X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=test%2Fpleroma%2Fweb%2Fo_auth%2Fo_auth_controller_test.exs;h=9f984b26fad02a21af581c362443bea9e0a84ea5;hb=aa681d7e15f6170e7e92d86146d5ba96be6433bc;hp=0fdd5b8e9fb853e6cd2f4a84ef6eb1ad39030292;hpb=c4b4258374e73ca4a6e3f3b30e3a8dad0ce40039;p=akkoma diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs index 0fdd5b8e9..9f984b26f 100644 --- a/test/pleroma/web/o_auth/o_auth_controller_test.exs +++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs @@ -7,7 +7,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do import Pleroma.Factory - alias Pleroma.Helpers.AuthHelper alias Pleroma.MFA alias Pleroma.MFA.TOTP alias Pleroma.Repo @@ -456,7 +455,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> AuthHelper.put_session_token(token.token) + |> put_req_header("authorization", "Bearer #{token.token}") |> get( "/oauth/authorize", %{ @@ -471,22 +470,92 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end - test "renders authentication page if user is already authenticated but user request with another client", + test "reuses authentication if the user is authenticated with another client", %{ - app: app, conn: conn } do - token = insert(:oauth_token, app: app) + user = insert(:user) + + app = insert(:oauth_app, redirect_uris: "https://redirect.url") + other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + token = insert(:oauth_token, user: user, app: app) + reusable_token = insert(:oauth_token, app: other_app, user: user) conn = conn - |> AuthHelper.put_session_token(token.token) + |> put_req_header("authorization", "Bearer #{token.token}") |> get( "/oauth/authorize", %{ "response_type" => "code", - "client_id" => "another_client_id", - "redirect_uri" => OAuthController.default_redirect_uri(app), + "client_id" => other_app.client_id, + "redirect_uri" => OAuthController.default_redirect_uri(other_app), + "scope" => "read" + } + ) + + assert URI.decode(redirected_to(conn)) == + "https://redirect.url?access_token=#{reusable_token.token}" + end + + test "does not reuse other people's tokens", + %{ + conn: conn + } do + user = insert(:user) + other_user = insert(:user) + + app = insert(:oauth_app, redirect_uris: "https://redirect.url") + other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + token = insert(:oauth_token, user: user, app: app) + _not_reusable_token = insert(:oauth_token, app: other_app, user: other_user) + + conn = + conn + |> put_req_header("authorization", "Bearer #{token.token}") + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => other_app.client_id, + "redirect_uri" => OAuthController.default_redirect_uri(other_app), + "scope" => "read" + } + ) + + assert html_response(conn, 200) =~ ~s(type="submit") + end + + test "does not reuse expired tokens", + %{ + conn: conn + } do + user = insert(:user) + + app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + token = insert(:oauth_token, user: user, app: app) + + _not_reusable_token = + insert(:oauth_token, + app: other_app, + user: user, + valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -60 * 100) + ) + + conn = + conn + |> put_req_header("authorization", "Bearer #{token.token}") + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => other_app.client_id, + "redirect_uri" => OAuthController.default_redirect_uri(other_app), "scope" => "read" } ) @@ -494,6 +563,40 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end + test "does not reuse tokens with the wrong scopes", + %{ + conn: conn + } do + user = insert(:user) + + app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") + + token = insert(:oauth_token, user: user, app: app, scopes: ["read"]) + + _not_reusable_token = + insert(:oauth_token, + app: other_app, + user: user + ) + + conn = + conn + |> put_req_header("authorization", "Bearer #{token.token}") + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => other_app.client_id, + "redirect_uri" => OAuthController.default_redirect_uri(other_app), + "scope" => "read write" + } + ) + + assert html_response(conn, 200) =~ ~s(type="submit") + end + test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params", %{ app: app, @@ -503,7 +606,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> AuthHelper.put_session_token(token.token) + |> put_req_header("authorization", "Bearer #{token.token}") |> get( "/oauth/authorize", %{ @@ -529,7 +632,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> AuthHelper.put_session_token(token.token) + |> put_req_header("authorization", "Bearer #{token.token}") |> get( "/oauth/authorize", %{ @@ -553,7 +656,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> AuthHelper.put_session_token(token.token) + |> put_req_header("authorization", "Bearer #{token.token}") |> get( "/oauth/authorize", %{ @@ -611,41 +714,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do end end - test "authorize from cookie" do - user = insert(:user) - app = insert(:oauth_app) - oauth_token = insert(:oauth_token, user: user, app: app) - redirect_uri = OAuthController.default_redirect_uri(app) - - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session() - |> AuthHelper.put_session_token(oauth_token.token) - |> post( - "/oauth/authorize", - %{ - "authorization" => %{ - "name" => user.nickname, - "client_id" => app.client_id, - "redirect_uri" => redirect_uri, - "scope" => app.scopes, - "state" => "statepassed" - } - } - ) - - target = redirected_to(conn) - assert target =~ redirect_uri - - query = URI.parse(target).query |> URI.query_decoder() |> Map.new() - - assert %{"state" => "statepassed", "code" => code} = query - auth = Repo.get_by(Authorization, token: code) - assert auth - assert auth.scopes == app.scopes - end - test "redirect to on two-factor auth page" do otp_secret = TOTP.generate_secret() @@ -1218,6 +1286,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do response = build_conn() + |> put_req_header("authorization", "Bearer #{access_token.token}") |> post("/oauth/token", %{ "grant_type" => "refresh_token", "refresh_token" => access_token.refresh_token, @@ -1267,12 +1336,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do build_conn() |> Plug.Session.call(Plug.Session.init(@session_opts)) |> fetch_session() - |> AuthHelper.put_session_token(oauth_token.token) + |> put_req_header("authorization", "Bearer #{oauth_token.token}") |> post("/oauth/revoke", %{"token" => oauth_token.token}) assert json_response(conn, 200) - refute AuthHelper.get_session_token(conn) assert Token.get_by_token(oauth_token.token) == {:error, :not_found} end @@ -1286,12 +1354,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do build_conn() |> Plug.Session.call(Plug.Session.init(@session_opts)) |> fetch_session() - |> AuthHelper.put_session_token(oauth_token.token) + |> put_req_header("authorization", "Bearer #{oauth_token.token}") |> post("/oauth/revoke", %{"token" => other_app_oauth_token.token}) assert json_response(conn, 200) - assert AuthHelper.get_session_token(conn) == oauth_token.token assert Token.get_by_token(other_app_oauth_token.token) == {:error, :not_found} end