|
|
@@ -567,33 +567,41 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |
|
|
|
end |
|
|
|
|
|
|
|
describe "POST /oauth/authorize" do |
|
|
|
test "redirects with oauth authorization" do |
|
|
|
user = insert(:user) |
|
|
|
app = insert(:oauth_app, scopes: ["read", "write", "follow"]) |
|
|
|
test "redirects with oauth authorization, " <> |
|
|
|
"keeping only non-admin scopes for non-admin user" do |
|
|
|
app = insert(:oauth_app, scopes: ["read", "write", "admin"]) |
|
|
|
redirect_uri = OAuthController.default_redirect_uri(app) |
|
|
|
|
|
|
|
conn = |
|
|
|
build_conn() |
|
|
|
|> post("/oauth/authorize", %{ |
|
|
|
"authorization" => %{ |
|
|
|
"name" => user.nickname, |
|
|
|
"password" => "test", |
|
|
|
"client_id" => app.client_id, |
|
|
|
"redirect_uri" => redirect_uri, |
|
|
|
"scope" => "read:subscope write", |
|
|
|
"state" => "statepassed" |
|
|
|
} |
|
|
|
}) |
|
|
|
non_admin = insert(:user, is_admin: false) |
|
|
|
admin = insert(:user, is_admin: true) |
|
|
|
|
|
|
|
target = redirected_to(conn) |
|
|
|
assert target =~ redirect_uri |
|
|
|
for {user, expected_scopes} <- %{ |
|
|
|
non_admin => ["read:subscope", "write"], |
|
|
|
admin => ["read:subscope", "write", "admin"] |
|
|
|
} do |
|
|
|
conn = |
|
|
|
build_conn() |
|
|
|
|> post("/oauth/authorize", %{ |
|
|
|
"authorization" => %{ |
|
|
|
"name" => user.nickname, |
|
|
|
"password" => "test", |
|
|
|
"client_id" => app.client_id, |
|
|
|
"redirect_uri" => redirect_uri, |
|
|
|
"scope" => "read:subscope write admin", |
|
|
|
"state" => "statepassed" |
|
|
|
} |
|
|
|
}) |
|
|
|
|
|
|
|
query = URI.parse(target).query |> URI.query_decoder() |> Map.new() |
|
|
|
target = redirected_to(conn) |
|
|
|
assert target =~ redirect_uri |
|
|
|
|
|
|
|
assert %{"state" => "statepassed", "code" => code} = query |
|
|
|
auth = Repo.get_by(Authorization, token: code) |
|
|
|
assert auth |
|
|
|
assert auth.scopes == ["read:subscope", "write"] |
|
|
|
query = URI.parse(target).query |> URI.query_decoder() |> Map.new() |
|
|
|
|
|
|
|
assert %{"state" => "statepassed", "code" => code} = query |
|
|
|
auth = Repo.get_by(Authorization, token: code) |
|
|
|
assert auth |
|
|
|
assert auth.scopes == expected_scopes |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
test "returns 401 for wrong credentials", %{conn: conn} do |
|
|
@@ -623,31 +631,34 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |
|
|
|
assert result =~ "Invalid Username/Password" |
|
|
|
end |
|
|
|
|
|
|
|
test "returns 401 for missing scopes", %{conn: conn} do |
|
|
|
user = insert(:user) |
|
|
|
app = insert(:oauth_app) |
|
|
|
test "returns 401 for missing scopes " <> |
|
|
|
"(including all admin-only scopes for non-admin user)" do |
|
|
|
user = insert(:user, is_admin: false) |
|
|
|
app = insert(:oauth_app, scopes: ["read", "write", "admin"]) |
|
|
|
redirect_uri = OAuthController.default_redirect_uri(app) |
|
|
|
|
|
|
|
result = |
|
|
|
conn |
|
|
|
|> post("/oauth/authorize", %{ |
|
|
|
"authorization" => %{ |
|
|
|
"name" => user.nickname, |
|
|
|
"password" => "test", |
|
|
|
"client_id" => app.client_id, |
|
|
|
"redirect_uri" => redirect_uri, |
|
|
|
"state" => "statepassed", |
|
|
|
"scope" => "" |
|
|
|
} |
|
|
|
}) |
|
|
|
|> html_response(:unauthorized) |
|
|
|
for scope_param <- ["", "admin:read admin:write"] do |
|
|
|
result = |
|
|
|
build_conn() |
|
|
|
|> post("/oauth/authorize", %{ |
|
|
|
"authorization" => %{ |
|
|
|
"name" => user.nickname, |
|
|
|
"password" => "test", |
|
|
|
"client_id" => app.client_id, |
|
|
|
"redirect_uri" => redirect_uri, |
|
|
|
"state" => "statepassed", |
|
|
|
"scope" => scope_param |
|
|
|
} |
|
|
|
}) |
|
|
|
|> html_response(:unauthorized) |
|
|
|
|
|
|
|
# Keep the details |
|
|
|
assert result =~ app.client_id |
|
|
|
assert result =~ redirect_uri |
|
|
|
# Keep the details |
|
|
|
assert result =~ app.client_id |
|
|
|
assert result =~ redirect_uri |
|
|
|
|
|
|
|
# Error message |
|
|
|
assert result =~ "This action is outside the authorized scopes" |
|
|
|
# Error message |
|
|
|
assert result =~ "This action is outside the authorized scopes" |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do |
|
|
|