Page Menu
Home
Phorge
Search
Configure Global Search
Log In
Files
F41645358
auth_test_controller_test.exs
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Award Token
Flag For Later
Size
7 KB
Referenced Files
None
Subscribers
None
auth_test_controller_test.exs
View Options
# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule
Pleroma.Tests.AuthTestControllerTest
do
use
Pleroma.Web.ConnCase
import
Pleroma.Factory
describe
"do_oauth_check"
do
test
"serves with proper OAuth token (fulfilling requested scopes)"
do
%{
conn
:
good_token_conn
,
user
:
user
}
=
oauth_access
([
"read"
])
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/authenticated_api/do_oauth_check"
)
|>
json_response
(
200
)
# Unintended usage (:api) — use with :authenticated_api instead
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/api/do_oauth_check"
)
|>
json_response
(
200
)
end
test
"fails on no token / missing scope(s)"
do
%{
conn
:
bad_token_conn
}
=
oauth_access
([
"irrelevant_scope"
])
bad_token_conn
|>
get
(
"/test/authenticated_api/do_oauth_check"
)
|>
json_response
(
403
)
bad_token_conn
|>
assign
(
:token
,
nil
)
|>
get
(
"/test/api/do_oauth_check"
)
|>
json_response
(
403
)
end
end
describe
"fallback_oauth_check"
do
test
"serves with proper OAuth token (fulfilling requested scopes)"
do
%{
conn
:
good_token_conn
,
user
:
user
}
=
oauth_access
([
"read"
])
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/api/fallback_oauth_check"
)
|>
json_response
(
200
)
# Unintended usage (:authenticated_api) — use with :api instead
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/authenticated_api/fallback_oauth_check"
)
|>
json_response
(
200
)
end
test
"for :api on public instance, drops :user and renders on no token / missing scope(s)"
do
clear_config
([
:instance
,
:public
],
true
)
%{
conn
:
bad_token_conn
}
=
oauth_access
([
"irrelevant_scope"
])
assert
%{
"user_id"
=>
nil
}
==
bad_token_conn
|>
get
(
"/test/api/fallback_oauth_check"
)
|>
json_response
(
200
)
assert
%{
"user_id"
=>
nil
}
==
bad_token_conn
|>
assign
(
:token
,
nil
)
|>
get
(
"/test/api/fallback_oauth_check"
)
|>
json_response
(
200
)
end
test
"for :api on private instance, fails on no token / missing scope(s)"
do
clear_config
([
:instance
,
:public
],
false
)
%{
conn
:
bad_token_conn
}
=
oauth_access
([
"irrelevant_scope"
])
bad_token_conn
|>
get
(
"/test/api/fallback_oauth_check"
)
|>
json_response
(
403
)
bad_token_conn
|>
assign
(
:token
,
nil
)
|>
get
(
"/test/api/fallback_oauth_check"
)
|>
json_response
(
403
)
end
end
describe
"skip_oauth_check"
do
test
"for :authenticated_api, serves if :user is set (regardless of token / token scopes)"
do
user
=
insert
(
:user
)
assert
%{
"user_id"
=>
user
.
id
}
==
build_conn
()
|>
assign
(
:user
,
user
)
|>
get
(
"/test/authenticated_api/skip_oauth_check"
)
|>
json_response
(
200
)
%{
conn
:
bad_token_conn
,
user
:
user
}
=
oauth_access
([
"irrelevant_scope"
])
assert
%{
"user_id"
=>
user
.
id
}
==
bad_token_conn
|>
get
(
"/test/authenticated_api/skip_oauth_check"
)
|>
json_response
(
200
)
end
test
"serves via :api on public instance if :user is not set"
do
clear_config
([
:instance
,
:public
],
true
)
assert
%{
"user_id"
=>
nil
}
==
build_conn
()
|>
get
(
"/test/api/skip_oauth_check"
)
|>
json_response
(
200
)
build_conn
()
|>
get
(
"/test/authenticated_api/skip_oauth_check"
)
|>
json_response
(
403
)
end
test
"fails on private instance if :user is not set"
do
clear_config
([
:instance
,
:public
],
false
)
build_conn
()
|>
get
(
"/test/api/skip_oauth_check"
)
|>
json_response
(
403
)
build_conn
()
|>
get
(
"/test/authenticated_api/skip_oauth_check"
)
|>
json_response
(
403
)
end
end
describe
"fallback_oauth_skip_publicity_check"
do
test
"serves with proper OAuth token (fulfilling requested scopes)"
do
%{
conn
:
good_token_conn
,
user
:
user
}
=
oauth_access
([
"read"
])
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/api/fallback_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
# Unintended usage (:authenticated_api)
assert
%{
"user_id"
=>
user
.
