2019-04-30 08:27:42 +08:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2015-10-11 17:41:23 +08:00
|
|
|
require 'rails_helper'
|
2014-05-23 06:13:25 +08:00
|
|
|
|
|
|
|
describe Auth::DefaultCurrentUserProvider do
|
|
|
|
|
2017-02-01 06:21:37 +08:00
|
|
|
class TestProvider < Auth::DefaultCurrentUserProvider
|
|
|
|
attr_reader :env
|
2018-09-04 14:17:05 +08:00
|
|
|
def initialize(env)
|
|
|
|
super(env)
|
2017-02-01 06:21:37 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-07-28 09:20:09 +08:00
|
|
|
def provider(url, opts = nil)
|
|
|
|
opts ||= { method: "GET" }
|
2014-05-23 06:13:25 +08:00
|
|
|
env = Rack::MockRequest.env_for(url, opts)
|
2018-09-04 14:17:05 +08:00
|
|
|
TestProvider.new(env)
|
2014-05-23 06:13:25 +08:00
|
|
|
end
|
|
|
|
|
2017-12-12 16:40:35 +08:00
|
|
|
it "can be used to pretend that a user doesn't exist" do
|
|
|
|
provider = TestProvider.new({})
|
|
|
|
expect(provider.current_user).to eq(nil)
|
|
|
|
end
|
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
context "server api" do
|
2014-05-23 06:13:25 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
it "raises errors for incorrect api_key" do
|
|
|
|
expect {
|
|
|
|
provider("/?api_key=INCORRECT").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess, /API username or key is invalid/)
|
|
|
|
end
|
2017-02-18 00:02:33 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
it "finds a user for a correct per-user api key" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
2018-10-25 20:38:57 +08:00
|
|
|
good_provider = provider("/?api_key=hello")
|
|
|
|
expect(good_provider.current_user.id).to eq(user.id)
|
|
|
|
expect(good_provider.is_api?).to eq(true)
|
|
|
|
expect(good_provider.is_user_api?).to eq(false)
|
|
|
|
expect(good_provider.should_update_last_seen?).to eq(false)
|
2017-02-18 00:02:33 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
user.update_columns(active: false)
|
2017-02-18 00:02:33 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
2017-02-18 00:02:33 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
user.update_columns(active: true, suspended_till: 1.day.from_now)
|
2014-05-23 06:13:25 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
2014-05-23 06:13:25 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
it "raises for a user pretending" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
user2 = Fabricate(:user)
|
2019-09-03 16:10:29 +08:00
|
|
|
key = ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
2014-05-23 06:13:25 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello&api_username=#{user2.username.downcase}").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
2019-09-03 16:10:29 +08:00
|
|
|
|
2019-11-05 22:10:23 +08:00
|
|
|
key.reload
|
|
|
|
expect(key.last_used_at).to eq(nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "raises for a revoked key" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
key = ApiKey.create!(key: "hello")
|
|
|
|
expect(
|
|
|
|
provider("/?api_key=hello&api_username=#{user.username.downcase}").current_user.id
|
|
|
|
).to eq(user.id)
|
|
|
|
|
|
|
|
key.reload.update(revoked_at: Time.zone.now, last_used_at: nil)
|
|
|
|
expect(key.reload.last_used_at).to eq(nil)
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello&api_username=#{user.username.downcase}").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
2019-09-03 16:10:29 +08:00
|
|
|
key.reload
|
|
|
|
expect(key.last_used_at).to eq(nil)
|
2017-12-11 08:07:22 +08:00
|
|
|
end
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
it "raises for a user with a mismatching ip" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello&api_username=#{user.username.downcase}", "REMOTE_ADDR" => "10.1.0.1").current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
end
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
it "allows a user with a matching ip" do
|
2019-09-03 16:10:29 +08:00
|
|
|
freeze_time
|
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
user = Fabricate(:user)
|
2019-09-03 16:10:29 +08:00
|
|
|
key = ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
|
2014-11-24 14:16:11 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
|
|
|
|
"REMOTE_ADDR" => "100.0.0.22").current_user
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
expect(found_user.id).to eq(user.id)
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
|
|
|
|
"HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22").current_user
|
|
|
|
expect(found_user.id).to eq(user.id)
|
|
|
|
|
2019-09-03 16:10:29 +08:00
|
|
|
key.reload
|
|
|
|
expect(key.last_used_at).to eq_time(Time.zone.now)
|
