1
0

oauth_spec.rb 9.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe 'Using OAuth from an external app' do
  4. include ProfileStories
  5. subject { visit "/oauth/authorize?#{params.to_query}" }
  6. let(:client_app) { Doorkeeper::Application.create!(name: 'test', redirect_uri: about_url(host: Rails.application.config.x.local_domain), scopes: 'read') }
  7. let(:params) do
  8. { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' }
  9. end
  10. context 'when the user is already logged in' do
  11. let!(:user) { Fabricate(:user) }
  12. before do
  13. visit new_user_session_path
  14. fill_in_auth_details(user.email, user.password)
  15. end
  16. it 'when accepting the authorization request' do
  17. subject
  18. # It presents the user with an authorization page
  19. expect(page).to have_content(oauth_authorize_text)
  20. # It grants the app access to the account
  21. expect { click_on oauth_authorize_text }
  22. .to change { user_has_grant_with_client_app? }.to(true)
  23. # Upon authorizing, it redirects to the apps' callback URL
  24. expect(page).to redirect_to_callback_url
  25. end
  26. it 'when rejecting the authorization request' do
  27. subject
  28. # It presents the user with an authorization page
  29. expect(page).to have_content(oauth_deny_text)
  30. # It does not grant the app access to the account
  31. expect { click_on oauth_deny_text }
  32. .to_not change { user_has_grant_with_client_app? }.from(false)
  33. # Upon denying, it redirects to the apps' callback URL
  34. expect(page).to redirect_to_callback_url
  35. end
  36. # The tests in this context ensures that requests without PKCE parameters
  37. # still work; In the future we likely want to force usage of PKCE for
  38. # security reasons, as per:
  39. #
  40. # https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-27.html#section-2.1.1-9
  41. context 'when not using PKCE' do
  42. it 'does not include the PKCE values in the hidden inputs' do
  43. subject
  44. code_challenge_inputs = all('.oauth-prompt input[name=code_challenge]', visible: false)
  45. code_challenge_method_inputs = all('.oauth-prompt input[name=code_challenge_method]', visible: false)
  46. expect(code_challenge_inputs).to_not be_empty
  47. expect(code_challenge_method_inputs).to_not be_empty
  48. (code_challenge_inputs.to_a + code_challenge_method_inputs.to_a).each do |input|
  49. expect(input.value).to be_nil
  50. end
  51. end
  52. end
  53. context 'when using PKCE' do
  54. let(:params) do
  55. { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read', code_challenge_method: pkce_code_challenge_method, code_challenge: pkce_code_challenge }
  56. end
  57. let(:pkce_code_challenge) { SecureRandom.hex(32) }
  58. let(:pkce_code_challenge_method) { 'S256' }
  59. context 'when using S256 code challenge method' do
  60. it 'includes the PKCE values in the hidden inputs' do
  61. subject
  62. code_challenge_inputs = all('.oauth-prompt input[name=code_challenge]', visible: false)
  63. code_challenge_method_inputs = all('.oauth-prompt input[name=code_challenge_method]', visible: false)
  64. expect(code_challenge_inputs).to_not be_empty
  65. expect(code_challenge_method_inputs).to_not be_empty
  66. code_challenge_inputs.each do |input|
  67. expect(input.value).to eq pkce_code_challenge
  68. end
  69. code_challenge_method_inputs.each do |input|
  70. expect(input.value).to eq pkce_code_challenge_method
  71. end
  72. end
  73. end
  74. context 'when using plain code challenge method' do
  75. let(:pkce_code_challenge_method) { 'plain' }
  76. it 'does not include the PKCE values in the response' do
  77. subject
  78. expect(page).to have_no_css('.oauth-prompt input[name=code_challenge]')
  79. expect(page).to have_no_css('.oauth-prompt input[name=code_challenge_method]')
  80. end
  81. it 'does not include the authorize button' do
  82. subject
  83. expect(page).to have_no_css('.oauth-prompt button[type="submit"]')
  84. end
  85. it 'includes an error message' do
  86. subject
  87. within '.form-container .flash-message' do
  88. expect(page).to have_content(I18n.t('doorkeeper.errors.messages.invalid_code_challenge_method'))
  89. end
  90. end
  91. end
  92. end
  93. end
  94. context 'when the user is not already logged in' do
  95. let(:email) { 'test@example.com' }
  96. let(:password) { 'testpassword' }
  97. let(:user) { Fabricate(:user, email: email, password: password) }
  98. before do
  99. user.mark_email_as_confirmed!
  100. user.approve!
