2020-04-29 09:04:42 +02:00
|
|
|
/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
|
|
|
|
|
|
|
|
import { expect } from 'chai'
|
2021-12-17 11:58:15 +01:00
|
|
|
import { wait } from '@shared/core-utils'
|
|
|
|
import { HttpStatusCode, UserRole } from '@shared/models'
|
2020-04-29 09:04:42 +02:00
|
|
|
import {
|
2021-07-07 10:33:49 +02:00
|
|
|
cleanupTests,
|
2021-07-16 09:47:51 +02:00
|
|
|
createSingleServer,
|
2021-07-16 14:27:30 +02:00
|
|
|
decodeQueryString,
|
2021-07-16 09:47:51 +02:00
|
|
|
PeerTubeServer,
|
2021-07-16 14:27:30 +02:00
|
|
|
PluginsCommand,
|
2021-12-17 11:58:15 +01:00
|
|
|
setAccessTokensToServers
|
2021-12-17 09:29:23 +01:00
|
|
|
} from '@shared/server-commands'
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
async function loginExternal (options: {
|
2021-07-16 09:47:51 +02:00
|
|
|
server: PeerTubeServer
|
2020-04-29 09:04:42 +02:00
|
|
|
npmName: string
|
|
|
|
authName: string
|
|
|
|
username: string
|
|
|
|
query?: any
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatus?: HttpStatusCode
|
|
|
|
expectedStatusStep2?: HttpStatusCode
|
2020-04-29 09:04:42 +02:00
|
|
|
}) {
|
2021-07-16 09:04:35 +02:00
|
|
|
const res = await options.server.plugins.getExternalAuth({
|
2020-04-29 09:04:42 +02:00
|
|
|
npmName: options.npmName,
|
|
|
|
npmVersion: '0.0.1',
|
|
|
|
authName: options.authName,
|
|
|
|
query: options.query,
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatus: options.expectedStatus || HttpStatusCode.FOUND_302
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
2020-12-07 14:32:36 +01:00
|
|
|
if (res.status !== HttpStatusCode.FOUND_302) return
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
const location = res.header.location
|
|
|
|
const { externalAuthToken } = decodeQueryString(location)
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const resLogin = await options.server.login.loginUsingExternalToken({
|
2021-07-13 11:05:15 +02:00
|
|
|
username: options.username,
|
|
|
|
externalAuthToken: externalAuthToken as string,
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatus: options.expectedStatusStep2
|
2021-07-13 11:05:15 +02:00
|
|
|
})
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
return resLogin.body
|
|
|
|
}
|
|
|
|
|
|
|
|
describe('Test external auth plugins', function () {
|
2021-07-16 09:47:51 +02:00
|
|
|
let server: PeerTubeServer
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
let cyanAccessToken: string
|
|
|
|
let cyanRefreshToken: string
|
|
|
|
|
|
|
|
let kefkaAccessToken: string
|
|
|
|
let kefkaRefreshToken: string
|
|
|
|
|
|
|
|
let externalAuthToken: string
|
|
|
|
|
|
|
|
before(async function () {
|
|
|
|
this.timeout(30000)
|
|
|
|
|
2022-08-03 10:10:26 +02:00
|
|
|
server = await createSingleServer(1, {
|
|
|
|
rates_limit: {
|
|
|
|
login: {
|
|
|
|
max: 30
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2020-04-29 09:04:42 +02:00
|
|
|
await setAccessTokensToServers([ server ])
|
|
|
|
|
2020-11-20 15:36:43 +01:00
|
|
|
for (const suffix of [ 'one', 'two', 'three' ]) {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.plugins.install({ path: PluginsCommand.getPluginTestPath('-external-auth-' + suffix) })
|
2020-04-29 09:04:42 +02:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should display the correct configuration', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const config = await server.config.getConfig()
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
const auths = config.plugin.registeredExternalAuths
|
2022-08-03 10:10:26 +02:00
|
|
|
expect(auths).to.have.lengthOf(9)
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
const auth2 = auths.find((a) => a.authName === 'external-auth-2')
|
|
|
|
expect(auth2).to.exist
|
|
|
|
expect(auth2.authDisplayName).to.equal('External Auth 2')
|
|
|
|
expect(auth2.npmName).to.equal('peertube-plugin-test-external-auth-one')
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should redirect for a Cyan login', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const res = await server.plugins.getExternalAuth({
|
2020-04-29 09:04:42 +02:00
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
npmVersion: '0.0.1',
|
|
|
|
authName: 'external-auth-1',
|
|
|
|
query: {
|
|
|
|
username: 'cyan'
|
|
|
|
},
|
2021-07-07 10:33:49 +02:00
|
|
|
