git.squeep.com Git - akkoma/blob - lib/pleroma/tests/auth_test_controller.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 # A test controller reachable only in :test env.
   6 defmodule Pleroma.Tests.AuthTestController do
   7   @moduledoc false
   8
   9   use Pleroma.Web, :controller
  10
  11   alias Pleroma.User
  12   alias Pleroma.Web.Plugs.OAuthScopesPlug
  13
  14   # Serves only with proper OAuth token (:api and :authenticated_api)
  15   # Skipping EnsurePublicOrAuthenticatedPlug has no effect in this case
  16   #
  17   # Suggested use case: all :authenticated_api endpoints (makes no sense for :api endpoints)
  18   plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :do_oauth_check)
  19
  20   # Via :api, keeps :user if token has requested scopes (if :user is dropped, serves if public)
  21   # Via :authenticated_api, serves if token is present and has requested scopes
  22   #
  23   # Suggested use case: vast majority of :api endpoints (no sense for :authenticated_api ones)
  24   plug(
  25     OAuthScopesPlug,
  26     %{scopes: ["read"], fallback: :proceed_unauthenticated}
  27     when action == :fallback_oauth_check
  28   )
  29
  30   # Keeps :user if present, executes regardless of token / token scopes
  31   # Fails with no :user for :authenticated_api / no user for :api on private instance
  32   # Note: EnsurePublicOrAuthenticatedPlug is not skipped (private instance fails on no :user)
  33   # Note: Basic Auth processing results in :skip_plug call for OAuthScopesPlug
  34   #
  35   # Suggested use: suppressing OAuth checks for other auth mechanisms (like Basic Auth)
  36   # For controller-level use, see :skip_oauth_skip_publicity_check instead
  37   plug(
  38     :skip_plug,
  39     OAuthScopesPlug when action == :skip_oauth_check
  40   )
  41
  42   # (Shouldn't be executed since the plug is skipped)
  43   plug(OAuthScopesPlug, %{scopes: ["admin"]} when action == :skip_oauth_check)
  44
  45   # Via :api, keeps :user if token has requested scopes, and continues with nil :user otherwise
  46   # Via :authenticated_api, serves if token is present and has requested scopes
  47   #
  48   # Suggested use: as :fallback_oauth_check but open with nil :user for :api on private instances
  49   plug(:skip_public_check when action == :fallback_oauth_skip_publicity_check)
  50
  51   plug(
  52     OAuthScopesPlug,
  53     %{scopes: ["read"], fallback: :proceed_unauthenticated}
  54     when action == :fallback_oauth_skip_publicity_check
  55   )
  56
  57   # Via :api, keeps :user if present, serves regardless of token presence / scopes / :user presence
  58   # Via :authenticated_api, serves if :user is set (regardless of token presence and its scopes)
  59   #
  60   # Suggested use: making an :api endpoint always accessible (e.g. email confirmation endpoint)
  61   plug(:skip_auth when action == :skip_oauth_skip_publicity_check)
  62
  63   # Via :authenticated_api, always fails with 403 (endpoint is insecure)
  64   # Via :api, drops :user if present and serves if public (private instance rejects on no user)
  65   #
  66   # Suggested use: none; please define OAuth rules for all :api / :authenticated_api endpoints
  67   plug(:skip_plug, [] when action == :missing_oauth_check_definition)
  68
  69   def do_oauth_check(conn, _params), do: conn_state(conn)
  70
  71   def fallback_oauth_check(conn, _params), do: conn_state(conn)
  72
  73   def skip_oauth_check(conn, _params), do: conn_state(conn)
  74
  75   def fallback_oauth_skip_publicity_check(conn, _params), do: conn_state(conn)
  76
  77   def skip_oauth_skip_publicity_check(conn, _params), do: conn_state(conn)
  78
  79   def missing_oauth_check_definition(conn, _params), do: conn_state(conn)
  80
  81   defp conn_state(%{assigns: %{user: %User{} = user}} = conn),
  82     do: json(conn, %{user_id: user.id})
  83
  84   defp conn_state(conn), do: json(conn, %{user_id: nil})
  85 end