gotosocial/internal/api/auth/revoke_test.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package auth_test

import (
	"bytes"
	"context"
	"encoding/json"
	"io"
	"net/http"
	"testing"

	"github.com/stretchr/testify/suite"
	"github.com/superseriousbusiness/gotosocial/internal/db"
	"github.com/superseriousbusiness/gotosocial/testrig"
)

type RevokeTestSuite struct {
	AuthStandardTestSuite
}

func (suite *RevokeTestSuite) TestRevokeOK() {
	var (
		app   = suite.testApplications["application_1"]
		token = suite.testTokens["local_account_1"]
	)

	// Prepare request form.
	requestBody, w, err := testrig.CreateMultipartFormData(
		nil,
		map[string][]string{
			"token":         {token.Access},
			"client_id":     {app.ClientID},
			"client_secret": {app.ClientSecret},
		})
	if err != nil {
		panic(err)
	}

	// Prepare request ctx.
	ctx, recorder := suite.newContext(
		http.MethodPost,
		"/oauth/revoke",
		requestBody.Bytes(),
		w.FormDataContentType(),
	)

	// Submit the revoke request.
	suite.authModule.TokenRevokePOSTHandler(ctx)

	// Check response code.
	// We don't really care about body.
	suite.Equal(http.StatusOK, recorder.Code)
	result := recorder.Result()
	defer result.Body.Close()

	// Ensure token now gone.
	_, err = suite.state.DB.GetTokenByAccess(
		context.Background(),
		token.Access,
	)
	suite.ErrorIs(err, db.ErrNoEntries)
}

func (suite *RevokeTestSuite) TestRevokeWrongSecret() {
	var (
		app   = suite.testApplications["application_1"]
		token = suite.testTokens["local_account_1"]
	)

	// Prepare request form.
	requestBody, w, err := testrig.CreateMultipartFormData(
		nil,
		map[string][]string{
			"token":         {token.Access},
			"client_id":     {app.ClientID},
			"client_secret": {"Not the right secret :( :( :("},
		})
	if err != nil {
		panic(err)
	}

	// Prepare request ctx.
	ctx, recorder := suite.newContext(
		http.MethodPost,
		"/oauth/revoke",
		requestBody.Bytes(),
		w.FormDataContentType(),
	)

	// Submit the revoke request.
	suite.authModule.TokenRevokePOSTHandler(ctx)

	// Check response code + body.
	suite.Equal(http.StatusForbidden, recorder.Code)
	result := recorder.Result()
	defer result.Body.Close()

	// Read json bytes.
	b, err := io.ReadAll(result.Body)
	if err != nil {
		suite.FailNow(err.Error())
	}

	// Indent nicely.
	dst := bytes.Buffer{}
	if err := json.Indent(&dst, b, "", "  "); err != nil {
		suite.FailNow(err.Error())
	}

	suite.Equal(`{
  "error": "unauthorized_client",
  "error_description": "Forbidden: You are not authorized to revoke this token"
}`, dst.String())

	// Ensure token still there.
	_, err = suite.state.DB.GetTokenByAccess(
		context.Background(),
		token.Access,
	)
	suite.NoError(err)
}

func (suite *RevokeTestSuite) TestRevokeNoClientID() {
	var (
		app   = suite.testApplications["application_1"]
		token = suite.testTokens["local_account_1"]
	)

	// Prepare request form.
	requestBody, w, err := testrig.CreateMultipartFormData(
		nil,
		map[string][]string{
			"token":         {token.Access},
			"client_secret": {app.ClientSecret},
		})
	if err != nil {
		panic(err)
	}

	// Prepare request ctx.
	ctx, recorder := suite.newContext(
		http.MethodPost,
		"/oauth/revoke",
		requestBody.Bytes(),
		w.FormDataContentType(),
	)

	// Submit the revoke request.
	suite.authModule.TokenRevokePOSTHandler(ctx)

	// Check response code + body.
	suite.Equal(http.StatusBadRequest, recorder.Code)
	result := recorder.Result()
	defer result.Body.Close()

	// Read json bytes.
	b, err := io.ReadAll(result.Body)
	if err != nil {
		suite.FailNow(err.Error())
	}

	// Indent nicely.
	dst := bytes.Buffer{}
	if err := json.Indent(&dst, b, "", "  "); err != nil {
		suite.FailNow(err.Error())
	}

	suite.Equal(`{
  "error": "invalid_request",
  "error_description": "Bad Request: client_id not set"
}`, dst.String())

	// Ensure token still there.
	_, err = suite.state.DB.GetTokenByAccess(
		context.Background(),
		token.Access,
	)
	suite.NoError(err)
}

func TestRevokeTestSuite(t *testing.T) {
	suite.Run(t, new(RevokeTestSuite))
}
[feature] Implement /oauth/revoke for token revocation (#3983) 2025-04-10 16:24:17 +02:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`package auth_test`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/json"`
			`"io"`
			`"net/http"`
			`"testing"`

			`"github.com/stretchr/testify/suite"`
			`"github.com/superseriousbusiness/gotosocial/internal/db"`
			`"github.com/superseriousbusiness/gotosocial/testrig"`
			`)`

