1 require File.dirname(__FILE__) + '/../test_helper'
3 class OAuthTest < ActionDispatch::IntegrationTest
4 fixtures :users, :client_applications, :gpx_files
8 def test_oauth10_web_app
9 client = client_applications(:oauth_web_app)
11 post_via_redirect "/login",
12 :username => client.user.email, :password => "test"
13 assert_response :success
15 signed_get "/oauth/request_token", :consumer => client
16 assert_response :success
17 token = parse_token(response)
18 assert_instance_of RequestToken, token
19 assert_not_nil token.created_at
20 assert_nil token.authorized_at
21 assert_nil token.invalidated_at
22 assert_allowed token, client.permissions
24 post "/oauth/authorize",
25 :oauth_token => token.token,
26 :allow_read_prefs => true, :allow_write_prefs => true
27 assert_response :redirect
28 assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}"
30 assert_not_nil token.created_at
31 assert_not_nil token.authorized_at
32 assert_nil token.invalidated_at
33 assert_allowed token, [ :allow_read_prefs ]
35 signed_get "/oauth/access_token", :consumer => client, :token => token
36 assert_response :success
38 assert_not_nil token.created_at
39 assert_not_nil token.authorized_at
40 assert_not_nil token.invalidated_at
41 token = parse_token(response)
42 assert_instance_of AccessToken, token
43 assert_not_nil token.created_at
44 assert_not_nil token.authorized_at
45 assert_nil token.invalidated_at
46 assert_allowed token, [ :allow_read_prefs ]
48 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
49 assert_response :success
51 post "/oauth/revoke", :token => token.token
52 assert_redirected_to oauth_clients_url(token.user.display_name)
53 token = OauthToken.find_by_token(token.token)
54 assert_not_nil token.invalidated_at
56 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
57 assert_response :unauthorized
59 signed_get "/oauth/request_token", :consumer => client
60 assert_response :success
61 token = parse_token(response)
62 assert_instance_of RequestToken, token
63 assert_not_nil token.created_at
64 assert_nil token.authorized_at
65 assert_nil token.invalidated_at
66 assert_allowed token, client.permissions
68 post "/oauth/authorize",
69 :oauth_token => token.token,
70 :oauth_callback => "http://another.web.app.org/callback",
71 :allow_write_api => true, :allow_read_gpx => true
72 assert_response :redirect
73 assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}"
75 assert_not_nil token.created_at
76 assert_not_nil token.authorized_at
77 assert_nil token.invalidated_at
78 assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
80 signed_get "/oauth/access_token", :consumer => client, :token => token
81 assert_response :success
83 assert_not_nil token.created_at
84 assert_not_nil token.authorized_at
85 assert_not_nil token.invalidated_at
86 token = parse_token(response)
87 assert_instance_of AccessToken, token
88 assert_not_nil token.created_at
89 assert_not_nil token.authorized_at
90 assert_nil token.invalidated_at
91 assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
93 signed_get "/api/0.6/gpx/2", :consumer => client, :token => token
94 assert_response :success
96 post "/oauth/revoke", :token => token.token
97 assert_redirected_to oauth_clients_url(token.user.display_name)
98 token = OauthToken.find_by_token(token.token)
99 assert_not_nil token.invalidated_at
101 signed_get "/api/0.6/gpx/2", :consumer => client, :token => token
102 assert_response :unauthorized
105 def test_oauth10_desktop_app
106 client = client_applications(:oauth_desktop_app)
108 post_via_redirect "/login",
109 :username => client.user.email, :password => "test"
110 assert_response :success
112 signed_get "/oauth/request_token", :consumer => client
113 assert_response :success
114 token = parse_token(response)
115 assert_instance_of RequestToken, token
116 assert_not_nil token.created_at
117 assert_nil token.authorized_at
118 assert_nil token.invalidated_at
119 assert_allowed token, client.permissions
121 post "/oauth/authorize",
122 :oauth_token => token.token,
123 :allow_read_prefs => true, :allow_write_prefs => true
124 assert_response :success
125 assert_template "authorize_success"
127 assert_not_nil token.created_at
128 assert_not_nil token.authorized_at
129 assert_nil token.invalidated_at
130 assert_allowed token, [ :allow_read_prefs ]
132 signed_get "/oauth/access_token", :consumer => client, :token => token
133 assert_response :success
135 assert_not_nil token.created_at
136 assert_not_nil token.authorized_at
137 assert_not_nil token.invalidated_at
138 token = parse_token(response)
139 assert_instance_of AccessToken, token
140 assert_not_nil token.created_at
141 assert_not_nil token.authorized_at
142 assert_nil token.invalidated_at
143 assert_allowed token, [ :allow_read_prefs ]
145 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
146 assert_response :success
148 post "/oauth/revoke", :token => token.token
149 assert_redirected_to oauth_clients_url(token.user.display_name)
150 token = OauthToken.find_by_token(token.token)
151 assert_not_nil token.invalidated_at
153 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
154 assert_response :unauthorized
157 def test_oauth10a_web_app
158 client = client_applications(:oauth_web_app)
160 post_via_redirect "/login",
161 :username => client.user.email, :password => "test"
162 assert_response :success
164 signed_get "/oauth/request_token",
165 :consumer => client, :oauth_callback => "oob"
166 assert_response :success
167 token = parse_token(response)
168 assert_instance_of RequestToken, token
169 assert_not_nil token.created_at
170 assert_nil token.authorized_at
171 assert_nil token.invalidated_at
172 assert_allowed token, client.permissions
174 post "/oauth/authorize",
175 :oauth_token => token.token,
176 :allow_read_prefs => true, :allow_write_prefs => true
177 assert_response :redirect