id
}
==
good_token_conn
|>
get
(
"/test/authenticated_api/fallback_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
end
test
"for :api on private / public instance, drops :user and renders on token issue"
do
%{
conn
:
bad_token_conn
}
=
oauth_access
([
"irrelevant_scope"
])
for
is_public
<-
[
true
,
false
]
do
clear_config
([
:instance
,
:public
],
is_public
)
assert
%{
"user_id"
=>
nil
}
==
bad_token_conn
|>
get
(
"/test/api/fallback_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
assert
%{
"user_id"
=>
nil
}
==
bad_token_conn
|>
assign
(
:token
,
nil
)
|>
get
(
"/test/api/fallback_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
end
end
end
describe
"skip_oauth_skip_publicity_check"
do
test
"for :authenticated_api, serves if :user is set (regardless of token / token scopes)"
do
user
=
insert
(
:user
)
assert
%{
"user_id"
=>
user
.
id
}
==
build_conn
()
|>
assign
(
:user
,
user
)
|>
get
(
"/test/authenticated_api/skip_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
%{
conn
:
bad_token_conn
,
user
:
user
}
=
oauth_access
([
"irrelevant_scope"
])
assert
%{
"user_id"
=>
user
.
id
}
==
bad_token_conn
|>
get
(
"/test/authenticated_api/skip_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
end
test
"for :api, serves on private and public instances regardless of whether :user is set"
do
user
=
insert
(
:user
)
for
is_public
<-
[
true
,
false
]
do
clear_config
([
:instance
,
:public
],
is_public
)
assert
%{
"user_id"
=>
nil
}
==
build_conn
()
|>
get
(
"/test/api/skip_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
assert
%{
"user_id"
=>
user
.
id
}
==
build_conn
()
|>
assign
(
:user
,
user
)
|>
get
(
"/test/api/skip_oauth_skip_publicity_check"
)
|>
json_response
(
200
)
end
end
end
describe
"missing_oauth_check_definition"
do
def
test_missing_oauth_check_definition_failure
(
endpoint
,
expected_error
)
do
%{
conn
:
conn
}
=
oauth_access
([
"read"
,
"write"
,
"follow"
,
"push"
,
"admin"
])
assert
%{
"error"
=>
expected_error
}
==
conn
|>
get
(
endpoint
)
|>
json_response
(
403
)
end
test
"fails if served via :authenticated_api"
do
test_missing_oauth_check_definition_failure
(
"/test/authenticated_api/missing_oauth_check_definition"
,
"Security violation: OAuth scopes check was neither handled nor explicitly skipped."
)
end
test
"fails if served via :api and the instance is private"
do
clear_config
([
:instance
,
:public
],
false
)
test_missing_oauth_check_definition_failure
(
"/test/api/missing_oauth_check_definition"
,
"This resource requires authentication."
)
end
test
"succeeds with dropped :user if served via :api on public instance"
do
%{
conn
:
conn
}
=
oauth_access
([
"read"
,
"write"
,
"follow"
,
"push"
,
"admin"
])
assert
%{
"user_id"
=>
nil
}
==
conn
|>
get
(
"/test/api/missing_oauth_check_definition"
)
|>
json_response
(
200
)
end
end
end
File Metadata
Details
Attached
Mime Type
text/x-ruby
Expires
Sun, Feb 15, 4:32 AM (2 h, 55 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
983094
Default Alt Text
auth_test_controller_test.exs (7 KB)
Attached To
Mode
rPUBE pleroma-upstream
Attached
Detach File
Event Timeline
Log In to Comment