2020-04-17 12:21:10 -06:00
|
|
|
# Pleroma: A lightweight social networking server
|
2021-01-12 23:49:20 -07:00
|
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
2020-04-17 12:21:10 -06:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
|
|
|
defmodule Pleroma.Web.Auth.BasicAuthTest do
|
2023-08-01 04:43:50 -06:00
|
|
|
use Pleroma.Web.ConnCase, async: false
|
2020-04-17 12:21:10 -06:00
|
|
|
|
|
|
|
import Pleroma.Factory
|
|
|
|
|
|
|
|
test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
|
|
|
|
conn: conn
|
|
|
|
} do
|
|
|
|
user = insert(:user)
|
2022-12-29 19:46:58 -07:00
|
|
|
assert Pleroma.Password.checkpw("test", user.password_hash)
|
2020-04-17 12:21:10 -06:00
|
|
|
|
|
|
|
basic_auth_contents =
|
|
|
|
(URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
|
|
|
|
|> Base.encode64()
|
|
|
|
|
|
|
|
# Succeeds with HTTP Basic Auth
|
|
|
|
response =
|
|
|
|
conn
|
|
|
|
|> put_req_header("authorization", "Basic " <> basic_auth_contents)
|
|
|
|
|> get("/api/v1/accounts/verify_credentials")
|
|
|
|
|> json_response(200)
|
|
|
|
|
|
|
|
user_nickname = user.nickname
|
|
|
|
assert %{"username" => ^user_nickname} = response
|
|
|
|
|
|
|
|
# Succeeds with a properly scoped OAuth token
|
|
|
|
valid_token = insert(:oauth_token, scopes: ["read:accounts"])
|
|
|
|
|
|
|
|
conn
|
|
|
|
|> put_req_header("authorization", "Bearer #{valid_token.token}")
|
|
|
|
|> get("/api/v1/accounts/verify_credentials")
|
|
|
|
|> json_response(200)
|
|
|
|
|
|
|
|
# Fails with a wrong-scoped OAuth token (proof of restriction)
|
|
|
|
invalid_token = insert(:oauth_token, scopes: ["read:something"])
|
|
|
|
|
|
|
|
conn
|
|
|
|
|> put_req_header("authorization", "Bearer #{invalid_token.token}")
|
|
|
|
|> get("/api/v1/accounts/verify_credentials")
|
|
|
|
|> json_response(403)
|
|
|
|
end
|
|
|
|
end
|