server/tests/plugins/external-auth.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { wait } from '@shared/core-utils'
   5 import { HttpStatusCode, UserRole } from '@shared/models'
   6 import {
   7   cleanupTests,
   8   createSingleServer,
   9   decodeQueryString,
  10   PeerTubeServer,
  11   PluginsCommand,
  12   setAccessTokensToServers
  13 } from '@shared/server-commands'
  14
  15 async function loginExternal (options: {
  16   server: PeerTubeServer
  17   npmName: string
  18   authName: string
  19   username: string
  20   query?: any
  21   expectedStatus?: HttpStatusCode
  22   expectedStatusStep2?: HttpStatusCode
  23 }) {
  24   const res = await options.server.plugins.getExternalAuth({
  25     npmName: options.npmName,
  26     npmVersion: '0.0.1',
  27     authName: options.authName,
  28     query: options.query,
  29     expectedStatus: options.expectedStatus || HttpStatusCode.FOUND_302
  30   })
  31
  32   if (res.status !== HttpStatusCode.FOUND_302) return
  33
  34   const location = res.header.location
  35   const { externalAuthToken } = decodeQueryString(location)
  36
  37   const resLogin = await options.server.login.loginUsingExternalToken({
  38     username: options.username,
  39     externalAuthToken: externalAuthToken as string,
  40     expectedStatus: options.expectedStatusStep2
  41   })
  42
  43   return resLogin.body
  44 }
  45
  46 describe('Test external auth plugins', function () {
  47   let server: PeerTubeServer
  48
  49   let cyanAccessToken: string
  50   let cyanRefreshToken: string
  51
  52   let kefkaAccessToken: string
  53   let kefkaRefreshToken: string
  54
  55   let externalAuthToken: string
  56
  57   before(async function () {
  58     this.timeout(30000)
  59
  60     server = await createSingleServer(1, {
  61       rates_limit: {
  62         login: {
  63           max: 30
  64         }
  65       }
  66     })
  67
  68     await setAccessTokensToServers([ server ])
  69
  70     for (const suffix of [ 'one', 'two', 'three' ]) {
  71       await server.plugins.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
  72     }
  73   })
  74
  75   it('Should display the correct configuration', async function () {
  76     const config = await server.config.getConfig()
  77
  78     const auths = config.plugin.registeredExternalAuths
  79     expect(auths).to.have.lengthOf(9)
  80
  81     const auth2 = auths.find((a) => a.authName === 'external-auth-2')
  82     expect(auth2).to.exist
  83     expect(auth2.authDisplayName).to.equal('External Auth 2')
  84     expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
  85   })
  86
  87   it('Should redirect for a Cyan login', async function () {
  88     const res = await server.plugins.getExternalAuth({
  89       npmName: 'test-external-auth-one',
  90       npmVersion: '0.0.1',
  91       authName: 'external-auth-1',
  92       query: {
  93         username: 'cyan'
  94       },
  95       expectedStatus: HttpStatusCode.FOUND_302
  96     })
  97
  98     const location = res.header.location
  99     expect(location.startsWith('/login?')).to.be.true
 100
 101     const searchParams = decodeQueryString(location)
 102
 103     expect(searchParams.externalAuthToken).to.exist
 104     expect(searchParams.username).to.equal('cyan')
 105
 106     externalAuthToken = searchParams.externalAuthToken as string
 107   })
 108
 109   it('Should reject auto external login with a missing or invalid token', async function () {
 110     const command = server.login
 111
 112     await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 113     await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 114   })
 115
 116   it('Should reject auto external login with a missing or invalid username', async function () {
 117     const command = server.login
 118
 119     await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 120     await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 121   })
 122
 123   it('Should reject auto external login with an expired token', async function () {
 124     this.timeout(15000)
 125
 126     await wait(5000)
 127
 128     await server.login.loginUsingExternalToken({
 129       username: 'cyan',
 130       externalAuthToken,
 131       expectedStatus: HttpStatusCode.BAD_REQUEST_400
 132     })
 133
 134     await server.servers.waitUntilLog('expired external auth token', 4)
 135   })
 136
 137   it('Should auto login Cyan, create the user and use the token', async function () {
 138     {
 139       const res = await loginExternal({
 140         server,
