hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add worker to clean obsolete application data, token revokation and spec conformance

Browse Source 
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
2023-03-23 18:37:53 +01:00
parent a28ce5e6b6
commit 986ae45f52
9 changed files with 436 additions and 160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
test/web/controllers/application_controller_test.exs
View File

@@ -11,7 +11,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
conn
|> post("/apps", %{"name" => "hello"})
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_request"
assert error["error_description"] ==
"All of name, scope and redirect_uri parameters are required to create an application"
end
@@ -25,7 +28,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
"scope" => "write nothing"
})
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_scope"
assert error["error_description"] ==
"The scope parameter is not a space separated list of valid scopes"
end
@@ -57,18 +63,29 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
end
describe "authorize" do
test "without all required params", %{conn: conn} do
conn = get(conn, "/oauth/authorize?client_id=hello")
test "without a valid URI", %{conn: conn} do
conn = get(conn, "/oauth/authorize?client_id=hello&redirect_uri=toto")
assert response(conn, 400) ==
"You need to specify client_id, redirect_uri, scope and state to autorize an application"
"You need to provide a valid redirect_uri to autorize an application"
end
test "without all valid params", %{conn: conn} do
conn =
get(
conn,
"/oauth/authorize?client_id=hello&redirect_uri=#{URI.encode("https://somewhere.org/callback")}"
)
assert redirected_to(conn) =~
"error=invalid_request&error_description=#{URI.encode_www_form("You need to specify client_id, redirect_uri, scope and state to autorize an application")}"
end
test "with all required params redirects to authorization page", %{conn: conn} do
conn =
get(
conn,
"/oauth/authorize?client_id=hello&redirect_uri=somewhere&state=something&scope=everything"
"/oauth/authorize?client_id=hello&redirect_uri=#{URI.encode("https://somewhere.org/callback&state=something&scope=everything")}"
)
assert redirected_to(conn) =~ "/oauth/autorize_approve"
@@ -79,14 +96,19 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
test "without all required params", %{conn: conn} do
conn = post(conn, "/login/device/code", client_id: "hello")
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_request"
assert error["error_description"] ==
"You need to pass both client_id and scope as parameters to obtain a device code"
end
test "with an invalid client_id", %{conn: conn} do
conn = post(conn, "/login/device/code", client_id: "hello", scope: "write:event:create")
assert response(conn, 400) == "No application with this client_id was found"
assert error = json_response(conn, 400)
assert error["error"] == "invalid_client"
assert error["error_description"] == "No application with this client_id was found"
end
test "with a scope not matching app registered scopes", %{conn: conn} do
@@ -96,7 +118,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
conn =
post(conn, "/login/device/code", client_id: app.client_id, scope: "write:event:delete")
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_scope"
assert error["error_description"] ==
"The given scope is not in the list of the app declared scopes"
end
@@ -107,14 +132,14 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
conn =
post(conn, "/login/device/code", client_id: app.client_id, scope: "write:event:create")
res = conn |> response(200) |> URI.decode_query()
res = json_response(conn, 200)
verification_uri = Routes.page_url(Mobilizon.Web.Endpoint, :auth_device)
assert %{
"device_code" => _device_code,
"expires_in" => "900",
"interval" => "5",
"expires_in" => 900,
"interval" => 5,
"user_code" => user_code,
"verification_uri" => ^verification_uri
} = res
@@ -151,7 +176,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
test "without valid parameters", %{conn: conn} do
conn = post(conn, "/oauth/token")
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_request"
assert error["error_description"] ==
"Incorrect parameters sent. You need to provide at least the grant_type and client_id parameters, depending on the grant type being used."
end
@@ -163,7 +191,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
device_code: "hello"
)
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"The client_id provided or the device_code associated is invalid"
end
@@ -188,7 +219,9 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
device_code: "hello"
)
assert response(conn, 401) == "The user rejected the requested authorization"
assert error = json_response(conn, 400)
assert error["error"] == "access_denied"
assert error["error_description"] == "The user rejected the requested authorization"
end
test "with incorrect device code", %{conn: conn} do
@@ -212,7 +245,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
device_code: "hello"
)
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"The client_id provided or the device_code associated is invalid"
end
@@ -240,46 +276,13 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
device_code: "hello"
)
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"The given device_code has expired"
end
test "with valid params", %{conn: conn} do
user = insert(:user)
{:ok, app} =
Applications.create("My app", ["hello"], "write:event:create write:event:update")
assert {:ok, _res} =
Mobilizon.Applications.create_application_device_activation(%{
device_code: "hello",
user_code: "world",
expires_in: 600,
application_id: app.id,
scope: "write:event:create write:event:update",
status: "success",
user_id: user.id
})
conn =
post(conn, "/oauth/token",
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
client_id: app.client_id,
device_code: "hello"
)
res = conn |> response(200) |> URI.decode_query()
assert %{
"access_token" => _access_token,
"expires_in" => "28800",
"refresh_token" => _refresh_token,
"refresh_token_expires_in" => "15724800",
"scope" => "write:event:create write:event:update",
"token_type" => "bearer"
} = res
end
test "with valid params as JSON", %{conn: conn} do
user = insert(:user)
@@ -331,7 +334,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
scope: "hello"
)
assert json_response(conn, 200)["details"] ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_request"
assert json_response(conn, 400)["error_description"] ==
"No application was found with this client_id"
end
@@ -346,10 +352,13 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
client_secret: app.client_secret,
code: "hello",
redirect_uri: "nope",
scope: "hello"
scope: "write:event:create"
)
assert json_response(conn, 200)["details"] ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_request"
assert error["error_description"] ==
"This redirect URI is not allowed"
end
@@ -364,10 +373,13 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
client_secret: app.client_secret,
code: "hello",
redirect_uri: "hello",
scope: "hello"
scope: "write:event:create"
)
assert json_response(conn, 200)["details"] ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"The provided code is invalid or expired"
end
@@ -394,7 +406,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
scope: "write:event:create write:event:update"
)
assert json_response(conn, 200)["details"] ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_client"
assert error["error_description"] ==
"The provided client_secret is invalid"
end
@@ -424,7 +439,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
scope: "write:event:create write:event:update"
)
assert json_response(conn, 200)["details"] ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"The provided client_id does not match the provided code"
end
@@ -474,7 +492,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
refresh_token: "none"
)
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_grant"
assert error["error_description"] ==
"Invalid refresh token provided"
end
@@ -511,7 +532,10 @@ defmodule Mobilizon.Web.ApplicationControllerTest do
refresh_token: res["refresh_token"]
)
assert response(conn, 400) ==
assert error = json_response(conn, 400)
assert error["error"] == "invalid_client"
assert error["error_description"] ==
"Invalid client credentials provided"
end