| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- # frozen_string_literal: true
- require 'rails_helper'
- RSpec.describe 'Credentials' do
- describe 'GET /api/v1/apps/verify_credentials' do
- subject do
- get '/api/v1/apps/verify_credentials', headers: headers
- end
- context 'with an oauth token' do
- let(:application) { Fabricate(:application, scopes: 'read') }
- let(:token) { Fabricate(:accessible_access_token, application: application) }
- let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
- it 'returns the app information correctly', :aggregate_failures do
- subject
- expect(response).to have_http_status(200)
- expect(response.content_type)
- .to start_with('application/json')
- expect(response.parsed_body).to match(
- a_hash_including(
- id: token.application.id.to_s,
- name: token.application.name,
- website: token.application.website,
- scopes: token.application.scopes.map(&:to_s),
- redirect_uris: token.application.redirect_uris,
- # Deprecated properties as of 4.3:
- redirect_uri: token.application.redirect_uri.split.first,
- vapid_key: Rails.configuration.x.vapid_public_key
- )
- )
- end
- it 'does not expose the client_id or client_secret' do
- subject
- expect(response).to have_http_status(200)
- expect(response.content_type)
- .to start_with('application/json')
- expect(response.parsed_body)
- .to not_include(client_id: be_present)
- .and not_include(client_secret: be_present)
- .and not_include(client_secret_expires_at: be_present)
- end
- end
- context 'with a non-read scoped oauth token' do
- let(:application) { Fabricate(:application, scopes: 'admin:write') }
- let(:token) { Fabricate(:accessible_access_token, application: application) }
- let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
- it 'returns http success and returns app information' do
- subject
- expect(response).to have_http_status(200)
- expect(response.content_type)
- .to start_with('application/json')
- expect(response.parsed_body).to match(
- a_hash_including(
- id: token.application.id.to_s,
- name: token.application.name,
- website: token.application.website,
- scopes: token.application.scopes.map(&:to_s),
- redirect_uris: token.application.redirect_uris,
- # Deprecated properties as of 4.3:
- redirect_uri: token.application.redirect_uri.split.first,
- vapid_key: Rails.configuration.x.vapid_public_key
- )
- )
- end
- end
- context 'without an oauth token' do
- let(:headers) { {} }
- it 'returns http unauthorized' do
- subject
- expect(response).to have_http_status(401)
- expect(response.content_type)
- .to start_with('application/json')
- end
- end
- context 'with a revoked oauth token' do
- let(:application) { Fabricate(:application, scopes: 'read') }
- let(:token) { Fabricate(:accessible_access_token, application: application, revoked_at: DateTime.now.utc) }
- let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
- it 'returns http authorization error' do
- subject
- expect(response).to have_http_status(401)
- expect(response.content_type)
- .to start_with('application/json')
- end
- it 'returns the error in the json response' do
- subject
- expect(response.parsed_body).to match(
- a_hash_including(
- error: 'The access token was revoked'
- )
- )
- end
- end
- context 'with an invalid oauth token' do
- let(:application) { Fabricate(:application, scopes: 'read') }
- let(:token) { Fabricate(:accessible_access_token, application: application) }
- let(:headers) { { 'Authorization' => "Bearer #{token.token}-invalid" } }
- it 'returns http authorization error with json error' do
- subject
- expect(response).to have_http_status(401)
- expect(response.content_type)
- .to start_with('application/json')
- expect(response.parsed_body).to match(
- a_hash_including(
- error: 'The access token is invalid'
- )
- )
- end
- end
- end
- end
|