 141         npmName: 'test-external-auth-one',
 142         authName: 'external-auth-1',
 143         query: {
 144           username: 'cyan'
 145         },
 146         username: 'cyan'
 147       })
 148
 149       cyanAccessToken = res.access_token
 150       cyanRefreshToken = res.refresh_token
 151     }
 152
 153     {
 154       const body = await server.users.getMyInfo({ token: cyanAccessToken })
 155       expect(body.username).to.equal('cyan')
 156       expect(body.account.displayName).to.equal('cyan')
 157       expect(body.email).to.equal('cyan@example.com')
 158       expect(body.role.id).to.equal(UserRole.USER)
 159     }
 160   })
 161
 162   it('Should auto login Kefka, create the user and use the token', async function () {
 163     {
 164       const res = await loginExternal({
 165         server,
 166         npmName: 'test-external-auth-one',
 167         authName: 'external-auth-2',
 168         username: 'kefka'
 169       })
 170
 171       kefkaAccessToken = res.access_token
 172       kefkaRefreshToken = res.refresh_token
 173     }
 174
 175     {
 176       const body = await server.users.getMyInfo({ token: kefkaAccessToken })
 177       expect(body.username).to.equal('kefka')
 178       expect(body.account.displayName).to.equal('Kefka Palazzo')
 179       expect(body.email).to.equal('kefka@example.com')
 180       expect(body.role.id).to.equal(UserRole.ADMINISTRATOR)
 181     }
 182   })
 183
 184   it('Should refresh Cyan token, but not Kefka token', async function () {
 185     {
 186       const resRefresh = await server.login.refreshToken({ refreshToken: cyanRefreshToken })
 187       cyanAccessToken = resRefresh.body.access_token
 188       cyanRefreshToken = resRefresh.body.refresh_token
 189
 190       const body = await server.users.getMyInfo({ token: cyanAccessToken })
 191       expect(body.username).to.equal('cyan')
 192     }
 193
 194     {
 195       await server.login.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 196     }
 197   })
 198
 199   it('Should update Cyan profile', async function () {
 200     await server.users.updateMe({
 201       token: cyanAccessToken,
 202       displayName: 'Cyan Garamonde',
 203       description: 'Retainer to the king of Doma'
 204     })
 205
 206     const body = await server.users.getMyInfo({ token: cyanAccessToken })
 207     expect(body.account.displayName).to.equal('Cyan Garamonde')
 208     expect(body.account.description).to.equal('Retainer to the king of Doma')
 209   })
 210
 211   it('Should logout Cyan', async function () {
 212     await server.login.logout({ token: cyanAccessToken })
 213   })
 214
 215   it('Should have logged out Cyan', async function () {
 216     await server.servers.waitUntilLog('On logout cyan')
 217
 218     await server.users.getMyInfo({ token: cyanAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
 219   })
 220
 221   it('Should login Cyan and keep the old existing profile', async function () {
 222     {
 223       const res = await loginExternal({
 224         server,
 225         npmName: 'test-external-auth-one',
 226         authName: 'external-auth-1',
 227         query: {
 228           username: 'cyan'
 229         },
 230         username: 'cyan'
 231       })
 232
 233       cyanAccessToken = res.access_token
 234     }
 235
 236     const body = await server.users.getMyInfo({ token: cyanAccessToken })
 237     expect(body.username).to.equal('cyan')
 238     expect(body.account.displayName).to.equal('Cyan Garamonde')
 239     expect(body.account.description).to.equal('Retainer to the king of Doma')
 240     expect(body.role.id).to.equal(UserRole.USER)
 241   })
 242
 243   it('Should not update an external auth email', async function () {
 244     await server.users.updateMe({
 245       token: cyanAccessToken,
 246       email: 'toto@example.com',
 247       currentPassword: 'toto',
 248       expectedStatus: HttpStatusCode.BAD_REQUEST_400
 249     })
 250   })
 251
 252   it('Should reject token of Kefka by the plugin hook', async function () {
 253     this.timeout(10000)
 254
 255     await wait(5000)
 256
 257     await server.users.getMyInfo({ token: kefkaAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
 258   })
 259
 260   it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
 261     await server.plugins.updateSettings({
 262       npmName: 'peertube-plugin-test-external-auth-one',
 263       settings: { disableKefka: true }
 264     })
 265
 266     await server.login.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 267
 268     await loginExternal({
 269       server,
