logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git

auth_controller_test.exs (8046B)

    

  1. # Pleroma: A lightweight social networking server
  2. # Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
  3. # SPDX-License-Identifier: AGPL-3.0-only
  5. defmodule Pleroma.Web.Auth.AuthControllerTest do
  6.   use Pleroma.Web.ConnCase
  8.   import Pleroma.Factory
  10.   describe "do_oauth_check" do
  11.     test "serves with proper OAuth token (fulfilling requested scopes)" do
  12.       %{conn: good_token_conn, user: user} = oauth_access(["read"])
  14.       assert %{"user_id" => user.id} ==
  15.                good_token_conn
  16.                |> get("/test/authenticated_api/do_oauth_check")
  17.                |> json_response(200)
  19.       # Unintended usage (:api) — use with :authenticated_api instead
  20.       assert %{"user_id" => user.id} ==
  21.                good_token_conn
  22.                |> get("/test/api/do_oauth_check")
  23.                |> json_response(200)
  24.     end
  26.     test "fails on no token / missing scope(s)" do
  27.       %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  29.       bad_token_conn
  30.       |> get("/test/authenticated_api/do_oauth_check")
  31.       |> json_response(403)
  33.       bad_token_conn
  34.       |> assign(:token, nil)
  35.       |> get("/test/api/do_oauth_check")
  36.       |> json_response(403)
  37.     end
  38.   end
  40.   describe "fallback_oauth_check" do
  41.     test "serves with proper OAuth token (fulfilling requested scopes)" do
  42.       %{conn: good_token_conn, user: user} = oauth_access(["read"])
  44.       assert %{"user_id" => user.id} ==
  45.                good_token_conn
  46.                |> get("/test/api/fallback_oauth_check")
  47.                |> json_response(200)
  49.       # Unintended usage (:authenticated_api) — use with :api instead
  50.       assert %{"user_id" => user.id} ==
  51.                good_token_conn
  52.                |> get("/test/authenticated_api/fallback_oauth_check")
  53.                |> json_response(200)
  54.     end
  56.     test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do
  57.       clear_config([:instance, :public], true)
  59.       %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  61.       assert %{"user_id" => nil} ==
  62.                bad_token_conn
  63.                |> get("/test/api/fallback_oauth_check")
  64.                |> json_response(200)
  66.       assert %{"user_id" => nil} ==
  67.                bad_token_conn
  68.                |> assign(:token, nil)
  69.                |> get("/test/api/fallback_oauth_check")
  70.                |> json_response(200)
  71.     end
  73.     test "for :api on private instance, fails on no token / missing scope(s)" do
  74.       clear_config([:instance, :public], false)
  76.       %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  78.       bad_token_conn
  79.       |> get("/test/api/fallback_oauth_check")
  80.       |> json_response(403)
  82.       bad_token_conn
  83.       |> assign(:token, nil)
  84.       |> get("/test/api/fallback_oauth_check")
  85.       |> json_response(403)
  86.     end
  87.   end
  89.   describe "skip_oauth_check" do
  90.     test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
  91.       user = insert(:user)
  93.       assert %{"user_id" => user.id} ==
  94.                build_conn()
  95.                |> assign(:user, user)
  96.                |> get("/test/authenticated_api/skip_oauth_check")
  97.                |> json_response(200)
  99.       %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
  101.       assert %{"user_id" => user.id} ==
  102.                bad_token_conn
  103.                |> get("/test/authenticated_api/skip_oauth_check")
  104.                |> json_response(200)
  105.     end
  107.     test "serves via :api on public instance if :user is not set" do
  108.       clear_config([:instance, :public], true)
  110.       assert %{"user_id" => nil} ==
  111.                build_conn()
  112.                |> get("/test/api/skip_oauth_check")
  113.                |> json_response(200)
  115.       build_conn()
  116.       |> get("/test/authenticated_api/skip_oauth_check")
  117.       |> json_response(403)
  118.     end
  120.     test "fails on private instance if :user is not set" do
  121.       clear_config([:instance, :public], false)
  123.       build_conn()
  124.       |> get("/test/api/skip_oauth_check")
