debian-mirror-gitlab/spec/requests/oauth/tokens_controller_spec.rb



# frozen_string_literal: true
require 'spec_helper'
# Request specs for the OAuth token endpoints (`POST /oauth/token`,
# `POST /oauth/revoke`) and their CORS preflights.
#
# The contract under test is the CORS policy: both endpoints must be callable
# from any origin (`Access-Control-Allow-Origin: *`) while never advertising
# credentialed cross-origin access (`Access-Control-Allow-Credentials` stays
# unset). The nil assertion on the credentials header is the security-relevant
# one: a wildcard origin combined with credentials would be the unsafe pairing,
# so the specs pin the safe combination explicitly rather than relying on
# browsers to reject it.
RSpec.describe Oauth::TokensController, feature_category: :authentication_and_authorization do
  # A foreign origin. The concrete host does not matter: the response is
  # expected to answer with `*`, not to reflect the request origin.
  let(:cors_request_headers) { { 'Origin' => 'http://notgitlab.com' } }
  # Overridden per `describe` below to add endpoint- or preflight-specific headers.
  let(:other_headers) { {} }
  let(:headers) { cors_request_headers.merge(other_headers) }
  # Only the methods a token client needs; anything else must not be advertised.
  let(:allowed_methods) { 'POST, OPTIONS' }
  # Request headers a browser client is permitted to send on a preflighted call.
  let(:authorization_methods) { %w[Authorization X-CSRF-Token X-Requested-With] }

  # Expectations for the actual (non-preflight) POST response: wildcard origin,
  # the fixed allowed-methods list, and deliberately no Allow-Headers and no
  # Allow-Credentials on the simple response.
  shared_examples 'cross-origin POST request' do
    it 'allows cross-origin requests' do
      expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
      expect(response.headers['Access-Control-Allow-Methods']).to eq allowed_methods
      expect(response.headers['Access-Control-Allow-Headers']).to be_nil
      expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
    end
  end

  # Expectations for the preflight OPTIONS response: 200, wildcard origin, the
  # fixed allowed-methods list, and the requested headers echoed back in
  # Allow-Headers. Credentials remain unset here as well.
  shared_examples 'CORS preflight OPTIONS request' do
    it 'returns 200' do
      expect(response).to have_gitlab_http_status(:ok)
    end

    it 'allows cross-origin requests' do
      expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
      expect(response.headers['Access-Control-Allow-Methods']).to eq allowed_methods
      # The preflight requests below send `authorization_methods` as
      # Access-Control-Request-Headers; the response is expected to return the
      # same value. NOTE(review): presumably the CORS middleware reflects the
      # permitted subset of the requested headers — confirm against the
      # middleware configuration.
      expect(response.headers['Access-Control-Allow-Headers']).to eq authorization_methods
      expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
    end
  end

  describe 'POST /oauth/token' do
    # No grant parameters are sent; only the CORS headers on the response are
    # asserted here, not the outcome of the token request itself.
    before do
      post '/oauth/token', headers: headers
    end

    it_behaves_like 'cross-origin POST request'
  end

  describe 'OPTIONS /oauth/token' do
    # A preflight for a POST that will carry the headers in `authorization_methods`.
    let(:other_headers) { { 'Access-Control-Request-Headers' => authorization_methods, 'Access-Control-Request-Method' => 'POST' } }

    before do
      options '/oauth/token', headers: headers
    end

    it_behaves_like 'CORS preflight OPTIONS request'
  end

  describe 'POST /oauth/revoke' do
    # The token is submitted as a form field, hence the form-encoded content type.
    let(:other_headers) { { 'Content-Type' => 'application/x-www-form-urlencoded' } }

    before do
      # A token value that is not expected to exist in the test database.
      post '/oauth/revoke', headers: headers, params: { token: '12345' }
    end

    # 200 is expected even though the token is unknown. NOTE(review): this
    # matches the revocation-endpoint behaviour of RFC 7009 §2.2 (invalid
    # tokens are answered with success so the endpoint cannot be used as a
    # token-existence oracle) — confirm that is the intended reason rather
    # than an artifact of the fixture.
    it 'returns 200' do
      expect(response).to have_gitlab_http_status(:ok)
    end

    it_behaves_like 'cross-origin POST request'
  end

  describe 'OPTIONS /oauth/revoke' do
    # Same preflight shape as for /oauth/token; both endpoints must share one policy.
    let(:other_headers) { { 'Access-Control-Request-Headers' => authorization_methods, 'Access-Control-Request-Method' => 'POST' } }

    before do
      options '/oauth/revoke', headers: headers
    end

    it_behaves_like 'CORS preflight OPTIONS request'
  end
end