Feature: Allow token introspection without read scope (#27142)
This commit is contained in:
Emelia Smith
GitHub
parent
4612576c68
commit
7c3fea7275
3 changed files with 79 additions and 6 deletions
|
|
@ -1,9 +1,9 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::V1::Apps::CredentialsController < Api::BaseController
|
class Api::V1::Apps::CredentialsController < Api::BaseController
|
||||||
before_action -> { doorkeeper_authorize! :read }
|
|
||||||
|
|
||||||
def show
|
def show
|
||||||
render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer, fields: %i(name website vapid_key)
|
return doorkeeper_render_error unless valid_doorkeeper_token?
|
||||||
|
|
||||||
|
render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer, fields: %i(name website vapid_key client_id scopes)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class REST::ApplicationSerializer < ActiveModel::Serializer
|
class REST::ApplicationSerializer < ActiveModel::Serializer
|
||||||
attributes :id, :name, :website, :redirect_uri,
|
attributes :id, :name, :website, :scopes, :redirect_uri,
|
||||||
:client_id, :client_secret, :vapid_key
|
:client_id, :client_secret, :vapid_key
|
||||||
|
|
||||||
def id
|
def id
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,8 @@ describe 'Credentials' do
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with an oauth token' do
|
context 'with an oauth token' do
|
||||||
let(:token) { Fabricate(:accessible_access_token, scopes: 'read', application: Fabricate(:application)) }
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, application: application) }
|
||||||
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
||||||
|
|
||||||
it 'returns the app information correctly', :aggregate_failures do
|
it 'returns the app information correctly', :aggregate_failures do
|
||||||
|
|
@ -21,7 +22,35 @@ describe 'Credentials' do
|
||||||
a_hash_including(
|
a_hash_including(
|
||||||
name: token.application.name,
|
name: token.application.name,
|
||||||
website: token.application.website,
|
website: token.application.website,
|
||||||
vapid_key: Rails.configuration.x.vapid_public_key
|
vapid_key: Rails.configuration.x.vapid_public_key,
|
||||||
|
scopes: token.application.scopes.map(&:to_s),
|
||||||
|
client_id: token.application.uid
|
||||||
|
)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a non-read scoped oauth token' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'admin:write') }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, application: application) }
|
||||||
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
||||||
|
|
||||||
|
it 'returns http success' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(200)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns the app information correctly' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(body_as_json).to match(
|
||||||
|
a_hash_including(
|
||||||
|
name: token.application.name,
|
||||||
|
website: token.application.website,
|
||||||
|
vapid_key: Rails.configuration.x.vapid_public_key,
|
||||||
|
scopes: token.application.scopes.map(&:to_s),
|
||||||
|
client_id: token.application.uid
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
@ -36,5 +65,49 @@ describe 'Credentials' do
|
||||||
expect(response).to have_http_status(401)
|
expect(response).to have_http_status(401)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with a revoked oauth token' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, application: application, revoked_at: DateTime.now.utc) }
|
||||||
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
||||||
|
|
||||||
|
it 'returns http authorization error' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns the error in the json response' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(body_as_json).to match(
|
||||||
|
a_hash_including(
|
||||||
|
error: 'The access token was revoked'
|
||||||
|
)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with an invalid oauth token' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, application: application) }
|
||||||
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}-invalid" } }
|
||||||
|
|
||||||
|
it 'returns http authorization error' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns the error in the json response' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(body_as_json).to match(
|
||||||
|
a_hash_including(
|
||||||
|
error: 'The access token is invalid'
|
||||||
|
)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue