[#3112] Allowed revoking same-user token from any apps. Added tests.
This commit is contained in:
parent
50e47a215f
commit
d50a3345ae
3 changed files with 39 additions and 4 deletions
lib/pleroma/web
test/pleroma/web/o_auth
@ -6,8 +6,8 @@ defmodule Pleroma.Web.MastoFEController do
use Pleroma.Web, :controller
use Pleroma.Web, :controller
alias Pleroma.User
alias Pleroma.User
alias Pleroma.Web.OAuth.Token
alias Pleroma.Web.MastodonAPI.AuthController
alias Pleroma.Web.MastodonAPI.AuthController
alias Pleroma.Web.OAuth.Token
alias Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
alias Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
alias Pleroma.Web.Plugs.OAuthScopesPlug
alias Pleroma.Web.Plugs.OAuthScopesPlug
@ -379,9 +379,9 @@ defp handle_token_exchange_error(%Plug.Conn{} = conn, _error) do
render_invalid_credentials_error(conn)
render_invalid_credentials_error(conn)
end
end
def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
def token_revoke(%Plug.Conn{} = conn, %{"token" => token}) do
with {:ok, app} <- Token.Utils.fetch_app(conn),
with {:ok, %Token{} = oauth_token} <- Token.get_by_token(token),
{:ok, %Token{} = oauth_token} <- RevokeToken.revoke(app, params) do
{:ok, oauth_token} <- RevokeToken.revoke(oauth_token) do
conn =
conn =
with session_token = AuthHelper.get_session_token(conn),
with session_token = AuthHelper.get_session_token(conn),
%Token{token: ^session_token} <- oauth_token do
%Token{token: ^session_token} <- oauth_token do
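Review bot: No check that the token being revoked belongs to the requesting user is visible in the new `with` of `token_revoke`: the token is looked up by its bare string (`Token.get_by_token(token)`) and handed straight to `RevokeToken.revoke(oauth_token)`, where the old code first resolved the calling app via `Token.Utils.fetch_app(conn)`; `token_revoke`'s body continues outside this hunk. If the same-user ownership check now lives in `RevokeToken.revoke/1` or later in the function, a comment above the `with` saying where it is enforced would save the next reader the same question, e.g. `# ownership (same user) of the revoked token is enforced in RevokeToken.revoke/1` adjusted to wherever it actually sits. The added tests only exercise two tokens issued to the same user; a companion test with a token issued to a different user that asserts `assert {:ok, _} = Token.get_by_token(other_user_token.token)` after the request would pin the behaviour the commit title promises.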
@ -1257,6 +1257,41 @@ test "returns 500" do
end
end
describe "POST /oauth/revoke" do
describe "POST /oauth/revoke" do
test "when authenticated with request token, revokes it and clears it from session" do
oauth_token = insert(:oauth_token)
conn =
build_conn()
|> Plug.Session.call(Plug.Session.init(@session_opts))
|> fetch_session()
|> AuthHelper.put_session_token(oauth_token.token)
|> post("/oauth/revoke", %{"token" => oauth_token.token})
assert json_response(conn, 200)
refute AuthHelper.get_session_token(conn)
assert Token.get_by_token(oauth_token.token) == {:error, :not_found}
end
test "if request is authenticated with a different token, " <>
"revokes requested token but keeps session token" do
user = insert(:user)
oauth_token = insert(:oauth_token, user: user)
other_app_oauth_token = insert(:oauth_token, user: user)
conn =
build_conn()
|> Plug.Session.call(Plug.Session.init(@session_opts))
|> fetch_session()
|> AuthHelper.put_session_token(oauth_token.token)
|> post("/oauth/revoke", %{"token" => other_app_oauth_token.token})
assert json_response(conn, 200)
assert AuthHelper.get_session_token(conn) == oauth_token.token
assert Token.get_by_token(other_app_oauth_token.token) == {:error, :not_found}
end
test "returns 500 on bad request" do
test "returns 500 on bad request" do
response =
response =
build_conn()
build_conn()