From 08de0a4e7990192e1714054b9facd075936a64e0 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Wed, 14 Oct 2015 16:15:32 +0200
Subject: [PATCH] Add token exchange tests

---
 src/routes/test/oauth2-test.js | 269 +++++++++++++++++++++++++++++++++
 1 file changed, 269 insertions(+)

diff --git a/src/routes/test/oauth2-test.js b/src/routes/test/oauth2-test.js
index 15856fc79..e7a976419 100644
--- a/src/routes/test/oauth2-test.js
+++ b/src/routes/test/oauth2-test.js
@@ -793,6 +793,275 @@ describe('OAuth2', function () { }); }); }); + + describe('token exchange', function () { + before(setup); + after(cleanup); + + function startAuthorizationFlow(grant, callback) { + var jar = request.jar(); + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=' + grant; + + request.get(url, { jar: jar }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(200); + expect(body).to.eql(''); + + request.get(SERVER_URL + '/api/v1/session/login?returnTo=' + CLIENT_2.redirectURI, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(200); + expect(body.indexOf('')).to.not.equal(-1); + + var url = SERVER_URL + '/api/v1/session/login?returnTo=' + CLIENT_2.redirectURI; + var data = { + username: USER_0.username, + password: USER_0.password + }; + + request.post({ url: url, jar: jar, form: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.query.redirect_uri).to.eql(CLIENT_2.redirectURI); + expect(tmp.query.client_id).to.eql(CLIENT_2.id); + expect(tmp.query.response_type).to.eql(grant); + + callback(jar); + }); + }); + }); + } + + it('fails due to missing credentials', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + 
expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(401); + + done(); + }); + }); + }); + }); + + it('fails due to missing client_id', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + code: tmp.query.code, + // client_id: CLIENT_2.id, + client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(401); + done(); + }); + }); + }); + }); + + it('fails due to missing grant_type', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + 
expect(tmp.query.code).to.be.a('string'); + + var data = { + // grant_type: 'authorization_code', + code: tmp.query.code, + client_id: CLIENT_2.id, + client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(501); + done(); + }); + }); + }); + }); + + it('fails due to missing code', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + // code: tmp.query.code, + client_id: CLIENT_2.id, + client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(400); + done(); + }); + }); + }); + }); + + it('fails due to missing client_secret', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + 
expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + code: tmp.query.code, + client_id: CLIENT_2.id, + // client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(401); + done(); + }); + }); + }); + }); + + it('fails due to wrong client_secret', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + code: tmp.query.code, + client_id: CLIENT_2.id, + client_secret: CLIENT_2.clientSecret+CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(401); + done(); + }); + }); + }); + }); + + it('fails due to wrong client_id', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = 
urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + code: tmp.query.code, + client_id: CLIENT_2.id+CLIENT_2.id, + client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(401); + done(); + }); + }); + }); + }); + + it('succeeds', function (done) { + startAuthorizationFlow('code', function (jar) { + var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_2.redirectURI + '&client_id=' + CLIENT_2.id + '&response_type=code'; + + request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(302); + + var tmp = urlParse(response.headers.location, true); + expect(tmp.pathname).to.eql('/api/v1/session/callback'); + expect(tmp.query.redirectURI).to.eql(CLIENT_2.redirectURI + '/'); + expect(tmp.query.code).to.be.a('string'); + + var data = { + grant_type: 'authorization_code', + code: tmp.query.code, + client_id: CLIENT_2.id, + client_secret: CLIENT_2.clientSecret + }; + + request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) { + expect(error).to.not.be.ok(); + expect(response.statusCode).to.eql(200); + expect(body.access_token).to.be.a('string'); + expect(body.token_type).to.eql('Bearer'); + + done(); + }); + }); + }); + }); + }); }); });
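Review bot: The `succeeds` case at the end of the hunk shows a code can be exchanged once but never that it is single-use — replaying the same `data` after the 200 should be rejected (RFC 6749 §4.1.2) — and none of the failure cases try a code issued to CLIENT_2 with another registered client's `client_id`/`client_secret`, so a server that ignores the code-to-client binding would still pass this suite (the `wrong client_id` case sends a non-existent id, which exercises client authentication rather than the binding). Reusing the exchanged `data` in a second POST inside the success callback covers the replay; the rejection status is server-specific, so assert a 4xx rather than a guessed code. Separately, `expect(body.indexOf('')).to.not.equal(-1)` in `startAuthorizationFlow` is vacuous as shown, since `indexOf('')` is always 0 — if that empty string is not an extraction artifact, the login-page assertion checks nothing. Finally, the seven cases repeat the same authorize-GET / parse-location / assert-code block; a helper such as `function fetchAuthorizationCode(jar, callback)` that passes `tmp.query.code` to the callback would remove roughly sixty duplicated lines.
```javascript
it('succeeds', function (done) {
    startAuthorizationFlow('code', function (jar) {
        // … unchanged: authorize GET, location parsing, code assertions, data …
        request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) {
            expect(error).to.not.be.ok();
            expect(response.statusCode).to.eql(200);
            expect(body.access_token).to.be.a('string');
            expect(body.token_type).to.eql('Bearer');

            // an authorization code must be single-use (RFC 6749 §4.1.2):
            // the same code replayed with valid client credentials must not yield a second token
            request.post(SERVER_URL + '/api/v1/oauth/token', { jar: jar, json: data }, function (error, response, body) {
                expect(error).to.not.be.ok();
                expect(response.statusCode).to.be.within(400, 499);
                expect(body.access_token).to.not.be.ok();
                done();
            });
        });
    });
});
```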