forked from fedi/mastodon
Fix app name, website and redirect URIs not having a maximum length (#16042)
Fix app scopes not being validated
This commit is contained in:
parent
3d82a1de05
commit
3b8d085436
|
@ -4,6 +4,8 @@ module ApplicationExtension
|
||||||
extend ActiveSupport::Concern
|
extend ActiveSupport::Concern
|
||||||
|
|
||||||
included do
|
included do
|
||||||
validates :website, url: true, if: :website?
|
validates :name, length: { maximum: 60 }
|
||||||
|
validates :website, url: true, length: { maximum: 2_000 }, if: :website?
|
||||||
|
validates :redirect_uri, length: { maximum: 2_000 }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -52,6 +52,11 @@ Doorkeeper.configure do
|
||||||
# Issue access tokens with refresh token (disabled by default)
|
# Issue access tokens with refresh token (disabled by default)
|
||||||
# use_refresh_token
|
# use_refresh_token
|
||||||
|
|
||||||
|
# Forbids creating/updating applications with arbitrary scopes that are
|
||||||
|
# not in configuration, i.e. `default_scopes` or `optional_scopes`.
|
||||||
|
# (Disabled by default)
|
||||||
|
enforce_configured_scopes
|
||||||
|
|
||||||
# Provide support for an owner to be assigned to each registered application (disabled by default)
|
# Provide support for an owner to be assigned to each registered application (disabled by default)
|
||||||
# Optional parameter :confirmation => true (default false) if you want to enforce ownership of
|
# Optional parameter :confirmation => true (default false) if you want to enforce ownership of
|
||||||
# a registered application
|
# a registered application
|
||||||
|
|
|
@ -4,23 +4,83 @@ RSpec.describe Api::V1::AppsController, type: :controller do
|
||||||
render_views
|
render_views
|
||||||
|
|
||||||
describe 'POST #create' do
|
describe 'POST #create' do
|
||||||
|
let(:client_name) { 'Test app' }
|
||||||
|
let(:scopes) { nil }
|
||||||
|
let(:redirect_uris) { 'urn:ietf:wg:oauth:2.0:oob' }
|
||||||
|
let(:website) { nil }
|
||||||
|
|
||||||
|
let(:app_params) do
|
||||||
|
{
|
||||||
|
client_name: client_name,
|
||||||
|
redirect_uris: redirect_uris,
|
||||||
|
scopes: scopes,
|
||||||
|
website: website,
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
before do
|
before do
|
||||||
post :create, params: { client_name: 'Test app', redirect_uris: 'urn:ietf:wg:oauth:2.0:oob' }
|
post :create, params: app_params
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns http success' do
|
context 'with valid params' do
|
||||||
expect(response).to have_http_status(200)
|
it 'returns http success' do
|
||||||
|
expect(response).to have_http_status(200)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'creates an OAuth app' do
|
||||||
|
expect(Doorkeeper::Application.find_by(name: client_name)).to_not be nil
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns client ID and client secret' do
|
||||||
|
json = body_as_json
|
||||||
|
|
||||||
|
expect(json[:client_id]).to_not be_blank
|
||||||
|
expect(json[:client_secret]).to_not be_blank
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates an OAuth app' do
|
context 'with an unsupported scope' do
|
||||||
expect(Doorkeeper::Application.find_by(name: 'Test app')).to_not be nil
|
let(:scopes) { 'hoge' }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns client ID and client secret' do
|
context 'with many duplicate scopes' do
|
||||||
json = body_as_json
|
let(:scopes) { (%w(read) * 40).join(' ') }
|
||||||
|
|
||||||
expect(json[:client_id]).to_not be_blank
|
it 'returns http success' do
|
||||||
expect(json[:client_secret]).to_not be_blank
|
expect(response).to have_http_status(200)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'only saves the scope once' do
|
||||||
|
expect(Doorkeeper::Application.find_by(name: client_name).scopes.to_s).to eq 'read'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a too-long name' do
|
||||||
|
let(:client_name) { 'hoge' * 20 }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a too-long website' do
|
||||||
|
let(:website) { 'https://foo.bar/' + ('hoge' * 2_000) }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a too-long redirect_uris' do
|
||||||
|
let(:redirect_uris) { 'https://foo.bar/' + ('hoge' * 2_000) }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue