diff options
author | Ivan Tashkinov <ivantashkinov@gmail.com> | 2020-04-17 21:21:10 +0300 |
---|---|---|
committer | rinpatch <rinpatch@sdf.org> | 2020-05-01 01:00:37 +0300 |
commit | 862d4886c9c600ff0ff85edc744e3c05a3fcd68d (patch) | |
tree | 6633381b6d96fdd3b3773c1980eea5b2dfa76a5f /test/web/auth/basic_auth_test.exs | |
parent | da4923f2e59aac7f97812a756593602083f17626 (diff) | |
download | pleroma-862d4886c9c600ff0ff85edc744e3c05a3fcd68d.tar.gz pleroma-862d4886c9c600ff0ff85edc744e3c05a3fcd68d.zip |
[#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes checks when password is provided. Refactored plugs skipping functionality.
Diffstat (limited to 'test/web/auth/basic_auth_test.exs')
-rw-r--r-- | test/web/auth/basic_auth_test.exs | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/test/web/auth/basic_auth_test.exs b/test/web/auth/basic_auth_test.exs new file mode 100644 index 000000000..64f8a6863 --- /dev/null +++ b/test/web/auth/basic_auth_test.exs @@ -0,0 +1,46 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.Auth.BasicAuthTest do + use Pleroma.Web.ConnCase + + import Pleroma.Factory + + test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{ + conn: conn + } do + user = insert(:user) + assert Comeonin.Pbkdf2.checkpw("test", user.password_hash) + + basic_auth_contents = + (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test")) + |> Base.encode64() + + # Succeeds with HTTP Basic Auth + response = + conn + |> put_req_header("authorization", "Basic " <> basic_auth_contents) + |> get("/api/v1/accounts/verify_credentials") + |> json_response(200) + + user_nickname = user.nickname + assert %{"username" => ^user_nickname} = response + + # Succeeds with a properly scoped OAuth token + valid_token = insert(:oauth_token, scopes: ["read:accounts"]) + + conn + |> put_req_header("authorization", "Bearer #{valid_token.token}") + |> get("/api/v1/accounts/verify_credentials") + |> json_response(200) + + # Fails with a wrong-scoped OAuth token (proof of restriction) + invalid_token = insert(:oauth_token, scopes: ["read:something"]) + + conn + |> put_req_header("authorization", "Bearer #{invalid_token.token}") + |> get("/api/v1/accounts/verify_credentials") + |> json_response(403) + end +end |