# frozen_string_literal: true

require 'rails_helper'

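describe 'Using OAuth from an external app' do
  let(:client_app) { Doorkeeper::Application.create!(name: 'test', redirect_uri: 'http://localhost/', scopes: 'read') }

  # Query parameters of a standard authorization-code request for +client_app+,
  # shared by every example below.
  let(:authorize_params) do
    { client_id: client_app.uid, response_type: 'code', redirect_uri: client_app.redirect_uri, scope: 'read' }
  end

  # Matches the app's callback URL and nothing else: anchored at the start of
  # the URL and escaped, so a redirect URI containing regexp metacharacters
  # ('.', '?', '+') cannot accidentally match a different host.
  let(:callback_url) { /\A#{Regexp.escape(client_app.redirect_uri)}/ }

  # Starts the flow exactly as an external app would, by sending the user to
  # the authorization endpoint.
  def visit_authorization_page
    visit "/oauth/authorize?#{authorize_params.to_query}"
  end

  # Submits the login form with the given credentials.
  #
  # @param email [String]
  # @param password [String]
  def submit_login(email, password)
    fill_in 'user_email', with: email
    fill_in 'user_password', with: password
    click_on I18n.t('auth.login')
  end

  # Submits the two-factor form with the given one-time code.
  #
  # @param code [String]
  def submit_otp(code)
    fill_in 'user_otp_attempt', with: code
    click_on I18n.t('auth.login')
  end

  # The login form is displayed (initial visit or after a failed attempt).
  def expect_login_page
    expect(page).to have_content(I18n.t('auth.login'))
  end

  # The second-factor prompt is displayed.
  def expect_otp_page
    expect(page).to have_content(I18n.t('simple_form.hints.sessions.otp'))
  end

  # The consent page is displayed with both the authorize and the deny buttons.
  def expect_consent_page
    expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.authorize'))
    expect(page).to have_content(I18n.t('doorkeeper.authorizations.buttons.deny'))
  end

  # Clicks the given consent button and checks that the browser lands on the
  # app's registered callback URL. Whatever the user decides, the response
  # must go back to the registered redirect URI and nowhere else.
  #
  # @param button [Symbol] :authorize or :deny
  def consent_and_expect_callback(button)
    click_on I18n.t("doorkeeper.authorizations.buttons.#{button}")
    expect(page).to have_current_path(callback_url, url: true)
  end

  # Checks whether an access grant for +client_app+ exists for +user+; this is
  # the server-side ground truth, independent of what the callback URL says.
  #
  # @param granted [Boolean]
  def expect_access_grant(granted)
    expect(Doorkeeper::AccessGrant.exists?(application: client_app, resource_owner_id: user.id)).to be granted
  end

  context 'when the user is already logged in' do
    let!(:user) { Fabricate(:user) }

    before do
      sign_in user, scope: :user
    end

    it 'when accepting the authorization request' do
      visit_authorization_page

      # An authenticated user goes straight to the consent page
      expect_consent_page

      # Upon authorizing, it redirects to the app's callback URL
      consent_and_expect_callback(:authorize)

      # It grants the app access to the account
      expect_access_grant(true)
    end

    it 'when rejecting the authorization request' do
      visit_authorization_page

      # An authenticated user goes straight to the consent page
      expect_consent_page

      # Upon denying, it still redirects to the app's callback URL
      consent_and_expect_callback(:deny)

      # It does not grant the app access to the account
      expect_access_grant(false)
    end
  end

  context 'when the user is not already logged in' do
    let(:email)    { 'test@example.com' }
    let(:password) { 'testpassword' }
    let(:user)     { Fabricate(:user, email: email, password: password) }

    before do
      user.confirm!
      user.approve!
    end

    # Walks from the authorization request through the login form: the
    # unauthenticated request is redirected to login, a wrong password is
    # rejected and the form is presented again, then the correct password is
    # submitted. Where the flow continues afterwards depends on the user's
    # second-factor settings, so this deliberately makes no assertion about it.
    def log_in_from_authorization_request
      visit_authorization_page

      # It presents the user with a log-in page instead of the consent page
      expect_login_page

      # Failing to log in presents the form again
      submit_login(email, 'wrong password')
      expect_login_page

      submit_login(email, password)
    end

    it 'when accepting the authorization request' do
      # Logging in redirects to the consent page
      log_in_from_authorization_request
      expect_consent_page

      # Upon authorizing, it redirects to the app's callback URL
      consent_and_expect_callback(:authorize)

      # It grants the app access to the account
      expect_access_grant(true)
    end

    it 'when rejecting the authorization request' do
      # Logging in redirects to the consent page
      log_in_from_authorization_request
      expect_consent_page

      # Upon denying, it still redirects to the app's callback URL
      consent_and_expect_callback(:deny)

      # It does not grant the app access to the account
      expect_access_grant(false)
    end

    context 'when the user has set up TOTP' do
      let(:user) { Fabricate(:user, email: email, password: password, otp_required_for_login: true, otp_secret: User.generate_otp_secret(32)) }

      # A correct password alone must not reach the consent page: the
      # second-factor prompt is shown, a wrong code is rejected and the prompt
      # is shown again, then the current TOTP code is submitted.
      def pass_second_factor
        expect_otp_page

        # Filling in an incorrect two-factor authentication code presents the form again
        submit_otp('wrong')
        expect_otp_page

        submit_otp(user.current_otp)
      end

      it 'when accepting the authorization request' do
        # Logging in redirects to a two-factor authentication page, then to the consent page
        log_in_from_authorization_request
        pass_second_factor
        expect_consent_page

        # Upon authorizing, it redirects to the app's callback URL
        consent_and_expect_callback(:authorize)

        # It grants the app access to the account
        expect_access_grant(true)
      end

      it 'when rejecting the authorization request' do
        # Logging in redirects to a two-factor authentication page, then to the consent page
        log_in_from_authorization_request
        pass_second_factor
        expect_consent_page

        # Upon denying, it still redirects to the app's callback URL
        consent_and_expect_callback(:deny)

        # It does not grant the app access to the account
        expect_access_grant(false)
      end
    end

    # TODO: external auth
  end
end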