RubyGems - doorkeeper-mongodb - Versions diffs - 5.2.1 → 5.2.3 - Mend

doorkeeper-mongodb 5.2.1 → 5.2.3

Files changed (177) hide show

data/spec/requests/flows/password_spec.rb CHANGED Viewed

@@ -2,315 +2,355 @@
 require "spec_helper"
-describe "Resource Owner Password Credentials Flow not set up" do
-  before do
-    client_exists
-    create_resource_owner
-  end
+RSpec.describe "Resource Owner Password Credentials Flow" do
+  context "when not setup properly" do
+    before do
+      client_exists
+      create_resource_owner
+    end
-  context "with valid user credentials" do
-    it "does not issue new token" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
+    context "with valid user credentials" do
+      it "does not issue new token" do
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
     end
   end
-end
-describe "Resource Owner Password Credentials Flow" do
-  let(:client_attributes) { { redirect_uri: nil } }
+  context "when grant type configured" do
+    let(:client_attributes) { { redirect_uri: nil } }
-  before do
-    config_is_set(:grant_flows, ["password"])
-    config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists(client_attributes)
-    create_resource_owner
-  end
+    before do
+      config_is_set(:grant_flows, ["password"])
+      config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
+      client_exists(client_attributes)
+      create_resource_owner
+    end
-  context "with valid user credentials" do
-    context "with non-confidential/public client" do
-      let(:client_attributes) { { confidential: false } }
+    context "with valid user credentials" do
+      context "with confidential client authorized using Basic auth" do
+        it "issues a new token" do
+          expect do
+            post password_token_endpoint_url(
+              resource_owner: @resource_owner,
+            ), headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
+          end.to(change { Doorkeeper::AccessToken.count })
-      context "when configured to check application supported grant flow" do
-        before do
-          Doorkeeper.configuration.instance_variable_set(
-            :@allow_grant_flow_for_client,
-            ->(_grant_flow, client) { client.name == "admin" },
+          token = Doorkeeper::AccessToken.first
+          expect(token.application_id).to eq(@client.id)
+          expect(json_response).to match(
+            "access_token" => token.token,
+            "expires_in" => an_instance_of(Integer),
+            "token_type" => "Bearer",
+            "created_at" => an_instance_of(Integer),
           )
         end
+      end
-        scenario "forbids the request when doesn't satisfy condition" do
-          @client.update(name: "sample app")
+      context "with non-confidential/public client" do
+        let(:client_attributes) { { confidential: false } }
-          expect do
-            post password_token_endpoint_url(
-              client_id: @client.uid,
-              client_secret: "foobar",
-              resource_owner: @resource_owner,
+        context "when configured to check application supported grant flow" do
+          before do
+            Doorkeeper.configuration.instance_variable_set(
+              :@allow_grant_flow_for_client,
+              ->(_grant_flow, client) { client.name == "admin" },
             )
-          end.not_to(change { Doorkeeper::AccessToken.count })
+          end
-          expect(response.status).to eq(401)
-          should_have_json "error", "invalid_client"
-        end
+          scenario "forbids the request when doesn't satisfy condition" do
+            @client.update(name: "sample app")
+            expect do
+              post password_token_endpoint_url(
+                client_id: @client.uid,
+                client_secret: "foobar",
+                resource_owner: @resource_owner,
+              )
+            end.not_to(change { Doorkeeper::AccessToken.count })
-        scenario "allows the request when satisfies condition" do
-          @client.update(name: "admin")
+            expect(response.status).to eq(401)
+            expect(json_response).to match(
+              "error" => "invalid_client",
+              "error_description" => an_instance_of(String),
+            )
+          end
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
+          scenario "allows the request when satisfies condition" do
+            @client.update(name: "admin")
-          token = Doorkeeper::AccessToken.first
+            expect do
+              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+            end.to change { Doorkeeper::AccessToken.count }.by(1)
+            token = Doorkeeper::AccessToken.first
+            expect(token.application_id).to eq(@client.id)
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
+            expect(json_response).to include("access_token" => token.token)
+          end
         end
-      end
-      context "when client_secret absent" do
-        it "should issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
+        context "when client_secret absent" do
+          it "issues a new token" do
+            expect do
+              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+            end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
+            token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
+            expect(token.application_id).to eq(@client.id)
+            expect(json_response).to include("access_token" => token.token)
+          end
+        end
+        context "when client_secret present" do
+          it "issues a new token" do
+            expect do
+              post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+            end.to change { Doorkeeper::AccessToken.count }.by(1)
+            token = Doorkeeper::AccessToken.first
+            expect(token.application_id).to eq(@client.id)
+            expect(json_response).to include("access_token" => token.token)
+          end
+          context "when client_secret incorrect" do
+            it "doesn't issue new token" do
+              expect do
+                post password_token_endpoint_url(
+                  client_id: @client.uid,
+                  client_secret: "foobar",
+                  resource_owner: @resource_owner,
+                )
+              end.not_to(change { Doorkeeper::AccessToken.count })
