ec13ccb6d5
These changes ensure that OAuth2 clients cannot create an unlimited number of access tokens (sessions) with their client credentials. Signed-off-by: Michael Mayer <michael@photoprism.app>
89 lines
2.6 KiB
Go
89 lines
2.6 KiB
Go
package api
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/photoprism/photoprism/internal/acl"
|
|
"github.com/photoprism/photoprism/internal/session"
|
|
)
|
|
|
|
func TestAuth(t *testing.T) {
|
|
t.Run("Public", func(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
w := httptest.NewRecorder()
|
|
c, _ := gin.CreateTestContext(w)
|
|
c.Request = &http.Request{
|
|
Header: make(http.Header),
|
|
}
|
|
|
|
// Add authorization header.
|
|
AddRequestAuthorizationHeader(c.Request, session.PublicAuthToken)
|
|
|
|
// Check auth token.
|
|
authToken := AuthToken(c)
|
|
assert.Equal(t, session.PublicAuthToken, authToken)
|
|
|
|
// Check successful authorization in public mode.
|
|
s := Auth(c, acl.ResourceFiles, acl.ActionUpdate)
|
|
assert.NotNil(t, s)
|
|
assert.Equal(t, "admin", s.Username())
|
|
assert.Equal(t, session.PublicID, s.ID)
|
|
assert.Equal(t, http.StatusOK, s.HttpStatus())
|
|
assert.False(t, s.Abort(c))
|
|
|
|
// Check failed authorization in public mode.
|
|
s = Auth(c, acl.ResourceUsers, acl.ActionUpload)
|
|
assert.NotNil(t, s)
|
|
assert.Equal(t, "", s.Username())
|
|
assert.Equal(t, "", s.ID)
|
|
assert.Equal(t, http.StatusForbidden, s.HttpStatus())
|
|
assert.True(t, s.Abort(c))
|
|
})
|
|
}
|
|
|
|
func TestAuthAny(t *testing.T) {
|
|
t.Run("Public", func(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
w := httptest.NewRecorder()
|
|
c, _ := gin.CreateTestContext(w)
|
|
c.Request = &http.Request{
|
|
Header: make(http.Header),
|
|
}
|
|
|
|
// Add authorization header.
|
|
AddRequestAuthorizationHeader(c.Request, session.PublicAuthToken)
|
|
|
|
// Check auth token.
|
|
authToken := AuthToken(c)
|
|
assert.Equal(t, session.PublicAuthToken, authToken)
|
|
|
|
// Check successful authorization in public mode.
|
|
s := AuthAny(c, acl.ResourceFiles, acl.Permissions{acl.ActionUpdate})
|
|
assert.NotNil(t, s)
|
|
assert.Equal(t, "admin", s.Username())
|
|
assert.Equal(t, session.PublicID, s.ID)
|
|
assert.Equal(t, http.StatusOK, s.HttpStatus())
|
|
assert.False(t, s.Abort(c))
|
|
|
|
// Check failed authorization in public mode.
|
|
s = AuthAny(c, acl.ResourceUsers, acl.Permissions{acl.ActionUpload})
|
|
assert.NotNil(t, s)
|
|
assert.Equal(t, "", s.Username())
|
|
assert.Equal(t, "", s.ID)
|
|
assert.Equal(t, http.StatusForbidden, s.HttpStatus())
|
|
assert.True(t, s.Abort(c))
|
|
|
|
// Check successful authorization with multiple actions in public mode.
|
|
s = AuthAny(c, acl.ResourceUsers, acl.Permissions{acl.ActionUpload, acl.ActionView})
|
|
assert.NotNil(t, s)
|
|
assert.Equal(t, "admin", s.Username())
|
|
assert.Equal(t, session.PublicID, s.ID)
|
|
assert.Equal(t, http.StatusOK, s.HttpStatus())
|
|
assert.False(t, s.Abort(c))
|
|
})
|
|
}
|