diff --git a/spec/requests/oauth/token_spec.rb b/spec/requests/oauth/token_spec.rb index 7be65e7ab3f..c3ca353d54c 100644 --- a/spec/requests/oauth/token_spec.rb +++ b/spec/requests/oauth/token_spec.rb @@ -5,103 +5,151 @@ require 'rails_helper' RSpec.describe 'Managing OAuth Tokens' do describe 'POST /oauth/token' do subject do - post '/oauth/token', params: params + post '/oauth/token', params: params.merge(additional_params), headers: headers end + let(:headers) { nil } + let(:additional_params) { {} } + let(:params) { {} } + let(:application) do Fabricate(:application, scopes: 'read write follow', redirect_uri: 'urn:ietf:wg:oauth:2.0:oob') end - let(:params) do - { - grant_type: grant_type, - client_id: application.uid, - client_secret: application.secret, - redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', - code: code, - scope: scope, - } - end context "with grant_type 'authorization_code'" do - let(:grant_type) { 'authorization_code' } - let(:code) do - access_grant = Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write') - access_grant.plaintext_token - end + let(:access_grant) { Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write') } + let(:access_grant_scopes) { access_grant.scopes.to_s } + let(:code) { access_grant.plaintext_token } - shared_examples 'original scope request preservation' do - it 'returns all scopes requested for the given code' do + shared_examples 'returns a correctly scoped access token' do + it 'returns the scopes requested by the authorization code' do subject expect(response).to have_http_status(200) - expect(response.parsed_body[:scope]).to eq 'read write' + expect(response.parsed_body[:scope]).to eq access_grant_scopes + end + + context 'with additional parameters not used by the grant type' do + # When performing an authorization code grant flow, the `/oauth/token` + # endpoint does not accept a `scope` parameter, and should not + # override the scopes from the authorization grant. + let(:additional_params) do + { + scope: 'write', + } + end + + it 'returns the scopes requested by the authorization code' do + subject + + expect(response).to have_http_status(200) + expect(response.parsed_body[:scope]).to eq access_grant_scopes + end end end - context 'with no scopes specified' do - let(:scope) { nil } + context 'with client authentication via params' do + let(:headers) { nil } + let(:params) do + { + grant_type: 'authorization_code', + redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', + client_id: application.uid, + client_secret: application.secret, + code: code, + } + end - it_behaves_like 'original scope request preservation' + it_behaves_like 'returns a correctly scoped access token' end - context 'with scopes specified' do - context 'when the scopes were requested for this code' do - let(:scope) { 'write' } - - it_behaves_like 'original scope request preservation' + context 'with client authentication via basic auth' do + let(:headers) do + { + Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret), + } end - context 'when the scope was not requested for the code' do - let(:scope) { 'follow' } - - it_behaves_like 'original scope request preservation' + let(:params) do + { + grant_type: 'authorization_code', + redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', + code: code, + } end - context 'when the scope does not belong to the application' do - let(:scope) { 'push' } - - it_behaves_like 'original scope request preservation' - end + it_behaves_like 'returns a correctly scoped access token' end end context "with grant_type 'client_credentials'" do - let(:grant_type) { 'client_credentials' } - let(:code) { nil } + shared_examples 'returns the correct scopes' do + context 'with no scopes specified' do + let(:scope) { nil } - context 'with no scopes specified' do - let(:scope) { nil } - - it 'returns only the default scope' do - subject - - expect(response).to have_http_status(200) - expect(response.parsed_body[:scope]).to eq('read') - end - end - - context 'with scopes specified' do - context 'when the scopes belong to the application' do - let(:scope) { 'read write' } - - it 'returns all the requested scopes' do + it 'returns only the authorization server default scope (read)' do subject expect(response).to have_http_status(200) - expect(response.parsed_body[:scope]).to eq 'read write' + expect(response.parsed_body[:scope]).to eq('read') end end - context 'when some scopes do not belong to the application' do - let(:scope) { 'read write push' } + context 'with scopes specified' do + context 'when the scopes belong to the application' do + let(:scope) { 'read write' } - it 'returns an error' do - subject + it 'returns all the requested scopes' do + subject - expect(response).to have_http_status(400) + expect(response).to have_http_status(200) + expect(response.parsed_body[:scope]).to eq 'read write' + end + end + + context 'when some scopes do not belong to the application' do + let(:scope) { 'read write push' } + + it 'returns an error' do + subject + + expect(response).to have_http_status(400) + expect(response.parsed_body[:error]).to eq 'invalid_scope' + end end end end + + context 'with client authentication via basic auth' do + let(:headers) do + { + Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret), + } + end + + let(:params) do + { + grant_type: 'client_credentials', + scope: scope, + } + end + + it_behaves_like 'returns the correct scopes' + end + + context 'with client authentication via params' do + let(:headers) { nil } + let(:params) do + { + grant_type: 'client_credentials', + client_id: application.uid, + client_secret: application.secret, + scope: scope, + } + end + + it_behaves_like 'returns the correct scopes' + end end end