X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Foauth%2Foauth_controller_test.exs;h=ff1e56fe9d3e02c419889f2ec1c69bf96daeb84d;hb=20e0f3660541f19cf878b789aa9f5b9d5ce8cddb;hp=ccd55225859fa699fda02cdf41426ace62155fe9;hpb=3c08d229db423052d0dd88b8a36fb39b0ae81ead;p=akkoma diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index ccd552258..ff1e56fe9 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -7,11 +7,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do import Pleroma.Factory alias Pleroma.Repo - alias Pleroma.Web.OAuth.{Authorization, Token} + alias Pleroma.Web.OAuth.Authorization + alias Pleroma.Web.OAuth.Token test "redirects with oauth authorization" do user = insert(:user) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["read", "write", "follow"]) conn = build_conn() @@ -21,6 +22,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "password" => "test", "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, + "scope" => "read write", "state" => "statepassed" } }) @@ -31,14 +33,94 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do query = URI.parse(target).query |> URI.query_decoder() |> Map.new() assert %{"state" => "statepassed", "code" => code} = query - assert Repo.get_by(Authorization, token: code) + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == ["read", "write"] end - test "issues a token for an all-body request" do + test "returns 401 for wrong credentials", %{conn: conn} do user = insert(:user) app = insert(:oauth_app) - {:ok, auth} = Authorization.create_authorization(app, user) + result = + conn + |> post("/oauth/authorize", %{ + "authorization" => %{ + "name" => user.nickname, + "password" => "wrong", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "statepassed", + "scope" => Enum.join(app.scopes, " ") + } + }) + |> html_response(:unauthorized) + + # Keep the details + assert result =~ app.client_id + assert result =~ app.redirect_uris + + # Error message + assert result =~ "Invalid Username/Password" + end + + test "returns 401 for missing scopes", %{conn: conn} do + user = insert(:user) + app = insert(:oauth_app) + + result = + conn + |> post("/oauth/authorize", %{ + "authorization" => %{ + "name" => user.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "statepassed", + "scope" => "" + } + }) + |> html_response(:unauthorized) + + # Keep the details + assert result =~ app.client_id + assert result =~ app.redirect_uris + + # Error message + assert result =~ "Permissions not specified" + end + + test "returns 401 for scopes beyond app scopes", %{conn: conn} do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + result = + conn + |> post("/oauth/authorize", %{ + "authorization" => %{ + "name" => user.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "statepassed", + "scope" => "read write follow" + } + }) + |> html_response(:unauthorized) + + # Keep the details + assert result =~ app.client_id + assert result =~ app.redirect_uris + + # Error message + assert result =~ "Permissions not specified" + end + + test "issues a token for an all-body request" do + user = insert(:user) + app = insert(:oauth_app, scopes: ["read", "write"]) + + {:ok, auth} = Authorization.create_authorization(app, user, ["write"]) conn = build_conn() @@ -50,16 +132,21 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "client_secret" => app.client_secret }) - assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + assert %{"access_token" => token, "me" => ap_id} = json_response(conn, 200) + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == auth.scopes + assert user.ap_id == ap_id end - test "issues a token for `password` grant_type with valid credentials" do + test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do password = "testpassword" user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password)) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["read", "write"]) + # Note: "scope" param is intentionally omitted conn = build_conn() |> post("/oauth/token", %{ @@ -71,14 +158,18 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do }) assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == app.scopes end test "issues a token for request with HTTP basic auth client credentials" do user = insert(:user) - app = insert(:oauth_app) + app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"]) - {:ok, auth} = Authorization.create_authorization(app, user) + {:ok, auth} = Authorization.create_authorization(app, user, ["scope1", "scope2"]) + assert auth.scopes == ["scope1", "scope2"] app_encoded = (URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret)) @@ -93,8 +184,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "redirect_uri" => app.redirect_uris }) - assert %{"access_token" => token} = json_response(conn, 200) - assert Repo.get_by(Token, token: token) + assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200) + + assert scope == "scope1 scope2" + + token = Repo.get_by(Token, token: token) + assert token + assert token.scopes == ["scope1", "scope2"] end test "rejects token exchange with invalid client credentials" do