

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
  4. defmodule Pleroma.Tests.AuthTestControllerTest do
  5. use Pleroma.Web.ConnCase
  6. import Pleroma.Factory
  7. describe "do_oauth_check" do
  8. test "serves with proper OAuth token (fulfilling requested scopes)" do
  9. %{conn: good_token_conn, user: user} = oauth_access(["read"])
  10. assert %{"user_id" => user.id} ==
  11. good_token_conn
  12. |> get("/test/authenticated_api/do_oauth_check")
  13. |> json_response(200)
  14. # Unintended usage (:api) — use with :authenticated_api instead
  15. assert %{"user_id" => user.id} ==
  16. good_token_conn
  17. |> get("/test/api/do_oauth_check")
  18. |> json_response(200)
  19. end
  20. test "fails on no token / missing scope(s)" do
  21. %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  22. bad_token_conn
  23. |> get("/test/authenticated_api/do_oauth_check")
  24. |> json_response(403)
  25. bad_token_conn
  26. |> assign(:token, nil)
  27. |> get("/test/api/do_oauth_check")
  28. |> json_response(403)
  29. end
  30. end
  31. describe "fallback_oauth_check" do
  32. test "serves with proper OAuth token (fulfilling requested scopes)" do
  33. %{conn: good_token_conn, user: user} = oauth_access(["read"])
  34. assert %{"user_id" => user.id} ==
  35. good_token_conn
  36. |> get("/test/api/fallback_oauth_check")
  37. |> json_response(200)
  38. # Unintended usage (:authenticated_api) — use with :api instead
  39. assert %{"user_id" => user.id} ==
  40. good_token_conn
  41. |> get("/test/authenticated_api/fallback_oauth_check")
  42. |> json_response(200)
  43. end
  44. test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do
  45. clear_config([:instance, :public], true)
  46. %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  47. assert %{"user_id" => nil} ==
  48. bad_token_conn
  49. |> get("/test/api/fallback_oauth_check")
  50. |> json_response(200)
  51. assert %{"user_id" => nil} ==
  52. bad_token_conn
  53. |> assign(:token, nil)
  54. |> get("/test/api/fallback_oauth_check")
  55. |> json_response(200)
  56. end
  57. test "for :api on private instance, fails on no token / missing scope(s)" do
  58. clear_config([:instance, :public], false)
  59. %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  60. bad_token_conn
  61. |> get("/test/api/fallback_oauth_check")
  62. |> json_response(403)
  63. bad_token_conn
  64. |> assign(:token, nil)
  65. |> get("/test/api/fallback_oauth_check")
  66. |> json_response(403)
  67. end
  68. end
  69. describe "skip_oauth_check" do
  70. test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
  71. user = insert(:user)
  72. assert %{"user_id" => user.id} ==
  73. build_conn()
  74. |> assign(:user, user)
  75. |> get("/test/authenticated_api/skip_oauth_check")
  76. |> json_response(200)
  77. %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
  78. assert %{"user_id" => user.id} ==
  79. bad_token_conn
  80. |> get("/test/authenticated_api/skip_oauth_check")
  81. |> json_response(200)
  82. end
  83. test "serves via :api on public instance if :user is not set" do
  84. clear_config([:instance, :public], true)
  85. assert %{"user_id" => nil} ==
  86. build_conn()
  87. |> get("/test/api/skip_oauth_check")
  88. |> json_response(200)
  89. build_conn()
  90. |> get("/test/authenticated_api/skip_oauth_check")
  91. |> json_response(403)
  92. end
  93. test "fails on private instance if :user is not set" do
  94. clear_config([:instance, :public], false)
  95. build_conn()
  96. |> get("/test/api/skip_oauth_check")
  97. |> json_response(403)
  98. build_conn()
  99. |> get("/test/authenticated_api/skip_oauth_check")
  100. |> json_response(403)
  101. end
  102. end
  103. describe "fallback_oauth_skip_publicity_check" do
  104. test "serves with proper OAuth token (fulfilling requested scopes)" do
  105. %{conn: good_token_conn, user: user} = oauth_access(["read"])
  106. assert %{"user_id" => user.id} ==
  107. good_token_conn
  108. |> get("/test/api/fallback_oauth_skip_publicity_check")
  109. |> json_response(200)
  110. # Unintended usage (:authenticated_api)
  111. assert %{"user_id" => user.id} ==
  112. good_token_conn
  113. |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check")
  114. |> json_response(200)
  115. end
  116. test "for :api on private / public instance, drops :user and renders on token issue" do
  117. %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
  118. for is_public <- [true, false] do
  119. clear_config([:instance, :public], is_public)
  120. assert %{"user_id" => nil} ==
  121. bad_token_conn
  122. |> get("/test/api/fallback_oauth_skip_publicity_check")
  123. |> json_response(200)
  124. assert %{"user_id" => nil} ==
  125. bad_token_conn
  126. |> assign(:token, nil)
  127. |> get("/test/api/fallback_oauth_skip_publicity_check")
  128. |> json_response(200)
  129. end
  130. end
  131. end
  132. describe "skip_oauth_skip_publicity_check" do
  133. test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
  134. user = insert(:user)
  135. assert %{"user_id" => user.id} ==
  136. build_conn()
  137. |> assign(:user, user)
  138. |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
  139. |> json_response(200)
  140. %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
  141. assert %{"user_id" => user.id} ==
  142. bad_token_conn
  143. |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
  144. |> json_response(200)
  145. end
  146. test "for :api, serves on private and public instances regardless of whether :user is set" do
  147. user = insert(:user)
  148. for is_public <- [true, false] do
  149. clear_config([:instance, :public], is_public)
  150. assert %{"user_id" => nil} ==
  151. build_conn()
  152. |> get("/test/api/skip_oauth_skip_publicity_check")
  153. |> json_response(200)
  154. assert %{"user_id" => user.id} ==
  155. build_conn()
  156. |> assign(:user, user)
  157. |> get("/test/api/skip_oauth_skip_publicity_check")
  158. |> json_response(200)
  159. end
  160. end
  161. end
  162. describe "missing_oauth_check_definition" do
  163. def test_missing_oauth_check_definition_failure(endpoint, expected_error) do
  164. %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
  165. assert %{"error" => expected_error} ==
  166. conn
  167. |> get(endpoint)
  168. |> json_response(403)
  169. end
  170. test "fails if served via :authenticated_api" do
  171. test_missing_oauth_check_definition_failure(
  172. "/test/authenticated_api/missing_oauth_check_definition",
  173. "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
  174. )
  175. end
  176. test "fails if served via :api and the instance is private" do
  177. clear_config([:instance, :public], false)
  178. test_missing_oauth_check_definition_failure(
  179. "/test/api/missing_oauth_check_definition",
  180. "This resource requires authentication."
  181. )
  182. end
  183. test "succeeds with dropped :user if served via :api on public instance" do
  184. %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
  185. assert %{"user_id" => nil} ==
  186. conn
  187. |> get("/test/api/missing_oauth_check_definition")
  188. |> json_response(200)
  189. end
  190. end
  191. end