]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/blob - server/tests/plugins/external-auth.ts
e421fd2245d0ecc692c1b2889e5126abc57861b8
[github/Chocobozzz/PeerTube.git] / server / tests / plugins / external-auth.ts
1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
2
3 import 'mocha'
4 import { expect } from 'chai'
5 import { HttpStatusCode } from '@shared/core-utils'
6 import {
7 cleanupTests,
8 createUser,
9 decodeQueryString,
10 flushAndRunServer,
11 getMyUserInformation,
12 PluginsCommand,
13 ServerInfo,
14 setAccessTokensToServers,
15 updateMyUser,
16 wait
17 } from '@shared/extra-utils'
18 import { User, UserRole } from '@shared/models'
19
20 async function loginExternal (options: {
21 server: ServerInfo
22 npmName: string
23 authName: string
24 username: string
25 query?: any
26 statusCodeExpected?: HttpStatusCode
27 statusCodeExpectedStep2?: HttpStatusCode
28 }) {
29 const res = await options.server.pluginsCommand.getExternalAuth({
30 npmName: options.npmName,
31 npmVersion: '0.0.1',
32 authName: options.authName,
33 query: options.query,
34 expectedStatus: options.statusCodeExpected || HttpStatusCode.FOUND_302
35 })
36
37 if (res.status !== HttpStatusCode.FOUND_302) return
38
39 const location = res.header.location
40 const { externalAuthToken } = decodeQueryString(location)
41
42 const resLogin = await options.server.loginCommand.loginUsingExternalToken({
43 username: options.username,
44 externalAuthToken: externalAuthToken as string,
45 expectedStatus: options.statusCodeExpectedStep2
46 })
47
48 return resLogin.body
49 }
50
51 describe('Test external auth plugins', function () {
52 let server: ServerInfo
53
54 let cyanAccessToken: string
55 let cyanRefreshToken: string
56
57 let kefkaAccessToken: string
58 let kefkaRefreshToken: string
59
60 let externalAuthToken: string
61
62 before(async function () {
63 this.timeout(30000)
64
65 server = await flushAndRunServer(1)
66 await setAccessTokensToServers([ server ])
67
68 for (const suffix of [ 'one', 'two', 'three' ]) {
69 await server.pluginsCommand.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
70 }
71 })
72
73 it('Should display the correct configuration', async function () {
74 const config = await server.configCommand.getConfig()
75
76 const auths = config.plugin.registeredExternalAuths
77 expect(auths).to.have.lengthOf(8)
78
79 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
80 expect(auth2).to.exist
81 expect(auth2.authDisplayName).to.equal('External Auth 2')
82 expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
83 })
84
85 it('Should redirect for a Cyan login', async function () {
86 const res = await server.pluginsCommand.getExternalAuth({
87 npmName: 'test-external-auth-one',
88 npmVersion: '0.0.1',
89 authName: 'external-auth-1',
90 query: {
91 username: 'cyan'
92 },
93 expectedStatus: HttpStatusCode.FOUND_302
94 })
95
96 const location = res.header.location
97 expect(location.startsWith('/login?')).to.be.true
98
99 const searchParams = decodeQueryString(location)
100
101 expect(searchParams.externalAuthToken).to.exist
102 expect(searchParams.username).to.equal('cyan')
103
104 externalAuthToken = searchParams.externalAuthToken as string
105 })
106
107 it('Should reject auto external login with a missing or invalid token', async function () {
108 const command = server.loginCommand
109
110 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
111 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
112 })
113
114 it('Should reject auto external login with a missing or invalid username', async function () {
115 const command = server.loginCommand
116
117 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
118 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
119 })
120
121 it('Should reject auto external login with an expired token', async function () {
122 this.timeout(15000)
123
124 await wait(5000)
125
126 await server.loginCommand.loginUsingExternalToken({
127 username: 'cyan',
