3 class OAuthTest < ActionDispatch::IntegrationTest
# Fixture sets every test in this file depends on.  The gpx_files table is
# backed by the Trace model, so the fixture/model mapping is declared
# explicitly instead of being inferred from the table name.
fixtures(:users, :client_applications, :gpx_files)
set_fixture_class(:gpx_files => Trace)
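def test_oauth10_web_app
  # OAuth 1.0 flow (no verifier) for a web application with a registered
  # callback: request token, user authorisation, access-token exchange, scoped
  # API use and revocation.  The flow runs twice with different grants to show
  # that the API checks the permissions of the individual token, not of the
  # application.
  app = client_applications(:oauth_web_app)

  post_via_redirect "/login",
                    :username => app.user.email, :password => "test"
  assert_response :success

  # --- first grant: preference access only ---
  signed_get "/oauth/request_token", :consumer => app
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  # An unauthorised request token starts with the application's own
  # permission set.
  assert_allowed request_token, app.permissions

  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :allow_read_prefs => true, :allow_write_prefs => true
  assert_response :redirect
  assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{request_token.token}"
  # The authorisation was persisted by the server side of the request; the
  # in-memory record has to be refreshed before its columns are inspected.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  # allow_write_prefs was asked for but must not be granted (presumably capped
  # by what the application registered).
  assert_allowed request_token, [:allow_read_prefs]

  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :success
  # A request token is single-use: the exchange invalidates it.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_read_prefs]

  # Scope enforcement: the granted permission works; an ungranted one is
  # refused with 403 (the token itself is still valid).
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :forbidden

  # Revocation by the user invalidates the token immediately; further use is
  # rejected as unauthenticated (401), unlike the scope failure above.
  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :unauthorized

  # --- second grant: API write and GPX read, with a callback chosen at
  # authorisation time (OAuth 1.0 lets the client supply it there) ---
  signed_get "/oauth/request_token", :consumer => app
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, app.permissions

  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :oauth_callback => "http://another.web.app.org/callback",
       :allow_write_api => true, :allow_read_gpx => true
  assert_response :redirect
  assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{request_token.token}"
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_write_api, :allow_read_gpx]

  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :success
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_write_api, :allow_read_gpx]

  # The second token has the opposite scope of the first: GPX is readable,
  # user details are not.
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/user/details", :consumer => app, :token => access_token
  assert_response :forbidden

  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :unauthorized
end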
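def test_oauth10_desktop_app
  # OAuth 1.0 flow for a desktop application: identical to the web-app flow
  # except that there is no callback, so the authorise step renders a page
  # instead of redirecting.
  app = client_applications(:oauth_desktop_app)

  post_via_redirect "/login",
                    :username => app.user.email, :password => "test"
  assert_response :success

  signed_get "/oauth/request_token", :consumer => app
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, app.permissions

  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :allow_read_prefs => true, :allow_write_prefs => true
  assert_response :success
  assert_template "authorize_success"
  # The authorisation was persisted by the server side of the request; the
  # in-memory record has to be refreshed before its columns are inspected.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  # allow_write_prefs was asked for but must not be granted.
  assert_allowed request_token, [:allow_read_prefs]

  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :success
  # The exchange invalidates the single-use request token.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_read_prefs]

  # Scope enforcement: 403 for a permission the token does not carry.
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :forbidden

  # After revocation the token no longer authenticates at all (401).
  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :unauthorized
end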
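def test_oauth10a_web_app
  # OAuth 1.0a flow for a web application.  Compared with 1.0, the callback is
  # bound when the request token is issued (not at authorisation time) and the
  # access-token exchange must present the oauth_verifier handed to the user.
  app = client_applications(:oauth_web_app)

  post_via_redirect "/login",
                    :username => app.user.email, :password => "test"
  assert_response :success

  # --- first grant: "oob" callback, so the registered callback is used ---
  signed_get "/oauth/request_token",
             :consumer => app, :oauth_callback => "oob"
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, app.permissions

  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :allow_read_prefs => true, :allow_write_prefs => true
  assert_response :redirect
  verifier = parse_verifier(response)
  assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{request_token.token}&oauth_verifier=#{verifier}"
  # Refresh the in-memory record; the authorisation was persisted server-side.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_read_prefs]

  # Without the verifier the exchange must be refused: possession of the
  # request token alone is not proof that the user authorised it.
  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :unauthorized

  signed_get "/oauth/access_token",
             :consumer => app, :token => request_token, :oauth_verifier => verifier
  assert_response :success
  # The exchange invalidates the single-use request token.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_read_prefs]

  # Scope enforcement: 403 for a permission the token does not carry.
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :forbidden

  # After revocation the token no longer authenticates at all (401).
  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :unauthorized

  # --- second grant: explicit callback supplied with the request token ---
  signed_get "/oauth/request_token",
             :consumer => app,
             :oauth_callback => "http://another.web.app.org/callback"
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, app.permissions

  # No callback is passed here; the redirect must go to the one bound above.
  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :allow_write_api => true, :allow_read_gpx => true
  assert_response :redirect
  verifier = parse_verifier(response)
  assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{request_token.token}&oauth_verifier=#{verifier}"
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_write_api, :allow_read_gpx]

  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :unauthorized

  signed_get "/oauth/access_token",
             :consumer => app, :token => request_token, :oauth_verifier => verifier
  assert_response :success
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_write_api, :allow_read_gpx]

  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/user/details", :consumer => app, :token => access_token
  assert_response :forbidden

  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :unauthorized
end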
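def test_oauth10a_desktop_app
  # OAuth 1.0a flow for a desktop application: no callback, so the verifier is
  # shown to the user on the authorisation page and has to be scraped from the
  # response body here.
  app = client_applications(:oauth_desktop_app)

  post_via_redirect "/login",
                    :username => app.user.email, :password => "test"
  assert_response :success

  signed_get "/oauth/request_token",
             :consumer => app, :oauth_callback => "oob"
  assert_response :success
  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, app.permissions

  post "/oauth/authorize",
       :oauth_token => request_token.token,
       :allow_read_prefs => true, :allow_write_prefs => true
  assert_response :success
  assert_template "authorize_success"
  m = response.body.match("<p>The verification code is ([A-Za-z0-9]+).</p>")
  # Fail loudly if the page layout changed rather than with a nil error below.
  assert_not_nil m, "verification code not found in authorize_success page"
  verifier = m[1]
  # Refresh the in-memory record; the authorisation was persisted server-side.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_read_prefs]

  # The exchange must be refused until the verifier is presented.
  signed_get "/oauth/access_token", :consumer => app, :token => request_token
  assert_response :unauthorized

  signed_get "/oauth/access_token",
             :consumer => app, :token => request_token, :oauth_verifier => verifier
  assert_response :success
  # The exchange invalidates the single-use request token.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_read_prefs]

  # Scope enforcement: 403 for a permission the token does not carry.
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :success
  signed_get "/api/0.6/gpx/2", :consumer => app, :token => access_token
  assert_response :forbidden

  # After revocation the token no longer authenticates at all (401).
  post "/oauth/revoke", :token => access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  access_token = OauthToken.find_by_token(access_token.token)
  assert_not_nil access_token.invalidated_at
  signed_get "/api/0.6/user/preferences", :consumer => app, :token => access_token
  assert_response :unauthorized
end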
# Issues a GET to +uri+ carrying an OAuth signature built from +options+
# (the :consumer and, where present, :token / :oauth_verifier entries the
# callers pass), using OAuth::Client::Helper for the oauth_* parameters and
# OAuth::RequestProxy to sign the request.
#
# @param uri [String] path or URL to request (callers pass API paths)
# @param options [Hash] OAuth client options handed to OAuth::Client::Helper
347 def signed_get(uri, options)
# NOTE(review): +uri+ is treated as a URI object from here on, yet every
# caller passes a String; a URI.parse step appears to be missing from this
# listing.  Defaults fill in the scheme and host the signature base string
# needs when a bare path was given.
349 uri.scheme ||= "http"
350 uri.host ||= "www.example.com"
352 helper = OAuth::Client::Helper.new(nil, options)
# NOTE(review): the argument hash to proxy is not fully visible in this
# listing; only the "parameters" entry is shown.
354 request = OAuth::RequestProxy.proxy(
357 "parameters" => helper.oauth_parameters
360 request.sign!(options)
# The signature is carried in the query string of the signed URI.
362 get request.signed_uri
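# Reads the oauth_token / oauth_token_secret pair out of a token-endpoint
# response body, looks the token up and checks the secret the server sent
# matches the stored one.
#
# @param response the integration-test response whose body is a
#   form-encoded OAuth token response
# @return [OauthToken] the stored token record (callers assert on its
#   concrete class, RequestToken or AccessToken)
def parse_token(response)
  params = CGI.parse(response.body)

  token = OauthToken.find_by_token(params["oauth_token"].first)
  # Fail with a clear assertion rather than a NoMethodError on nil when the
  # body carries no (or an unknown) oauth_token.
  assert_not_nil token, "response does not carry a known oauth_token"
  assert_equal token.secret, params["oauth_token_secret"].first

  token
end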
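# Extracts the oauth_verifier from the query string of a redirect response.
#
# @param response the integration-test response; its Location header must
#   carry an oauth_verifier query parameter
# @return [String] the verifier value
def parse_verifier(response)
  query = URI.parse(response.location).query
  # CGI.parse needs a String; make a missing query string an assertion
  # failure instead of a NoMethodError.
  assert_not_nil query, "redirect location carries no query string"
  params = CGI.parse(query)

  # CGI.parse returns an empty array for absent keys, so a nil check on the
  # value would never fail; check for the key explicitly.
  assert params.key?("oauth_verifier"), "redirect location carries no oauth_verifier"
  assert params["oauth_verifier"].first.present?

  params["oauth_verifier"].first
end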
# Asserts that +token+ carries exactly the permissions listed in +allowed+:
# every permission the application knows about is checked, so one that was
# not granted must be stored as false, not merely left unchecked.
#
# @param token [OauthToken] token whose permission columns are inspected
# @param allowed [Array<Symbol>] permissions expected to be granted
def assert_allowed(token, allowed)
  ClientApplication.all_permissions.each do |permission|
    expected = allowed.include?(permission)
    assert_equal expected, token.attributes[permission.to_s]
  end
end