2017-12-11 08:07:22 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "finds a user for a correct system api key" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
expect(provider("/?api_key=hello&api_username=#{user.username.downcase}").current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key param and header username" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_USERNAME" => user.username.downcase }
|
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2018-01-12 14:37:57 +08:00
|
|
|
it "finds a user for a correct system api key with external id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
|
|
|
|
expect(provider("/?api_key=hello&api_user_external_id=abc").current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key param and header external id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
|
|
|
|
params = { "HTTP_API_USER_EXTERNAL_ID" => "abc" }
|
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2018-01-12 14:37:57 +08:00
|
|
|
it "finds a user for a correct system api key with id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
expect(provider("/?api_key=hello&api_user_id=#{user.id}").current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key param and header user id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_USER_ID" => user.id }
|
|
|
|
expect {
|
|
|
|
provider("/?api_key=hello", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
context "rate limiting" do
|
|
|
|
before do
|
|
|
|
RateLimiter.enable
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
RateLimiter.disable
|
|
|
|
end
|
|
|
|
|
|
|
|
it "rate limits api requests per api key" do
|
|
|
|
global_setting :max_admin_api_reqs_per_key_per_minute, 3
|
|
|
|
|
2017-12-15 08:42:20 +08:00
|
|
|
freeze_time
|
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
user = Fabricate(:user)
|
|
|
|
key = SecureRandom.hex
|
|
|
|
api_key = ApiKey.create!(key: key, created_by_id: -1)
|
|
|
|
|
|
|
|
provider("/?api_key=#{key}&api_username=#{user.username.downcase}").current_user
|
|
|
|
provider("/?api_key=#{key}&api_username=system").current_user
|
|
|
|
provider("/?api_key=#{key}&api_username=#{user.username.downcase}").current_user
|
|
|
|
|
|
|
|
expect do
|
|
|
|
provider("/?api_key=#{key}&api_username=system").current_user
|
|
|
|
end.to raise_error(RateLimiter::LimitExceeded)
|
|
|
|
|
2017-12-15 08:42:20 +08:00
|
|
|
freeze_time 59.seconds.from_now
|
|
|
|
|
|
|
|
expect do
|
|
|
|
provider("/?api_key=#{key}&api_username=system").current_user
|
|
|
|
end.to raise_error(RateLimiter::LimitExceeded)
|
|
|
|
|
|
|
|
freeze_time 2.seconds.from_now
|
|
|
|
|
|
|
|
# 1 minute elapsed
|
|
|
|
provider("/?api_key=#{key}&api_username=system").current_user
|
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
# should not rake limit a random key
|
|
|
|
api_key.destroy
|
|
|
|
key = SecureRandom.hex
|
|
|
|
ApiKey.create!(key: key, created_by_id: -1)
|
|
|
|
provider("/?api_key=#{key}&api_username=#{user.username.downcase}").current_user
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
2014-11-20 12:21:49 +08:00
|
|
|
|
2014-05-23 06:13:25 +08:00
|
|
|
end
|
|
|
|
|
2019-03-09 00:13:31 +08:00
|
|
|
context "server header api" do
|
|
|
|
|
|
|
|
it "raises errors for incorrect api_key" do
|
|
|
|
params = { "HTTP_API_KEY" => "INCORRECT" }
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess, /API username or key is invalid/)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "finds a user for a correct per-user api key" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello" }
|
|
|
|
|
|
|
|
good_provider = provider("/", params)
|
|
|
|
expect(good_provider.current_user.id).to eq(user.id)
|
|
|
|
expect(good_provider.is_api?).to eq(true)
|
|
|
|
expect(good_provider.is_user_api?).to eq(false)
|
|
|
|
expect(good_provider.should_update_last_seen?).to eq(false)
|
|
|
|
|
|
|
|
user.update_columns(active: false)
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
|
|
|
user.update_columns(active: true, suspended_till: 1.day.from_now)
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "raises for a user pretending" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
user2 = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USERNAME" => user2.username.downcase }
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "raises for a user with a mismatching ip" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
|
|
|
|
params = {
|
|
|
|
"HTTP_API_KEY" => "hello",
|
|
|
|
"HTTP_API_USERNAME" => user.username.downcase,
|
|
|
|
"REMOTE_ADDR" => "10.1.0.1"
|
|
|
|
}
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
it "allows a user with a matching ip" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
|
|
|
|
params = {
