3 class OAuthTest < ActionDispatch::IntegrationTest
6 def test_oauth10_web_app
7 client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
11 post "/login", :params => { :username => client.user.email, :password => "test" }
13 assert_response :success
15 oauth10_without_callback(client)
16 oauth10_with_callback(client, "http://another.web.app.example.org/callback")
17 oauth10_refused(client)
20 def test_oauth10_desktop_app
21 client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
25 post "/login", :params => { :username => client.user.email, :password => "test" }
27 assert_response :success
29 oauth10_without_callback(client)
30 oauth10_refused(client)
33 def test_oauth10a_web_app
34 client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
38 post "/login", :params => { :username => client.user.email, :password => "test" }
40 assert_response :success
42 oauth10a_without_callback(client)
43 oauth10a_with_callback(client, "http://another.web.app.example.org/callback")
44 oauth10a_refused(client)
47 def test_oauth10a_desktop_app
48 client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
52 post "/login", :params => { :username => client.user.email, :password => "test" }
54 assert_response :success
56 oauth10a_without_callback(client)
57 oauth10a_refused(client)
62 def oauth10_without_callback(client)
63 token = get_request_token(client)
65 get "/oauth/authorize", :params => { :oauth_token => token.token }
66 assert_response :success
67 assert_template :authorize
69 post "/oauth/authorize",
70 :params => { :oauth_token => token.token,
71 :allow_read_prefs => "1", :allow_write_prefs => "1" }
72 if client.callback_url
73 assert_response :redirect
74 assert_redirected_to "#{client.callback_url}?oauth_token=#{token.token}"
76 assert_response :success
77 assert_template :authorize_success
80 assert_not_nil token.created_at
81 assert_not_nil token.authorized_at
82 assert_nil token.invalidated_at
83 assert_allowed token, [:allow_read_prefs]
85 signed_get "/oauth/access_token", :oauth => { :token => token }
86 assert_response :success
88 assert_not_nil token.created_at
89 assert_not_nil token.authorized_at
90 assert_not_nil token.invalidated_at
91 token = parse_token(response)
92 assert_instance_of AccessToken, token
93 assert_not_nil token.created_at
94 assert_not_nil token.authorized_at
95 assert_nil token.invalidated_at
96 assert_allowed token, [:allow_read_prefs]
98 signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
99 assert_response :success
101 signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
102 assert_response :forbidden
104 post "/oauth/revoke", :params => { :token => token.token }
105 assert_redirected_to oauth_clients_url(token.user.display_name)
106 token = OauthToken.find_by(:token => token.token)
107 assert_not_nil token.invalidated_at
109 signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
110 assert_response :unauthorized
113 def oauth10_refused(client)
114 token = get_request_token(client)
116 get "/oauth/authorize", :params => { :oauth_token => token.token }
117 assert_response :success
118 assert_template :authorize
120 post "/oauth/authorize", :params => { :oauth_token => token.token }
121 assert_response :success
122 assert_template :authorize_failure
123 assert_select "p", "You have denied application #{client.name} access to your account."
125 assert_nil token.authorized_at
126 assert_not_nil token.invalidated_at
128 get "/oauth/authorize", :params => { :oauth_token => token.token }
129 assert_response :success
130 assert_template :authorize_failure
131 assert_select "p", "The authorization token is not valid."
133 assert_nil token.authorized_at
134 assert_not_nil token.invalidated_at
136 post "/oauth/authorize", :params => { :oauth_token => token.token }
137 assert_response :success
138 assert_template :authorize_failure
139 assert_select "p", "The authorization token is not valid."
141 assert_nil token.authorized_at
142 assert_not_nil token.invalidated_at
145 def oauth10_with_callback(client, callback_url)
146 token = get_request_token(client)
148 get "/oauth/authorize", :params => { :oauth_token => token.token }
149 assert_response :success
150 assert_template :authorize
152 post "/oauth/authorize",
153 :params => { :oauth_token => token.token, :oauth_callback => callback_url,
154 :allow_write_api => "1", :allow_read_gpx => "1" }
155 assert_response :redirect
156 assert_redirected_to "#{callback_url}?oauth_token=#{token.token}"
158 assert_not_nil token.created_at
159 assert_not_nil token.authorized_at
160 assert_nil token.invalidated_at
161 assert_allowed token, [:allow_write_api, :allow_read_gpx]
163 signed_get "/oauth/access_token", :oauth => { :token => token }
164 assert_response :success
166 assert_not_nil token.created_at
167 assert_not_nil token.authorized_at
168 assert_not_nil token.invalidated_at
169 token = parse_token(response)
170 assert_instance_of AccessToken, token
171 assert_not_nil token.created_at
172 assert_not_nil token.authorized_at
173 assert_nil token.invalidated_at
174 assert_allowed token, [:allow_write_api, :allow_read_gpx]
176 trace = create(:trace, :user => client.user)
177 signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
178 assert_response :success
180 signed_get "/api/0.6/user/details", :oauth => { :token => token }
181 assert_response :forbidden
183 post "/oauth/revoke", :params => { :token => token.token }
184 assert_redirected_to oauth_clients_url(token.user.display_name)
185 token = OauthToken.find_by(:token => token.token)
186 assert_not_nil token.invalidated_at
188 signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
189 assert_response :unauthorized
192 def oauth10a_without_callback(client)
193 token = get_request_token(client, :oauth_callback => "oob")
195 get "/oauth/authorize", :params => { :oauth_token => token.token }
196 assert_response :success
197 assert_template :authorize
199 post "/oauth/authorize",
200 :params => { :oauth_token => token.token,
201 :allow_read_prefs => "1", :allow_write_prefs => "1" }
202 if client.callback_url
203 assert_response :redirect
204 verifier = parse_verifier(response)
205 assert_redirected_to "http://some.web.app.example.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
207 assert_response :success
208 assert_template :authorize_success
209 m = response.body.match("<p>The verification code is ([A-Za-z0-9]+).</p>")
214 assert_not_nil token.created_at
215 assert_not_nil token.authorized_at
216 assert_nil token.invalidated_at
217 assert_allowed token, [:allow_read_prefs]
219 signed_get "/oauth/access_token", :oauth => { :token => token }
220 assert_response :unauthorized
222 signed_get "/oauth/access_token", :oauth => { :token => token, :oauth_verifier => verifier }
223 assert_response :success
225 assert_not_nil token.created_at
226 assert_not_nil token.authorized_at
227 assert_not_nil token.invalidated_at
228 token = parse_token(response)
229 assert_instance_of AccessToken, token
230 assert_not_nil token.created_at
231 assert_not_nil token.authorized_at
232 assert_nil token.invalidated_at
233 assert_allowed token, [:allow_read_prefs]
235 signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
236 assert_response :success
238 trace = create(:trace, :user => client.user)
239 signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
240 assert_response :forbidden
242 post "/oauth/revoke", :params => { :token => token.token }
243 assert_redirected_to oauth_clients_url(token.user.display_name)
244 token = OauthToken.find_by(:token => token.token)
245 assert_not_nil token.invalidated_at
247 signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
248 assert_response :unauthorized
251 def oauth10a_with_callback(client, callback_url)
252 token = get_request_token(client, :oauth_callback => callback_url)
254 get "/oauth/authorize", :params => { :oauth_token => token.token }
255 assert_response :success
256 assert_template :authorize
258 post "/oauth/authorize",
259 :params => { :oauth_token => token.token,
260 :allow_write_api => "1", :allow_read_gpx => "1" }
261 assert_response :redirect
262 verifier = parse_verifier(response)
263 assert_redirected_to "#{callback_url}?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
265 assert_not_nil token.created_at
266 assert_not_nil token.authorized_at
267 assert_nil token.invalidated_at
268 assert_allowed token, [:allow_write_api, :allow_read_gpx]
270 signed_get "/oauth/access_token", :oauth => { :token => token }
271 assert_response :unauthorized
273 signed_get "/oauth/access_token", :oauth => { :token => token, :oauth_verifier => verifier }
274 assert_response :success
276 assert_not_nil token.created_at
277 assert_not_nil token.authorized_at
278 assert_not_nil token.invalidated_at
279 token = parse_token(response)
280 assert_instance_of AccessToken, token
281 assert_not_nil token.created_at
282 assert_not_nil token.authorized_at
283 assert_nil token.invalidated_at
284 assert_allowed token, [:allow_write_api, :allow_read_gpx]
286 trace = create(:trace, :user => client.user)
287 signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
288 assert_response :success
290 signed_get "/api/0.6/user/details", :oauth => { :token => token }
291 assert_response :forbidden
293 post "/oauth/revoke", :params => { :token => token.token }
294 assert_redirected_to oauth_clients_url(token.user.display_name)
295 token = OauthToken.find_by(:token => token.token)
296 assert_not_nil token.invalidated_at
298 signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
299 assert_response :unauthorized
302 def oauth10a_refused(client)
303 token = get_request_token(client, :oauth_callback => "oob")
305 get "/oauth/authorize", :params => { :oauth_token => token.token }
306 assert_response :success
307 assert_template :authorize
309 post "/oauth/authorize", :params => { :oauth_token => token.token }
310 assert_response :success
311 assert_template :authorize_failure
312 assert_select "p", "You have denied application #{client.name} access to your account."
314 assert_nil token.authorized_at
315 assert_not_nil token.invalidated_at
317 get "/oauth/authorize", :params => { :oauth_token => token.token }
318 assert_response :success
319 assert_template :authorize_failure
320 assert_select "p", "The authorization token is not valid."
322 assert_nil token.authorized_at
323 assert_not_nil token.invalidated_at
325 post "/oauth/authorize", :params => { :oauth_token => token.token }
326 assert_response :success
327 assert_template :authorize_failure
328 assert_select "p", "The authorization token is not valid."
330 assert_nil token.authorized_at
331 assert_not_nil token.invalidated_at
334 def get_request_token(client, options = {})
335 signed_get "/oauth/request_token", :oauth => options.merge(:consumer => client)
336 assert_response :success
337 token = parse_token(response)
338 assert_instance_of RequestToken, token
339 assert_not_nil token.created_at
340 assert_nil token.authorized_at
341 assert_nil token.invalidated_at
342 assert_equal_allowing_nil options[:oauth_callback], token.callback_url
343 assert_allowed token, client.permissions
348 def parse_token(response)
349 params = CGI.parse(response.body)
351 token = OauthToken.find_by(:token => params["oauth_token"].first)
352 assert_equal token.secret, params["oauth_token_secret"].first
357 def parse_verifier(response)
358 params = CGI.parse(URI.parse(response.location).query)
360 assert_not_nil params["oauth_verifier"]
361 assert params["oauth_verifier"].first.present?
363 params["oauth_verifier"].first
366 def assert_allowed(token, allowed)
367 ClientApplication.all_permissions.each do |p|
368 assert_equal allowed.include?(p), token.attributes[p.to_s]