 270       npmName: 'test-external-auth-one',
 271       authName: 'external-auth-2',
 272       query: {
 273         username: 'kefka'
 274       },
 275       username: 'kefka',
 276       expectedStatus: HttpStatusCode.NOT_FOUND_404
 277     })
 278   })
 279
 280   it('Should have disabled this auth', async function () {
 281     const config = await server.config.getConfig()
 282
 283     const auths = config.plugin.registeredExternalAuths
 284     expect(auths).to.have.lengthOf(8)
 285
 286     const auth1 = auths.find(a => a.authName === 'external-auth-2')
 287     expect(auth1).to.not.exist
 288   })
 289
 290   it('Should uninstall the plugin one and do not login Cyan', async function () {
 291     await server.plugins.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
 292
 293     await loginExternal({
 294       server,
 295       npmName: 'test-external-auth-one',
 296       authName: 'external-auth-1',
 297       query: {
 298         username: 'cyan'
 299       },
 300       username: 'cyan',
 301       expectedStatus: HttpStatusCode.NOT_FOUND_404
 302     })
 303
 304     await server.login.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 305     await server.login.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 306     await server.login.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 307   })
 308
 309   it('Should not login kefka with another plugin', async function () {
 310     await loginExternal({
 311       server,
 312       npmName: 'test-external-auth-two',
 313       authName: 'external-auth-4',
 314       username: 'kefka2',
 315       expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
 316     })
 317
 318     await loginExternal({
 319       server,
 320       npmName: 'test-external-auth-two',
 321       authName: 'external-auth-4',
 322       username: 'kefka',
 323       expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
 324     })
 325   })
 326
 327   it('Should not login an existing user email', async function () {
 328     await server.users.create({ username: 'existing_user', password: 'super_password' })
 329
 330     await loginExternal({
 331       server,
 332       npmName: 'test-external-auth-two',
 333       authName: 'external-auth-6',
 334       username: 'existing_user',
 335       expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
 336     })
 337   })
 338
 339   it('Should be able to login an existing user username and channel', async function () {
 340     await server.users.create({ username: 'existing_user2' })
 341     await server.users.create({ username: 'existing_user2-1_channel' })
 342
 343     // Test twice to ensure we don't generate a username on every login
 344     for (let i = 0; i < 2; i++) {
 345       const res = await loginExternal({
 346         server,
 347         npmName: 'test-external-auth-two',
 348         authName: 'external-auth-7',
 349         username: 'existing_user2'
 350       })
 351
 352       const token = res.access_token
 353
 354       const myInfo = await server.users.getMyInfo({ token })
 355       expect(myInfo.username).to.equal('existing_user2-1')
 356
 357       expect(myInfo.videoChannels[0].name).to.equal('existing_user2-1_channel-1')
 358     }
 359   })
 360
 361   it('Should display the correct configuration', async function () {
 362     const config = await server.config.getConfig()
 363
 364     const auths = config.plugin.registeredExternalAuths
 365     expect(auths).to.have.lengthOf(7)
 366
 367     const auth2 = auths.find((a) => a.authName === 'external-auth-2')
 368     expect(auth2).to.not.exist
 369   })
 370
 371   after(async function () {
 372     await cleanupTests([ server ])
 373   })
 374
 375   it('Should forward the redirectUrl if the plugin returns one', async function () {
 376     const resLogin = await loginExternal({
 377       server,
 378       npmName: 'test-external-auth-three',
 379       authName: 'external-auth-7',
 380       username: 'cid'
 381     })
 382
 383     const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
 384     expect(redirectUrl).to.equal('https://example.com/redirectUrl')
 385   })
 386
 387   it('Should call the plugin\'s onLogout method with the request', async function () {
 388     const resLogin = await loginExternal({
 389       server,
 390       npmName: 'test-external-auth-three',
 391       authName: 'external-auth-8',
 392       username: 'cid'
 393     })
 394
 395     const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
 396     expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)
 397   })
 398 })