  125.       |> json_response(403)
  127.       build_conn()
  128.       |> get("/test/authenticated_api/skip_oauth_check")
  129.       |> json_response(403)
  130.     end
  131.   end
  133.   describe "fallback_oauth_skip_publicity_check" do
  134.     test "serves with proper OAuth token (fulfilling requested scopes)" do
  135.       %{conn: good_token_conn, user: user} = oauth_access(["read"])
  137.       assert %{"user_id" => user.id} ==
  138.                good_token_conn
  139.                |> get("/test/api/fallback_oauth_skip_publicity_check")
  140.                |> json_response(200)
  142.       # Unintended usage (:authenticated_api)
  143.       assert %{"user_id" => user.id} ==
  144.                good_token_conn
  145.                |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check")
  146.                |> json_response(200)
  147.     end
  149.     test "for :api on private / public instance, drops :user and renders on token issue" do
  150.       %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  152.       for is_public <- [true, false] do
  153.         clear_config([:instance, :public], is_public)
  155.         assert %{"user_id" => nil} ==
  156.                  bad_token_conn
  157.                  |> get("/test/api/fallback_oauth_skip_publicity_check")
  158.                  |> json_response(200)
  160.         assert %{"user_id" => nil} ==
  161.                  bad_token_conn
  162.                  |> assign(:token, nil)
  163.                  |> get("/test/api/fallback_oauth_skip_publicity_check")
  164.                  |> json_response(200)
  165.       end
  166.     end
  167.   end
  169.   describe "skip_oauth_skip_publicity_check" do
  170.     test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
  171.       user = insert(:user)
  173.       assert %{"user_id" => user.id} ==
  174.                build_conn()
  175.                |> assign(:user, user)
  176.                |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
  177.                |> json_response(200)
  179.       %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
  181.       assert %{"user_id" => user.id} ==
  182.                bad_token_conn
  183.                |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
  184.                |> json_response(200)
  185.     end
  187.     test "for :api, serves on private and public instances regardless of whether :user is set" do
  188.       user = insert(:user)
  190.       for is_public <- [true, false] do
  191.         clear_config([:instance, :public], is_public)
  193.         assert %{"user_id" => nil} ==
  194.                  build_conn()
  195.                  |> get("/test/api/skip_oauth_skip_publicity_check")
  196.                  |> json_response(200)
  198.         assert %{"user_id" => user.id} ==
  199.                  build_conn()
  200.                  |> assign(:user, user)
  201.                  |> get("/test/api/skip_oauth_skip_publicity_check")
  202.                  |> json_response(200)
  203.       end
  204.     end
  205.   end
  207.   describe "missing_oauth_check_definition" do
  208.     def test_missing_oauth_check_definition_failure(endpoint, expected_error) do
  209.       %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
  211.       assert %{"error" => expected_error} ==
  212.                conn
  213.                |> get(endpoint)
  214.                |> json_response(403)
  215.     end
  217.     test "fails if served via :authenticated_api" do
  218.       test_missing_oauth_check_definition_failure(
  219.         "/test/authenticated_api/missing_oauth_check_definition",
  220.         "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
  221.       )
  222.     end
  224.     test "fails if served via :api and the instance is private" do
  225.       clear_config([:instance, :public], false)
  227.       test_missing_oauth_check_definition_failure(
  228.         "/test/api/missing_oauth_check_definition",
  229.         "This resource requires authentication."
  230.       )
  231.     end
  233.     test "succeeds with dropped :user if served via :api on public instance" do
  234.       %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
  236.       assert %{"user_id" => nil} ==
  237.                conn
  238.                |> get("/test/api/missing_oauth_check_definition")
  239.                |> json_response(200)
  240.     end
  241.   end
  242. end