128 externalAuthToken,
129 expectedStatus: HttpStatusCode.BAD_REQUEST_400
130 })
131
132 await server.serversCommand.waitUntilLog('expired external auth token', 2)
133 })
134
135 it('Should auto login Cyan, create the user and use the token', async function () {
136 {
137 const res = await loginExternal({
138 server,
139 npmName: 'test-external-auth-one',
140 authName: 'external-auth-1',
141 query: {
142 username: 'cyan'
143 },
144 username: 'cyan'
145 })
146
147 cyanAccessToken = res.access_token
148 cyanRefreshToken = res.refresh_token
149 }
150
151 {
152 const res = await getMyUserInformation(server.url, cyanAccessToken)
153
154 const body: User = res.body
155 expect(body.username).to.equal('cyan')
156 expect(body.account.displayName).to.equal('cyan')
157 expect(body.email).to.equal('cyan@example.com')
158 expect(body.role).to.equal(UserRole.USER)
159 }
160 })
161
162 it('Should auto login Kefka, create the user and use the token', async function () {
163 {
164 const res = await loginExternal({
165 server,
166 npmName: 'test-external-auth-one',
167 authName: 'external-auth-2',
168 username: 'kefka'
169 })
170
171 kefkaAccessToken = res.access_token
172 kefkaRefreshToken = res.refresh_token
173 }
174
175 {
176 const res = await getMyUserInformation(server.url, kefkaAccessToken)
177
178 const body: User = res.body
179 expect(body.username).to.equal('kefka')
180 expect(body.account.displayName).to.equal('Kefka Palazzo')
181 expect(body.email).to.equal('kefka@example.com')
182 expect(body.role).to.equal(UserRole.ADMINISTRATOR)
183 }
184 })
185
186 it('Should refresh Cyan token, but not Kefka token', async function () {
187 {
188 const resRefresh = await server.loginCommand.refreshToken({ refreshToken: cyanRefreshToken })
189 cyanAccessToken = resRefresh.body.access_token
190 cyanRefreshToken = resRefresh.body.refresh_token
191
192 const res = await getMyUserInformation(server.url, cyanAccessToken)
193 const user: User = res.body
194 expect(user.username).to.equal('cyan')
195 }
196
197 {
198 await server.loginCommand.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
199 }
200 })
201
202 it('Should update Cyan profile', async function () {
203 await updateMyUser({
204 url: server.url,
205 accessToken: cyanAccessToken,
206 displayName: 'Cyan Garamonde',
207 description: 'Retainer to the king of Doma'
208 })
209
210 const res = await getMyUserInformation(server.url, cyanAccessToken)
211
212 const body: User = res.body
213 expect(body.account.displayName).to.equal('Cyan Garamonde')
214 expect(body.account.description).to.equal('Retainer to the king of Doma')
215 })
216
217 it('Should logout Cyan', async function () {
218 await server.loginCommand.logout({ token: cyanAccessToken })
219 })
220
221 it('Should have logged out Cyan', async function () {
222 await server.serversCommand.waitUntilLog('On logout cyan')
223
224 await getMyUserInformation(server.url, cyanAccessToken, HttpStatusCode.UNAUTHORIZED_401)
225 })
226
227 it('Should login Cyan and keep the old existing profile', async function () {
228 {
229 const res = await loginExternal({
230 server,
231 npmName: 'test-external-auth-one',
232 authName: 'external-auth-1',
233 query: {
234 username: 'cyan'
235 },
236 username: 'cyan'
237 })
238
239 cyanAccessToken = res.access_token
240 }
241
242 const res = await getMyUserInformation(server.url, cyanAccessToken)
243
244 const body: User = res.body
245 expect(body.username).to.equal('cyan')
246 expect(body.account.displayName).to.equal('Cyan Garamonde')
247 expect(body.account.description).to.equal('Retainer to the king of Doma')
248 expect(body.role).to.equal(UserRole.USER)
249 })
250
251 it('Should not update an external auth email', async function () {
252 await updateMyUser({
253 url: server.url,
254 accessToken: cyanAccessToken,
255 email: 'toto@example.com',
256 currentPassword: 'toto',
257 statusCodeExpected: HttpStatusCode.BAD_REQUEST_400
258 })
259 })
260
