plug(Pleroma.Plugs.EnsureUserKeyPlug)
end
- pipeline :oauth_read_or_public do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{
- scopes: ["read"],
- fallback: :proceed_unauthenticated
- })
-
- plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
- end
-
- pipeline :oauth_read do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["read"]})
- end
-
- pipeline :oauth_write do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
- end
-
- pipeline :oauth_follow do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]})
- end
-
- pipeline :oauth_push do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
- end
-
pipeline :well_known do
plug(:accepts, ["json", "jrd+json", "xml", "xrd+xml"])
end
end
scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
- pipe_through([:admin_api, :oauth_write])
+ pipe_through(:admin_api)
post("/users/follow", AdminAPIController, :user_follow)
post("/users/unfollow", AdminAPIController, :user_unfollow)
post("/main/ostatus", UtilController, :remote_subscribe)
get("/ostatus_subscribe", UtilController, :remote_follow)
-
- scope [] do
- pipe_through(:oauth_follow)
- post("/ostatus_subscribe", UtilController, :do_remote_follow)
- end
+ post("/ostatus_subscribe", UtilController, :do_remote_follow)
end
scope "/api/pleroma", Pleroma.Web.TwitterAPI do
pipe_through(:authenticated_api)
- scope [] do
- pipe_through(:oauth_write)
-
- post("/change_email", UtilController, :change_email)
- post("/change_password", UtilController, :change_password)
- post("/delete_account", UtilController, :delete_account)
- put("/notification_settings", UtilController, :update_notificaton_settings)
- post("/disable_account", UtilController, :disable_account)
- end
+ post("/change_email", UtilController, :change_email)
+ post("/change_password", UtilController, :change_password)
+ post("/delete_account", UtilController, :delete_account)
+ put("/notification_settings", UtilController, :update_notificaton_settings)
+ post("/disable_account", UtilController, :disable_account)
- scope [] do
- pipe_through(:oauth_follow)
-
- post("/blocks_import", UtilController, :blocks_import)
- post("/follow_import", UtilController, :follow_import)
- end
+ post("/blocks_import", UtilController, :blocks_import)
+ post("/follow_import", UtilController, :follow_import)
end
scope "/oauth", Pleroma.Web.OAuth do
scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
pipe_through(:authenticated_api)
- scope [] do
- pipe_through(:oauth_read)
- get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
- get("/conversations/:id", PleromaAPIController, :conversation)
- end
+ get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
+ get("/conversations/:id", PleromaAPIController, :conversation)
- scope [] do
- pipe_through(:oauth_write)
- patch("/conversations/:id", PleromaAPIController, :update_conversation)
- post("/notifications/read", PleromaAPIController, :read_notification)
- end
+ patch("/conversations/:id", PleromaAPIController, :update_conversation)
+ post("/notifications/read", PleromaAPIController, :read_notification)
end
scope "/api/v1", Pleroma.Web.MastodonAPI do
pipe_through(:authenticated_api)
- scope [] do
- pipe_through(:oauth_read)
-
- get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)
-
- get("/accounts/relationships", MastodonAPIController, :relationships)
-
- get("/accounts/:id/lists", MastodonAPIController, :account_lists)
- get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
+ get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)
- get("/follow_requests", MastodonAPIController, :follow_requests)
- get("/blocks", MastodonAPIController, :blocks)
- get("/mutes", MastodonAPIController, :mutes)
+ get("/accounts/relationships", MastodonAPIController, :relationships)
- get("/timelines/home", MastodonAPIController, :home_timeline)
- get("/timelines/direct", MastodonAPIController, :dm_timeline)
+ get("/accounts/:id/lists", MastodonAPIController, :account_lists)
+ get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
- get("/favourites", MastodonAPIController, :favourites)
- get("/bookmarks", MastodonAPIController, :bookmarks)
+ get("/follow_requests", MastodonAPIController, :follow_requests)
+ get("/blocks", MastodonAPIController, :blocks)
+ get("/mutes", MastodonAPIController, :mutes)
- post("/notifications/clear", MastodonAPIController, :clear_notifications)
- post("/notifications/dismiss", MastodonAPIController, :dismiss_notification)
- get("/notifications", MastodonAPIController, :notifications)
- get("/notifications/:id", MastodonAPIController, :get_notification)
