more discovery test

This commit is contained in:
Kagami Sascha Rosylight 2023-04-10 17:48:45 +02:00
parent 87dbe5e9fb
commit a688bd1061
2 changed files with 134 additions and 91 deletions

View File

@ -511,7 +511,7 @@ export class OAuth2ProviderService {
const clientUrl = validateClientId(clientId); const clientUrl = validateClientId(clientId);
if (process.env.NODE_ENV !== 'test') { if (process.env.NODE_ENV !== 'test' || process.env.MISSKEY_TEST_DISALLOW_LOOPBACK === '1') {
const lookup = await dns.lookup(clientUrl.hostname); const lookup = await dns.lookup(clientUrl.hostname);
if (ipaddr.parse(lookup.address).range() === 'loopback') { if (ipaddr.parse(lookup.address).range() === 'loopback') {
throw new Error('client_id unexpectedly resolves to loopback IP.'); throw new Error('client_id unexpectedly resolves to loopback IP.');

View File

@ -29,7 +29,7 @@ function getClient(): AuthorizationCode<'client_id'> {
}); });
} }
function getMeta(html: string): { transactionId: string | undefined, clientName: string | undefined } | undefined { function getMeta(html: string): { transactionId: string | undefined, clientName: string | undefined } {
const fragment = JSDOM.fragment(html); const fragment = JSDOM.fragment(html);
return { return {
transactionId: fragment.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:transaction-id"]')?.content, transactionId: fragment.querySelector<HTMLMetaElement>('meta[name="misskey:oauth:transaction-id"]')?.content,
@ -68,6 +68,11 @@ describe('OAuth', () => {
beforeAll(async () => { beforeAll(async () => {
app = await startServer(); app = await startServer();
alice = await signup({ username: 'alice' });
}, 1000 * 60 * 2);
beforeEach(async () => {
process.env.MISSKEY_TEST_DISALLOW_LOOPBACK = '';
fastify = Fastify(); fastify = Fastify();
fastify.get('/', async (request, reply) => { fastify.get('/', async (request, reply) => {
reply.send(` reply.send(`
@ -77,12 +82,13 @@ describe('OAuth', () => {
`); `);
}); });
await fastify.listen({ port: clientPort }); await fastify.listen({ port: clientPort });
});
alice = await signup({ username: 'alice' });
}, 1000 * 60 * 2);
afterAll(async () => { afterAll(async () => {
await app.close(); await app.close();
});
afterEach(async () => {
await fastify.close(); await fastify.close();
}); });
@ -104,7 +110,7 @@ describe('OAuth', () => {
const meta = getMeta(await response.text()); const meta = getMeta(await response.text());
assert.strictEqual(typeof meta.transactionId, 'string'); assert.strictEqual(typeof meta.transactionId, 'string');
assert.strictEqual(meta?.clientName, 'Misklient'); assert.strictEqual(meta.clientName, 'Misklient');
const decisionResponse = await fetchDecision(cookie!, meta.transactionId!, alice); const decisionResponse = await fetchDecision(cookie!, meta.transactionId!, alice);
assert.strictEqual(decisionResponse.status, 302); assert.strictEqual(decisionResponse.status, 302);
@ -602,123 +608,139 @@ describe('OAuth', () => {
}); });
describe('Client Information Discovery', () => { describe('Client Information Discovery', () => {
test('Read HTTP header', async () => { describe('Redirection', () => {
await fastify.close(); test('Read HTTP header', async () => {
await fastify.close();
fastify = Fastify(); fastify = Fastify();
fastify.get('/', async (request, reply) => { fastify.get('/', async (request, reply) => {
reply.header('Link', '</redirect>; rel="redirect_uri"'); reply.header('Link', '</redirect>; rel="redirect_uri"');
reply.send(` reply.send(`
<!DOCTYPE html> <!DOCTYPE html>
<div class="h-app"><div class="p-name">Misklient <div class="h-app"><div class="p-name">Misklient
`); `);
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
}); });
await fastify.listen({ port: clientPort });
const client = getClient(); test('Mixed links', async () => {
await fastify.close();
const response = await fetch(client.authorizeURL({ fastify = Fastify();
redirect_uri, fastify.get('/', async (request, reply) => {
scope: 'write:notes', reply.header('Link', '</redirect>; rel="redirect_uri"');
state: 'state', reply.send(`
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
});
test('Mixed links', async () => {
await fastify.close();
fastify = Fastify();
fastify.get('/', async (request, reply) => {
reply.header('Link', '</redirect>; rel="redirect_uri"');
reply.send(`
<!DOCTYPE html> <!DOCTYPE html>