261 it('Should reject token of Kefka by the plugin hook', async function () {
262 this.timeout(10000)
263
264 await wait(5000)
265
266 await getMyUserInformation(server.url, kefkaAccessToken, HttpStatusCode.UNAUTHORIZED_401)
267 })
268
269 it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
270 await server.pluginsCommand.updateSettings({
271 npmName: 'peertube-plugin-test-external-auth-one',
272 settings: { disableKefka: true }
273 })
274
275 await server.loginCommand.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
276
277 await loginExternal({
278 server,
279 npmName: 'test-external-auth-one',
280 authName: 'external-auth-2',
281 query: {
282 username: 'kefka'
283 },
284 username: 'kefka',
285 statusCodeExpected: HttpStatusCode.NOT_FOUND_404
286 })
287 })
288
289 it('Should have disabled this auth', async function () {
290 const config = await server.configCommand.getConfig()
291
292 const auths = config.plugin.registeredExternalAuths
293 expect(auths).to.have.lengthOf(7)
294
295 const auth1 = auths.find(a => a.authName === 'external-auth-2')
296 expect(auth1).to.not.exist
297 })
298
299 it('Should uninstall the plugin one and do not login Cyan', async function () {
300 await server.pluginsCommand.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
301
302 await loginExternal({
303 server,
304 npmName: 'test-external-auth-one',
305 authName: 'external-auth-1',
306 query: {
307 username: 'cyan'
308 },
309 username: 'cyan',
310 statusCodeExpected: HttpStatusCode.NOT_FOUND_404
311 })
312
313 await server.loginCommand.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
314 await server.loginCommand.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
315 await server.loginCommand.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
316 })
317
318 it('Should not login kefka with another plugin', async function () {
319 await loginExternal({
320 server,
321 npmName: 'test-external-auth-two',
322 authName: 'external-auth-4',
323 username: 'kefka2',
324 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
325 })
326
327 await loginExternal({
328 server,
329 npmName: 'test-external-auth-two',
330 authName: 'external-auth-4',
331 username: 'kefka',
332 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
333 })
334 })
335
336 it('Should not login an existing user', async function () {
337 await createUser({
338 url: server.url,
339 accessToken: server.accessToken,
340 username: 'existing_user',
341 password: 'super_password'
342 })
343
344 await loginExternal({
345 server,
346 npmName: 'test-external-auth-two',
347 authName: 'external-auth-6',
348 username: 'existing_user',
349 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
350 })
351 })
352
353 it('Should display the correct configuration', async function () {
354 const config = await server.configCommand.getConfig()
355
356 const auths = config.plugin.registeredExternalAuths
357 expect(auths).to.have.lengthOf(6)
358
359 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
360 expect(auth2).to.not.exist
361 })
362
363 after(async function () {
364 await cleanupTests([ server ])
365 })
366
367 it('Should forward the redirectUrl if the plugin returns one', async function () {
368 const resLogin = await loginExternal({
369 server,
370 npmName: 'test-external-auth-three',
371 authName: 'external-auth-7',
372 username: 'cid'
373 })
374
375 const { redirectUrl } = await server.loginCommand.logout({ token: resLogin.access_token })
376 expect(redirectUrl).to.equal('https://example.com/redirectUrl')
377 })
378
379 it('Should call the plugin\'s onLogout method with the request', async function () {
380 const resLogin = await loginExternal({
381 server,
382 npmName: 'test-external-auth-three',
383 authName: 'external-auth-8',
384 username: 'cid'
385 })
386
387 const { redirectUrl } = await server.loginCommand.logout({ token: resLogin.access_token })
388 expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)
389 })
390 })