+              expect(response.status).to eq(401)
+              expect(json_response).to include(
+                "error" => "invalid_client",
+                "error_description" => an_instance_of(String),
+              )
+            end
+          end
         end
       end
-      context "when client_secret present" do
-        it "should issue new token" do
+      context "with confidential/private client" do
+        it "issues a new token" do
           expect do
             post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
           end.to change { Doorkeeper::AccessToken.count }.by(1)
           token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq @client.id
-          should_have_json "access_token", token.token
+          expect(token.application_id).to eq(@client.id)
+          expect(json_response).to include("access_token" => token.token)
         end
-        context "when client_secret incorrect" do
-          it "should not issue new token" do
+        context "when client_secret absent" do
+          it "doesn't issue new token" do
             expect do
-              post password_token_endpoint_url(
-                client_id: @client.uid,
-                client_secret: "foobar",
-                resource_owner: @resource_owner,
-              )
+              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
             end.not_to(change { Doorkeeper::AccessToken.count })
             expect(response.status).to eq(401)
-            should_have_json "error", "invalid_client"
+            expect(json_response).to match(
+              "error" => "invalid_client",
+              "error_description" => an_instance_of(String),
+            )
           end
         end
       end
-    end
-    context "with confidential/private client" do
-      it "should issue new token" do
+      it "issues new token without client credentials" do
         expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
+          post password_token_endpoint_url(resource_owner: @resource_owner)
+        end.to(change { Doorkeeper::AccessToken.count }.by(1))
         token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-      end
-      context "when client_secret absent" do
-        it "should not issue new token" do
-          expect do
-            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-          end.not_to(change { Doorkeeper::AccessToken.count })
-          expect(response.status).to eq(401)
-          should_have_json "error", "invalid_client"
-        end
+        expect(token.application_id).to be_nil
+        expect(json_response).to include("access_token" => token.token)
       end
-    end
-    it "should issue new token without client credentials" do
-      expect do
-        post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to(change { Doorkeeper::AccessToken.count }.by(1))
+      it "issues a refresh token if enabled" do
+        config_is_set(:refresh_token_enabled, true)
-      token = Doorkeeper::AccessToken.first
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      expect(token.application_id).to be_nil
-      should_have_json "access_token", token.token
-    end
+        token = Doorkeeper::AccessToken.first
+        expect(json_response).to include("refresh_token" => token.refresh_token)
+      end
-    it "should issue a refresh token if enabled" do
-      config_is_set(:refresh_token_enabled, true)
+      it "returns the same token if it is still accessible" do
+        allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        client_is_authorized(@client, @resource_owner)
-      token = Doorkeeper::AccessToken.first
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      should_have_json "refresh_token", token.refresh_token
-    end
+        expect(Doorkeeper::AccessToken.count).to be(1)
+        expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
+      end
-    it "should return the same token if it is still accessible" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+      context "with valid, default scope" do
+        before do
+          default_scopes_exist :public
+        end
-      client_is_authorized(@client, @resource_owner)
+        it "issues new token" do
+          expect do
+            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
-      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+          token = Doorkeeper::AccessToken.first
-      expect(Doorkeeper::AccessToken.count).to be(1)
-      should_have_json "access_token", Doorkeeper::AccessToken.first.token
+          expect(token.application_id).to eq(@client.id)
+          expect(json_response).to include(
+            "access_token" => token.token,
+            "scope" => "public",
+          )
+        end
+      end
     end
-    context "with valid, default scope" do
+    context "when application scopes are present and differs from configured default scopes and no scope is passed" do
       before do
         default_scopes_exist :public
+        @client.update(scopes: "abc")
       end
-      it "should issue new token" do
+      it "issues new token without any scope" do
         expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
         end.to change { Doorkeeper::AccessToken.count }.by(1)
         token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq @client.id
-        should_have_json "access_token", token.token
-        should_have_json "scope", "public"
+        expect(token.application_id).to eq(@client.id)
+        expect(token.scopes).to be_empty
+        expect(json_response).to include("access_token" => token.token)
+        expect(json_response).not_to include("scope")
       end
     end
-  end
-  context "when application scopes are present and differs from configured default scopes and no scope is passed" do
-    before do
-      default_scopes_exist :public
-      @client.update(scopes: "abc")
-    end
+    context "when application scopes contain some of the default scopes and no scope is passed" do
+      before do
+        @client.update(scopes: "read write public")
+      end
-    it "issues new token without any scope" do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+      it "issues new token with one default scope that are present in application scopes" do
+        default_scopes_exist :public, :admin
-      token = Doorkeeper::AccessToken.first
