1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
3 import { expect } from 'chai'
4 import { wait } from '@shared/core-utils'
5 import { HttpStatusCode, UserRole } from '@shared/models'
12 setAccessTokensToServers
13 } from '@shared/server-commands'
15 async function loginExternal (options: {
16 server: PeerTubeServer
21 expectedStatus?: HttpStatusCode
22 expectedStatusStep2?: HttpStatusCode
24 const res = await options.server.plugins.getExternalAuth({
25 npmName: options.npmName,
27 authName: options.authName,
29 expectedStatus: options.expectedStatus || HttpStatusCode.FOUND_302
32 if (res.status !== HttpStatusCode.FOUND_302) return
34 const location = res.header.location
35 const { externalAuthToken } = decodeQueryString(location)
37 const resLogin = await options.server.login.loginUsingExternalToken({
38 username: options.username,
39 externalAuthToken: externalAuthToken as string,
40 expectedStatus: options.expectedStatusStep2
46 describe('Test external auth plugins', function () {
47 let server: PeerTubeServer
49 let cyanAccessToken: string
50 let cyanRefreshToken: string
52 let kefkaAccessToken: string
53 let kefkaRefreshToken: string
55 let externalAuthToken: string
57 before(async function () {
60 server = await createSingleServer(1, {
68 await setAccessTokensToServers([ server ])
70 for (const suffix of [ 'one', 'two', 'three' ]) {
71 await server.plugins.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
75 it('Should display the correct configuration', async function () {
76 const config = await server.config.getConfig()
78 const auths = config.plugin.registeredExternalAuths
79 expect(auths).to.have.lengthOf(9)
81 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
82 expect(auth2).to.exist
83 expect(auth2.authDisplayName).to.equal('External Auth 2')
84 expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
87 it('Should redirect for a Cyan login', async function () {
88 const res = await server.plugins.getExternalAuth({
89 npmName: 'test-external-auth-one',
91 authName: 'external-auth-1',
95 expectedStatus: HttpStatusCode.FOUND_302
98 const location = res.header.location
99 expect(location.startsWith('/login?')).to.be.true
101 const searchParams = decodeQueryString(location)
103 expect(searchParams.externalAuthToken).to.exist
104 expect(searchParams.username).to.equal('cyan')
106 externalAuthToken = searchParams.externalAuthToken as string
109 it('Should reject auto external login with a missing or invalid token', async function () {
110 const command = server.login
112 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
113 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
116 it('Should reject auto external login with a missing or invalid username', async function () {
117 const command = server.login
119 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
120 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
123 it('Should reject auto external login with an expired token', async function () {
128 await server.login.loginUsingExternalToken({
131 expectedStatus: HttpStatusCode.BAD_REQUEST_400
134 await server.servers.waitUntilLog('expired external auth token', 4)
137 it('Should auto login Cyan, create the user and use the token', async function () {
139 const res = await loginExternal({
141 npmName: 'test-external-auth-one',
142 authName: 'external-auth-1',
149 cyanAccessToken = res.access_token
150 cyanRefreshToken = res.refresh_token
154 const body = await server.users.getMyInfo({ token: cyanAccessToken })
155 expect(body.username).to.equal('cyan')
156 expect(body.account.displayName).to.equal('cyan')
157 expect(body.email).to.equal('cyan@example.com')
158 expect(body.role.id).to.equal(UserRole.USER)
162 it('Should auto login Kefka, create the user and use the token', async function () {
164 const res = await loginExternal({
166 npmName: 'test-external-auth-one',
167 authName: 'external-auth-2',
171 kefkaAccessToken = res.access_token
172 kefkaRefreshToken = res.refresh_token
176 const body = await server.users.getMyInfo({ token: kefkaAccessToken })
177 expect(body.username).to.equal('kefka')
178 expect(body.account.displayName).to.equal('Kefka Palazzo')
179 expect(body.email).to.equal('kefka@example.com')
180 expect(body.role.id).to.equal(UserRole.ADMINISTRATOR)
184 it('Should refresh Cyan token, but not Kefka token', async function () {
186 const resRefresh = await server.login.refreshToken({ refreshToken: cyanRefreshToken })
187 cyanAccessToken = resRefresh.body.access_token
188 cyanRefreshToken = resRefresh.body.refresh_token
190 const body = await server.users.getMyInfo({ token: cyanAccessToken })
191 expect(body.username).to.equal('cyan')
195 await server.login.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
199 it('Should update Cyan profile', async function () {
200 await server.users.updateMe({
201 token: cyanAccessToken,
202 displayName: 'Cyan Garamonde',
203 description: 'Retainer to the king of Doma'
206 const body = await server.users.getMyInfo({ token: cyanAccessToken })
207 expect(body.account.displayName).to.equal('Cyan Garamonde')
