From 6759130cb3e266d63743fdf02978550f45eb7c4b Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Fri, 25 Aug 2023 09:49:44 +0100 Subject: [PATCH] Test that suspended and deleted users can't use OAuth tokens --- test/integration/oauth2_test.rb | 41 +++++++++++++++++++--------- test/integration/oauth_test.rb | 48 +++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 12 deletions(-) diff --git a/test/integration/oauth2_test.rb b/test/integration/oauth2_test.rb index 5750a30b2..81f12f7cb 100644 --- a/test/integration/oauth2_test.rb +++ b/test/integration/oauth2_test.rb @@ -2,22 +2,24 @@ require "test_helper" class OAuth2Test < ActionDispatch::IntegrationTest def test_oauth2 + user = create(:user) client = create(:oauth_application, :redirect_uri => "https://some.web.app.example.org/callback", :scopes => "read_prefs write_api read_gpx") state = SecureRandom.urlsafe_base64(16) - authorize_client(client, :state => state) + authorize_client(user, client, :state => state) assert_response :redirect code = validate_redirect(client, state) token = request_token(client, code) - test_token(token, client) + test_token(token, user, client) end def test_oauth2_oob + user = create(:user) client = create(:oauth_application, :redirect_uri => "urn:ietf:wg:oauth:2.0:oob", :scopes => "read_prefs write_api read_gpx") - authorize_client(client) + authorize_client(user, client) assert_response :redirect follow_redirect! assert_response :success 
@@ -28,42 +30,44 @@ class OAuth2Test < ActionDispatch::IntegrationTest token = request_token(client, code) - test_token(token, client) + test_token(token, user, client) end def test_oauth2_pkce_plain + user = create(:user) client = create(:oauth_application, :redirect_uri => "https://some.web.app.example.org/callback", :scopes => "read_prefs write_api read_gpx") state = SecureRandom.urlsafe_base64(16) verifier = SecureRandom.urlsafe_base64(48) challenge = verifier - authorize_client(client, :state => state, :code_challenge => challenge, :code_challenge_method => "plain") + authorize_client(user, client, :state => state, :code_challenge => challenge, :code_challenge_method => "plain") assert_response :redirect code = validate_redirect(client, state) token = request_token(client, code, verifier) - test_token(token, client) + test_token(token, user, client) end def test_oauth2_pkce_s256 + user = create(:user) client = create(:oauth_application, :redirect_uri => "https://some.web.app.example.org/callback", :scopes => "read_prefs write_api read_gpx") state = SecureRandom.urlsafe_base64(16) verifier = SecureRandom.urlsafe_base64(48) challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), :padding => false) - authorize_client(client, :state => state, :code_challenge => challenge, :code_challenge_method => "S256") + authorize_client(user, client, :state => state, :code_challenge => challenge, :code_challenge_method => "S256") assert_response :redirect code = validate_redirect(client, state) token = request_token(client, code, verifier) - test_token(token, client) + test_token(token, user, client) end private - def authorize_client(client, options = {}) + def authorize_client(user, client, options = {}) options = options.merge(:client_id => client.uid, :redirect_uri => client.redirect_uri, :response_type => "code", 
@@ -73,8 +77,6 @@ class OAuth2Test < ActionDispatch::IntegrationTest assert_response :redirect assert_redirected_to login_path(:referer => request.fullpath) - user = create(:user) - post login_path(:username => user.email, :password => "test") follow_redirect! assert_response :success @@ -138,7 +140,7 @@ class OAuth2Test < ActionDispatch::IntegrationTest token["access_token"] end - def test_token(token, client) + def test_token(token, user, client) get user_preferences_path assert_response :unauthorized @@ -156,6 +158,21 @@ class OAuth2Test < ActionDispatch::IntegrationTest get api_trace_path(:id => 2), :headers => auth_header assert_response :forbidden + user.suspend! + + get user_preferences_path, :headers => auth_header + assert_response :forbidden + + user.hide! + + get user_preferences_path, :headers => auth_header + assert_response :forbidden + + user.unhide! + + get user_preferences_path, :headers => auth_header + assert_response :success + post oauth_revoke_path(:token => token) assert_response :forbidden diff --git a/test/integration/oauth_test.rb b/test/integration/oauth_test.rb index 4f56067a4..70f161fc9 100644 --- a/test/integration/oauth_test.rb +++ b/test/integration/oauth_test.rb @@ -91,6 +91,18 @@ class OAuthTest < ActionDispatch::IntegrationTest signed_get "/api/0.6/gpx/2", :oauth => { :token => token } assert_response :forbidden + token.user.suspend! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :forbidden + + token.user.hide! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :forbidden + + token.user.unhide! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :success + session_for(token.user) post "/oauth/revoke", :params => { :token => token.token } 
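Review bot: The suspend!/hide!/unhide! sequence added to test_token in hunk `@@ -156,6 +158,21 @@` only requests `user_preferences_path`, so it shows that a read_prefs call is refused for a suspended or hidden account but not that the write_api or read_gpx requests exercised earlier in test_token are refused as well; repeating one request that succeeded under another scope after `user.suspend!` and asserting `:forbidden` would pin that the status check is independent of scope. The commit title speaks of deleted users while the code calls `hide!`; a comment such as `# hide! is the "deleted" state named in the commit title — confirm` would tie the two together for the next reader. The closing `user.unhide!` followed by `assert_response :success` deserves a comment too, e.g. `# the token was never revoked; only the account status blocked it`, since that is what distinguishes this from the revocation checked just below. test_token's body begins before this hunk.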
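Review bot: The twelve lines added in this oauth_test.rb hunk (`@@ -91,6 +91,18 @@`) are repeated almost verbatim in the three hunks at `@@ -174,6 +186,18 @@`, `@@ -237,6 +261,18 @@` and `@@ -292,6 +328,18 @@`, differing only in the path requested; a private helper in OAuthTest, e.g. `assert_inactive_user_rejected(token, path)` that performs the `suspend!`, `hide!` and `unhide!` steps against `path` with their three assertions, would leave each test with a single call such as `assert_inactive_user_rejected(token, "/api/0.6/user/preferences")` and keep the three account states in one place. Each block also probes a single endpoint, so the suspended case is asserted against preferences here but against the gpx path in the next hunk; passing the helper the path a given test already uses for its scope checks would make the coverage consistent across the four tests. The enclosing test methods begin before each of these hunks.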
@@ -174,6 +186,18 @@ class OAuthTest < ActionDispatch::IntegrationTest signed_get "/api/0.6/user/details", :oauth => { :token => token } assert_response :forbidden + token.user.suspend! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :forbidden + + token.user.hide! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :forbidden + + token.user.unhide! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :success + session_for(token.user) post "/oauth/revoke", :params => { :token => token.token } @@ -237,6 +261,18 @@ class OAuthTest < ActionDispatch::IntegrationTest signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } assert_response :forbidden + token.user.suspend! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :forbidden + + token.user.hide! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :forbidden + + token.user.unhide! + signed_get "/api/0.6/user/preferences", :oauth => { :token => token } + assert_response :success + session_for(token.user) post "/oauth/revoke", :params => { :token => token.token } @@ -292,6 +328,18 @@ class OAuthTest < ActionDispatch::IntegrationTest signed_get "/api/0.6/user/details", :oauth => { :token => token } assert_response :forbidden + token.user.suspend! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :forbidden + + token.user.hide! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :forbidden + + token.user.unhide! + signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token } + assert_response :success + session_for(token.user) post "/oauth/revoke", :params => { :token => token.token } -- 2.39.5