| blob | bc8872d3f88fb5af363cf586e882eb322ecdd302 |
1 'use strict';
3 process.env.DISABLE_MATRIX_BRIDGE = '1';
4 process.env.DISABLE_API_LISTEN = '1';
5 process.env.DISABLE_API_WEB_LISTEN = '1';
6 process.env.TEST_EXPORT_RATE_LIMIT = 100;
8 var fixtureLoader = require('gitter-web-test-utils/lib/test-fixtures');
9 var assert = require('assert');
10 var request = require('supertest');
12 var app = require('../../server/web');
14 describe('OAuth tests', function() {
15 var fixture = fixtureLoader.setup({
16 user1: {
17 accessToken: 'web-internal'
18 },
19 oAuthClientNoRedirectUri1: {
20 registeredRedirectUri: null
21 },
22 oAuthClient1: {
23 registeredRedirectUri: 'http://localhost:3434/callback'
24 },
25 oAuthCode1: {
26 user: 'user1',
27 client: 'oAuthClient1'
28 },
29 oAuthClientGoodProtocol1: {
30 registeredRedirectUri: 'https://gitter.im/login/desktop/callback'
31 },
32 oAuthClientGoodProtocol2: {
33 registeredRedirectUri: 'app://gitter/oauth.html'
34 },
36 oAuthClientNoProtocol1: {
37 registeredRedirectUri: 'noprotocol'
38 },
39 oAuthClientBadDataProtocol1: {
40 registeredRedirectUri: 'data:text/html,<script>alert(1)</script>;;?sss'
41 },
42 oAuthClientBadDataProtocol2: {
43 registeredRedirectUri: '%0Adata:text/html,<script>alert(1)</script>;;?sss'
44 },
45 oAuthClientBadJavascriptProtocol1: {
46 registeredRedirectUri: `javascript:alert('xss')`
47 },
48 oAuthClientBadJavascriptProtocol2: {
49 registeredRedirectUri: `\njavascript:alert('xss')`
50 },
51 oAuthClientBadJavascriptProtocol3: {
52 registeredRedirectUri: `%0Ajavascript:alert('xss')`
53 },
54 oAuthClientBadXss1: {
55 registeredRedirectUri: `"onmouseover="alert(1) "`
56 },
57 oAuthClientBadXss2: {
58 registeredRedirectUri: `"><img src=x onerror=confirm(1);>`
59 }
60 });
62 it("GET /login/oauth/token clears out authorization code so it can't be re-used", async function() {
63 this.timeout(8000);
65 const postData = {
66 client_id: fixture.oAuthClient1.clientKey,
67 client_secret: fixture.oAuthClient1.clientSecret,
68 redirect_uri: fixture.oAuthClient1.registeredRedirectUri,
69 grant_type: 'authorization_code',
70 code: fixture.oAuthCode1.code
71 };
73 await request(app)
74 .post(`/login/oauth/token`)
75 .send(postData)
76 .expect(200)
77 .then(function(result) {
78 assert(
79 result.body.access_token && result.body.access_token.length > 0,
80 'no access token provided in body'
81 );
82 assert(result.body.token_type === 'Bearer', 'wrong token_type returned');
83 });
85 await request(app)
86 .post(`/login/oauth/token`)
87 .send(postData)
88 .expect(403)
89 .then(function(result) {
90 assert.deepEqual(result.body, {
91 error: 'invalid_grant',
92 error_description: 'Invalid authorization code'
93 });
94 });
95 });
97 const goodFixtureKeys = ['oAuthClientGoodProtocol1', 'oAuthClientGoodProtocol2'];
99 goodFixtureKeys.forEach(goodFixtureKey => {
100 it(`GET /login/oauth/authorize with bad protocol(${goodFixtureKey}) shows approval authorization page`, async () => {
101 this.timeout(8000);
103 const goodOauthClient = fixture[goodFixtureKey];
105 const goodRedirectUri = encodeURIComponent(goodOauthClient.registeredRedirectUri);
107 await request(app)
108 .get(
109 `/login/oauth/authorize?response_type=code&redirect_uri=${goodRedirectUri}&client_id=${goodOauthClient.clientKey}`
110 )
111 .set('Authorization', `Bearer ${fixture.user1.accessToken}`)
112 .expect(200)
113 .then(function(result) {
114 assert(result.text.includes('Do you approve?'), 'has approval question text');
115 });
116 });
117 });
119 const badFixtureKeys = [
120 'oAuthClientNoProtocol1',
121 'oAuthClientBadDataProtocol1',
122 'oAuthClientBadDataProtocol2',
123 'oAuthClientBadJavascriptProtocol1',
124 'oAuthClientBadJavascriptProtocol2',
125 'oAuthClientBadJavascriptProtocol3',
126 'oAuthClientBadXss1',
127 'oAuthClientBadXss2'
128 ];
130 badFixtureKeys.forEach(badFixtureKey => {
131 it(`GET /login/oauth/authorize with bad protocol(${badFixtureKey}) shows invalid error page`, async () => {
132 this.timeout(8000);
134 const badOauthClient = fixture[badFixtureKey];
136 const badRedirectUri = encodeURIComponent(badOauthClient.registeredRedirectUri);
138 await request(app)
139 .get(
140 `/login/oauth/authorize?response_type=code&redirect_uri=${badRedirectUri}&client_id=${badOauthClient.clientKey}`
141 )
142 .set('Authorization', `Bearer ${fixture.user1.accessToken}`)
143 .expect(401)
144 .then(function(result) {
145 assert(
146 result.text.includes('Your OAuth request is incorrect'),
147 'has incorrect OAuth request page'
148 );
149 assert(
150 result.text.includes('Provided redirectUri is using disallowed bad protocol'),
151 'tells you what is wrong with the redirect URI'
152 );
153 });
154 });
155 });
157 it(`GET /login/oauth/authorize with no client.redirect_uri does not crash server`, async () => {
158 this.timeout(8000);
160 const oAuthClient = fixture.oAuthClientNoRedirectUri1;
162 await request(app)
163 .get(
164 `/login/oauth/authorize?response_type=code&redirect_uri=http://whatever&client_id=${oAuthClient.clientKey}`
165 )
166 .set('Authorization', `Bearer ${fixture.user1.accessToken}`)
167 .expect(401);
168 });
170 it(`GET /login/oauth/authorize with no ?redirect_uri query param does not crash server`, async () => {
171 this.timeout(8000);
173 const oAuthClient = fixture.oAuthClientNoRedirectUri1;
175 await request(app)
176 .get(`/login/oauth/authorize?response_type=code&client_id=${oAuthClient.clientKey}`)
177 .set('Authorization', `Bearer ${fixture.user1.accessToken}`)
178 .expect(401);
179 });
181 it(`GET /login/oauth/authorize with empty ?redirect_uri= query param does not crash server`, async () => {
182 this.timeout(8000);
184 const oAuthClient = fixture.oAuthClientNoRedirectUri1;
186 await request(app)
187 .get(
188 `/login/oauth/authorize?response_type=code&redirect_uri=&client_id=${oAuthClient.clientKey}`
189 )
190 .set('Authorization', `Bearer ${fixture.user1.accessToken}`)
191 .expect(401);
192 });
193 });