1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
4 import { expect } from 'chai'
5 import { HttpStatusCode } from '@shared/core-utils'
14 setAccessTokensToServers,
17 } from '@shared/extra-utils'
18 import { User, UserRole } from '@shared/models'
20 async function loginExternal (options: {
26 statusCodeExpected?: HttpStatusCode
27 statusCodeExpectedStep2?: HttpStatusCode
29 const res = await options.server.pluginsCommand.getExternalAuth({
30 npmName: options.npmName,
32 authName: options.authName,
34 expectedStatus: options.statusCodeExpected || HttpStatusCode.FOUND_302
37 if (res.status !== HttpStatusCode.FOUND_302) return
39 const location = res.header.location
40 const { externalAuthToken } = decodeQueryString(location)
42 const resLogin = await options.server.loginCommand.loginUsingExternalToken({
43 username: options.username,
44 externalAuthToken: externalAuthToken as string,
45 expectedStatus: options.statusCodeExpectedStep2
51 describe('Test external auth plugins', function () {
52 let server: ServerInfo
54 let cyanAccessToken: string
55 let cyanRefreshToken: string
57 let kefkaAccessToken: string
58 let kefkaRefreshToken: string
60 let externalAuthToken: string
62 before(async function () {
65 server = await flushAndRunServer(1)
66 await setAccessTokensToServers([ server ])
68 for (const suffix of [ 'one', 'two', 'three' ]) {
69 await server.pluginsCommand.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
73 it('Should display the correct configuration', async function () {
74 const config = await server.configCommand.getConfig()
76 const auths = config.plugin.registeredExternalAuths
77 expect(auths).to.have.lengthOf(8)
79 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
80 expect(auth2).to.exist
81 expect(auth2.authDisplayName).to.equal('External Auth 2')
82 expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
85 it('Should redirect for a Cyan login', async function () {
86 const res = await server.pluginsCommand.getExternalAuth({
87 npmName: 'test-external-auth-one',
89 authName: 'external-auth-1',
93 expectedStatus: HttpStatusCode.FOUND_302
96 const location = res.header.location
97 expect(location.startsWith('/login?')).to.be.true
99 const searchParams = decodeQueryString(location)
101 expect(searchParams.externalAuthToken).to.exist
102 expect(searchParams.username).to.equal('cyan')
104 externalAuthToken = searchParams.externalAuthToken as string
107 it('Should reject auto external login with a missing or invalid token', async function () {
108 const command = server.loginCommand
110 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
111 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
114 it('Should reject auto external login with a missing or invalid username', async function () {
115 const command = server.loginCommand
117 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
118 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
121 it('Should reject auto external login with an expired token', async function () {
126 await server.loginCommand.loginUsingExternalToken({
129 expectedStatus: HttpStatusCode.BAD_REQUEST_400
132 await server.serversCommand.waitUntilLog('expired external auth token', 2)
135 it('Should auto login Cyan, create the user and use the token', async function () {
137 const res = await loginExternal({
139 npmName: 'test-external-auth-one',
140 authName: 'external-auth-1',
147 cyanAccessToken = res.access_token
148 cyanRefreshToken = res.refresh_token
152 const res = await getMyUserInformation(server.url, cyanAccessToken)
154 const body: User = res.body
155 expect(body.username).to.equal('cyan')
156 expect(body.account.displayName).to.equal('cyan')
157 expect(body.email).to.equal('cyan@example.com')
158 expect(body.role).to.equal(UserRole.USER)
162 it('Should auto login Kefka, create the user and use the token', async function () {
164 const res = await loginExternal({
166 npmName: 'test-external-auth-one',
167 authName: 'external-auth-2',
171 kefkaAccessToken = res.access_token
172 kefkaRefreshToken = res.refresh_token
176 const res = await getMyUserInformation(server.url, kefkaAccessToken)
178 const body: User = res.body
179 expect(body.username).to.equal('kefka')
180 expect(body.account.displayName).to.equal('Kefka Palazzo')
181 expect(body.email).to.equal('kefka@example.com')
182 expect(body.role).to.equal(UserRole.ADMINISTRATOR)
186 it('Should refresh Cyan token, but not Kefka token', async function () {
188 const resRefresh = await server.loginCommand.refreshToken({ refreshToken: cyanRefreshToken })
189 cyanAccessToken = resRefresh.body.access_token
190 cyanRefreshToken = resRefresh.body.refresh_token
192 const res = await getMyUserInformation(server.url, cyanAccessToken)
193 const user: User = res.body
194 expect(user.username).to.equal('cyan')
198 await server.loginCommand.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
