Fix oauth2 (for real) (#179)

[akkoma] / test / pleroma / web / o_auth / o_auth_controller_test.exs
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs

index a00df8cc7e6e191cdbf0f87b622ff37d0e03edea..9f984b26fad02a21af581c362443bea9e0a84ea5 100644 (file)
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -1,9 +1,10 @@
  # Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
  # SPDX-License-Identifier: AGPL-3.0-only
  
  defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    use Pleroma.Web.ConnCase
+
    import Pleroma.Factory
  
    alias Pleroma.MFA
@@ -81,7 +82,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        redirect_query = URI.parse(redirected_to(conn)).query
        assert %{"state" => state_param} = URI.decode_query(redirect_query)
-      assert {:ok, state_components} = Poison.decode(state_param)
+      assert {:ok, state_components} = Jason.decode(state_param)
  
        expected_client_id = app.client_id
        expected_redirect_uri = app.redirect_uris
@@ -115,7 +116,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
              "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
              "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
              "provider" => "twitter",
-            "state" => Poison.encode!(state_params)
+            "state" => Jason.encode!(state_params)
            }
          )
  
@@ -147,7 +148,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
              "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
              "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
              "provider" => "twitter",
-            "state" => Poison.encode!(state_params)
+            "state" => Jason.encode!(state_params)
            }
          )
  
@@ -178,7 +179,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
              "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM",
              "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs",
              "provider" => "twitter",
-            "state" => Poison.encode!(state_params)
+            "state" => Jason.encode!(state_params)
            }
          )
  
@@ -314,7 +315,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
             app: app,
             conn: conn
           } do
-      user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt("testpassword"))
+      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
        registration = insert(:registration, user: nil)
        redirect_uri = OAuthController.default_redirect_uri(app)
  
@@ -345,7 +346,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
             app: app,
             conn: conn
           } do
-      user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt("testpassword"))
+      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
        registration = insert(:registration, user: nil)
        unlisted_redirect_uri = "http://cross-site-request.com"
  
@@ -454,7 +455,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        conn =
          conn
-        |> put_session(:oauth_token, token.token)
+        |> put_req_header("authorization", "Bearer #{token.token}")
          |> get(
            "/oauth/authorize",
            %{
@@ -469,22 +470,92 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert html_response(conn, 200) =~ ~s(type="submit")
      end
  
-    test "renders authentication page if user is already authenticated but user request with another client",
+    test "reuses authentication if the user is authenticated with another client",
           %{
-           app: app,
             conn: conn
           } do
-      token = insert(:oauth_token, app: app)
+      user = insert(:user)
+
+      app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+      other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      token = insert(:oauth_token, user: user, app: app)
+      reusable_token = insert(:oauth_token, app: other_app, user: user)
  
        conn =
          conn
-        |> put_session(:oauth_token, token.token)
+        |> put_req_header("authorization", "Bearer #{token.token}")
          |> get(
            "/oauth/authorize",
            %{
              "response_type" => "code",
-            "client_id" => "another_client_id",
-            "redirect_uri" => OAuthController.default_redirect_uri(app),
+            "client_id" => other_app.client_id,
+            "redirect_uri" => OAuthController.default_redirect_uri(other_app),
+            "scope" => "read"
+          }
+        )
+
+      assert URI.decode(redirected_to(conn)) ==
+               "https://redirect.url?access_token=#{reusable_token.token}"
+    end
+
+    test "does not reuse other people's tokens",
+         %{
+           conn: conn
+         } do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+      other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      token = insert(:oauth_token, user: user, app: app)
+      _not_reusable_token = insert(:oauth_token, app: other_app, user: other_user)
+
+      conn =
+        conn
+        |> put_req_header("authorization", "Bearer #{token.token}")
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => other_app.client_id,
+            "redirect_uri" => OAuthController.default_redirect_uri(other_app),
+            "scope" => "read"
+          }
+        )
+
+      assert html_response(conn, 200) =~ ~s(type="submit")
+    end
+
+    test "does not reuse expired tokens",
+         %{
+           conn: conn
+         } do
+      user = insert(:user)
+
+      app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      token = insert(:oauth_token, user: user, app: app)
+
+      _not_reusable_token =
+        insert(:oauth_token,
+          app: other_app,
+          user: user,
+          valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -60 * 100)
+        )
+
+      conn =
+        conn
+        |> put_req_header("authorization", "Bearer #{token.token}")
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => other_app.client_id,
+            "redirect_uri" => OAuthController.default_redirect_uri(other_app),
              "scope" => "read"
            }
          )
@@ -492,6 +563,40 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert html_response(conn, 200) =~ ~s(type="submit")
      end
  
+    test "does not reuse tokens with the wrong scopes",
+         %{
+           conn: conn
+         } do
+      user = insert(:user)
+
+      app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+      token = insert(:oauth_token, user: user, app: app, scopes: ["read"])
+
+      _not_reusable_token =
+        insert(:oauth_token,
+          app: other_app,
+          user: user
+        )
+
+      conn =
+        conn
+        |> put_req_header("authorization", "Bearer #{token.token}")
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => other_app.client_id,
+            "redirect_uri" => OAuthController.default_redirect_uri(other_app),
+            "scope" => "read write"
+          }
+        )
+
+      assert html_response(conn, 200) =~ ~s(type="submit")
+    end
+
      test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params",
           %{
             app: app,
@@ -501,7 +606,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        conn =
          conn
-        |> put_session(:oauth_token, token.token)
+        |> put_req_header("authorization", "Bearer #{token.token}")
          |> get(
            "/oauth/authorize",
            %{
@@ -527,7 +632,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        conn =
          conn
-        |> put_session(:oauth_token, token.token)
+        |> put_req_header("authorization", "Bearer #{token.token}")
          |> get(
            "/oauth/authorize",
            %{
@@ -551,7 +656,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        conn =
          conn
-        |> put_session(:oauth_token, token.token)
+        |> put_req_header("authorization", "Bearer #{token.token}")
          |> get(
            "/oauth/authorize",
            %{
@@ -753,7 +858,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
      test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
        password = "testpassword"
-      user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
  
        app = insert(:oauth_app, scopes: ["read", "write"])
  
