header test
This commit is contained in:
Kagami Sascha Rosylight
parent
401575a903
commit
0cc9d5aa32
1 changed files with 54 additions and 2 deletions
|
|
@ -310,6 +310,60 @@ describe('OAuth', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: duplicate scopes test (currently token response doesn't return final scopes, although it must)
|
// TODO: duplicate scopes test (currently token response doesn't return final scopes, although it must)
|
||||||
|
|
||||||
|
// TODO: write failure when no scope
|
||||||
|
});
|
||||||
|
|
||||||
|
test('Authorization header', async () => {
|
||||||
|
const { code_challenge, code_verifier } = pkceChallenge.default(128);
|
||||||
|
|
||||||
|
const client = getClient();
|
||||||
|
|
||||||
|
const response = await fetch(client.authorizeURL({
|
||||||
|
redirect_uri,
|
||||||
|
scope: 'write:notes',
|
||||||
|
state: 'state',
|
||||||
|
code_challenge,
|
||||||
|
code_challenge_method: 'S256',
|
||||||
|
}));
|
||||||
|
assert.strictEqual(response.status, 200);
|
||||||
|
|
||||||
|
const decisionResponse = await fetchDecisionFromResponse(response, alice);
|
||||||
|
assert.strictEqual(decisionResponse.status, 302);
|
||||||
|
|
||||||
|
const location = new URL(decisionResponse.headers.get('location')!);
|
||||||
|
assert.ok(location.searchParams.has('code'));
|
||||||
|
|
||||||
|
const token = await client.getToken({
|
||||||
|
code: location.searchParams.get('code')!,
|
||||||
|
redirect_uri,
|
||||||
|
code_verifier,
|
||||||
|
});
|
||||||
|
|
||||||
|
// Pattern 1: No preceding "Bearer "
|
||||||
|
let createResponse = await relativeFetch('api/notes/create', {
|
||||||
|
method: 'POST',
|
||||||
|
headers: {
|
||||||
|
Authorization: token.token.access_token as string,
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
},
|
||||||
|
body: JSON.stringify({ text: 'test' }),
|
||||||
|
});
|
||||||
|
assert.strictEqual(createResponse.status, 401);
|
||||||
|
|
||||||
|
// Pattern 2: Incorrect token
|
||||||
|
createResponse = await relativeFetch('api/notes/create', {
|
||||||
|
method: 'POST',
|
||||||
|
headers: {
|
||||||
|
Authorization: `Bearer ${(token.token.access_token as string).slice(0, -1)}`,
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
},
|
||||||
|
body: JSON.stringify({ text: 'test' }),
|
||||||
|
});
|
||||||
|
// RFC 6750 section 3.1 says 401 but it's SHOULD not MUST. 403 should be okay for now.
|
||||||
|
assert.strictEqual(createResponse.status, 403);
|
||||||
|
|
||||||
|
// TODO: error code (invalid_token)
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: .well-known/oauth-authorization-server
|
// TODO: .well-known/oauth-authorization-server
|
||||||
|
|
@ -318,7 +372,5 @@ describe('OAuth', () => {
|
||||||
|
|
||||||
// TODO: invalid redirect_uri (at authorize / at token)
|
// TODO: invalid redirect_uri (at authorize / at token)
|
||||||
|
|
||||||
// TODO: Wrong Authorization header (Not starts with Bearer / token is wrong)
|
|
||||||
|
|
||||||
// TODO: Error format required by OAuth spec
|
// TODO: Error format required by OAuth spec
|
||||||
});
|
});
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue