
Merge pull request 'test(oauth): RFC 6749 Section 10.2 conformance' (#4032) from earl-warren/forgejo:wip-oauth-public into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4032
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>

+61 -2
+1 -1
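--- a/models/fixtures/oauth2_application.yml
+++ b/models/fixtures/oauth2_application.yml
@@ -14,7 +14,7 @@
 name: "Test native app"
 client_id: "ce5a1322-42a7-11ed-b878-0242ac120002"
 client_secret: "$2a$10$UYRgUSgekzBp6hYe8pAdc.cgB4Gn06QRKsORUnIYTYQADs.YR/uvi" # bcrypt of "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=
-redirect_uris: '["http://127.0.0.1"]'
+redirect_uris: '["b", "http://127.0.0.1"]'
 created_unix: 1546869730
 updated_unix: 1546869730
 confidential_client: false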
+60 -1
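--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -82,6 +82,65 @@
 htmlDoc.GetCSRF()
 }
 
+func TestOAuth_AuthorizeConfidentialTwice(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+// da7da3ba-9a13-4167-856f-3899de0b0138 a confidential client in models/fixtures/oauth2_application.yml
+
+// request authorization for the first time shows the grant page ...
+authorizeURL := "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate"
+req := NewRequest(t, "GET", authorizeURL)
+ctx := loginUser(t, "user4")
+resp := ctx.MakeRequest(t, req, http.StatusOK)
+
+htmlDoc := NewHTMLParser(t, resp.Body)
+htmlDoc.AssertElement(t, "#authorize-app", true)
+
+// ... and the user grants the authorization
+req = NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
+"_csrf": htmlDoc.GetCSRF(),
+"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
+"redirect_uri": "a",
+"state": "thestate",
+"granted": "true",
+})
+resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
+assert.Contains(t, test.RedirectURL(resp), "code=")
+
+// request authorization the second time and the grant page is not shown again, redirection happens immediately
+req = NewRequest(t, "GET", authorizeURL)
+resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
+assert.Contains(t, test.RedirectURL(resp), "code=")
+}
+
+func TestOAuth_AuthorizePublicTwice(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+// ce5a1322-42a7-11ed-b878-0242ac120002 is a public client in models/fixtures/oauth2_application.yml
+authorizeURL := "/login/oauth/authorize?client_id=ce5a1322-42a7-11ed-b878-0242ac120002&redirect_uri=b&response_type=code&code_challenge_method=plain&code_challenge=CODE&state=thestate"
+ctx := loginUser(t, "user4")
+// a public client must be authorized every time
+for _, name := range []string{"First", "Second"} {
+t.Run(name, func(t *testing.T) {
+req := NewRequest(t, "GET", authorizeURL)
+resp := ctx.MakeRequest(t, req, http.StatusOK)
+
+htmlDoc := NewHTMLParser(t, resp.Body)
+htmlDoc.AssertElement(t, "#authorize-app", true)
+
+req = NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
+"_csrf": htmlDoc.GetCSRF(),
+"client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
+"redirect_uri": "b",
+"state": "thestate",
+"granted": "true",
+})
+resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
+assert.Contains(t, test.RedirectURL(resp), "code=")
+})
+}
+}
+
 func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")
@@ -534,7 +593,7 @@
 gitlab := addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
 
 //
-// Create a user as if it had been previously been created by the GitLab
+// Create a user as if it had been previously created by the GitLab
 // authentication source.
 //
 userGitLabUserID := "5678"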
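Review bot: The redirect assertions in both new tests, `assert.Contains(t, test.RedirectURL(resp), "code=")` after each grant and after the second confidential authorize, verify only that an authorization code was issued; they do not check that the `state=thestate` sent on the authorize request is echoed back, so a regression that drops or alters state (which the client relies on to bind the response to its request) would still pass. Adding `assert.Contains(t, test.RedirectURL(resp), "state=thestate")` beside each existing assertion pins that half of the response. The fixture comment in TestOAuth_AuthorizeConfidentialTwice reads `// da7da3ba-9a13-4167-856f-3899de0b0138 a confidential client in models/fixtures/oauth2_application.yml` and is missing the verb; its counterpart in the public test says `is a public client`. Each client ID also appears twice per test, once in the URL and once in the grant form, and holding it in a local `const` would keep the two in sync.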