|
|
|
|
"HTTP_API_KEY" => "hello",
|
|
|
|
"HTTP_API_USERNAME" => user.username.downcase,
|
|
|
|
"REMOTE_ADDR" => "100.0.0.22",
|
|
|
|
}
|
|
|
|
|
|
|
|
found_user = provider("/", params).current_user
|
|
|
|
|
|
|
|
expect(found_user.id).to eq(user.id)
|
|
|
|
|
|
|
|
params = {
|
|
|
|
"HTTP_API_KEY" => "hello",
|
|
|
|
"HTTP_API_USERNAME" => user.username.downcase,
|
|
|
|
"HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22"
|
|
|
|
}
|
|
|
|
|
|
|
|
found_user = provider("/", params).current_user
|
|
|
|
expect(found_user.id).to eq(user.id)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
it "finds a user for a correct system api key" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USERNAME" => user.username.downcase }
|
|
|
|
expect(provider("/", params).current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key header and param username" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello" }
|
|
|
|
expect {
|
|
|
|
provider("/?api_username=#{user.username.downcase}", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2019-03-09 00:13:31 +08:00
|
|
|
it "finds a user for a correct system api key with external id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
|
|
|
|
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USER_EXTERNAL_ID" => "abc" }
|
|
|
|
expect(provider("/", params).current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key header and param external id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
|
|
|
|
params = { "HTTP_API_KEY" => "hello" }
|
|
|
|
expect {
|
|
|
|
provider("/?api_user_external_id=abc", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2019-03-09 00:13:31 +08:00
|
|
|
it "finds a user for a correct system api key with id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USER_ID" => user.id }
|
|
|
|
expect(provider("/", params).current_user.id).to eq(user.id)
|
|
|
|
end
|
|
|
|
|
2019-03-13 07:16:42 +08:00
|
|
|
it "raises for a mismatched api_key header and param user id" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => "hello" }
|
|
|
|
expect {
|
|
|
|
provider("/?api_user_id=#{user.id}", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
2019-03-09 00:13:31 +08:00
|
|
|
context "rate limiting" do
|
|
|
|
before do
|
|
|
|
RateLimiter.enable
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
RateLimiter.disable
|
|
|
|
end
|
|
|
|
|
|
|
|
it "rate limits api requests per api key" do
|
|
|
|
global_setting :max_admin_api_reqs_per_key_per_minute, 3
|
|
|
|
|
|
|
|
freeze_time
|
|
|
|
|
|
|
|
user = Fabricate(:user)
|
|
|
|
key = SecureRandom.hex
|
|
|
|
api_key = ApiKey.create!(key: key, created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => user.username.downcase }
|
|
|
|
system_params = params.merge("HTTP_API_USERNAME" => "system")
|
|
|
|
|
|
|
|
provider("/", params).current_user
|
|
|
|
provider("/", system_params).current_user
|
|
|
|
provider("/", params).current_user
|
|
|
|
|
|
|
|
expect do
|
|
|
|
provider("/", system_params).current_user
|
|
|
|
end.to raise_error(RateLimiter::LimitExceeded)
|
|
|
|
|
|
|
|
freeze_time 59.seconds.from_now
|
|
|
|
|
|
|
|
expect do
|
|
|
|
provider("/", system_params).current_user
|
|
|
|
end.to raise_error(RateLimiter::LimitExceeded)
|
|
|
|
|
|
|
|
freeze_time 2.seconds.from_now
|
|
|
|
|
|
|
|
# 1 minute elapsed
|
|
|
|
provider("/", system_params).current_user
|
|
|
|
|
|
|
|
# should not rate limit a random key
|
|
|
|
api_key.destroy
|
|
|
|
key = SecureRandom.hex
|
|
|
|
ApiKey.create!(key: key, created_by_id: -1)
|
|
|
|
params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => user.username.downcase }
|
|
|
|
provider("/", params).current_user
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2019-01-21 13:29:29 +08:00
|
|
|
describe "#current_user" do
|
2019-05-07 11:12:20 +08:00
|
|
|
fab!(:user) { Fabricate(:user) }
|
2019-01-22 18:07:48 +08:00
|
|
|
|
|
|
|
let(:unhashed_token) do
|
|
|
|
new_provider = provider('/')
|
|
|
|
cookies = {}
|
|
|
|
new_provider.log_on_user(user, {}, cookies)
|
|
|
|
cookies["_t"][:value]
|
|
|
|
end
|
|
|
|
|
2019-01-21 13:29:29 +08:00
|
|
|
after do
|
|
|
|
$redis.flushall
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should not update last seen for suspended users" do
|
|
|
|
freeze_time
|
|
|
|
|
2018-07-18 23:04:57 +08:00
|
|
|
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
|
|
|
|
u = provider2.current_user
|
|
|
|
u.reload
|
2019-03-28 14:28:01 +08:00
|
|
|
expect(u.last_seen_at).to eq_time(Time.now)
|
2018-07-18 23:04:57 +08:00
|
|
|
|
|
|
|
freeze_time 20.minutes.from_now
|
|
|
|
|
|
|
|
u.last_seen_at = nil
|
|
|
|
u.suspended_till = 1.year.from_now
|
|
|
|
u.save!