expectedStatus: HttpStatusCode.FOUND_302
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
const location = res.header.location
|
|
|
|
expect(location.startsWith('/login?')).to.be.true
|
|
|
|
|
|
|
|
const searchParams = decodeQueryString(location)
|
|
|
|
|
|
|
|
expect(searchParams.externalAuthToken).to.exist
|
|
|
|
expect(searchParams.username).to.equal('cyan')
|
|
|
|
|
|
|
|
externalAuthToken = searchParams.externalAuthToken as string
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should reject auto external login with a missing or invalid token', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const command = server.login
|
2021-07-13 11:05:15 +02:00
|
|
|
|
|
|
|
await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: '', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
|
|
|
await command.loginUsingExternalToken({ username: 'cyan', externalAuthToken: 'blabla', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should reject auto external login with a missing or invalid username', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const command = server.login
|
2021-07-13 11:05:15 +02:00
|
|
|
|
|
|
|
await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
|
|
|
await command.loginUsingExternalToken({ username: '', externalAuthToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should reject auto external login with an expired token', async function () {
|
|
|
|
this.timeout(15000)
|
|
|
|
|
|
|
|
await wait(5000)
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.login.loginUsingExternalToken({
|
2021-07-13 11:05:15 +02:00
|
|
|
username: 'cyan',
|
|
|
|
externalAuthToken,
|
|
|
|
expectedStatus: HttpStatusCode.BAD_REQUEST_400
|
|
|
|
})
|
2020-04-29 09:04:42 +02:00
|
|
|
|
2021-12-09 14:05:21 +01:00
|
|
|
await server.servers.waitUntilLog('expired external auth token', 4)
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should auto login Cyan, create the user and use the token', async function () {
|
|
|
|
{
|
|
|
|
const res = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
authName: 'external-auth-1',
|
|
|
|
query: {
|
|
|
|
username: 'cyan'
|
|
|
|
},
|
|
|
|
username: 'cyan'
|
|
|
|
})
|
|
|
|
|
|
|
|
cyanAccessToken = res.access_token
|
|
|
|
cyanRefreshToken = res.refresh_token
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2021-07-16 09:04:35 +02:00
|
|
|
const body = await server.users.getMyInfo({ token: cyanAccessToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
expect(body.username).to.equal('cyan')
|
|
|
|
expect(body.account.displayName).to.equal('cyan')
|
|
|
|
expect(body.email).to.equal('cyan@example.com')
|
|
|
|
expect(body.role).to.equal(UserRole.USER)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should auto login Kefka, create the user and use the token', async function () {
|
|
|
|
{
|
|
|
|
const res = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
authName: 'external-auth-2',
|
|
|
|
username: 'kefka'
|
|
|
|
})
|
|
|
|
|
|
|
|
kefkaAccessToken = res.access_token
|
|
|
|
kefkaRefreshToken = res.refresh_token
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2021-07-16 09:04:35 +02:00
|
|
|
const body = await server.users.getMyInfo({ token: kefkaAccessToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
expect(body.username).to.equal('kefka')
|
|
|
|
expect(body.account.displayName).to.equal('Kefka Palazzo')
|
|
|
|
expect(body.email).to.equal('kefka@example.com')
|
|
|
|
expect(body.role).to.equal(UserRole.ADMINISTRATOR)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should refresh Cyan token, but not Kefka token', async function () {
|
|
|
|
{
|
2021-07-16 09:04:35 +02:00
|
|
|
const resRefresh = await server.login.refreshToken({ refreshToken: cyanRefreshToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
cyanAccessToken = resRefresh.body.access_token
|
|
|
|
cyanRefreshToken = resRefresh.body.refresh_token
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const body = await server.users.getMyInfo({ token: cyanAccessToken })
|
2021-07-13 14:23:01 +02:00
|
|
|
expect(body.username).to.equal('cyan')
|
2020-04-29 09:04:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.login.refreshToken({ refreshToken: kefkaRefreshToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
2020-04-29 09:04:42 +02:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should update Cyan profile', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.users.updateMe({
