gnh1201/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-11-27 10:00:50 +00:00
Code Issues Actions 17 Packages Projects Releases Wiki Activity

Merge 4a32e720f5 into 002632c3bb

Browse Source
This commit is contained in:
Emelia Smith 2025-11-26 17:05:13 +00:00 committed by GitHub
commit 8967be6dfd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 108 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
spec/requests/oauth/token_spec.rb
View File

@ -5,103 +5,151 @@ require 'rails_helper'
RSpec.describe 'Managing OAuth Tokens' do
describe 'POST /oauth/token' do
subject do
post '/oauth/token', params: params
post '/oauth/token', params: params.merge(additional_params), headers: headers
end
let(:headers) { nil }
let(:additional_params) { {} }
let(:params) { {} }
let(:application) do
Fabricate(:application, scopes: 'read write follow', redirect_uri: 'urn:ietf:wg:oauth:2.0:oob')
end
let(:params) do
{
grant_type: grant_type,
client_id: application.uid,
client_secret: application.secret,
redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
code: code,
scope: scope,
}
end
context "with grant_type 'authorization_code'" do
let(:grant_type) { 'authorization_code' }
let(:code) do
access_grant = Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write')
access_grant.plaintext_token
end
let(:access_grant) { Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write') }
let(:access_grant_scopes) { access_grant.scopes.to_s }
let(:code) { access_grant.plaintext_token }
shared_examples 'original scope request preservation' do
it 'returns all scopes requested for the given code' do
shared_examples 'returns a correctly scoped access token' do
it 'returns the scopes requested by the authorization code' do
subject
expect(response).to have_http_status(200)
expect(response.parsed_body[:scope]).to eq 'read write'
expect(response.parsed_body[:scope]).to eq access_grant_scopes
end
context 'with additional parameters not used by the grant type' do
# When performing an authorization code grant flow, the `/oauth/token`
# endpoint does not accept a `scope` parameter, and should not
# override the scopes from the authorization grant.
let(:additional_params) do
{
scope: 'write',
}
end
it 'returns the scopes requested by the authorization code' do
subject
expect(response).to have_http_status(200)
expect(response.parsed_body[:scope]).to eq access_grant_scopes
end
end
end
context 'with no scopes specified' do
let(:scope) { nil }
context 'with client authentication via params' do
let(:headers) { nil }
let(:params) do
{
grant_type: 'authorization_code',
redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
client_id: application.uid,
client_secret: application.secret,
code: code,
}
end
it_behaves_like 'original scope request preservation'
it_behaves_like 'returns a correctly scoped access token'
end
context 'with scopes specified' do
context 'when the scopes were requested for this code' do
let(:scope) { 'write' }
it_behaves_like 'original scope request preservation'
context 'with client authentication via basic auth' do
let(:headers) do
{
Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret),
}
end
context 'when the scope was not requested for the code' do
let(:scope) { 'follow' }
it_behaves_like 'original scope request preservation'
let(:params) do
{
grant_type: 'authorization_code',
redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
code: code,
}
end
context 'when the scope does not belong to the application' do
let(:scope) { 'push' }
it_behaves_like 'original scope request preservation'
end
it_behaves_like 'returns a correctly scoped access token'
end
end
context "with grant_type 'client_credentials'" do
let(:grant_type) { 'client_credentials' }
let(:code) { nil }
shared_examples 'returns the correct scopes' do
context 'with no scopes specified' do
let(:scope) { nil }
context 'with no scopes specified' do
let(:scope) { nil }
it 'returns only the default scope' do
subject
expect(response).to have_http_status(200)
expect(response.parsed_body[:scope]).to eq('read')
end
end
context 'with scopes specified' do
context 'when the scopes belong to the application' do
let(:scope) { 'read write' }
it 'returns all the requested scopes' do
it 'returns only the authorization server default scope (read)' do
subject
expect(response).to have_http_status(200)
expect(response.parsed_body[:scope]).to eq 'read write'
expect(response.parsed_body[:scope]).to eq('read')
end
end
context 'when some scopes do not belong to the application' do
let(:scope) { 'read write push' }
context 'with scopes specified' do
context 'when the scopes belong to the application' do
let(:scope) { 'read write' }
it 'returns an error' do
subject
it 'returns all the requested scopes' do
subject
expect(response).to have_http_status(400)
expect(response).to have_http_status(200)
expect(response.parsed_body[:scope]).to eq 'read write'
end
end
context 'when some scopes do not belong to the application' do
let(:scope) { 'read write push' }
it 'returns an error' do
subject
expect(response).to have_http_status(400)
expect(response.parsed_body[:error]).to eq 'invalid_scope'
end
end
end
end
context 'with client authentication via basic auth' do
let(:headers) do
{
Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret),
}
end
let(:params) do
{
grant_type: 'client_credentials',
scope: scope,
}
end
it_behaves_like 'returns the correct scopes'
end
context 'with client authentication via params' do
let(:headers) { nil }
let(:params) do
{
grant_type: 'client_credentials',
client_id: application.uid,
client_secret: application.secret,
scope: scope,
}
end
it_behaves_like 'returns the correct scopes'
end
end
end