scope test

This commit is contained in:
Kagami Sascha Rosylight 2023-04-08 20:31:18 +02:00
parent 88fd7f2758
commit 401575a903
2 changed files with 88 additions and 4 deletions

View file

@ -330,6 +330,7 @@ export class OAuth2ProviderService {
// },
// });
// TODO: store this in Redis
const TEMP_GRANT_CODES: Record<string, {
clientId: string,
userId: string,
@ -368,7 +369,6 @@ export class OAuth2ProviderService {
return [false];
}
delete TEMP_GRANT_CODES[code];
if (!granted.scopes.length) return [false];
if (body.client_id !== granted.clientId) return [false];
if (redirectUri !== granted.redirectUri) return [false];
if (!body.code_verifier || pkceS256(body.code_verifier) !== granted.codeChallenge) return [false];
@ -444,11 +444,16 @@ export class OAuth2ProviderService {
throw new Error('`code_challenge_method` parameter must be set as S256');
}
const scopes = [...new Set(oauth2?.req.scope)].filter(s => kinds.includes(s));
if (!scopes.length) {
throw new Error('`scope` parameter has no known scope');
}
reply.header('Cache-Control', 'no-store');
return await reply.view('oauth', {
transactionId: oauth2?.transactionID,
clientId: oauth2?.client,
scope: oauth2?.req.scope.join(' '),
scope: scopes.join(' '),
});
});
fastify.post('/oauth/decision', async () => { });

View file

@ -233,13 +233,92 @@ describe('OAuth', () => {
assert.ok(location.searchParams.has('error'));
});
// TODO: .well-known/oauth-authorization-server
describe('Scope', () => {
test('Missing scope', async () => {
const client = getClient();
// TODO: scopes (totally missing / empty / exists but all invalid / exists but partially invalid / all valid)
const response = await fetch(client.authorizeURL({
redirect_uri,
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// TODO: But 500 is not a valid code, should be 403 or such. Check the OAuth spec
assert.strictEqual(response.status, 500);
});
test('Empty scope', async () => {
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: '',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// TODO: But 500 is not a valid code, should be 403 or such. Check the OAuth spec
assert.strictEqual(response.status, 500);
});
test('Unknown scopes', async () => {
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'test:unknown test:unknown2',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// TODO: But 500 is not a valid code, should be 403 or such. Check the OAuth spec
assert.strictEqual(response.status, 500);
});
test('Partially known scopes', async () => {
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes test:unknown test:unknown2',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// Just get the known scope for this case for backward compatibility
assert.strictEqual(response.status, 200);
// TODO: OAuth2 requires returning `scope` in the token response in this case but oauth2orize seemingly doesn't support this
});
test('Known scopes', async () => {
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes read:account',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// Just get the known scope for this case for backward compatibility
assert.strictEqual(response.status, 200);
});
// TODO: duplicate scopes test (currently token response doesn't return final scopes, although it must)
});
// TODO: .well-known/oauth-authorization-server
// TODO: authorizing two users concurrently
// TODO: invalid redirect_uri (at authorize / at token)
// TODO: Wrong Authorization header (Not starts with Bearer / token is wrong)
// TODO: Error format required by OAuth spec
});