|
2021-07-13 14:23:01 +02:00
|
|
|
token: cyanAccessToken,
|
2020-04-29 09:04:42 +02:00
|
|
|
displayName: 'Cyan Garamonde',
|
|
|
|
description: 'Retainer to the king of Doma'
|
|
|
|
})
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const body = await server.users.getMyInfo({ token: cyanAccessToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
expect(body.account.displayName).to.equal('Cyan Garamonde')
|
|
|
|
expect(body.account.description).to.equal('Retainer to the king of Doma')
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should logout Cyan', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.login.logout({ token: cyanAccessToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should have logged out Cyan', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.servers.waitUntilLog('On logout cyan')
|
2020-04-29 09:04:42 +02:00
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.users.getMyInfo({ token: cyanAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should login Cyan and keep the old existing profile', async function () {
|
|
|
|
{
|
|
|
|
const res = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
authName: 'external-auth-1',
|
|
|
|
query: {
|
|
|
|
username: 'cyan'
|
|
|
|
},
|
|
|
|
username: 'cyan'
|
|
|
|
})
|
|
|
|
|
|
|
|
cyanAccessToken = res.access_token
|
|
|
|
}
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const body = await server.users.getMyInfo({ token: cyanAccessToken })
|
2020-04-29 09:04:42 +02:00
|
|
|
expect(body.username).to.equal('cyan')
|
|
|
|
expect(body.account.displayName).to.equal('Cyan Garamonde')
|
|
|
|
expect(body.account.description).to.equal('Retainer to the king of Doma')
|
|
|
|
expect(body.role).to.equal(UserRole.USER)
|
|
|
|
})
|
|
|
|
|
2020-05-20 10:04:44 +02:00
|
|
|
it('Should not update an external auth email', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.users.updateMe({
|
2021-07-13 14:23:01 +02:00
|
|
|
token: cyanAccessToken,
|
2020-05-20 10:04:44 +02:00
|
|
|
email: 'toto@example.com',
|
|
|
|
currentPassword: 'toto',
|
2021-07-13 14:23:01 +02:00
|
|
|
expectedStatus: HttpStatusCode.BAD_REQUEST_400
|
2020-05-20 10:04:44 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-04-29 09:04:42 +02:00
|
|
|
it('Should reject token of Kefka by the plugin hook', async function () {
|
|
|
|
this.timeout(10000)
|
|
|
|
|
|
|
|
await wait(5000)
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.users.getMyInfo({ token: kefkaAccessToken, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
2020-04-30 10:03:09 +02:00
|
|
|
it('Should unregister external-auth-2 and do not login existing Kefka', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.plugins.updateSettings({
|
2020-04-30 10:03:09 +02:00
|
|
|
npmName: 'peertube-plugin-test-external-auth-one',
|
|
|
|
settings: { disableKefka: true }
|
|
|
|
})
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.login.login({ user: { username: 'kefka', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
2020-04-30 10:03:09 +02:00
|
|
|
|
|
|
|
await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
authName: 'external-auth-2',
|
|
|
|
query: {
|
|
|
|
username: 'kefka'
|
|
|
|
},
|
|
|
|
username: 'kefka',
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatus: HttpStatusCode.NOT_FOUND_404
|
2020-04-30 10:03:09 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
it('Should have disabled this auth', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const config = await server.config.getConfig()
|
2020-04-30 10:03:09 +02:00
|
|
|
|
|
|
|
const auths = config.plugin.registeredExternalAuths
|
2022-08-03 10:10:26 +02:00
|
|
|
expect(auths).to.have.lengthOf(8)
|
2020-04-30 10:03:09 +02:00
|
|
|
|
|
|
|
const auth1 = auths.find(a => a.authName === 'external-auth-2')
|
|
|
|
expect(auth1).to.not.exist
|
|
|
|
})
|
|
|
|
|
2020-04-29 09:04:42 +02:00
|
|
|
it('Should uninstall the plugin one and do not login Cyan', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.plugins.uninstall({ npmName: 'peertube-plugin-test-external-auth-one' })
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-one',
|
|
|
|
authName: 'external-auth-1',
|
|
|
|
query: {
|
|
|
|
username: 'cyan'
|
|
|
|
},
|
|
|
|
username: 'cyan',
