alias Pleroma.Web.OAuth.App
import Pleroma.Factory
- test "create an authorization token for a valid app" do
+ setup do
{:ok, app} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client",
- scopes: ["scope"],
+ scopes: ["read", "write"],
redirect_uris: "url"
})
)
+ %{app: app}
+ end
+
+ test "create an authorization token for a valid app", %{app: app} do
user = insert(:user)
- {:ok, auth} = Authorization.create_authorization(app, user)
+ {:ok, auth1} = Authorization.create_authorization(app, user)
+ assert auth1.scopes == app.scopes
- assert auth.user_id == user.id
- assert auth.app_id == app.id
- assert String.length(auth.token) > 10
- assert auth.used == false
- end
+ {:ok, auth2} = Authorization.create_authorization(app, user, ["read"])
+ assert auth2.scopes == ["read"]
- test "use up a token" do
- {:ok, app} =
- Repo.insert(
- App.register_changeset(%App{}, %{
- client_name: "client",
- scopes: ["scope"],
- redirect_uris: "url"
- })
- )
+ for auth <- [auth1, auth2] do
+ assert auth.user_id == user.id
+ assert auth.app_id == app.id
+ assert String.length(auth.token) > 10
+ assert auth.used == false
+ end
+ end
+ test "use up a token", %{app: app} do
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
end
- test "delete authorizations" do
- {:ok, app} =
- Repo.insert(
- App.register_changeset(%App{}, %{
- client_name: "client",
- scopes: ["scope"],
- redirect_uris: "url"
- })
- )
-
+ test "delete authorizations", %{app: app} do
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
test "redirects with oauth authorization" do
user = insert(:user)
- app = insert(:oauth_app)
+ app = insert(:oauth_app, scopes: ["read", "write", "follow"])
conn =
build_conn()
"password" => "test",
"client_id" => app.client_id,
"redirect_uri" => app.redirect_uris,
- "scope" => Enum.join(app.scopes, " "),
+ "scope" => "read write",
"state" => "statepassed"
}
})
query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
assert %{"state" => "statepassed", "code" => code} = query
- assert Repo.get_by(Authorization, token: code)
+ auth = Repo.get_by(Authorization, token: code)
+ assert auth
+ assert auth.scopes == ["read", "write"]
end
- test "correctly handles wrong credentials", %{conn: conn} do
+ test "returns 401 for wrong credentials", %{conn: conn} do
user = insert(:user)
app = insert(:oauth_app)
"password" => "wrong",
"client_id" => app.client_id,
"redirect_uri" => app.redirect_uris,
- "state" => "statepassed"
+ "state" => "statepassed",
+ "scope" => Enum.join(app.scopes, " ")
}
})
|> html_response(:unauthorized)
assert result =~ app.redirect_uris
# Error message
- assert result =~ "Invalid"
+ assert result =~ "Invalid Username/Password"
end
- test "issues a token for an all-body request" do
+ test "returns 401 for missing scopes", %{conn: conn} do
user = insert(:user)
app = insert(:oauth_app)
- {:ok, auth} = Authorization.create_authorization(app, user)
+ result =
+ conn
+ |> post("/oauth/authorize", %{
+ "authorization" => %{
+ "name" => user.nickname,
+ "password" => "test",
+ "client_id" => app.client_id,
+ "redirect_uri" => app.redirect_uris,
+ "state" => "statepassed",
+ "scope" => ""
+ }
+ })
+ |> html_response(:unauthorized)
+
+ # Keep the details
+ assert result =~ app.client_id
+ assert result =~ app.redirect_uris
+
+ # Error message
+ assert result =~ "Permissions not specified"
+ end
+
+ test "returns 401 for scopes beyond app scopes", %{conn: conn} do
+ user = insert(:user)
+ app = insert(:oauth_app, scopes: ["read", "write"])
+
+ result =
+ conn
+ |> post("/oauth/authorize", %{
+ "authorization" => %{
+ "name" => user.nickname,
+ "password" => "test",
+ "client_id" => app.client_id,
+ "redirect_uri" => app.redirect_uris,
+ "state" => "statepassed",
+ "scope" => "read write follow"
+ }
+ })
+ |> html_response(:unauthorized)
+
+ # Keep the details
+ assert result =~ app.client_id
+ assert result =~ app.redirect_uris
+
+ # Error message
+ assert result =~ "Permissions not specified"
+ end
+
+ test "issues a token for an all-body request" do
+ user = insert(:user)
+ app = insert(:oauth_app, scopes: ["read", "write"])
+
+ {:ok, auth} = Authorization.create_authorization(app, user, ["write"])
conn =
build_conn()
})
assert %{"access_token" => token} = json_response(conn, 200)
- assert Repo.get_by(Token, token: token)
+
+ token = Repo.get_by(Token, token: token)
+ assert token
+ assert token.scopes == auth.scopes
end
- test "issues a token for `password` grant_type with valid credentials" do
+ test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
password = "testpassword"
user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
- app = insert(:oauth_app)
+ app = insert(:oauth_app, scopes: ["read", "write"])
+ # Note: "scope" param is intentionally omitted
conn =
build_conn()
|> post("/oauth/token", %{
})
assert %{"access_token" => token} = json_response(conn, 200)
- assert Repo.get_by(Token, token: token)
+
+ token = Repo.get_by(Token, token: token)
+ assert token
+ assert token.scopes == app.scopes
end
test "issues a token for request with HTTP basic auth client credentials" do
user = insert(:user)
- app = insert(:oauth_app)
+ app = insert(:oauth_app, scopes: ["scope1", "scope2"])
- {:ok, auth} = Authorization.create_authorization(app, user)
+ {:ok, auth} = Authorization.create_authorization(app, user, ["scope2"])
+ assert auth.scopes == ["scope2"]
app_encoded =
(URI.encode_www_form(app.client_id) <> ":" <> URI.encode_www_form(app.client_secret))
})
assert %{"access_token" => token} = json_response(conn, 200)
- assert Repo.get_by(Token, token: token)
+
+ token = Repo.get_by(Token, token: token)
+ assert token
+ assert token.scopes == ["scope2"]
end
test "rejects token exchange with invalid client credentials" do
projects / akkoma / commitdiff