  101. end
  102. it 'when accepting the authorization request' do
  103. visit "/oauth/authorize?#{params.to_query}"
  104. # It presents the user with a log-in page
  105. expect(page).to have_content(I18n.t('auth.login'))
  106. # Failing to log-in presents the form again
  107. fill_in_auth_details(email, 'wrong password')
  108. expect(page).to have_content(I18n.t('auth.login'))
  109. # Logging in redirects to an authorization page
  110. fill_in_auth_details(email, password)
  111. expect(page).to have_content(oauth_authorize_text)
  112. # It grants the app access to the account
  113. expect { click_on oauth_authorize_text }
  114. .to change { user_has_grant_with_client_app? }.to(true)
  115. # Upon authorizing, it redirects to the apps' callback URL
  116. expect(page).to redirect_to_callback_url
  117. end
  118. it 'when rejecting the authorization request' do
  119. visit "/oauth/authorize?#{params.to_query}"
  120. # It presents the user with a log-in page
  121. expect(page).to have_content(I18n.t('auth.login'))
  122. # Failing to log-in presents the form again
  123. fill_in_auth_details(email, 'wrong password')
  124. expect(page).to have_content(I18n.t('auth.login'))
  125. # Logging in redirects to an authorization page
  126. fill_in_auth_details(email, password)
  127. expect(page).to have_content(oauth_authorize_text)
  128. # It does not grant the app access to the account
  129. expect { click_on oauth_deny_text }
  130. .to_not change { user_has_grant_with_client_app? }.from(false)
  131. # Upon denying, it redirects to the apps' callback URL
  132. expect(page).to redirect_to_callback_url
  133. end
  134. context 'when the user has set up TOTP' do
  135. let(:user) { Fabricate(:user, email: email, password: password, otp_required_for_login: true, otp_secret: User.generate_otp_secret) }
  136. it 'when accepting the authorization request' do
  137. visit "/oauth/authorize?#{params.to_query}"
  138. # It presents the user with a log-in page
  139. expect(page).to have_content(I18n.t('auth.login'))
  140. # Failing to log-in presents the form again
  141. fill_in_auth_details(email, 'wrong password')
  142. expect(page).to have_content(I18n.t('auth.login'))
  143. # Logging in redirects to a two-factor authentication page
  144. fill_in_auth_details(email, password)
  145. expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp'))
  146. # Filling in an incorrect two-factor authentication code presents the form again
  147. fill_in_otp_details('wrong')
  148. expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp'))
  149. # Filling in the correct TOTP code redirects to an app authorization page
  150. fill_in_otp_details(user.current_otp)
  151. expect(page).to have_content(oauth_authorize_text)
  152. # It grants the app access to the account
  153. expect { click_on oauth_authorize_text }
  154. .to change { user_has_grant_with_client_app? }.to(true)
  155. # Upon authorizing, it redirects to the apps' callback URL
  156. expect(page).to redirect_to_callback_url
  157. end
  158. it 'when rejecting the authorization request' do
  159. visit "/oauth/authorize?#{params.to_query}"
  160. # It presents the user with a log-in page
  161. expect(page).to have_content(I18n.t('auth.login'))
  162. # Failing to log-in presents the form again
  163. fill_in_auth_details(email, 'wrong password')
  164. expect(page).to have_content(I18n.t('auth.login'))
  165. # Logging in redirects to a two-factor authentication page
  166. fill_in_auth_details(email, password)
  167. expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp'))
  168. # Filling in an incorrect two-factor authentication code presents the form again
  169. fill_in_otp_details('wrong')
  170. expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp'))
  171. # Filling in the correct TOTP code redirects to an app authorization page
  172. fill_in_otp_details(user.current_otp)
  173. expect(page).to have_content(oauth_authorize_text)
  174. # It does not grant the app access to the account
  175. expect { click_on oauth_deny_text }
  176. .to_not change { user_has_grant_with_client_app? }.from(false)
  177. # Upon denying, it redirects to the apps' callback URL
  178. expect(page).to redirect_to_callback_url
  179. end
  180. end
  181. # TODO: external auth
  182. end
  183. private
  184. def fill_in_otp_details(value)
  185. fill_in 'user_otp_attempt', with: value
  186. click_on I18n.t('auth.login')
  187. end
  188. def oauth_authorize_text
  189. I18n.t('doorkeeper.authorizations.buttons.authorize')
  190. end
  191. def oauth_deny_text
  192. I18n.t('doorkeeper.authorizations.buttons.deny')
  193. end
  194. def redirect_to_callback_url
  195. have_current_path(/\A#{client_app.redirect_uri}/, url: true)
  196. end
  197. def user_has_grant_with_client_app?
  198. Doorkeeper::AccessGrant
  199. .exists?(
  200. application: client_app,
  201. resource_owner_id: user.id
  202. )
  203. end
  204. end