- delete("/notifications/destroy_multiple", MastodonAPIController, :destroy_multiple)
+ get("/timelines/home", MastodonAPIController, :home_timeline)
+ get("/timelines/direct", MastodonAPIController, :dm_timeline)
- get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
- get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
+ get("/favourites", MastodonAPIController, :favourites)
+ # Note: not present in Mastodon: bookmarks
+ get("/bookmarks", MastodonAPIController, :bookmarks)
- get("/lists", ListController, :index)
- get("/lists/:id", ListController, :show)
- get("/lists/:id/accounts", ListController, :list_accounts)
+ post("/notifications/clear", MastodonAPIController, :clear_notifications)
+ post("/notifications/dismiss", MastodonAPIController, :dismiss_notification)
+ get("/notifications", MastodonAPIController, :notifications)
+ get("/notifications/:id", MastodonAPIController, :get_notification)
- get("/domain_blocks", MastodonAPIController, :domain_blocks)
+ delete(
+ "/notifications/destroy_multiple",
+ MastodonAPIController,
+ :destroy_multiple_notifications
+ )
- get("/filters", MastodonAPIController, :get_filters)
+ get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
+ get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
- get("/suggestions", MastodonAPIController, :suggestions)
+ get("/lists", ListController, :index)
+ get("/lists/:id", ListController, :show)
+ get("/lists/:id/accounts", ListController, :list_accounts)
- get("/conversations", MastodonAPIController, :conversations)
- post("/conversations/:id/read", MastodonAPIController, :conversation_read)
+ get("/domain_blocks", MastodonAPIController, :domain_blocks)
- get("/endorsements", MastodonAPIController, :empty_array)
- end
+ get("/filters", MastodonAPIController, :get_filters)
- scope [] do
- pipe_through(:oauth_write)
+ get("/suggestions", MastodonAPIController, :suggestions)
- patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)
+ get("/conversations", MastodonAPIController, :conversations)
+ post("/conversations/:id/read", MastodonAPIController, :conversation_read)
- post("/statuses", MastodonAPIController, :post_status)
- delete("/statuses/:id", MastodonAPIController, :delete_status)
+ get("/endorsements", MastodonAPIController, :endorsements)
- post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
- post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)
- post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
- post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)
- post("/statuses/:id/pin", MastodonAPIController, :pin_status)
- post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)
- post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
- post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
- post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
- post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)
+ patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)
- put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
- delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)
+ post("/statuses", MastodonAPIController, :post_status)
+ delete("/statuses/:id", MastodonAPIController, :delete_status)
- post("/polls/:id/votes", MastodonAPIController, :poll_vote)
+ post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
+ post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)
+ post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
+ post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)
+ post("/statuses/:id/pin", MastodonAPIController, :pin_status)
+ post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)
+ # Note: not present in Mastodon: bookmark
+ post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
+ # Note: not present in Mastodon: unbookmark
+ post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
+ post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
+ post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)
- post("/media", MastodonAPIController, :upload)
- put("/media/:id", MastodonAPIController, :update_media)
+ put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
+ delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)
- delete("/lists/:id", ListController, :delete)
- post("/lists", ListController, :create)
- put("/lists/:id", ListController, :update)
+ post("/polls/:id/votes", MastodonAPIController, :poll_vote)
- post("/lists/:id/accounts", ListController, :add_to_list)
- delete("/lists/:id/accounts", ListController, :remove_from_list)
+ post("/media", MastodonAPIController, :upload)
