graphite/Sharkey
1
0
Fork 0
mirror of https://git.joinsharkey.org/Sharkey/Sharkey.git synced 2024-09-23 02:01:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

redirection test

Browse source
This commit is contained in:
Kagami Sascha Rosylight 2023-04-09 16:43:19 +02:00
parent 0cc9d5aa32
commit 515af3176a
1 changed files with 45 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
packages/backend/test/e2e/oauth.ts
View file

@ -95,7 +95,6 @@ describe('OAuth', () => {
const location = new URL(decisionResponse.headers.get('location')!);
assert.strictEqual(location.origin + location.pathname, redirect_uri);
assert.ok(location.searchParams.has('code'));
assert.strictEqual(location.searchParams.get('state'), 'state');
@ -366,11 +365,54 @@ describe('OAuth', () => {
// TODO: error code (invalid_token)
});
describe('Redirection', () => {
test('Invalid redirect_uri at authorization endpoint', async () => {
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri: 'http://127.0.0.2/',
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// TODO: status code
assert.strictEqual(response.status, 500);
});
test('Invalid redirect_uri at token endpoint', async () => {
const { code_challenge, code_verifier } = pkceChallenge.default(128);
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge,
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
const decisionResponse = await fetchDecisionFromResponse(response, alice);
assert.strictEqual(decisionResponse.status, 302);
const location = new URL(decisionResponse.headers.get('location')!);
assert.ok(location.searchParams.has('code'));
await assert.rejects(client.getToken({
code: location.searchParams.get('code')!,
redirect_uri: 'http://127.0.0.2/',
code_verifier,
}));
});
// TODO: disallow random same-origin URLs with strict redirect_uris with client information discovery
});
// TODO: .well-known/oauth-authorization-server
// TODO: authorizing two users concurrently
// TODO: invalid redirect_uri (at authorize / at token)
// TODO: Error format required by OAuth spec
});