From f45961aa98da629e8bdaaba1189b9a338c8a2a08 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 24 Apr 2023 19:06:58 +0200 Subject: [PATCH] Add feature test for OAuth access grant (#24624) --- spec/features/oauth_spec.rb | 190 ++++++++++++++++++++++++++++++++++++ spec/rails_helper.rb | 1 + 2 files changed, 191 insertions(+) create mode 100644 spec/features/oauth_spec.rb diff --git a/spec/features/oauth_spec.rb b/spec/features/oauth_spec.rb new file mode 100644 index 0000000000..967956cc8e --- /dev/null +++ b/spec/features/oauth_spec.rb @@ -0,0 +1,190 @@ +# frozen_string_literal: true + +require 'rails_helper' + +describe 'Using OAuth from an external app' do + let(:client_app) { Doorkeeper::Application.create!(name: 'test', redirect_uri: 'http://localhost/', scopes: 'read') } + + context 'when the user is already logged in' do + let!(:user) { Fabricate(:user) } + + before do + sign_in user, scope: :user + end + + it 'when accepting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with an authorization page + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize')) + + # Upon authorizing, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.authorize') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It grants the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be true + end + + it 'when rejecting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with an authorization page + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.deny')) + + # Upon denying, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.deny') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It does not grant the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be false + end + end + + context 'when the user is not already logged in' do + let(:email) { 'test@example.com' } + let(:password) { 'testpassword' } + let(:user) { Fabricate(:user, email: email, password: password) } + + before do + user.confirm! + user.approve! + end + + it 'when accepting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with a log-in page + expect(page).to have_content(I18n.t('auth.login')) + + # Failing to log-in presents the form again + fill_in 'user_email', with: email + fill_in 'user_password', with: 'wrong password' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('auth.login')) + + # Logging in redirects to an authorization page + fill_in 'user_email', with: email + fill_in 'user_password', with: password + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize')) + + # Upon authorizing, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.authorize') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It grants the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be true + end + + it 'when rejecting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with a log-in page + expect(page).to have_content(I18n.t('auth.login')) + + # Failing to log-in presents the form again + fill_in 'user_email', with: email + fill_in 'user_password', with: 'wrong password' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('auth.login')) + + # Logging in redirects to an authorization page + fill_in 'user_email', with: email + fill_in 'user_password', with: password + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize')) + + # Upon denying, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.deny') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It does not grant the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be false + end + + context 'when the user has set up TOTP' do + let(:user) { Fabricate(:user, email: email, password: password, otp_required_for_login: true, otp_secret: User.generate_otp_secret(32)) } + + it 'when accepting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with a log-in page + expect(page).to have_content(I18n.t('auth.login')) + + # Failing to log-in presents the form again + fill_in 'user_email', with: email + fill_in 'user_password', with: 'wrong password' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('auth.login')) + + # Logging in redirects to a two-factor authentication page + fill_in 'user_email', with: email + fill_in 'user_password', with: password + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp')) + + # Filling in an incorrect two-factor authentication code presents the form again + fill_in 'user_otp_attempt', with: 'wrong' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp')) + + # Filling in the correct TOTP code redirects to an app authorization page + fill_in 'user_otp_attempt', with: user.current_otp + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize')) + + # Upon authorizing, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.authorize') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It grants the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be true + end + + it 'when rejecting the authorization request' do + params = { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' } + visit "/oauth/authorize?#{params.to_query}" + + # It presents the user with a log-in page + expect(page).to have_content(I18n.t('auth.login')) + + # Failing to log-in presents the form again + fill_in 'user_email', with: email + fill_in 'user_password', with: 'wrong password' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('auth.login')) + + # Logging in redirects to a two-factor authentication page + fill_in 'user_email', with: email + fill_in 'user_password', with: password + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp')) + + # Filling in an incorrect two-factor authentication code presents the form again + fill_in 'user_otp_attempt', with: 'wrong' + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp')) + + # Filling in the correct TOTP code redirects to an app authorization page + fill_in 'user_otp_attempt', with: user.current_otp + click_on I18n.t('auth.login') + expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize')) + + # Upon denying, it redirects to the apps' callback URL + click_on I18n.t('doorkeeper.authorizations.buttons.deny') + expect(page).to have_current_path(/\A#{client_app.redirect_uri}/, url: true) + + # It does not grant the app access to the account + expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be false + end + end + + # TODO: external auth + end +end diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb index c204fcdbd2..de15cb7853 100644 --- a/spec/rails_helper.rb +++ b/spec/rails_helper.rb @@ -44,6 +44,7 @@ RSpec.configure do |config| config.include Devise::Test::ControllerHelpers, type: :controller config.include Devise::Test::ControllerHelpers, type: :view + config.include Devise::Test::IntegrationHelpers, type: :feature config.include Paperclip::Shoulda::Matchers config.include ActiveSupport::Testing::TimeHelpers config.include Chewy::Rspec::Helpers