test/web/auth/basic_auth_test.exs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Auth.BasicAuthTest do
  use Pleroma.Web.ConnCase

  import Pleroma.Factory

  test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
    conn: conn
  } do
    user = insert(:user)
    assert Pbkdf2.verify_pass("test", user.password_hash)

    basic_auth_contents =
      (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
      |> Base.encode64()

    # Succeeds with HTTP Basic Auth
    response =
      conn
      |> put_req_header("authorization", "Basic " <> basic_auth_contents)
      |> get("/api/v1/accounts/verify_credentials")
      |> json_response(200)

    user_nickname = user.nickname
    assert %{"username" => ^user_nickname} = response

    # Succeeds with a properly scoped OAuth token
    valid_token = insert(:oauth_token, scopes: ["read:accounts"])

    conn
    |> put_req_header("authorization", "Bearer #{valid_token.token}")
    |> get("/api/v1/accounts/verify_credentials")
    |> json_response(200)

    # Fails with a wrong-scoped OAuth token (proof of restriction)
    invalid_token = insert(:oauth_token, scopes: ["read:something"])

    conn
    |> put_req_header("authorization", "Bearer #{invalid_token.token}")
    |> get("/api/v1/accounts/verify_credentials")
    |> json_response(403)
  end
end