From 66f55106bda23e0cfb01cb63f7397f4383518963 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Fri, 17 Apr 2020 21:21:10 +0300
Subject: [#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes
 checks when password is provided. Refactored plugs skipping functionality.

---
 test/web/auth/basic_auth_test.exs | 46 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 test/web/auth/basic_auth_test.exs

(limited to 'test/web/auth/basic_auth_test.exs')

diff --git a/test/web/auth/basic_auth_test.exs b/test/web/auth/basic_auth_test.exs
new file mode 100644
index 000000000..64f8a6863
--- /dev/null
+++ b/test/web/auth/basic_auth_test.exs
@@ -0,0 +1,46 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Auth.BasicAuthTest do
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
+    conn: conn
+  } do
+    user = insert(:user)
+    assert Comeonin.Pbkdf2.checkpw("test", user.password_hash)
+
+    basic_auth_contents =
+      (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
+      |> Base.encode64()
+
+    # Succeeds with HTTP Basic Auth
+    response =
+      conn
+      |> put_req_header("authorization", "Basic " <> basic_auth_contents)
+      |> get("/api/v1/accounts/verify_credentials")
+      |> json_response(200)
+
+    user_nickname = user.nickname
+    assert %{"username" => ^user_nickname} = response
+
+    # Succeeds with a properly scoped OAuth token
+    valid_token = insert(:oauth_token, scopes: ["read:accounts"])
+
+    conn
+    |> put_req_header("authorization", "Bearer #{valid_token.token}")
+    |> get("/api/v1/accounts/verify_credentials")
+    |> json_response(200)
+
+    # Fails with a wrong-scoped OAuth token (proof of restriction)
+    invalid_token = insert(:oauth_token, scopes: ["read:something"])
+
+    conn
+    |> put_req_header("authorization", "Bearer #{invalid_token.token}")
+    |> get("/api/v1/accounts/verify_credentials")
+    |> json_response(403)
+  end
+end
-- 
cgit v1.2.3


From b46811a07444187e7765f439e933f214c0a0aeb3 Mon Sep 17 00:00:00 2001
From: Alex Gleason <alex@alexgleason.me>
Date: Tue, 12 May 2020 16:42:24 -0500
Subject: Upgrade Comeonin to v5
 https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md

---
 test/web/auth/basic_auth_test.exs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'test/web/auth/basic_auth_test.exs')

diff --git a/test/web/auth/basic_auth_test.exs b/test/web/auth/basic_auth_test.exs
index 64f8a6863..bf6e3d2fc 100644
--- a/test/web/auth/basic_auth_test.exs
+++ b/test/web/auth/basic_auth_test.exs
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.Auth.BasicAuthTest do
     conn: conn
   } do
     user = insert(:user)
-    assert Comeonin.Pbkdf2.checkpw("test", user.password_hash)
+    assert Pbkdf2.verify_pass("test", user.password_hash)
 
     basic_auth_contents =
       (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
-- 
cgit v1.2.3