From 40bf161ff0e76ea737d7c2ec55f62f2bfe5d6222 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Wed, 5 Jun 2024 12:33:10 +0200 Subject: [PATCH] test(oauth): coverage for the redirection of a denied grant See 886a675f62233dcde3ac0d7b2181484f29344f26 Return `access_denied` error when an OAuth2 request is denied (cherry picked from commit 32c882af91cf0c0f68a486876680b38095fa53a0)
---
release-notes/8.0.0/fix/4026.md | 1 +
tests/integration/oauth_test.go | 21 +++++++++++++++++++++
2 files changed, 22 insertions(+)
create mode 100644 release-notes/8.0.0/fix/4026.md
diff --git a/release-notes/8.0.0/fix/4026.md b/release-notes/8.0.0/fix/4026.md
new file mode 100644
index 0000000000..747c3a789e
--- /dev/null
+++ b/release-notes/8.0.0/fix/4026.md
@@ -0,0 +1 @@
+- when an OAuth grant request submitted to a Forgejo user is denied, the server from which the request originates is not notified that it has been denied
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index 1da1c6f9c0..cffb8b5814 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -554,3 +554,24 @@ func TestSignUpViaOAuthWithMissingFields(t *testing.T) {
 resp := MakeRequest(t, req, http.StatusSeeOther)
 assert.Equal(t, test.RedirectURL(resp), "/user/link_account")
 }
+
+func TestOAuth_GrantApplicationOAuth(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate")
+ ctx := loginUser(t, "user4")
+ resp := ctx.MakeRequest(t, req, http.StatusOK)
+
+ htmlDoc := NewHTMLParser(t, resp.Body)
+ htmlDoc.AssertElement(t, "#authorize-app", true)
+
+ req = NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
+ "_csrf": htmlDoc.GetCSRF(),
+ "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
+ "redirect_uri": "a",
+ "state": "thestate",
+ "granted": "false",
+ })
+ resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
+ assert.Contains(t, test.RedirectURL(resp), "error=access_denied&error_description=the+request+is+denied")
+}
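Review bot: The closing `assert.Contains` in `TestOAuth_GrantApplicationOAuth` pins only the `error=access_denied&error_description=...` substring, so the test would still pass if the denial redirect dropped the `state` value, carried a `code` parameter alongside the error, or pointed somewhere other than the submitted `redirect_uri`. RFC 6749 §4.1.2.1 requires `state` to be echoed in the error response when the request carried one, and the client depends on it to tie the response to its own request. Assuming the handler does return it, parse the location and assert the individual parameters: `u, err := url.Parse(test.RedirectURL(resp))`, `assert.Equal(t, "thestate", u.Query().Get("state"))`, `assert.Empty(t, u.Query().Get("code"))`. The file's import block is outside the hunk, so `net/url` may need adding. The test name also does not say it covers the denied path; a comment such as `// A denied grant must redirect back with error=access_denied and never an authorization code.` above the function would make that explicit.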