|
|
|
|
|
|
|
|
$redis.del("user:#{user.id}:#{Time.now.to_date}")
|
|
|
|
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
|
|
|
|
expect(provider2.current_user).to eq(nil)
|
|
|
|
|
|
|
|
u.reload
|
|
|
|
expect(u.last_seen_at).to eq(nil)
|
|
|
|
end
|
2019-01-22 18:07:48 +08:00
|
|
|
|
|
|
|
describe "when readonly mode is enabled due to postgres" do
|
|
|
|
before do
|
|
|
|
Discourse.enable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
|
|
|
|
end
|
|
|
|
|
2019-01-22 18:21:32 +08:00
|
|
|
after do
|
2019-01-22 18:07:48 +08:00
|
|
|
Discourse.disable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should not update last seen at" do
|
|
|
|
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
|
|
|
|
u = provider2.current_user
|
|
|
|
u.reload
|
|
|
|
expect(u.last_seen_at).to eq(nil)
|
|
|
|
end
|
|
|
|
end
|
2018-07-18 23:04:57 +08:00
|
|
|
end
|
|
|
|
|
2019-04-16 00:34:34 +08:00
|
|
|
it "should update last seen for non ajax" do
|
|
|
|
expect(provider("/topic/anything/goes", method: "POST").should_update_last_seen?).to eq(true)
|
|
|
|
expect(provider("/topic/anything/goes", method: "GET").should_update_last_seen?).to eq(true)
|
|
|
|
end
|
|
|
|
|
2017-03-01 01:34:57 +08:00
|
|
|
it "should update ajax reqs with discourse visible" do
|
|
|
|
expect(provider("/topic/anything/goes",
|
|
|
|
:method => "POST",
|
|
|
|
"HTTP_X_REQUESTED_WITH" => "XMLHttpRequest",
|
|
|
|
"HTTP_DISCOURSE_VISIBLE" => "true"
|
|
|
|
).should_update_last_seen?).to eq(true)
|
|
|
|
end
|
|
|
|
|
2019-04-16 00:34:34 +08:00
|
|
|
it "should not update last seen for ajax calls without Discourse-Visible header" do
|
|
|
|
expect(provider("/topic/anything/goes",
|
|
|
|
:method => "POST",
|
|
|
|
"HTTP_X_REQUESTED_WITH" => "XMLHttpRequest"
|
|
|
|
).should_update_last_seen?).to eq(false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should update last seen for API calls with Discourse-Visible header" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
|
|
|
params = { :method => "POST",
|
|
|
|
"HTTP_X_REQUESTED_WITH" => "XMLHttpRequest",
|
|
|
|
"HTTP_API_KEY" => "hello"
|
|
|
|
}
|
|
|
|
|
|
|
|
expect(provider("/topic/anything/goes", params).should_update_last_seen?).to eq(false)
|
|
|
|
expect(provider("/topic/anything/goes", params.merge("HTTP_DISCOURSE_VISIBLE" => "true")).should_update_last_seen?).to eq(true)
|
2014-05-23 06:13:25 +08:00
|
|
|
end
|
2016-07-25 10:07:31 +08:00
|
|
|
|
2017-02-01 06:21:37 +08:00
|
|
|
it "correctly rotates tokens" do
|
2016-07-25 10:07:31 +08:00
|
|
|
SiteSetting.maximum_session_age = 3
