1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
3 import { expect } from 'chai'
4 import { wait } from '@shared/core-utils'
5 import { HttpStatusCode, UserAdminFlag, UserRole } from '@shared/models'
12 setAccessTokensToServers
13 } from '@shared/server-commands'
15 async function loginExternal (options: {
16 server: PeerTubeServer
21 expectedStatus?: HttpStatusCode
22 expectedStatusStep2?: HttpStatusCode
24 const res = await options.server.plugins.getExternalAuth({
25 npmName: options.npmName,
27 authName: options.authName,
29 expectedStatus: options.expectedStatus || HttpStatusCode.FOUND_302
32 if (res.status !== HttpStatusCode.FOUND_302) return
34 const location = res.header.location
35 const { externalAuthToken } = decodeQueryString(location)
37 const resLogin = await options.server.login.loginUsingExternalToken({
38 username: options.username,
39 externalAuthToken: externalAuthToken as string,
40 expectedStatus: options.expectedStatusStep2
46 describe('Test external auth plugins', function () {
47 let server: PeerTubeServer
49 let cyanAccessToken: string
50 let cyanRefreshToken: string
52 let kefkaAccessToken: string
53 let kefkaRefreshToken: string
55 let externalAuthToken: string
57 before(async function () {
60 server = await createSingleServer(1, {
68 await setAccessTokensToServers([ server ])
70 for (const suffix of [ 'one', 'two', 'three' ]) {
71 await server.plugins.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
75 it('Should display the correct configuration', async function () {
76 const config = await server.config.getConfig()
78 const auths = config.plugin.registeredExternalAuths
79 expect(auths).to.have.lengthOf(9)
81 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
82 expect(auth2).to.exist
83 expect(auth2.authDisplayName).to.equal('External Auth 2')
84 expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
87 it('Should redirect for a Cyan login', async function () {
88 const res = await server.plugins.getExternalAuth({
89 npmName: 'test-external-auth-one',
91 authName: 'external-auth-1',
95 expectedStatus: HttpStatusCode.FOUND_302
98 const location = res.header.location
99 expect(location.startsWith('/login?')).to.be.true
101 const searchParams = decodeQueryString(location)
103 expect(searchParams.externalAuthToken).to.exist
104 expect(searchParams.username).to.equal('cyan')
106 externalAuthToken = searchParams.externalAuthToken as string
109 it('Should reject auto external login with a missing or invalid token', async function () {
110 const command = server.login
112 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
113 await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
116 it('Should reject auto external login with a missing or invalid username', async function () {
117 const command = server.login
119 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
120 await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
123 it('Should reject auto external login with an expired token', async function () {
128 await server.login.loginUsingExternalToken({
131 expectedStatus: HttpStatusCode.BAD_REQUEST_400
134 await server.servers.waitUntilLog('expired external auth token', 4)
137 it('Should auto login Cyan, create the user and use the token', async function () {
139 const res = await loginExternal({
141 npmName: 'test-external-auth-one',
142 authName: 'external-auth-1',
149 cyanAccessToken = res.access_token
150 cyanRefreshToken = res.refresh_token
154 const body = await server.users.getMyInfo({ token: cyanAccessToken })
155 expect(body.username).to.equal('cyan')
156 expect(body.account.displayName).to.equal('cyan')
157 expect(body.email).to.equal('cyan@example.com')
158 expect(body.role.id).to.equal(UserRole.USER)
159 expect(body.adminFlags).to.equal(UserAdminFlag.NONE)
160 expect(body.videoQuota).to.equal(5242880)
161 expect(body.videoQuotaDaily).to.equal(-1)
165 it('Should auto login Kefka, create the user and use the token', async function () {
167 const res = await loginExternal({
169 npmName: 'test-external-auth-one',
170 authName: 'external-auth-2',
174 kefkaAccessToken = res.access_token
175 kefkaRefreshToken = res.refresh_token
179 const body = await server.users.getMyInfo({ token: kefkaAccessToken })
180 expect(body.username).to.equal('kefka')
181 expect(body.account.displayName).to.equal('Kefka Palazzo')
182 expect(body.email).to.equal('kefka@example.com')
183 expect(body.role.id).to.equal(UserRole.ADMINISTRATOR)
184 expect(body.adminFlags).to.equal(UserAdminFlag.BYPASS_VIDEO_AUTO_BLACKLIST)
185 expect(body.videoQuota).to.equal(42000)
186 expect(body.videoQuotaDaily).to.equal(42100)
190 it('Should refresh Cyan token, but not Kefka token', async function () {
192 const resRefresh = await server.login.refreshToken({ refreshToken: cyanRefreshToken })
193 cyanAccessToken = resRefresh.body.access_token
194 cyanRefreshToken = resRefresh.body.refresh_token
196 const body = await server.users.getMyInfo({ token: cyanAccessToken })
197 expect(body.username).to.equal('cyan')
201 await server.login.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
205 it('Should update Cyan profile', async function () {
206 await server.users.updateMe({
207 token: cyanAccessToken,
208 displayName: 'Cyan Garamonde',
209 description: 'Retainer to the king of Doma'