@@ -768,10 +873,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "client_secret" => app.client_secret
          })
  
-      assert %{"access_token" => token} = json_response(conn, 200)
+      assert %{"id" => id, "access_token" => access_token} = json_response(conn, 200)
  
-      token = Repo.get_by(Token, token: token)
+      token = Repo.get_by(Token, token: access_token)
        assert token
+      assert token.id == id
+      assert token.token == access_token
        assert token.scopes == app.scopes
      end
  
@@ -781,7 +888,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        user =
          insert(:user,
-          password_hash: Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
            multi_factor_authentication_settings: %MFA.Settings{
              enabled: true,
              totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
@@ -886,12 +993,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
  
      test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
-      Pleroma.Config.put([:instance, :account_activation_required], true)
+      clear_config([:instance, :account_activation_required], true)
        password = "testpassword"
  
        {:ok, user} =
-        insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
-        |> User.confirmation_changeset(need_confirmation: true)
+        insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+        |> User.confirmation_changeset(set_confirmation: false)
          |> User.update_and_set_cache()
  
        refute Pleroma.User.account_status(user) == :active
@@ -918,8 +1025,8 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        user =
          insert(:user,
-          password_hash: Pbkdf2.hash_pwd_salt(password),
-          deactivated: true
+          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          is_active: false
          )
  
        app = insert(:oauth_app)
@@ -946,7 +1053,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        user =
          insert(:user,
-          password_hash: Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
            password_reset_pending: true
          )
  
@@ -970,13 +1077,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
  
      test "rejects token exchange for user with confirmation_pending set to true" do
-      Pleroma.Config.put([:instance, :account_activation_required], true)
+      clear_config([:instance, :account_activation_required], true)
        password = "testpassword"
  
        user =
          insert(:user,
-          password_hash: Pbkdf2.hash_pwd_salt(password),
-          confirmation_pending: true
+          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          is_confirmed: false
          )
  
        app = insert(:oauth_app, scopes: ["read", "write"])
@@ -1001,7 +1108,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      test "rejects token exchange for valid credentials belonging to an unapproved user" do
        password = "testpassword"
  
-      user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password), approval_pending: true)
+      user =
+        insert(:user,
+          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          is_approved: false
+        )
  
        refute Pleroma.User.account_status(user) == :active
  
@@ -1045,7 +1156,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      setup do: clear_config([:oauth2, :issue_new_refresh_token])
  
      test "issues a new access token with keep fresh token" do
-      Pleroma.Config.put([:oauth2, :issue_new_refresh_token], true)
+      clear_config([:oauth2, :issue_new_refresh_token], true)
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
  
@@ -1068,7 +1179,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
                 %{
                   "scope" => "write",
                   "token_type" => "Bearer",
-                 "expires_in" => 600,
                   "access_token" => _,
                   "refresh_token" => _,
                   "me" => ^ap_id
@@ -1085,7 +1195,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
  
      test "issues a new access token with new fresh token" do
-      Pleroma.Config.put([:oauth2, :issue_new_refresh_token], false)
+      clear_config([:oauth2, :issue_new_refresh_token], false)
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
  
@@ -1108,7 +1218,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
                 %{
                   "scope" => "write",
                   "token_type" => "Bearer",
-                 "expires_in" => 600,
                   "access_token" => _,
                   "refresh_token" => _,
                   "me" => ^ap_id
@@ -1177,6 +1286,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
        response =
          build_conn()
+        |> put_req_header("authorization", "Bearer #{access_token.token}")
          |> post("/oauth/token", %{
            "grant_type" => "refresh_token",
            "refresh_token" => access_token.refresh_token,
@@ -1191,7 +1301,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
                 %{
                   "scope" => "write",
                   "token_type" => "Bearer",
-                 "expires_in" => 600,
                   "access_token" => _,
                   "refresh_token" => _,
                   "me" => ^ap_id
@@ -1219,8 +1328,41 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
    end
  
-  describe "POST /oauth/revoke - bad request" do
-    test "returns 500" do
+  describe "POST /oauth/revoke" do
+    test "when authenticated with request token, revokes it and clears it from session" do
+      oauth_token = insert(:oauth_token)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> put_req_header("authorization", "Bearer #{oauth_token.token}")
+        |> post("/oauth/revoke", %{"token" => oauth_token.token})
+
+      assert json_response(conn, 200)
+
+      assert Token.get_by_token(oauth_token.token) == {:error, :not_found}
+    end
+
+    test "if request is authenticated with a different token, " <>
+           "revokes requested token but keeps session token" do
+      user = insert(:user)
+      oauth_token = insert(:oauth_token, user: user)
+      other_app_oauth_token = insert(:oauth_token, user: user)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> put_req_header("authorization", "Bearer #{oauth_token.token}")
+        |> post("/oauth/revoke", %{"token" => other_app_oauth_token.token})
+
+      assert json_response(conn, 200)
+
+      assert Token.get_by_token(other_app_oauth_token.token) == {:error, :not_found}
+    end
+
+    test "returns 500 on bad request" do
        response =
          build_conn()
          |> post("/oauth/revoke", %{})