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatus: HttpStatusCode.NOT_FOUND_404
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
2020-05-11 18:29:06 +02:00
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.login.login({ user: { username: 'cyan', password: null }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
|
|
|
await server.login.login({ user: { username: 'cyan', password: '' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
|
|
|
await server.login.login({ user: { username: 'cyan', password: 'fake' }, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
|
2020-05-11 18:29:06 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should not login kefka with another plugin', async function () {
|
|
|
|
await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-two',
|
|
|
|
authName: 'external-auth-4',
|
|
|
|
username: 'kefka2',
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
|
2020-05-11 18:29:06 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-two',
|
|
|
|
authName: 'external-auth-4',
|
|
|
|
username: 'kefka',
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
|
2020-05-11 18:29:06 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2022-08-03 10:10:26 +02:00
|
|
|
it('Should not login an existing user email', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
await server.users.create({ username: 'existing_user', password: 'super_password' })
|
2020-05-11 18:29:06 +02:00
|
|
|
|
|
|
|
await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-two',
|
|
|
|
authName: 'external-auth-6',
|
|
|
|
username: 'existing_user',
|
2021-07-16 10:42:24 +02:00
|
|
|
expectedStatusStep2: HttpStatusCode.BAD_REQUEST_400
|
2020-05-11 18:29:06 +02:00
|
|
|
})
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|
|
|
|
|
2022-08-03 10:10:26 +02:00
|
|
|
it('Should be able to login an existing user username and channel', async function () {
|
|
|
|
await server.users.create({ username: 'existing_user2' })
|
|
|
|
await server.users.create({ username: 'existing_user2-1_channel' })
|
|
|
|
|
|
|
|
// Test twice to ensure we don't generate a username on every login
|
|
|
|
for (let i = 0; i < 2; i++) {
|
|
|
|
const res = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-two',
|
|
|
|
authName: 'external-auth-7',
|
|
|
|
username: 'existing_user2'
|
|
|
|
})
|
|
|
|
|
|
|
|
const token = res.access_token
|
|
|
|
|
|
|
|
const myInfo = await server.users.getMyInfo({ token })
|
|
|
|
expect(myInfo.username).to.equal('existing_user2-1')
|
|
|
|
|
|
|
|
expect(myInfo.videoChannels[0].name).to.equal('existing_user2-1_channel-1')
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2020-04-29 09:04:42 +02:00
|
|
|
it('Should display the correct configuration', async function () {
|
2021-07-16 09:04:35 +02:00
|
|
|
const config = await server.config.getConfig()
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
const auths = config.plugin.registeredExternalAuths
|
2022-08-03 10:10:26 +02:00
|
|
|
expect(auths).to.have.lengthOf(7)
|
2020-04-29 09:04:42 +02:00
|
|
|
|
|
|
|
const auth2 = auths.find((a) => a.authName === 'external-auth-2')
|
|
|
|
expect(auth2).to.not.exist
|
|
|
|
})
|
|
|
|
|
|
|
|
after(async function () {
|
|
|
|
await cleanupTests([ server ])
|
|
|
|
})
|
2020-11-20 15:36:43 +01:00
|
|
|
|
|
|
|
it('Should forward the redirectUrl if the plugin returns one', async function () {
|
|
|
|
const resLogin = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-three',
|
|
|
|
authName: 'external-auth-7',
|
|
|
|
username: 'cid'
|
|
|
|
})
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
|
2021-07-13 11:05:15 +02:00
|
|
|
expect(redirectUrl).to.equal('https://example.com/redirectUrl')
|
2020-11-20 15:36:43 +01:00
|
|
|
})
|
|
|
|
|
|
|
|
it('Should call the plugin\'s onLogout method with the request', async function () {
|
|
|
|
const resLogin = await loginExternal({
|
|
|
|
server,
|
|
|
|
npmName: 'test-external-auth-three',
|
|
|
|
authName: 'external-auth-8',
|
|
|
|
username: 'cid'
|
|
|
|
})
|
|
|
|
|
2021-07-16 09:04:35 +02:00
|
|
|
const { redirectUrl } = await server.login.logout({ token: resLogin.access_token })
|
2021-07-13 11:05:15 +02:00
|
|
|
expect(redirectUrl).to.equal('https://example.com/redirectUrl?access_token=' + resLogin.access_token)
|
2020-11-20 15:36:43 +01:00
|
|
|
})
|
2020-04-29 09:04:42 +02:00
|
|
|
})
|