openstreetmap-website/test/controllers/oauth2_authorizations_controller_test.rb

require "test_helper"

class Oauth2AuthorizationsControllerTest < ActionDispatch::IntegrationTest
  ##
  # test all routes which lead to this controller
  def test_routes
    assert_routing(
      { :path => "/oauth2/authorize", :method => :get },
      { :controller => "oauth2_authorizations", :action => "new" }
    )
    assert_routing(
      { :path => "/oauth2/authorize", :method => :post },
      { :controller => "oauth2_authorizations", :action => "create" }
    )
    assert_routing(
      { :path => "/oauth2/authorize", :method => :delete },
      { :controller => "oauth2_authorizations", :action => "destroy" }
    )
    assert_routing(
      { :path => "/oauth2/authorize/native", :method => :get },
      { :controller => "oauth2_authorizations", :action => "show" }
    )
  end

  def test_new
    application = create(:oauth_application, :scopes => "write_api")

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "write_api")
    assert_response :redirect
    assert_redirected_to login_path(:referer => oauth_authorization_path(:client_id => application.uid,
                                                                         :redirect_uri => application.redirect_uri,
                                                                         :response_type => "code",
                                                                         :scope => "write_api"))

    session_for(create(:user))

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "write_api")
    assert_response :success
    assert_template "oauth2_authorizations/new"
  end

  def test_new_native
    application = create(:oauth_application, :scopes => "write_api", :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "write_api")
    assert_response :redirect
    assert_redirected_to login_path(:referer => oauth_authorization_path(:client_id => application.uid,
                                                                         :redirect_uri => application.redirect_uri,
                                                                         :response_type => "code",
                                                                         :scope => "write_api"))

    session_for(create(:user))

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "write_api")
    assert_response :success
    assert_template "oauth2_authorizations/new"
  end

  def test_new_bad_uri
    application = create(:oauth_application, :scopes => "write_api")

    session_for(create(:user))

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => "https://bad.example.com/",
                                 :response_type => "code",
                                 :scope => "write_api")
    assert_response :bad_request
    assert_template "oauth2_authorizations/error"
    assert_select "p", "The requested redirect uri is malformed or doesn't match client redirect URI."
  end

  def test_new_bad_scope
    application = create(:oauth_application, :scopes => "write_api")

    session_for(create(:user))

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "bad_scope")
    assert_response :bad_request
    assert_template "oauth2_authorizations/error"
    assert_select "p", "The requested scope is invalid, unknown, or malformed."

    get oauth_authorization_path(:client_id => application.uid,
                                 :redirect_uri => application.redirect_uri,
                                 :response_type => "code",
                                 :scope => "write_prefs")
    assert_response :bad_request
    assert_template "oauth2_authorizations/error"
    assert_select "p", "The requested scope is invalid, unknown, or malformed."
  end

  def test_create
    application = create(:oauth_application, :scopes => "write_api")

    post oauth_authorization_path(:client_id => application.uid,
                                  :redirect_uri => application.redirect_uri,
                                  :response_type => "code",
                                  :scope => "write_api")
    assert_response :forbidden

    session_for(create(:user))

    post oauth_authorization_path(:client_id => application.uid,
                                  :redirect_uri => application.redirect_uri,
                                  :response_type => "code",
                                  :scope => "write_api")
    assert_response :redirect
    assert_redirected_to(/^#{Regexp.escape(application.redirect_uri)}\?code=/)
  end

  def test_create_native
    application = create(:oauth_application, :scopes => "write_api", :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")

    post oauth_authorization_path(:client_id => application.uid,
                                  :redirect_uri => application.redirect_uri,
                                  :response_type => "code",
                                  :scope => "write_api")
    assert_response :forbidden

    session_for(create(:user))

    post oauth_authorization_path(:client_id => application.uid,
                                  :redirect_uri => application.redirect_uri,
                                  :response_type => "code",
                                  :scope => "write_api")
    assert_response :redirect
    assert_equal native_oauth_authorization_path, URI.parse(response.location).path
    follow_redirect!
    assert_response :success
    assert_template "oauth2_authorizations/show"
  end

  def test_destroy
    application = create(:oauth_application)

    delete oauth_authorization_path(:client_id => application.uid,
                                    :redirect_uri => application.redirect_uri,
                                    :response_type => "code",
                                    :scope => "write_api")
    assert_response :forbidden

    session_for(create(:user))

    delete oauth_authorization_path(:client_id => application.uid,
                                    :redirect_uri => application.redirect_uri,
                                    :response_type => "code",
                                    :scope => "write_api")
    assert_response :redirect
    assert_redirected_to(/^#{Regexp.escape(application.redirect_uri)}\?error=access_denied/)
  end

  def test_destroy_native
    application = create(:oauth_application, :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")

    delete oauth_authorization_path(:client_id => application.uid,
                                    :redirect_uri => application.redirect_uri,
                                    :response_type => "code",
                                    :scope => "write_api")
    assert_response :forbidden

    session_for(create(:user))

    delete oauth_authorization_path(:client_id => application.uid,
                                    :redirect_uri => application.redirect_uri,
                                    :response_type => "code",
                                    :scope => "write_api")
    assert_response :bad_request
  end
end