|
|
|
|
user = Fabricate(:user)
|
2017-02-01 06:21:37 +08:00
|
|
|
@provider = provider('/')
|
|
|
|
cookies = {}
|
|
|
|
@provider.log_on_user(user, {}, cookies)
|
|
|
|
|
|
|
|
unhashed_token = cookies["_t"][:value]
|
|
|
|
|
|
|
|
token = UserAuthToken.find_by(user_id: user.id)
|
|
|
|
|
|
|
|
expect(token.auth_token_seen).to eq(false)
|
|
|
|
expect(token.auth_token).not_to eq(unhashed_token)
|
|
|
|
expect(token.auth_token).to eq(UserAuthToken.hash_token(unhashed_token))
|
|
|
|
|
|
|
|
# at this point we are going to try to rotate token
|
|
|
|
freeze_time 20.minutes.from_now
|
|
|
|
|
|
|
|
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
|
|
|
|
provider2.current_user
|
|
|
|
|
|
|
|
token.reload
|
|
|
|
expect(token.auth_token_seen).to eq(true)
|
2016-07-25 10:07:31 +08:00
|
|
|
|
|
|
|
cookies = {}
|
2017-02-01 06:21:37 +08:00
|
|
|
provider2.refresh_session(user, {}, cookies)
|
|
|
|
expect(cookies["_t"][:value]).not_to eq(unhashed_token)
|
|
|
|
|
|
|
|
token.reload
|
|
|
|
expect(token.auth_token_seen).to eq(false)
|
|
|
|
|
|
|
|
freeze_time 21.minutes.from_now
|
|
|
|
|
|
|
|
old_token = token.prev_auth_token
|
|
|
|
unverified_token = token.auth_token
|
|
|
|
|
|
|
|
# old token should still work
|
|
|
|
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
|
|
|
|
expect(provider2.current_user.id).to eq(user.id)
|
|
|
|
|
|
|
|
provider2.refresh_session(user, {}, cookies)
|
|
|
|
|
|
|
|
token.reload
|
|
|
|
|
|
|
|
# because this should cause a rotation since we can safely
|
|
|
|
# assume it never reached the client
|
|
|
|
expect(token.prev_auth_token).to eq(old_token)
|
|
|
|
expect(token.auth_token).not_to eq(unverified_token)
|
2016-07-25 10:07:31 +08:00
|
|
|
|
2016-07-26 09:37:41 +08:00
|
|
|
end
|
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
context "rate limiting" do
|
2016-07-28 10:58:49 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
before do
|
|
|
|
RateLimiter.enable
|
|
|
|
end
|
2016-07-28 10:58:49 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
after do
|
|
|
|
RateLimiter.disable
|
|
|
|
end
|
2016-07-28 10:58:49 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
it "can only try 10 bad cookies a minute" do
|
|
|
|
user = Fabricate(:user)
|
|
|
|
token = UserAuthToken.generate!(user_id: user.id)
|
2016-08-09 08:02:18 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
provider('/').log_on_user(user, {}, {})
|
2016-07-28 10:58:49 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
|
|
|
|
RateLimiter.new(nil, "cookie_auth_10.0.0.2", 10, 60).clear!
|
2016-08-09 08:02:18 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
ip = "10.0.0.1"
|
|
|
|
env = { "HTTP_COOKIE" => "_t=#{SecureRandom.hex}", "REMOTE_ADDR" => ip }
|
2017-02-01 06:21:37 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
10.times do
|
|
|
|
provider('/', env).current_user
|
|
|
|
end
|
2017-12-04 15:17:18 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
expect {
|
|
|
|
provider('/', env).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
2017-12-04 15:17:18 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
expect {
|
|
|
|
env["HTTP_COOKIE"] = "_t=#{token.unhashed_auth_token}"
|
|
|
|
provider("/", env).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
|
|
|
env["REMOTE_ADDR"] = "10.0.0.2"
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider('/', env).current_user
|
|
|
|
}.not_to raise_error
|
|
|
|
end
|
2016-07-28 10:58:49 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "correctly removes invalid cookies" do
|
2017-07-28 09:20:09 +08:00
|
|
|
cookies = { "_t" => SecureRandom.hex }
|
2017-02-23 01:36:58 +08:00
|
|
|
provider('/').refresh_session(nil, {}, cookies)
|
2016-07-28 10:58:49 +08:00
|
|
|
expect(cookies.key?("_t")).to eq(false)
|
|
|
|
end
|
|
|
|
|
2017-02-01 06:21:37 +08:00
|
|
|
it "logging on user always creates a new token" do
|
2016-07-26 09:37:41 +08:00
|
|
|
user = Fabricate(:user)
|
2016-07-25 10:07:31 +08:00
|
|
|
|
2016-07-26 09:37:41 +08:00
|
|
|
provider('/').log_on_user(user, {}, {})
|
|
|
|
provider('/').log_on_user(user, {}, {})
|
2017-02-01 06:21:37 +08:00
|
|
|
|
|
|
|
expect(UserAuthToken.where(user_id: user.id).count).to eq(2)
|
2016-07-25 10:07:31 +08:00
|
|
|
end
|
|
|
|
|
2017-02-24 01:01:28 +08:00
|
|
|
it "sets secure, same site lax cookies" do
|
|
|
|
SiteSetting.force_https = false
|
|
|
|
SiteSetting.same_site_cookies = "Lax"
|
|
|
|
|
|
|
|
user = Fabricate(:user)
|
|
|
|
cookies = {}
|
|
|
|
provider('/').log_on_user(user, {}, cookies)
|
|
|
|
|
|
|
|
expect(cookies["_t"][:same_site]).to eq("Lax")
|
|
|
|
expect(cookies["_t"][:httponly]).to eq(true)
|
|
|
|
expect(cookies["_t"][:secure]).to eq(false)
|
|
|
|
|
|
|
|
SiteSetting.force_https = true
|
|
|
|
SiteSetting.same_site_cookies = "Disabled"
|
|
|
|
|
|
|
|
cookies = {}
|
|
|
|
provider('/').log_on_user(user, {}, cookies)
|
|
|
|
|
|
|
|
expect(cookies["_t"][:secure]).to eq(true)
|
|
|
|
expect(cookies["_t"].key?(:same_site)).to eq(false)
|
|
|
|
end
|
|
|
|
|
2016-07-25 10:07:31 +08:00
|
|
|
it "correctly expires session" do
|
|
|
|
SiteSetting.maximum_session_age = 2
|
|
|
|
user = Fabricate(:user)
|
2017-02-01 06:21:37 +08:00
|
|
|
token = UserAuthToken.generate!(user_id: user.id)
|
|
|
|
|
2016-07-25 10:07:31 +08:00
|
|
|
provider('/').log_on_user(user, {}, {})
|
|
|
|
|
2017-02-01 06:21:37 +08:00
|
|
|
expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user.id).to eq(user.id)
|
2016-07-25 10:07:31 +08:00
|
|
|
|
|
|
|
freeze_time 3.hours.from_now
|
2017-02-01 06:21:37 +08:00
|
|
|
expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user).to eq(nil)
|
2016-07-25 10:07:31 +08:00
|
|
|
end
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2018-05-13 23:00:02 +08:00
|
|
|
it "always unstage users" do
|
|
|
|
staged_user = Fabricate(:user, staged: true)
|
|
|
|
provider("/").log_on_user(staged_user, {}, {})
|
|
|
|
staged_user.reload
|
|
|
|
expect(staged_user.staged).to eq(false)
|
|
|
|
end
|
|
|
|
|
2016-08-15 15:58:33 +08:00
|
|
|
context "user api" do
|
2019-05-07 11:12:20 +08:00
|
|
|
fab! :user do
|
2016-08-15 15:58:33 +08:00
|
|
|
Fabricate(:user)
|
|
|
|
end
|
|
|
|
|
|
|
|
let :api_key do
|
|
|
|
UserApiKey.create!(
|
|
|
|
