[#1682] Fixed Basic Auth permissions issue Closes #1682 See merge request pleroma/pleroma!2401 stable
commit
f1843db41d
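--- /dev/null
+++ b/test/web/auth/basic_auth_test.exs
@@ -0,0 +1,46 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Auth.BasicAuthTest do
+use Pleroma.Web.ConnCase
+
+import Pleroma.Factory
+
+test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
+conn: conn
+} do
+user = insert(:user)
+assert Comeonin.Pbkdf2.checkpw("test", user.password_hash)
+
+basic_auth_contents =
+(URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
+|> Base.encode64()
+
+# Succeeds with HTTP Basic Auth
+response =
+conn
+|> put_req_header("authorization", "Basic " <> basic_auth_contents)
+|> get("/api/v1/accounts/verify_credentials")
+|> json_response(200)
+
+user_nickname = user.nickname
+assert %{"username" => ^user_nickname} = response
+
+# Succeeds with a properly scoped OAuth token
+valid_token = insert(:oauth_token, scopes: ["read:accounts"])
+
+conn
+|> put_req_header("authorization", "Bearer #{valid_token.token}")
+|> get("/api/v1/accounts/verify_credentials")
+|> json_response(200)
+
+# Fails with a wrong-scoped OAuth token (proof of restriction)
+invalid_token = insert(:oauth_token, scopes: ["read:something"])
+
+conn
+|> put_req_header("authorization", "Bearer #{invalid_token.token}")
+|> get("/api/v1/accounts/verify_credentials")
+|> json_response(403)
+end
+end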
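Review bot: The Basic Auth half of this test only covers the success path — the factory user's real password yields 200 — and never checks that a wrong password (or an unknown nickname) is refused, so a regression that accepted any `Authorization: Basic` header naming an existing user would still pass; the OAuth half does carry its negative case (the `read:something` token → 403), and the Basic half deserves the same. I would add, right after the `^user_nickname` assertion, a request with the same header shape but a bad password and assert a non-200 status (Pleroma's unauthenticated path appears to answer 403, but I have not verified that here, so `assert resp.status in [401, 403]` is the safe form). Separately, wrapping nickname and password in `URI.encode_www_form/1` only matters if the server percent-decodes the credential pair before checking it, and with a factory nickname and the password `test` nothing actually gets encoded, so that assumption is not exercised — a comment such as `# credentials are form-encoded because the Basic Auth plug URI-decodes them — confirm` or a nickname containing an encodable character would pin it down.
```elixir
# … unchanged: user insert, basic_auth_contents, successful Basic Auth request, ^user_nickname assertion …

# Fails with HTTP Basic Auth carrying a wrong password (proof that the password is actually checked)
bad_basic_auth_contents = Base.encode64(user.nickname <> ":wrong-password")

resp =
  conn
  |> put_req_header("authorization", "Basic " <> bad_basic_auth_contents)
  |> get("/api/v1/accounts/verify_credentials")

assert resp.status in [401, 403]

# … unchanged: properly scoped and wrong-scoped OAuth token cases …
```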