation_required], true)
+      on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
+    end
+
     password = "testpassword"
     user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
-    info_change = Pleroma.User.Info.confirmation_change(user.info, :unconfirmed)
+    info_change = Pleroma.User.Info.confirmation_changeset(user.info, :unconfirmed)
 
     {:ok, user} =
       user