212 const body = await server.users.getMyInfo({ token: cyanAccessToken })
213 expect(body.account.displayName).to.equal('Cyan Garamonde')
214 expect(body.account.description).to.equal('Retainer to the king of Doma')
217 it('Should logout Cyan', async function () {
218 await server.login.logout({ token: cyanAccessToken })
221 it('Should have logged out Cyan', async function () {
222 await server.servers.waitUntilLog('On logout cyan')
224 await server.users.getMyInfo({ token: cyanAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
227 it('Should login Cyan and keep the old existing profile', async function () {
229 const res = await loginExternal({
231 npmName: 'test-external-auth-one',
232 authName: 'external-auth-1',
239 cyanAccessToken = res.access_token
242 const body = await server.users.getMyInfo({ token: cyanAccessToken })
243 expect(body.username).to.equal('cyan')
244 expect(body.account.displayName).to.equal('Cyan Garamonde')
245 expect(body.account.description).to.equal('Retainer to the king of Doma')
246 expect(body.role.id).to.equal(UserRole.USER)
249 it('Should not update an external auth email', async function () {
250 await server.users.updateMe({
251 token: cyanAccessToken,
252 email: 'toto@example.com',
253 currentPassword: 'toto',
254 expectedStatus: HttpStatusCode.BAD_REQUEST_400
258 it('Should reject token of Kefka by the plugin hook', async function () {
263 await server.users.getMyInfo({ token: kefkaAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
266 it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
267 await server.plugins.updateSettings({
268 npmName: 'peertube-plugin-test-external-auth-one',
269 settings: { disableKefka: true }
272 await server.login.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
274 await loginExternal({
276 npmName: 'test-external-auth-one',
277 authName: 'external-auth-2',
282 expectedStatus: HttpStatusCode.NOT_FOUND_404
286 it('Should have disabled this auth', async function () {
287 const config = await server.config.getConfig()
289 const auths = config.plugin.registeredExternalAuths
290 expect(auths).to.have.lengthOf(8)
292 const auth1 = auths.find(a => a.authName === 'external-auth-2')
293 expect(auth1).to.not.exist
296 it('Should uninstall the plugin one and do not login Cyan', async function () {
297 await server.plugins.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
299 await loginExternal({
301 npmName: 'test-external-auth-one',
302 authName: 'external-auth-1',
307 expectedStatus: HttpStatusCode.NOT_FOUND_404
310 await server.login.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
311 await server.login.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
312 await server.login.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
315 it('Should not login kefka with another plugin', async function () {
316 await loginExternal({
318 npmName: 'test-external-auth-two',
319 authName: 'external-auth-4',
321 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
324 await loginExternal({
326 npmName: 'test-external-auth-two',
327 authName: 'external-auth-4',
329 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
333 it('Should not login an existing user email', async function () {
334 await server.users.create({ username: 'existing_user', password: 'super_password' })
336 await loginExternal({
338 npmName: 'test-external-auth-two',
339 authName: 'external-auth-6',
340 username: 'existing_user',
341 expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
345 it('Should be able to login an existing user username and channel', async function () {
346 await server.users.create({ username: 'existing_user2' })
347 await server.users.create({ username: 'existing_user2-1_channel' })
349 // Test twice to ensure we don't generate a username on every login
350 for (let i = 0; i < 2; i++) {
351 const res = await loginExternal({
353 npmName: 'test-external-auth-two',
354 authName: 'external-auth-7',
355 username: 'existing_user2'
358 const token = res.access_token
360 const myInfo = await server.users.getMyInfo({ token })
361 expect(myInfo.username).to.equal('existing_user2-1')
363 expect(myInfo.videoChannels[0].name).to.equal('existing_user2-1_channel-1')
367 it('Should display the correct configuration', async function () {
368 const config = await server.config.getConfig()
370 const auths = config.plugin.registeredExternalAuths
371 expect(auths).to.have.lengthOf(7)
373 const auth2 = auths.find((a) => a.authName === 'external-auth-2')
374 expect(auth2).to.not.exist
377 after(async function () {
378 await cleanupTests([ server ])
381 it('Should forward the redirectUrl if the plugin returns one', async function () {
382 const resLogin = await loginExternal({
384 npmName: 'test-external-auth-three',
385 authName: 'external-auth-7',
389 const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
390 expect(redirectUrl).to.equal('https://example.com/redirectUrl')
393 it('Should call the plugin\'s onLogout method with the request', async function () {
394 const resLogin = await loginExternal({
396 npmName: 'test-external-auth-three',
397 authName: 'external-auth-8',
401 const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
402 expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)