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
-      expect(token.application_id).to eq @client.id
-      expect(token.scopes).to be_empty
-      should_have_json "access_token", token.token
-      should_not_have_json "scope"
-    end
-  end
+        token = Doorkeeper::AccessToken.first
-  context "when application scopes contain some of the default scopes and no scope is passed" do
-    before do
-      @client.update(scopes: "read write public")
-    end
+        expect(token.application_id).to eq(@client.id)
+        expect(json_response).to include(
+          "access_token" => token.token,
+          "scope" => "public",
+        )
+      end
-    it "issues new token with one default scope that are present in application scopes" do
-      default_scopes_exist :public, :admin
+      it "issues new token with multiple default scopes that are present in application scopes" do
+        default_scopes_exist :public, :read, :update
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
-      token = Doorkeeper::AccessToken.first
+        token = Doorkeeper::AccessToken.first
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public"
+        expect(token.application_id).to eq(@client.id)
+        expect(json_response).to include(
+          "access_token" => token.token,
+          "scope" => "public read",
+        )
+      end
     end
-    it "issues new token with multiple default scopes that are present in application scopes" do
-      default_scopes_exist :public, :read, :update
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-      token = Doorkeeper::AccessToken.first
+    context "with invalid scopes" do
+      subject do
+        post password_token_endpoint_url(
+          client: @client,
+          resource_owner: @resource_owner,
+          scope: "random",
+        )
+      end
-      expect(token.application_id).to eq @client.id
-      should_have_json "access_token", token.token
-      should_have_json "scope", "public read"
-    end
-  end
+      it "doesn't issue new token" do
+        expect { subject }.not_to(change { Doorkeeper::AccessToken.count })
+      end
-  context "with invalid scopes" do
-    subject do
-      post password_token_endpoint_url(
-        client: @client,
-        resource_owner: @resource_owner,
-        scope: "random",
-      )
-    end
+      it "returns invalid_scope error" do
+        subject
-    it "should not issue new token" do
-      expect { subject }.to_not(change { Doorkeeper::AccessToken.count })
-    end
+        expect(json_response).to include(
+          "error" => "invalid_scope",
+          "error_description" => translated_error_message(:invalid_scope),
+        )
-    it "should return invalid_scope error" do
-      subject
-      should_have_json "error", "invalid_scope"
-      should_have_json "error_description", translated_error_message(:invalid_scope)
-      should_not_have_json "access_token"
+        expect(json_response).not_to include("access_token")
-      expect(response.status).to eq(400)
+        expect(response.status).to eq(400)
+      end
     end
-  end
-  context "with invalid user credentials" do
-    it "should not issue new token with bad password" do
-      expect do
-        post password_token_endpoint_url(
-          client: @client,
-          resource_owner_username: @resource_owner.name,
-          resource_owner_password: "wrongpassword",
-        )
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
+    context "with invalid user credentials" do
+      it "doesn't issue new token with bad password" do
+        expect do
+          post password_token_endpoint_url(
+            client: @client,
+            resource_owner_username: @resource_owner.name,
+            resource_owner_password: "wrongpassword",
+          )
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
-    it "should not issue new token without credentials" do
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
-    end
+      it "doesn't issue new token without credentials" do
+        expect do
+          post password_token_endpoint_url(client: @client)
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
-    it "should not issue new token if resource_owner_from_credentials returned false or nil" do
-      config_is_set(:resource_owner_from_credentials) { false }
+      it "doesn't issue new token if resource_owner_from_credentials returned false or nil" do
+        config_is_set(:resource_owner_from_credentials) { false }
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
+        expect do
+          post password_token_endpoint_url(client: @client)
+        end.not_to(change { Doorkeeper::AccessToken.count })
-      config_is_set(:resource_owner_from_credentials) { nil }
+        config_is_set(:resource_owner_from_credentials) { nil }
-      expect do
-        post password_token_endpoint_url(client: @client)
-      end.to_not(change { Doorkeeper::AccessToken.count })
+        expect do
+          post password_token_endpoint_url(client: @client)
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
     end
-  end
-  context "with invalid confidential client credentials" do
-    it "should not issue new token with bad client credentials" do
-      expect do
-        post password_token_endpoint_url(
-          client_id: @client.uid,
-          client_secret: "bad_secret",
-          resource_owner: @resource_owner,
-        )
-      end.to_not(change { Doorkeeper::AccessToken.count })
+    context "with invalid confidential client credentials" do
+      it "doesn't issue new token with bad client credentials" do
+        expect do
+          post password_token_endpoint_url(
+            client_id: @client.uid,
+            client_secret: "bad_secret",
+            resource_owner: @resource_owner,
+          )
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
     end
-  end
-  context "with invalid public client id" do
-    it "should not issue new token with bad client id" do
-      expect do
-        post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
-      end.to_not(change { Doorkeeper::AccessToken.count })
+    context "with invalid public client id" do
+      it "doesn't issue new token with bad client id" do
+        expect do
+          post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
+        end.not_to(change { Doorkeeper::AccessToken.count })
+      end
     end
   end
 end