+ put("/media/:id", MastodonAPIController, :update_media)
- post("/filters", MastodonAPIController, :create_filter)
- get("/filters/:id", MastodonAPIController, :get_filter)
- put("/filters/:id", MastodonAPIController, :update_filter)
- delete("/filters/:id", MastodonAPIController, :delete_filter)
+ delete("/lists/:id", ListController, :delete)
+ post("/lists", ListController, :create)
+ put("/lists/:id", ListController, :update)
- patch("/pleroma/accounts/update_avatar", MastodonAPIController, :update_avatar)
- patch("/pleroma/accounts/update_banner", MastodonAPIController, :update_banner)
- patch("/pleroma/accounts/update_background", MastodonAPIController, :update_background)
+ post("/lists/:id/accounts", ListController, :add_to_list)
+ delete("/lists/:id/accounts", ListController, :remove_from_list)
- get("/pleroma/mascot", MastodonAPIController, :get_mascot)
- put("/pleroma/mascot", MastodonAPIController, :set_mascot)
+ post("/filters", MastodonAPIController, :create_filter)
+ get("/filters/:id", MastodonAPIController, :get_filter)
+ put("/filters/:id", MastodonAPIController, :update_filter)
+ delete("/filters/:id", MastodonAPIController, :delete_filter)
- post("/reports", MastodonAPIController, :reports)
- end
+ patch("/pleroma/accounts/update_avatar", MastodonAPIController, :update_avatar)
+ patch("/pleroma/accounts/update_banner", MastodonAPIController, :update_banner)
+ patch("/pleroma/accounts/update_background", MastodonAPIController, :update_background)
- scope [] do
- pipe_through(:oauth_follow)
+ get("/pleroma/mascot", MastodonAPIController, :get_mascot)
+ put("/pleroma/mascot", MastodonAPIController, :set_mascot)
- post("/follows", MastodonAPIController, :follow)
- post("/accounts/:id/follow", MastodonAPIController, :follow)
+ post("/reports", MastodonAPIController, :create_report)
- post("/accounts/:id/unfollow", MastodonAPIController, :unfollow)
- post("/accounts/:id/block", MastodonAPIController, :block)
- post("/accounts/:id/unblock", MastodonAPIController, :unblock)
- post("/accounts/:id/mute", MastodonAPIController, :mute)
- post("/accounts/:id/unmute", MastodonAPIController, :unmute)
+ post("/follows", MastodonAPIController, :follow)
+ post("/accounts/:id/follow", MastodonAPIController, :follow)
- post("/follow_requests/:id/authorize", MastodonAPIController, :authorize_follow_request)
- post("/follow_requests/:id/reject", MastodonAPIController, :reject_follow_request)
+ post("/accounts/:id/unfollow", MastodonAPIController, :unfollow)
+ post("/accounts/:id/block", MastodonAPIController, :block)
+ post("/accounts/:id/unblock", MastodonAPIController, :unblock)
+ post("/accounts/:id/mute", MastodonAPIController, :mute)
+ post("/accounts/:id/unmute", MastodonAPIController, :unmute)
- post("/domain_blocks", MastodonAPIController, :block_domain)
- delete("/domain_blocks", MastodonAPIController, :unblock_domain)
+ post("/follow_requests/:id/authorize", MastodonAPIController, :authorize_follow_request)
+ post("/follow_requests/:id/reject", MastodonAPIController, :reject_follow_request)
- post("/pleroma/accounts/:id/subscribe", MastodonAPIController, :subscribe)
- post("/pleroma/accounts/:id/unsubscribe", MastodonAPIController, :unsubscribe)
- end
+ post("/domain_blocks", MastodonAPIController, :block_domain)
+ delete("/domain_blocks", MastodonAPIController, :unblock_domain)
- scope [] do
- pipe_through(:oauth_push)
+ post("/pleroma/accounts/:id/subscribe", MastodonAPIController, :subscribe)
+ post("/pleroma/accounts/:id/unsubscribe", MastodonAPIController, :unsubscribe)
- post("/push/subscription", SubscriptionController, :create)
- get("/push/subscription", SubscriptionController, :get)
- put("/push/subscription", SubscriptionController, :update)
- delete("/push/subscription", SubscriptionController, :delete)
- end
+ post("/push/subscription", SubscriptionController, :create)
+ get("/push/subscription", SubscriptionController, :get)
+ put("/push/subscription", SubscriptionController, :update)
+ delete("/push/subscription", SubscriptionController, :delete)
end
scope "/api/web", Pleroma.Web.MastodonAPI do
- pipe_through([:authenticated_api, :oauth_write])
+ pipe_through(:authenticated_api)
put("/settings", MastodonAPIController, :put_settings)
end
:account_confirmation_resend
)
- scope [] do
- pipe_through(:oauth_read_or_public)
+ get("/timelines/public", MastodonAPIController, :public_timeline)
+ get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
+ get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)