208 expect(body.account.description).to.equal('Retainer to the king of Doma')
211 it('Should logout Cyan', async function () {
212 await server.login.logout({ token: cyanAccessToken })
215 it('Should have logged out Cyan', async function () {
216 await server.servers.waitUntilLog('On logout cyan')
218 await server.users.getMyInfo({ token: cyanAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
221 it('Should login Cyan and keep the old existing profile', async function () {
223 const res = await loginExternal({
225 npmName: 'test-external-auth-one',
226 authName: 'external-auth-1',
233 cyanAccessToken = res.access_token
236 const body = await server.users.getMyInfo({ token: cyanAccessToken })
237 expect(body.username).to.equal('cyan')
238 expect(body.account.displayName).to.equal('Cyan Garamonde')
239 expect(body.account.description).to.equal('Retainer to the king of Doma')
240 expect(body.role.id).to.equal(UserRole.USER)
243 it('Should not update an external auth email', async function () {
244 await server.users.updateMe({
245 token: cyanAccessToken,
246 email: 'toto@example.com',
247 currentPassword: 'toto',
248 expectedStatus: HttpStatusCode.BAD_REQUEST_400
252 it('Should reject token of Kefka by the plugin hook', async function () {
257 await server.users.getMyInfo({ token: kefkaAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
260 it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
261 await server.plugins.updateSettings({
262 npmName: 'peertube-plugin-test-external-auth-one',
263 settings: { disableKefka: true }
266 await server.login.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
268 await loginExternal({
270 npmName: 'test-external-auth-one',
271 authName: 'external-auth-2',
276 expectedStatus: HttpStatusCode.NOT_FOUND_404
280 it('Should have disabled this auth', async function () {
281 const config = await server.config.getConfig()
283 const auths = config.plugin.registeredExternalAuths
284 expect(auths).to.have.lengthOf(8)
286 const auth1 = auths.find(a => a.authName === 'external-auth-2')
287 expect(auth1).to.not.exist
290 it('Should uninstall the plugin one and do not login Cyan', async function () {
291 await server.plugins.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
293 await loginExternal({
295 npmName: 'test-external-auth-one',
296 authName: 'external-auth-1',
301 expectedStatus: HttpStatusCode.NOT_FOUND_404
304 await server.login.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
305 await server.login.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
306 await server.login.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
309 it('Should not login kefka with another plugin', async function () {
310 await loginExternal({
312 npmName: 'test-external-auth-two',
313 authName: 'external-auth-4',
315 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
318 await loginExternal({
320 npmName: 'test-external-auth-two',
321 authName: 'external-auth-4',
323 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
327 it('Should not login an existing user email', async function () {
328 await server.users.create({ username: 'existing_user', password: 'super_password' })
330 await loginExternal({
332 npmName: 'test-external-auth-two',
333 authName: 'external-auth-6',
334 username: 'existing_user',
335 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
339 it('Should be able to login an existing user username and channel', async function () {
340 await server.users.create({ username: 'existing_user2' })
341 await server.users.create({ username: 'existing_user2-1_channel' })
343 // Test twice to ensure we don't generate a username on every login
344 for (let i = 0; i < 2; i++) {
345 const res = await loginExternal({
347 npmName: 'test-external-auth-two',
348 authName: 'external-auth-7',
349 username: 'existing_user2'
352 const token = res.access_token
354 const myInfo = await server.users.getMyInfo({ token })
355 expect(myInfo.username).to.equal('existing_user2-1')
357 expect(myInfo.videoChannels[0].name).to.equal('existing_user2-1_channel-1')
361 it('Should display the correct configuration', async function () {
362 const config = await server.config.getConfig()
364 const auths = config.plugin.registeredExternalAuths
365 expect(auths).to.have.lengthOf(7)
367 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
368 expect(auth2).to.not.exist
371 after(async function () {
372 await cleanupTests([ server ])
375 it('Should forward the redirectUrl if the plugin returns one', async function () {
376 const resLogin = await loginExternal({
378 npmName: 'test-external-auth-three',
379 authName: 'external-auth-7',
383 const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
384 expect(redirectUrl).to.equal('https://example.com/redirectUrl')
387 it('Should call the plugin\'s onLogout method with the request', async function () {
388 const resLogin = await loginExternal({
390 npmName: 'test-external-auth-three',
391 authName: 'external-auth-8',
395 const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
396 expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)