178 verifier = parse_verifier(response)
179 assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
181 assert_not_nil token.created_at
182 assert_not_nil token.authorized_at
183 assert_nil token.invalidated_at
184 assert_allowed token, [ :allow_read_prefs ]
186 signed_get "/oauth/access_token", :consumer => client, :token => token
187 assert_response :unauthorized
189 signed_get "/oauth/access_token",
190 :consumer => client, :token => token, :oauth_verifier => verifier
191 assert_response :success
193 assert_not_nil token.created_at
194 assert_not_nil token.authorized_at
195 assert_not_nil token.invalidated_at
196 token = parse_token(response)
197 assert_instance_of AccessToken, token
198 assert_not_nil token.created_at
199 assert_not_nil token.authorized_at
200 assert_nil token.invalidated_at
201 assert_allowed token, [ :allow_read_prefs ]
203 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
204 assert_response :success
206 post "/oauth/revoke", :token => token.token
207 assert_redirected_to oauth_clients_url(token.user.display_name)
208 token = OauthToken.find_by_token(token.token)
209 assert_not_nil token.invalidated_at
211 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
212 assert_response :unauthorized
214 signed_get "/oauth/request_token",
216 :oauth_callback => "http://another.web.app.org/callback"
217 assert_response :success
218 token = parse_token(response)
219 assert_instance_of RequestToken, token
220 assert_not_nil token.created_at
221 assert_nil token.authorized_at
222 assert_nil token.invalidated_at
223 assert_allowed token, client.permissions
225 post "/oauth/authorize",
226 :oauth_token => token.token,
227 :allow_write_api => true, :allow_read_gpx => true
228 assert_response :redirect
229 verifier = parse_verifier(response)
230 assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
232 assert_not_nil token.created_at
233 assert_not_nil token.authorized_at
234 assert_nil token.invalidated_at
235 assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
237 signed_get "/oauth/access_token", :consumer => client, :token => token
238 assert_response :unauthorized
240 signed_get "/oauth/access_token",
241 :consumer => client, :token => token, :oauth_verifier => verifier
242 assert_response :success
244 assert_not_nil token.created_at
245 assert_not_nil token.authorized_at
246 assert_not_nil token.invalidated_at
247 token = parse_token(response)
248 assert_instance_of AccessToken, token
249 assert_not_nil token.created_at
250 assert_not_nil token.authorized_at
251 assert_nil token.invalidated_at
252 assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
254 signed_get "/api/0.6/gpx/2", :consumer => client, :token => token
255 assert_response :success
257 post "/oauth/revoke", :token => token.token
258 assert_redirected_to oauth_clients_url(token.user.display_name)
259 token = OauthToken.find_by_token(token.token)
260 assert_not_nil token.invalidated_at
262 signed_get "/api/0.6/gpx/2", :consumer => client, :token => token
263 assert_response :unauthorized
266 def test_oauth10a_desktop_app
267 client = client_applications(:oauth_desktop_app)
269 post_via_redirect "/login",
270 :username => client.user.email, :password => "test"
271 assert_response :success
273 signed_get "/oauth/request_token",
274 :consumer => client, :oauth_callback => "oob"
275 assert_response :success
276 token = parse_token(response)
277 assert_instance_of RequestToken, token
278 assert_not_nil token.created_at
279 assert_nil token.authorized_at
280 assert_nil token.invalidated_at
281 assert_allowed token, client.permissions
283 post "/oauth/authorize",
284 :oauth_token => token.token,
285 :allow_read_prefs => true, :allow_write_prefs => true
286 assert_response :success
287 assert_template "authorize_success"
288 m = response.body.match("<p>The verification code is ([A-Za-z0-9]+)</p>")
292 assert_not_nil token.created_at
293 assert_not_nil token.authorized_at
294 assert_nil token.invalidated_at
295 assert_allowed token, [ :allow_read_prefs ]
297 signed_get "/oauth/access_token", :consumer => client, :token => token
298 assert_response :unauthorized
300 signed_get "/oauth/access_token",
301 :consumer => client, :token => token, :oauth_verifier => verifier
302 assert_response :success
304 assert_not_nil token.created_at
305 assert_not_nil token.authorized_at
306 assert_not_nil token.invalidated_at
307 token = parse_token(response)
308 assert_instance_of AccessToken, token
309 assert_not_nil token.created_at
310 assert_not_nil token.authorized_at
311 assert_nil token.invalidated_at
312 assert_allowed token, [ :allow_read_prefs ]
314 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
315 assert_response :success
317 post "/oauth/revoke", :token => token.token
318 assert_redirected_to oauth_clients_url(token.user.display_name)
319 token = OauthToken.find_by_token(token.token)
320 assert_not_nil token.invalidated_at
322 signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
323 assert_response :unauthorized
328 def signed_get(uri, options)
330 uri.scheme ||= "http"
331 uri.host ||= "www.example.com"
333 helper = OAuth::Client::Helper.new(nil, options)
335 request = OAuth::RequestProxy.proxy(
338 "parameters" => helper.oauth_parameters
341 request.sign!(options)
343 get request.signed_uri
346 def parse_token(response)
347 params = CGI.parse(response.body)
349 token = OauthToken.find_by_token(params["oauth_token"].first)
350 assert_equal token.secret, params["oauth_token_secret"].first
355 def parse_verifier(response)
356 params = CGI.parse(URI.parse(response.location).query)
358 assert_not_nil params["oauth_verifier"]
359 assert params["oauth_verifier"].first.present?
361 params["oauth_verifier"].first
364 def assert_allowed(token, allowed)
365 ClientApplication.all_permissions.each do |p|
366 assert_equal allowed.include?(p), token.attributes[p.to_s]