202 it('Should update Cyan profile', async function () {
205 accessToken: cyanAccessToken,
206 displayName: 'Cyan Garamonde',
207 description: 'Retainer to the king of Doma'
210 const res = await getMyUserInformation(server.url, cyanAccessToken)
212 const body: User = res.body
213 expect(body.account.displayName).to.equal('Cyan Garamonde')
214 expect(body.account.description).to.equal('Retainer to the king of Doma')
217 it('Should logout Cyan', async function () {
218 await server.loginCommand.logout({ token: cyanAccessToken })
221 it('Should have logged out Cyan', async function () {
222 await server.serversCommand.waitUntilLog('On logout cyan')
224 await getMyUserInformation(server.url, cyanAccessToken, HttpStatusCode.UNAUTHORIZED_401)
227 it('Should login Cyan and keep the old existing profile', async function () {
229 const res = await loginExternal({
231 npmName: 'test-external-auth-one',
232 authName: 'external-auth-1',
239 cyanAccessToken = res.access_token
242 const res = await getMyUserInformation(server.url, cyanAccessToken)
244 const body: User = res.body
245 expect(body.username).to.equal('cyan')
246 expect(body.account.displayName).to.equal('Cyan Garamonde')
247 expect(body.account.description).to.equal('Retainer to the king of Doma')
248 expect(body.role).to.equal(UserRole.USER)
251 it('Should not update an external auth email', async function () {
254 accessToken: cyanAccessToken,
255 email: 'toto@example.com',
256 currentPassword: 'toto',
257 statusCodeExpected: HttpStatusCode.BAD_REQUEST_400
261 it('Should reject token of Kefka by the plugin hook', async function () {
266 await getMyUserInformation(server.url, kefkaAccessToken, HttpStatusCode.UNAUTHORIZED_401)
269 it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
270 await server.pluginsCommand.updateSettings({
271 npmName: 'peertube-plugin-test-external-auth-one',
272 settings: { disableKefka: true }
275 await server.loginCommand.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
277 await loginExternal({
279 npmName: 'test-external-auth-one',
280 authName: 'external-auth-2',
285 statusCodeExpected: HttpStatusCode.NOT_FOUND_404
289 it('Should have disabled this auth', async function () {
290 const config = await server.configCommand.getConfig()
292 const auths = config.plugin.registeredExternalAuths
293 expect(auths).to.have.lengthOf(7)
295 const auth1 = auths.find(a => a.authName === 'external-auth-2')
296 expect(auth1).to.not.exist
299 it('Should uninstall the plugin one and do not login Cyan', async function () {
300 await server.pluginsCommand.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
302 await loginExternal({
304 npmName: 'test-external-auth-one',
305 authName: 'external-auth-1',
310 statusCodeExpected: HttpStatusCode.NOT_FOUND_404
313 await server.loginCommand.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
314 await server.loginCommand.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
315 await server.loginCommand.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
318 it('Should not login kefka with another plugin', async function () {
319 await loginExternal({
321 npmName: 'test-external-auth-two',
322 authName: 'external-auth-4',
324 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
327 await loginExternal({
329 npmName: 'test-external-auth-two',
330 authName: 'external-auth-4',
332 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
336 it('Should not login an existing user', async function () {
339 accessToken: server.accessToken,
340 username: 'existing_user',
341 password: 'super_password'
344 await loginExternal({
346 npmName: 'test-external-auth-two',
347 authName: 'external-auth-6',
348 username: 'existing_user',
349 statusCodeExpectedStep2: HttpStatusCode.BAD_REQUEST_400
353 it('Should display the correct configuration', async function () {
354 const config = await server.configCommand.getConfig()
356 const auths = config.plugin.registeredExternalAuths
357 expect(auths).to.have.lengthOf(6)
359 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
360 expect(auth2).to.not.exist
363 after(async function () {
364 await cleanupTests([ server ])
367 it('Should forward the redirectUrl if the plugin returns one', async function () {
368 const resLogin = await loginExternal({
370 npmName: 'test-external-auth-three',
371 authName: 'external-auth-7',
375 const { redirectUrl } = await server.loginCommand.logout({ token: resLogin.access_token })
376 expect(redirectUrl).to.equal('https://example.com/redirectUrl')
379 it('Should call the plugin\'s onLogout method with the request', async function () {
380 const resLogin = await loginExternal({
382 npmName: 'test-external-auth-three',
383 authName: 'external-auth-8',
387 const { redirectUrl } = await server.loginCommand.logout({ token: resLogin.access_token })
388 expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)