Require permitted scopes when registering a client (#29718)

2025-06-03 17:05:34 +08:00 · 2024-11-19 21:28:04 +01:00
parent 4f11d16deb
commit ec7de0fd68
12 changed files with 259 additions and 44 deletions
--- a/spec/requests/user_api_key_clients_controller_spec.rb
+++ b/spec/requests/user_api_key_clients_controller_spec.rb
@ -21,41 +21,69 @@ RSpec.describe UserApiKeyClientsController do
    }
  end

-  describe "#register" do
-    context "without a user" do
-      it "returns a 403" do
-        post "/user-api-key-client/register.json", params: args
-        expect(response.status).to eq(403)
+  describe "#show" do
+    context "with a registered client" do
+      before { Fabricate(:user_api_key_client, **args) }
+
+      it "succeeds" do
+        head "/user-api-key-client.json", params: { client_id: args[:client_id] }
+        expect(response.status).to eq(200)
      end
    end

-    context "with a user" do
-      before { sign_in(Fabricate(:user)) }
+    context "without a registered client" do
+      it "returns a 400" do
+        head "/user-api-key-client.json", params: { client_id: args[:client_id] }
+        expect(response.status).to eq(400)
+      end
+    end
+  end

-      it "registers a client" do
-        post "/user-api-key-client/register.json", params: args
-        expect(response.status).to eq(200)
-        expect(
-          UserApiKeyClient.exists?(
-            client_id: args[:client_id],
-            application_name: args[:application_name],
-            auth_redirect: args[:auth_redirect],
-            public_key: args[:public_key],
-          ),
-        ).to eq(true)
+  describe "#create" do
+    context "without scopes" do
+      it "returns a 400" do
+        post "/user-api-key-client.json", params: args
+        expect(response.status).to eq(400)
+      end
+    end
+
+    context "with scopes" do
+      let!(:args_with_scopes) { args.merge(scopes: "user_status") }
+
+      context "when scopes are not allowed" do
+        before { SiteSetting.allow_user_api_key_client_scopes = "" }
+
+        it "returns a 403" do
+          post "/user-api-key-client.json", params: args_with_scopes
+          expect(response.status).to eq(403)
+        end
      end

-      it "updates a registered client" do
-        Fabricate(:user_api_key_client, **args)
-        args[:application_name] = "bar"
-        post "/user-api-key-client/register.json", params: args
-        expect(response.status).to eq(200)
-        expect(
-          UserApiKeyClient.exists?(
-            client_id: args[:client_id],
-            application_name: args[:application_name],
-          ),
-        ).to eq(true)
+      context "when scopes are allowed" do
+        before { SiteSetting.allow_user_api_key_client_scopes = "user_status" }
+
+        it "registers a client" do
+          post "/user-api-key-client.json", params: args_with_scopes
+          expect(response.status).to eq(200)
+          client =
+            UserApiKeyClient.find_by(
+              client_id: args_with_scopes[:client_id],
+              application_name: args_with_scopes[:application_name],
+              auth_redirect: args_with_scopes[:auth_redirect],
+              public_key: args_with_scopes[:public_key],
+            )
+          expect(client.present?).to eq(true)
+          expect(client.scopes.map(&:name)).to match_array(["user_status"])
+        end
+
+        context "if the client is already registered" do
+          before { Fabricate(:user_api_key_client, **args) }
+
+          it "returns a 403" do
+            post "/user-api-key-client.json", params: args_with_scopes
+            expect(response.status).to eq(403)
+          end
+        end
      end
    end
  end
--- a/spec/requests/user_api_keys_controller_spec.rb
+++ b/spec/requests/user_api_keys_controller_spec.rb
@ -305,19 +305,34 @@ RSpec.describe UserApiKeysController do
          application_name: fixed_args[:application_name],
          public_key: public_key,
          auth_redirect: fixed_args[:auth_redirect],
+          scopes: "read",
        )
      end

      before { sign_in(user) }

-      it "does not require allowed_user_api_auth_redirects to contain registered auth_redirect" do
-        post "/user-api-key.json", params: fixed_args
-        expect(response.status).to eq(302)
+      context "with allowed scopes" do
+        it "does not require allowed_user_api_auth_redirects to contain registered auth_redirect" do
+          post "/user-api-key.json", params: fixed_args
+          expect(response.status).to eq(302)
+        end
+
+        it "does not require application_name or public_key params" do
+          post "/user-api-key.json", params: fixed_args.except(:application_name, :public_key)
+          expect(response.status).to eq(302)
+        end
      end

-      it "does not require application_name or public_key params" do
-        post "/user-api-key.json", params: fixed_args.except(:application_name, :public_key)
-        expect(response.status).to eq(302)
+      context "without allowed scopes" do
+        let!(:invalid_scope_args) do
+          fixed_args[:scopes] = "write"
+          fixed_args
+        end
+
+        it "returns a 403" do
+          post "/user-api-key.json", params: invalid_scope_args
+          expect(response.status).to eq(403)
+        end
      end
    end
  end