<link rel="redirect_uri" href="/redirect2" /> <link rel="redirect_uri" href="/redirect2" />
<div class="h-app"><div class="p-name">Misklient <div class="h-app"><div class="p-name">Misklient
`); `);
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
}); });
await fastify.listen({ port: clientPort });
const client = getClient(); test('Multiple items in Link header', async () => {
await fastify.close();
const response = await fetch(client.authorizeURL({ fastify = Fastify();
redirect_uri, fastify.get('/', async (request, reply) => {
scope: 'write:notes', reply.header('Link', '</redirect2>; rel="redirect_uri",</redirect>; rel="redirect_uri"');
state: 'state', reply.send(`
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
});
test('Multiple items in Link header', async () => {
await fastify.close();
fastify = Fastify();
fastify.get('/', async (request, reply) => {
reply.header('Link', '</redirect2>; rel="redirect_uri",</redirect>; rel="redirect_uri"');
reply.send(`
<!DOCTYPE html> <!DOCTYPE html>
<div class="h-app"><div class="p-name">Misklient <div class="h-app"><div class="p-name">Misklient
`); `);
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
}); });
await fastify.listen({ port: clientPort });
const client = getClient(); test('Multiple items in HTML', async () => {
await fastify.close();
const response = await fetch(client.authorizeURL({ fastify = Fastify();
redirect_uri, fastify.get('/', async (request, reply) => {
scope: 'write:notes', reply.send(`
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
console.log(await response.text());
assert.strictEqual(response.status, 200);
});
test('Multiple items in HTML', async () => {
await fastify.close();
fastify = Fastify();
fastify.get('/', async (request, reply) => {
reply.send(`
<!DOCTYPE html> <!DOCTYPE html>
<link rel="redirect_uri" href="/redirect2" /> <link rel="redirect_uri" href="/redirect2" />
<link rel="redirect_uri" href="/redirect" /> <link rel="redirect_uri" href="/redirect" />
<div class="h-app"><div class="p-name">Misklient <div class="h-app"><div class="p-name">Misklient
`); `);
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
}); });
await fastify.listen({ port: clientPort });
const client = getClient(); test('No item', async () => {
await fastify.close();
const response = await fetch(client.authorizeURL({ fastify = Fastify();
redirect_uri, fastify.get('/', async (request, reply) => {
scope: 'write:notes', reply.send(`
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
});
test('No item', async () => {
await fastify.close();
fastify = Fastify();
fastify.get('/', async (request, reply) => {
reply.send(`
<!DOCTYPE html> <!DOCTYPE html>
<div class="h-app"><div class="p-name">Misklient <div class="h-app"><div class="p-name">Misklient
`); `);
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
// TODO: status code
assert.strictEqual(response.status, 500);
}); });
await fastify.listen({ port: clientPort }); });
test('Disallow loopback', async () => {
process.env.MISSKEY_TEST_DISALLOW_LOOPBACK = '1';
const client = getClient(); const client = getClient();
const response = await fetch(client.authorizeURL({ const response = await fetch(client.authorizeURL({
redirect_uri, redirect_uri,
scope: 'write:notes', scope: 'write:notes',
@ -729,11 +751,32 @@ describe('OAuth', () => {
// TODO: status code // TODO: status code
assert.strictEqual(response.status, 500); assert.strictEqual(response.status, 500);
}); });
test('Missing name', async () => {
await fastify.close();
fastify = Fastify();
fastify.get('/', async (request, reply) => {
reply.header('Link', '</redirect>; rel="redirect_uri"');
reply.send();
});
await fastify.listen({ port: clientPort });
const client = getClient();
const response = await fetch(client.authorizeURL({
redirect_uri,
scope: 'write:notes',
state: 'state',
code_challenge: 'code',
code_challenge_method: 'S256',
}));
assert.strictEqual(response.status, 200);
assert.strictEqual(getMeta(await response.text()).clientName, `http://127.0.0.1:${clientPort}/`);
});
}); });
// TODO: authorizing two users concurrently // TODO: authorizing two users concurrently
// TODO: Error format required by OAuth spec // TODO: Error format required by OAuth spec
// TODO: Client Information Discovery (use http header, loopback check, missing name or redirection uri)
}); });