From 1f38d624c00fe1f671d06eb5b1f587ff65a5e3b6 Mon Sep 17 00:00:00 2001
From: Kagami Sascha Rosylight
Date: Tue, 27 Jun 2023 21:21:06 +0200
Subject: [PATCH] send WWW-Authenticate where it's possible

---
 packages/backend/test/e2e/oauth.ts | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/packages/backend/test/e2e/oauth.ts b/packages/backend/test/e2e/oauth.ts
index 716d16d7d..a40b78be2 100644
--- a/packages/backend/test/e2e/oauth.ts
+++ b/packages/backend/test/e2e/oauth.ts
@@ -660,7 +660,27 @@ describe('OAuth', () => {
 // invalid for other reasons. The resource SHOULD respond with
 // the HTTP 401 (Unauthorized) status code."
 assert.strictEqual(createResponse.status, 401);
- assert.ok(createResponse.headers.has('WWW-Authenticate'));
+
+ let wwwAuthenticate = createResponse.headers.get('WWW-Authenticate');
+ assert.ok(wwwAuthenticate?.startsWith('Bearer realm="Misskey", error="invalid_token"'));
+
+ // Pattern 3: No token
+ createResponse = await relativeFetch('api/notes/create', {
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/json',
+ },
+ body: JSON.stringify({ text: 'test' }),
+ });
+ wwwAuthenticate = createResponse.headers.get('WWW-Authenticate');
+
+ // https://datatracker.ietf.org/doc/html/rfc6750.html#section-3.1
+ // "If the request lacks any authentication information (e.g., the client
+ // was unaware that authentication is necessary or attempted using an
+ // unsupported authentication method), the resource server SHOULD NOT
+ // include an error code or other error information."
+ assert.strictEqual(createResponse.status, 401);
+ assert.strictEqual(wwwAuthenticate, 'Bearer realm="Misskey"');
 });
 
 // https://datatracker.ietf.org/doc/html/rfc6749.html#section-3.1.2.4
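Review bot: The Pattern 2 assertion `assert.ok(wwwAuthenticate?.startsWith('Bearer realm="Misskey", error="invalid_token"'))` reports only `false == true` when it fails, so a reader cannot tell whether the header was absent or merely shaped differently; splitting it into `assert.ok(wwwAuthenticate, 'missing WWW-Authenticate');` followed by `assert.ok(wwwAuthenticate.startsWith('Bearer realm="Misskey", error="invalid_token"'), wwwAuthenticate);` keeps the prefix check but surfaces the actual value. Because it is only a prefix check it also still passes if the server appends an `error_description` that reflects the rejected credential, so if Pattern 2 sends a token value (that setup is outside the hunk), asserting the header does not contain it would pin that the challenge never echoes credentials. Pattern 3 correctly uses exact equality, which is what pins the RFC 6750 §3.1 rule that a no-credential request gets no error code; for consistency with Pattern 2 the status assertion there could precede reading the header. The enclosing test callback starts before the hunk.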