application_name: 'my app',
|
|
|
|
client_id: '1234',
|
2016-10-14 13:05:27 +08:00
|
|
|
scopes: ['read'],
|
2016-08-15 15:58:33 +08:00
|
|
|
key: SecureRandom.hex,
|
|
|
|
user_id: user.id
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2018-08-22 10:56:49 +08:00
|
|
|
it "can clear old duplicate keys correctly" do
|
|
|
|
dupe = UserApiKey.create!(
|
|
|
|
application_name: 'my app',
|
|
|
|
client_id: '12345',
|
|
|
|
scopes: ['read'],
|
|
|
|
key: SecureRandom.hex,
|
|
|
|
user_id: user.id
|
|
|
|
)
|
|
|
|
|
|
|
|
params = {
|
|
|
|
"REQUEST_METHOD" => "GET",
|
|
|
|
"HTTP_USER_API_KEY" => api_key.key,
|
|
|
|
"HTTP_USER_API_CLIENT_ID" => dupe.client_id,
|
|
|
|
}
|
|
|
|
|
|
|
|
good_provider = provider("/", params)
|
|
|
|
expect(good_provider.current_user.id).to eq(user.id)
|
|
|
|
expect(UserApiKey.find_by(id: dupe.id)).to eq(nil)
|
|
|
|
end
|
|
|
|
|
2016-08-15 15:58:33 +08:00
|
|
|
it "allows user API access correctly" do
|
|
|
|
params = {
|
|
|
|
"REQUEST_METHOD" => "GET",
|
2016-08-18 12:38:33 +08:00
|
|
|
"HTTP_USER_API_KEY" => api_key.key,
|
2016-08-15 15:58:33 +08:00
|
|
|
}
|
|
|
|
|
2016-12-16 09:05:20 +08:00
|
|
|
good_provider = provider("/", params)
|
|
|
|
|
|
|
|
expect(good_provider.current_user.id).to eq(user.id)
|
|
|
|
expect(good_provider.is_api?).to eq(false)
|
|
|
|
expect(good_provider.is_user_api?).to eq(true)
|
2018-10-25 20:38:57 +08:00
|
|
|
expect(good_provider.should_update_last_seen?).to eq(false)
|
2016-08-15 15:58:33 +08:00
|
|
|
|
|
|
|
expect {
|
2017-07-28 09:20:09 +08:00
|
|
|
provider("/", params.merge("REQUEST_METHOD" => "POST")).current_user
|
2016-08-15 15:58:33 +08:00
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
2017-02-18 00:02:33 +08:00
|
|
|
user.update_columns(suspended_till: 1.year.from_now)
|
|
|
|
|
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(Discourse::InvalidAccess)
|
|
|
|
|
2016-08-15 15:58:33 +08:00
|
|
|
end
|
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
context "rate limiting" do
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
before do
|
|
|
|
RateLimiter.enable
|
|
|
|
end
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
after do
|
|
|
|
RateLimiter.disable
|
|
|
|
end
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
it "rate limits api usage" do
|
|
|
|
limiter1 = RateLimiter.new(nil, "user_api_day_#{api_key.key}", 10, 60)
|
|
|
|
limiter2 = RateLimiter.new(nil, "user_api_min_#{api_key.key}", 10, 60)
|
|
|
|
limiter1.clear!
|
|
|
|
limiter2.clear!
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
global_setting :max_user_api_reqs_per_day, 3
|
|
|
|
global_setting :max_user_api_reqs_per_minute, 4
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
params = {
|
|
|
|
"REQUEST_METHOD" => "GET",
|
|
|
|
"HTTP_USER_API_KEY" => api_key.key,
|
|
|
|
}
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
3.times do
|
|
|
|
provider("/", params).current_user
|
|
|
|
end
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(RateLimiter::LimitExceeded)
|
2017-12-04 15:17:18 +08:00
|
|
|
|
2017-12-11 08:07:22 +08:00
|
|
|
global_setting :max_user_api_reqs_per_day, 4
|
|
|
|
global_setting :max_user_api_reqs_per_minute, 3
|
2016-08-15 15:58:33 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
limiter1.clear!
|
|
|
|
limiter2.clear!
|
|
|
|
|
|
|
|
3.times do
|
|
|
|
provider("/", params).current_user
|
|
|
|
end
|
2017-12-04 15:17:18 +08:00
|
|
|
|
2017-12-04 18:23:11 +08:00
|
|
|
expect {
|
|
|
|
provider("/", params).current_user
|
|
|
|
}.to raise_error(RateLimiter::LimitExceeded)
|
|
|
|
|
|
|
|
end
|
2016-08-15 15:58:33 +08:00
|
|
|
end
|
|
|
|
end
|
2014-05-23 06:13:25 +08:00
|
|
|
end
|