- get("/timelines/public", MastodonAPIController, :public_timeline)
- get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
- get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)
+ get("/statuses", MastodonAPIController, :get_statuses)
+ get("/statuses/:id", MastodonAPIController, :get_status)
+ get("/statuses/:id/context", MastodonAPIController, :get_context)
- get("/statuses", MastodonAPIController, :get_statuses)
- get("/statuses/:id", MastodonAPIController, :get_status)
- get("/statuses/:id/context", MastodonAPIController, :get_context)
+ get("/polls/:id", MastodonAPIController, :get_poll)
- get("/polls/:id", MastodonAPIController, :get_poll)
+ get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
+ get("/accounts/:id/followers", MastodonAPIController, :followers)
+ get("/accounts/:id/following", MastodonAPIController, :following)
+ get("/accounts/:id", MastodonAPIController, :user)
- get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
- get("/accounts/:id/followers", MastodonAPIController, :followers)
- get("/accounts/:id/following", MastodonAPIController, :following)
- get("/accounts/:id", MastodonAPIController, :user)
+ get("/search", SearchController, :search)
- get("/search", SearchController, :search)
-
- get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
- end
+ get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
end
scope "/api/v2", Pleroma.Web.MastodonAPI do
- pipe_through([:api, :oauth_read_or_public])
+ pipe_through(:api)
get("/search", SearchController, :search2)
end
get("/oauth_tokens", TwitterAPI.Controller, :oauth_tokens)
delete("/oauth_tokens/:id", TwitterAPI.Controller, :revoke_token)
- scope [] do
- pipe_through(:oauth_read)
-
- post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
- end
+ post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
end
pipeline :ap_service_actor do
scope "/", Pleroma.Web.ActivityPub do
pipe_through([:activitypub_client])
- scope [] do
- pipe_through(:oauth_read)
- get("/api/ap/whoami", ActivityPubController, :whoami)
- get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
- end
-
- scope [] do
- pipe_through(:oauth_write)
- post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
- end
-
- scope [] do
- pipe_through(:oauth_read_or_public)
- get("/users/:nickname/followers", ActivityPubController, :followers)
- get("/users/:nickname/following", ActivityPubController, :following)
- end
+ get("/api/ap/whoami", ActivityPubController, :whoami)
+ get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
+ post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+ get("/users/:nickname/followers", ActivityPubController, :followers)
+ get("/users/:nickname/following", ActivityPubController, :following)
end
scope "/", Pleroma.Web.ActivityPub do
pipe_through(:activitypub)
+
post("/inbox", ActivityPubController, :inbox)
post("/users/:nickname/inbox", ActivityPubController, :inbox)
end
post("/auth/password", MastodonAPIController, :password_reset)
- scope [] do
- pipe_through(:oauth_read)
- get("/web/*path", MastodonAPIController, :index)
- end
+ get("/web/*path", MastodonAPIController, :index)
end
pipeline :remote_media do
defmodule Pleroma.Plugs.OAuthScopesPlugTest do
use Pleroma.Web.ConnCase, async: true
+ alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Repo
+ import Mock
import Pleroma.Factory
- test "proceeds with no op if `assigns[:token]` is nil", %{conn: conn} do
- conn =
- conn
- |> assign(:user, insert(:user))
- |> OAuthScopesPlug.call(%{scopes: ["read"]})
+ setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
+ :ok
+ end
- refute conn.halted
- assert conn.assigns[:user]
+ describe "when `assigns[:token]` is nil, " do
+ test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
+ conn =
+ conn
+ |> assign(:user, insert(:user))
+ |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+
+ refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ end
+
+ test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
+ conn: conn
+ } do
+ conn =
+ conn
+ |> assign(:user, insert(:user))
+ |> OAuthScopesPlug.call(%{scopes: ["read"]})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+
+ assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ end
end
- test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
- conn: conn
- } do
+ test "if `token.scopes` fulfills specified 'any of' conditions, " <>
+ "proceeds with no op",
+ %{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
assert conn.assigns[:user]
end
- test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
- conn: conn
- } do
