server/tests/api/users/oauth.ts


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { expect } from 'chai'
import { wait } from '@shared/core-utils'
import { HttpStatusCode, OAuth2ErrorCode, PeerTubeProblemDocument } from '@shared/models'
import { cleanupTests, createSingleServer, killallServers, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'

describe('Test oauth', function () {
  let server: PeerTubeServer

  before(async function () {
    this.timeout(30000)

    server = await createSingleServer(1, {
      rates_limit: {
        login: {
          max: 30
        }
      }
    })

    await setAccessTokensToServers([ server ])
  })

  describe('OAuth client', function () {

    function expectInvalidClient (body: PeerTubeProblemDocument) {
      expect(body.code).to.equal(OAuth2ErrorCode.INVALID_CLIENT)
      expect(body.error).to.contain('client is invalid')
      expect(body.type.startsWith('https://')).to.be.true
      expect(body.type).to.contain(OAuth2ErrorCode.INVALID_CLIENT)
    }

    it('Should create a new client')

    it('Should return the first client')

    it('Should remove the last client')

    it('Should not login with an invalid client id', async function () {
      const client = { id: 'client', secret: server.store.client.secret }
      const body = await server.login.login({ client, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })

      expectInvalidClient(body)
    })

    it('Should not login with an invalid client secret', async function () {
      const client = { id: server.store.client.id, secret: 'coucou' }
      const body = await server.login.login({ client, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })

      expectInvalidClient(body)
    })
  })

  describe('Login', function () {

    function expectInvalidCredentials (body: PeerTubeProblemDocument) {
      expect(body.code).to.equal(OAuth2ErrorCode.INVALID_GRANT)
      expect(body.error).to.contain('credentials are invalid')
      expect(body.type.startsWith('https://')).to.be.true
      expect(body.type).to.contain(OAuth2ErrorCode.INVALID_GRANT)
    }

    it('Should not login with an invalid username', async function () {
      const user = { username: 'captain crochet', password: server.store.user.password }
      const body = await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })

      expectInvalidCredentials(body)
    })

    it('Should not login with an invalid password', async function () {
      const user = { username: server.store.user.username, password: 'mew_three' }
      const body = await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })

      expectInvalidCredentials(body)
    })

    it('Should be able to login', async function () {
      await server.login.login({ expectedStatus: HttpStatusCode.OK_200 })
    })

    it('Should be able to login with an insensitive username', async function () {
      const user = { username: 'RoOt', password: server.store.user.password }
      await server.login.login({ user, expectedStatus: HttpStatusCode.OK_200 })

      const user2 = { username: 'rOoT', password: server.store.user.password }
      await server.login.login({ user: user2, expectedStatus: HttpStatusCode.OK_200 })

      const user3 = { username: 'ROOt', password: server.store.user.password }
      await server.login.login({ user: user3, expectedStatus: HttpStatusCode.OK_200 })
    })
  })

  describe('Logout', function () {

    it('Should logout (revoke token)', async function () {
      await server.login.logout({ token: server.accessToken })
    })

    it('Should not be able to get the user information', async function () {
      await server.users.getMyInfo({ expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
    })

    it('Should not be able to upload a video', async function () {
      await server.videos.upload({ attributes: { name: 'video' }, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
    })

    it('Should be able to login again', async function () {
      const body = await server.login.login()
      server.accessToken = body.access_token
      server.refreshToken = body.refresh_token
    })

    it('Should be able to get my user information again', async function () {
      await server.users.getMyInfo()
    })

    it('Should have an expired access token', async function () {
      this.timeout(60000)

      await server.sql.setTokenField(server.accessToken, 'accessTokenExpiresAt', new Date().toISOString())
      await server.sql.setTokenField(server.accessToken, 'refreshTokenExpiresAt', new Date().toISOString())

      await killallServers([ server ])
      await server.run()

      await server.users.getMyInfo({ expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
    })

    it('Should not be able to refresh an access token with an expired refresh token', async function () {
      await server.login.refreshToken({ refreshToken: server.refreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
    })

    it('Should refresh the token', async function () {
      this.timeout(50000)

      const futureDate = new Date(new Date().getTime() + 1000 * 60).toISOString()
      await server.sql.setTokenField(server.accessToken, 'refreshTokenExpiresAt', futureDate)

      await killallServers([ server ])
      await server.run()

      const res = await server.login.refreshToken({ refreshToken: server.refreshToken })
      server.accessToken = res.body.access_token
      server.refreshToken = res.body.refresh_token
    })

    it('Should be able to get my user information again', async function () {
      await server.users.getMyInfo()
    })
  })

  describe('Custom token lifetime', function () {
    before(async function () {
      this.timeout(120_000)

      await server.kill()
      await server.run({
        oauth2: {
          token_lifetime: {
            access_token: '2 seconds',
            refresh_token: '2 seconds'
          }
        }
      })
    })

    it('Should have a very short access token lifetime', async function () {
      this.timeout(50000)

      const { access_token: accessToken } = await server.login.login()
      await server.users.getMyInfo({ token: accessToken })

      await wait(3000)
      await server.users.getMyInfo({ token: accessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
    })

    it('Should have a very short refresh token lifetime', async function () {
      this.timeout(50000)

      const { refresh_token: refreshToken } = await server.login.login()
      await server.login.refreshToken({ refreshToken })

      await wait(3000)
      await server.login.refreshToken({ refreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
    })
  })

  after(async function () {
    await cleanupTests([ server ])
  })
})