discourse/spec/integration/twitter_omniauth_spec.rb
Blake Erickson 17bdffc900 SECURITY: When enabled only allow Discourse Connect logins
If Discourse Connect is enabled no other methods for account creation or
authentication should be allowed.
2024-12-19 13:13:23 -03:00

138 lines
4.7 KiB
Ruby

# frozen_string_literal: true
describe "Twitter OAuth 1.0a" do
let(:access_token) { "twitter_access_token_448" }
let(:consumer_key) { "abcdef11223344" }
let(:consumer_secret) { "adddcccdddd99922" }
let(:oauth_token_secret) { "twitter_temp_code_544254" }
fab!(:user1) { Fabricate(:user) }
def setup_twitter_email_stub(email:)
body = {
contributors_enabled: true,
created_at: "Sat May 09 17:58:22 +0000 2009",
default_profile: false,
default_profile_image: false,
description:
"I taught your phone that thing you like. The Mobile Partner Engineer @Twitter. ",
favourites_count: 588,
follow_request_sent: nil,
followers_count: 10_625,
following: nil,
friends_count: 1181,
geo_enabled: true,
id: 38_895_958,
id_str: "38895958",
is_translator: false,
lang: "en",
listed_count: 190,
location: "San Francisco",
name: "Sean Cook",
notifications: nil,
profile_background_color: "1A1B1F",
profile_background_image_url:
"http://a0.twimg.com/profile_background_images/495742332/purty_wood.png",
profile_background_image_url_https:
"https://si0.twimg.com/profile_background_images/495742332/purty_wood.png",
profile_background_tile: true,
profile_image_url: "http://a0.twimg.com/profile_images/1751506047/dead_sexy_normal.JPG",
profile_image_url_https:
"https://si0.twimg.com/profile_images/1751506047/dead_sexy_normal.JPG",
profile_link_color: "2FC2EF",
profile_sidebar_border_color: "181A1E",
profile_sidebar_fill_color: "252429",
profile_text_color: "666666",
profile_use_background_image: true,
protected: false,
screen_name: "theSeanCook",
show_all_inline_media: true,
statuses_count: 2609,
time_zone: "Pacific Time (US & Canada)",
url: nil,
utc_offset: -28_800,
verified: true,
email: email,
}
stub_request(:get, "https://api.twitter.com/1.1/account/verify_credentials.json").with(
query: {
include_email: true,
include_entities: false,
skip_status: true,
},
).to_return(status: 200, body: JSON.dump(body))
end
before do
SiteSetting.enable_twitter_logins = true
SiteSetting.twitter_consumer_key = consumer_key
SiteSetting.twitter_consumer_secret = consumer_secret
stub_request(:post, "https://api.twitter.com/oauth/request_token").to_return(
status: 200,
body:
Rack::Utils.build_query(
oauth_token: access_token,
oauth_token_secret: oauth_token_secret,
oauth_callback_confirmed: true,
),
headers: {
"Content-Type" => "application/x-www-form-urlencoded",
},
)
stub_request(:post, "https://api.twitter.com/oauth/access_token").to_return(
status: 200,
body:
Rack::Utils.build_query(
oauth_token: access_token,
oauth_token_secret: oauth_token_secret,
user_id: "43423432422",
screen_name: "twitterapi",
),
)
end
it "signs in the user if the API response from twitter includes an email (implies it's verified) and the email matches an existing user's" do
post "/auth/twitter"
expect(response.status).to eq(302)
expect(response.location).to start_with("https://api.twitter.com/oauth/authenticate")
setup_twitter_email_stub(email: user1.email)
post "/auth/twitter/callback", params: { state: session["omniauth.state"] }
expect(response.status).to eq(302)
expect(response.location).to eq("http://test.localhost/")
expect(session[:current_user_id]).to eq(user1.id)
end
it "doesn't sign in the user discourse connect is enabled" do
SiteSetting.discourse_connect_url = "https://example.com/sso"
SiteSetting.enable_discourse_connect = true
post "/auth/twitter"
expect(response.status).to eq(302)
expect(response.location).to start_with("https://api.twitter.com/oauth/authenticate")
setup_twitter_email_stub(email: user1.email)
post "/auth/twitter/callback", params: { state: session["omniauth.state"] }
expect(response.status).to eq(403)
expect(session[:current_user_id]).to be_blank
end
it "doesn't sign in anyone if the API response from twitter doesn't include an email (implying the user's email on twitter isn't verified)" do
post "/auth/twitter"
expect(response.status).to eq(302)
expect(response.location).to start_with("https://api.twitter.com/oauth/authenticate")
setup_twitter_email_stub(email: nil)
post "/auth/twitter/callback", params: { state: session["omniauth.state"] }
expect(response.status).to eq(302)
expect(response.location).to eq("http://test.localhost/")
expect(session[:current_user_id]).to be_blank
end
end