+ test "if `token.scopes` fulfills specified 'all of' conditions, " <>
+ "proceeds with no op",
+ %{conn: conn} do
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
conn =
assert conn.assigns[:user]
end
- test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'any of' conditions " <>
- "and `fallback: :proceed_unauthenticated` option is specified",
- %{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+ describe "with `fallback: :proceed_unauthenticated` option, " do
+ test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
+ "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
+
+ refute conn.halted
+ refute conn.assigns[:user]
+
+ assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ end
+
+ test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
+ "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{
+ scopes: ["read", "follow"],
+ op: :&,
+ fallback: :proceed_unauthenticated
+ })
+
+ refute conn.halted
+ refute conn.assigns[:user]
+
+ assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ end
+
+ test "with :skip_instance_privacy_check option, " <>
+ "if `token.scopes` doesn't fulfill specified conditions, " <>
+ "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{
+ scopes: ["read"],
+ fallback: :proceed_unauthenticated,
+ skip_instance_privacy_check: true
+ })
+
+ refute conn.halted
+ refute conn.assigns[:user]
+
+ refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ end
+ end
- conn =
- conn
- |> assign(:user, token.user)
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
+ describe "without :fallback option, " do
+ test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
+ "returns 403 and halts",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read", "write"])
+ any_of_scopes = ["follow"]
- refute conn.halted
- refute conn.assigns[:user]
- end
+ conn =
+ conn
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
- test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'all of' conditions " <>
- "and `fallback: :proceed_unauthenticated` option is specified",
- %{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+ assert conn.halted
+ assert 403 == conn.status
- conn =
- conn
- |> assign(:user, token.user)
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{
- scopes: ["read", "follow"],
- op: :&,
- fallback: :proceed_unauthenticated
- })
+ expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
+ assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ end
- refute conn.halted
- refute conn.assigns[:user]
- end
+ test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
+ "returns 403 and halts",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read", "write"])
+ all_of_scopes = ["write", "follow"]
- test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
- %{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"])
- any_of_scopes = ["follow"]
+ conn =
+ conn
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
- conn =
- conn
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
+ assert conn.halted
+ assert 403 == conn.status
- assert conn.halted
- assert 403 == conn.status
+ expected_error =
+ "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
- expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
- assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ end
end
- test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
- %{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"])
- all_of_scopes = ["write", "follow"]
+ describe "with hierarchical scopes, " do
+ test "if `token.scopes` fulfills specified 'any of' conditions, " <>
+ "proceeds with no op",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+ end
+
+ test "if `token.scopes` fulfills specified 'all of' conditions, " <>
+ "proceeds with no op",
+ %{conn: conn} do
+ token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+ end
+ end
- conn =
- conn
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
+ describe "filter_descendants/2" do
+ test "filters scopes which directly match or are ancestors of supported scopes" do
+ f = fn scopes, supported_scopes ->
+ OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
+ end
+
+ assert f.(["read", "follow"], ["write", "read"]) == ["read"]
- assert conn.halted
- assert 403 == conn.status
+ assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
+ ["read", "write:something"]
- expected_error =
- "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
+ assert f.(["admin:read"], ["write", "read"]) == []
- assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
+ end
end
end
projects / akkoma / commitdiff