3 class OAuthTest < ActionDispatch::IntegrationTest
# Fixture tables every test here depends on; the gpx_files rows are mapped
# onto the Trace model explicitly because the fixture name and the model
# name differ.
fixtures :users, :client_applications, :gpx_files
set_fixture_class :gpx_files => Trace
# OAuth 1.0 end-to-end flow for a client that has a callback URL on file:
# sign in as the user the fixture client belongs to, then run the flow once
# relying on the registered callback and once with a caller-supplied one.
def test_oauth10_web_app
  client = client_applications(:oauth_web_app)
  owner = client.user

  post_via_redirect "/login", username: owner.email, password: "test"
  assert_response :success

  oauth10_without_callback(client)
  oauth10_with_callback(client, "http://another.web.app.org/callback")
end
# OAuth 1.0 end-to-end flow for the desktop fixture client; only the
# no-callback path is exercised (presumably this client has no callback URL
# registered, so the authorize step renders the success page instead of
# redirecting).
def test_oauth10_desktop_app
  client = client_applications(:oauth_desktop_app)
  owner = client.user

  post_via_redirect "/login", username: owner.email, password: "test"
  assert_response :success

  oauth10_without_callback(client)
end
# OAuth 1.0a end-to-end flow (verifier round-trip) for a client with a
# registered callback URL: sign in as the owning user, then run the flow with
# oauth_callback=oob and again with an explicit callback.
def test_oauth10a_web_app
  client = client_applications(:oauth_web_app)
  owner = client.user

  post_via_redirect "/login", username: owner.email, password: "test"
  assert_response :success

  oauth10a_without_callback(client)
  oauth10a_with_callback(client, "http://another.web.app.org/callback")
end
# OAuth 1.0a end-to-end flow for the desktop fixture client; only the
# oob (no callback) path applies, so the verifier has to be read from the
# authorize_success page.
def test_oauth10a_desktop_app
  client = client_applications(:oauth_desktop_app)
  owner = client.user

  post_via_redirect "/login", username: owner.email, password: "test"
  assert_response :success

  oauth10a_without_callback(client)
end
# OAuth 1.0 flow in which the consumer sends no oauth_callback: the callback
# registered for the client (if any) is used on authorize, the request token
# is exchanged for an access token, the access token is tried against the API
# inside and outside its granted scope, and finally revoked.
#
# @param client [ClientApplication] the registered consumer
def oauth10_without_callback(client)
  request_token = get_request_token(client)

  # allow_write_prefs is requested as well, but only read_prefs is expected to
  # be granted below — presumably the fixture client is not registered for
  # write_prefs and the grant is capped at the client's own permissions.
  post "/oauth/authorize",
       oauth_token: request_token.token,
       allow_read_prefs: true, allow_write_prefs: true
  if client.callback_url
    assert_response :redirect
    assert_redirected_to "#{client.callback_url}?oauth_token=#{request_token.token}"
  else
    assert_response :success
    assert_template "authorize_success"
  end
  # Authorization happened server-side; re-read the row before asserting on it.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_read_prefs]

  signed_get "/oauth/access_token", consumer: client, token: request_token
  assert_response :success
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  # The exchange consumes the request token.
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_read_prefs]

  # Within the granted scope the call succeeds ...
  signed_get "/api/0.6/user/preferences", consumer: client, token: access_token
  assert_response :success
  # ... and a resource needing a permission that was not granted is refused.
  signed_get "/api/0.6/gpx/2", consumer: client, token: access_token
  assert_response :forbidden

  post "/oauth/revoke", token: access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  revoked = OauthToken.find_by_token(access_token.token)
  assert_not_nil revoked.invalidated_at

  # A revoked access token must no longer authenticate at all.
  signed_get "/api/0.6/user/preferences", consumer: client, token: revoked
  assert_response :unauthorized
end
# OAuth 1.0 flow with an oauth_callback supplied on the authorize request:
# the browser is sent to that callback, the request token is exchanged, the
# access token is used inside and outside its granted scope, then revoked.
#
# @param client [ClientApplication] the registered consumer
# @param callback_url [String] callback the consumer asks to be redirected to
def oauth10_with_callback(client, callback_url)
  request_token = get_request_token(client)

  post "/oauth/authorize",
       oauth_token: request_token.token, oauth_callback: callback_url,
       allow_write_api: true, allow_read_gpx: true
  assert_response :redirect
  assert_redirected_to "#{callback_url}?oauth_token=#{request_token.token}"

  # Authorization happened server-side; re-read the row before asserting on it.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_write_api, :allow_read_gpx]

  signed_get "/oauth/access_token", consumer: client, token: request_token
  assert_response :success
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  # The exchange consumes the request token.
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_write_api, :allow_read_gpx]

  # Within the granted scope the call succeeds ...
  signed_get "/api/0.6/gpx/2", consumer: client, token: access_token
  assert_response :success
  # ... and a resource needing a permission that was not granted is refused.
  signed_get "/api/0.6/user/details", consumer: client, token: access_token
  assert_response :forbidden

  post "/oauth/revoke", token: access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  revoked = OauthToken.find_by_token(access_token.token)
  assert_not_nil revoked.invalidated_at

  # A revoked access token must no longer authenticate at all.
  signed_get "/api/0.6/gpx/2", consumer: client, token: revoked
  assert_response :unauthorized
end
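# OAuth 1.0a flow with oauth_callback=oob on the request-token step. The
# verifier is delivered either through the client's registered callback
# (redirect) or on the authorize_success page, and the access-token exchange
# must be refused until that verifier is presented.
#
# @param client [ClientApplication] the registered consumer
def oauth10a_without_callback(client)
  token = get_request_token(client, :oauth_callback => "oob")

  # allow_write_prefs is requested as well, but only read_prefs is expected to
  # be granted below — presumably the fixture client is not registered for
  # write_prefs and the grant is capped at the client's own permissions.
  post "/oauth/authorize",
       :oauth_token => token.token,
       :allow_read_prefs => true, :allow_write_prefs => true
  if client.callback_url
    assert_response :redirect
    verifier = parse_verifier(response)
    # Check against the registered callback, as the OAuth 1.0 variant does,
    # instead of a hard-coded host.
    assert_redirected_to "#{client.callback_url}?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
  else
    assert_response :success
    assert_template "authorize_success"
    # Regexp literal with the period escaped, so only the literal sentence matches.
    m = response.body.match(%r{<p>The verification code is ([A-Za-z0-9]+)\.</p>})
    assert_not_nil m, "verification code not found in authorize_success page"
    verifier = m[1]
  end
  # Authorization happened server-side; re-read the row before asserting on it.
  token.reload
  assert_not_nil token.created_at
  assert_not_nil token.authorized_at
  assert_nil token.invalidated_at
  assert_allowed token, [:allow_read_prefs]

  # 1.0a: an exchange without the verifier must be refused.
  signed_get "/oauth/access_token", :consumer => client, :token => token
  assert_response :unauthorized
  # TODO(review): also assert that a wrong verifier (not just a missing one) is refused.

  signed_get "/oauth/access_token",
             :consumer => client, :token => token, :oauth_verifier => verifier
  assert_response :success
  token.reload
  assert_not_nil token.created_at
  assert_not_nil token.authorized_at
  # The exchange consumes the request token.
  assert_not_nil token.invalidated_at
  token = parse_token(response)
  assert_instance_of AccessToken, token
  assert_not_nil token.created_at
  assert_not_nil token.authorized_at
  assert_nil token.invalidated_at
  assert_allowed token, [:allow_read_prefs]

  # Within the granted scope the call succeeds ...
  signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
  assert_response :success
  # ... and a resource needing a permission that was not granted is refused.
  signed_get "/api/0.6/gpx/2", :consumer => client, :token => token
  assert_response :forbidden

  post "/oauth/revoke", :token => token.token
  assert_redirected_to oauth_clients_url(token.user.display_name)
  token = OauthToken.find_by_token(token.token)
  assert_not_nil token.invalidated_at

  # A revoked access token must no longer authenticate at all.
  signed_get "/api/0.6/user/preferences", :consumer => client, :token => token
  assert_response :unauthorized
end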
# OAuth 1.0a flow with the callback given on the request-token step: the
# authorize step redirects there with a verifier, the exchange is refused
# without the verifier and succeeds with it, and the access token is used
# inside and outside its granted scope before being revoked.
#
# @param client [ClientApplication] the registered consumer
# @param callback_url [String] callback registered with the request token
def oauth10a_with_callback(client, callback_url)
  request_token = get_request_token(client, oauth_callback: callback_url)

  post "/oauth/authorize",
       oauth_token: request_token.token,
       allow_write_api: true, allow_read_gpx: true
  assert_response :redirect
  verifier = parse_verifier(response)
  assert_redirected_to "#{callback_url}?oauth_token=#{request_token.token}&oauth_verifier=#{verifier}"
  # Authorization happened server-side; re-read the row before asserting on it.
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  assert_allowed request_token, [:allow_write_api, :allow_read_gpx]

  # 1.0a: an exchange without the verifier must be refused.
  signed_get "/oauth/access_token", consumer: client, token: request_token
  assert_response :unauthorized

  signed_get "/oauth/access_token",
             consumer: client, token: request_token, oauth_verifier: verifier
  assert_response :success
  request_token.reload
  assert_not_nil request_token.created_at
  assert_not_nil request_token.authorized_at
  # The exchange consumes the request token.
  assert_not_nil request_token.invalidated_at
  access_token = parse_token(response)
  assert_instance_of AccessToken, access_token
  assert_not_nil access_token.created_at
  assert_not_nil access_token.authorized_at
  assert_nil access_token.invalidated_at
  assert_allowed access_token, [:allow_write_api, :allow_read_gpx]

  # Within the granted scope the call succeeds ...
  signed_get "/api/0.6/gpx/2", consumer: client, token: access_token
  assert_response :success
  # ... and a resource needing a permission that was not granted is refused.
  signed_get "/api/0.6/user/details", consumer: client, token: access_token
  assert_response :forbidden

  post "/oauth/revoke", token: access_token.token
  assert_redirected_to oauth_clients_url(access_token.user.display_name)
  revoked = OauthToken.find_by_token(access_token.token)
  assert_not_nil revoked.invalidated_at

  # A revoked access token must no longer authenticate at all.
  signed_get "/api/0.6/gpx/2", consumer: client, token: revoked
  assert_response :unauthorized
end
# Obtain a request token for +client+ and check it is fresh: created, not yet
# authorized, not invalidated, and scoped to exactly the client's registered
# permissions.
#
# @param client [ClientApplication] the consumer to sign as
# @param options [Hash] extra protocol parameters (e.g. :oauth_callback)
# @return [RequestToken]
def get_request_token(client, options = {})
  signed_get "/oauth/request_token", options.merge(consumer: client)
  assert_response :success

  request_token = parse_token(response)
  assert_instance_of RequestToken, request_token
  assert_not_nil request_token.created_at
  assert_nil request_token.authorized_at
  assert_nil request_token.invalidated_at
  # A token that has not been through authorize carries the client's own
  # permissions, no more and no less.
  assert_allowed request_token, client.permissions

  request_token
end
# Perform a GET carrying an OAuth 1.0 signature.
#
# @param uri [String] path or absolute URL; a bare path is completed with a
#   scheme and the host the integration session uses, since both go into the
#   signature base string and must match what the server reconstructs
# @param options [Hash] OAuth::Client::Helper options: :consumer, optionally
#   :token, and protocol parameters such as :oauth_callback / :oauth_verifier
def signed_get(uri, options)
  target = URI.parse(uri)
  target.scheme ||= "http"
  target.host ||= "www.example.com"

  oauth_params = OAuth::Client::Helper.new(nil, options).oauth_parameters
  proxy = OAuth::RequestProxy.proxy("method" => "GET",
                                    "uri" => target,
                                    "parameters" => oauth_params)
  proxy.sign!(options)

  get proxy.signed_uri
end
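# Decode a form-encoded token response and look the token up in the database.
#
# @param response the last response; body is application/x-www-form-urlencoded
# @return [OauthToken] the persisted token, whose stored secret must equal the
#   one the server handed out
def parse_token(response)
  params = CGI.parse(response.body)

  token = OauthToken.find_by_token(params["oauth_token"].first)
  # An unknown or absent token would otherwise surface as NoMethodError on nil
  # rather than as a readable assertion failure.
  assert_not_nil token, "no OauthToken found for #{params['oauth_token'].inspect}"
  assert_equal token.secret, params["oauth_token_secret"].first

  token
end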
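# Extract oauth_verifier from the query string of the redirect issued by the
# authorize step.
#
# @param response the redirect response; its Location must carry a query string
# @return [String] the verifier
def parse_verifier(response)
  params = CGI.parse(URI.parse(response.location).query)

  # CGI.parse yields an empty array, never nil, for an absent key, so a nil
  # check on params["oauth_verifier"] can never fail; test for the key itself.
  assert params.key?("oauth_verifier"), "oauth_verifier missing from #{response.location}"
  assert params["oauth_verifier"].first.present?

  params["oauth_verifier"].first
end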
# Assert that the token's permission flags are exactly +allowed+: every
# permission the application knows about must be true iff it is listed, so
# this also catches scope the token must NOT carry.
#
# @param token [OauthToken]
# @param allowed [Array<Symbol>] permissions expected to be granted
def assert_allowed(token, allowed)
  flags = token.attributes
  ClientApplication.all_permissions.each do |permission|
    assert_equal allowed.include?(permission), flags[permission.to_s]
  end
end