1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
import pytest
from authlib.oauth1.rfc5849 import errors
from tests.util import decode_response
from .models import User
def test_invalid_authorization(factory, server):
url = "/oauth/authorize"
request = factory.post(url)
with pytest.raises(errors.MissingRequiredParameterError):
server.check_authorization_request(request)
request = factory.post(url, data={"oauth_token": "a"})
with pytest.raises(errors.InvalidTokenError):
server.check_authorization_request(request)
def test_invalid_initiate(factory, server):
url = "/oauth/initiate"
# Test with non-existent client
request = factory.post(
url,
data={
"oauth_consumer_key": "nonexistent", # Client doesn't exist
"oauth_callback": "oob",
"oauth_signature_method": "PLAINTEXT",
"oauth_signature": "secret&",
},
)
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
assert data["error"] == "invalid_client"
def test_authorize_denied(factory, plaintext_server):
server = plaintext_server
initiate_url = "/oauth/initiate"
authorize_url = "/oauth/authorize"
# case 1
request = factory.post(
initiate_url,
data={
"oauth_consumer_key": "client",
"oauth_callback": "oob",
"oauth_signature_method": "PLAINTEXT",
"oauth_signature": "secret&",
},
)
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
assert "oauth_token" in data
request = factory.post(authorize_url, data={"oauth_token": data["oauth_token"]})
resp = server.create_authorization_response(request)
assert resp.status_code == 302
assert "access_denied" in resp["Location"]
assert "https://client.test" in resp["Location"]
# case 2
request = factory.post(
initiate_url,
data={
"oauth_consumer_key": "client",
"oauth_callback": "https://i.test",
"oauth_signature_method": "PLAINTEXT",
"oauth_signature": "secret&",
},
)
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
assert "oauth_token" in data
request = factory.post(authorize_url, data={"oauth_token": data["oauth_token"]})
resp = server.create_authorization_response(request)
assert resp.status_code == 302
assert "access_denied" in resp["Location"]
assert "https://i.test" in resp["Location"]
def test_authorize_granted(factory, plaintext_server):
server = plaintext_server
user = User.objects.get(username="foo")
initiate_url = "/oauth/initiate"
authorize_url = "/oauth/authorize"
# case 1
request = factory.post(
initiate_url,
data={
"oauth_consumer_key": "client",
"oauth_callback": "oob",
"oauth_signature_method": "PLAINTEXT",
"oauth_signature": "secret&",
},
)
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
assert "oauth_token" in data
request = factory.post(authorize_url, data={"oauth_token": data["oauth_token"]})
resp = server.create_authorization_response(request, user)
assert resp.status_code == 302
assert "oauth_verifier" in resp["Location"]
assert "https://client.test" in resp["Location"]
# case 2
request = factory.post(
initiate_url,
data={
"oauth_consumer_key": "client",
"oauth_callback": "https://i.test",
"oauth_signature_method": "PLAINTEXT",
"oauth_signature": "secret&",
},
)
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
assert "oauth_token" in data
request = factory.post(authorize_url, data={"oauth_token": data["oauth_token"]})
resp = server.create_authorization_response(request, user)
assert resp.status_code == 302
assert "oauth_verifier" in resp["Location"]
assert "https://i.test" in resp["Location"]
|