			`type RevokeTestSuite struct {`
			`AuthStandardTestSuite`
			`}`

			`func (suite *RevokeTestSuite) TestRevokeOK() {`
			`var (`
			`app = suite.testApplications["application_1"]`
			`token = suite.testTokens["local_account_1"]`
			`)`

			`// Prepare request form.`
			`requestBody, w, err := testrig.CreateMultipartFormData(`
			`nil,`
			`map[string][]string{`
			`"token": {token.Access},`
			`"client_id": {app.ClientID},`
			`"client_secret": {app.ClientSecret},`
			`})`
			`if err != nil {`
			`panic(err)`
			`}`

			`// Prepare request ctx.`
			`ctx, recorder := suite.newContext(`
			`http.MethodPost,`
			`"/oauth/revoke",`
			`requestBody.Bytes(),`
			`w.FormDataContentType(),`
			`)`

			`// Submit the revoke request.`
			`suite.authModule.TokenRevokePOSTHandler(ctx)`

			`// Check response code.`
			`// We don't really care about body.`
			`suite.Equal(http.StatusOK, recorder.Code)`
			`result := recorder.Result()`
			`defer result.Body.Close()`

			`// Ensure token now gone.`
			`_, err = suite.state.DB.GetTokenByAccess(`
			`context.Background(),`
			`token.Access,`
			`)`
			`suite.ErrorIs(err, db.ErrNoEntries)`
			`}`

			`func (suite *RevokeTestSuite) TestRevokeWrongSecret() {`
			`var (`
			`app = suite.testApplications["application_1"]`
			`token = suite.testTokens["local_account_1"]`
			`)`

			`// Prepare request form.`
			`requestBody, w, err := testrig.CreateMultipartFormData(`
			`nil,`
			`map[string][]string{`
			`"token": {token.Access},`
			`"client_id": {app.ClientID},`
			`"client_secret": {"Not the right secret :( :( :("},`
			`})`
			`if err != nil {`
			`panic(err)`
			`}`

			`// Prepare request ctx.`
			`ctx, recorder := suite.newContext(`
			`http.MethodPost,`
			`"/oauth/revoke",`
			`requestBody.Bytes(),`
			`w.FormDataContentType(),`
			`)`

			`// Submit the revoke request.`
			`suite.authModule.TokenRevokePOSTHandler(ctx)`

			`// Check response code + body.`
			`suite.Equal(http.StatusForbidden, recorder.Code)`
			`result := recorder.Result()`
			`defer result.Body.Close()`

			`// Read json bytes.`
			`b, err := io.ReadAll(result.Body)`
			`if err != nil {`
			`suite.FailNow(err.Error())`
			`}`

			`// Indent nicely.`
			`dst := bytes.Buffer{}`
			`if err := json.Indent(&dst, b, "", " "); err != nil {`
			`suite.FailNow(err.Error())`
			`}`

			suite.Equal(`{
			`"error": "unauthorized_client",`
			`"error_description": "Forbidden: You are not authorized to revoke this token"`
			}`, dst.String())

			`// Ensure token still there.`
			`_, err = suite.state.DB.GetTokenByAccess(`
			`context.Background(),`
			`token.Access,`
			`)`
			`suite.NoError(err)`
			`}`

			`func (suite *RevokeTestSuite) TestRevokeNoClientID() {`
			`var (`
			`app = suite.testApplications["application_1"]`
			`token = suite.testTokens["local_account_1"]`
			`)`

			`// Prepare request form.`
			`requestBody, w, err := testrig.CreateMultipartFormData(`
			`nil,`
			`map[string][]string{`
			`"token": {token.Access},`
			`"client_secret": {app.ClientSecret},`
			`})`
			`if err != nil {`
			`panic(err)`
			`}`

			`// Prepare request ctx.`
			`ctx, recorder := suite.newContext(`
			`http.MethodPost,`
			`"/oauth/revoke",`
			`requestBody.Bytes(),`
			`w.FormDataContentType(),`
			`)`

			`// Submit the revoke request.`
			`suite.authModule.TokenRevokePOSTHandler(ctx)`

			`// Check response code + body.`
			`suite.Equal(http.StatusBadRequest, recorder.Code)`
			`result := recorder.Result()`
			`defer result.Body.Close()`

			`// Read json bytes.`
			`b, err := io.ReadAll(result.Body)`
			`if err != nil {`
			`suite.FailNow(err.Error())`
			`}`

			`// Indent nicely.`
			`dst := bytes.Buffer{}`
			`if err := json.Indent(&dst, b, "", " "); err != nil {`
			`suite.FailNow(err.Error())`
			`}`

			suite.Equal(`{
			`"error": "invalid_request",`
			`"error_description": "Bad Request: client_id not set"`
			}`, dst.String())

			`// Ensure token still there.`
			`_, err = suite.state.DB.GetTokenByAccess(`
			`context.Background(),`
			`token.Access,`
			`)`
			`suite.NoError(err)`
			`}`

			`func TestRevokeTestSuite(t *testing.T) {`
			`suite.Run(t, new(RevokeTestSuite))`
			`}`