|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505 |
- // Copyright 2014 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
- package oauth2
-
- import (
- "errors"
- "fmt"
- "io/ioutil"
- "net/http"
- "net/http/httptest"
- "net/url"
- "testing"
- "time"
-
- "golang.org/x/net/context"
- )
-
- type mockTransport struct {
- rt func(req *http.Request) (resp *http.Response, err error)
- }
-
- func (t *mockTransport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
- return t.rt(req)
- }
-
- func newConf(url string) *Config {
- return &Config{
- ClientID: "CLIENT_ID",
- ClientSecret: "CLIENT_SECRET",
- RedirectURL: "REDIRECT_URL",
- Scopes: []string{"scope1", "scope2"},
- Endpoint: Endpoint{
- AuthURL: url + "/auth",
- TokenURL: url + "/token",
- },
- }
- }
-
- func TestAuthCodeURL(t *testing.T) {
- conf := newConf("server")
- url := conf.AuthCodeURL("foo", AccessTypeOffline, ApprovalForce)
- const want = "server/auth?access_type=offline&approval_prompt=force&client_id=CLIENT_ID&redirect_uri=REDIRECT_URL&response_type=code&scope=scope1+scope2&state=foo"
- if got := url; got != want {
- t.Errorf("got auth code URL = %q; want %q", got, want)
- }
- }
-
- func TestAuthCodeURL_CustomParam(t *testing.T) {
- conf := newConf("server")
- param := SetAuthURLParam("foo", "bar")
- url := conf.AuthCodeURL("baz", param)
- const want = "server/auth?client_id=CLIENT_ID&foo=bar&redirect_uri=REDIRECT_URL&response_type=code&scope=scope1+scope2&state=baz"
- if got := url; got != want {
- t.Errorf("got auth code = %q; want %q", got, want)
- }
- }
-
- func TestAuthCodeURL_Optional(t *testing.T) {
- conf := &Config{
- ClientID: "CLIENT_ID",
- Endpoint: Endpoint{
- AuthURL: "/auth-url",
- TokenURL: "/token-url",
- },
- }
- url := conf.AuthCodeURL("")
- const want = "/auth-url?client_id=CLIENT_ID&response_type=code"
- if got := url; got != want {
- t.Fatalf("got auth code = %q; want %q", got, want)
- }
- }
-
- func TestURLUnsafeClientConfig(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if got, want := r.Header.Get("Authorization"), "Basic Q0xJRU5UX0lEJTNGJTNGOkNMSUVOVF9TRUNSRVQlM0YlM0Y="; got != want {
- t.Errorf("Authorization header = %q; want %q", got, want)
- }
-
- w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
- w.Write([]byte("access_token=90d64460d14870c08c81352a05dedd3465940a7c&scope=user&token_type=bearer"))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- conf.ClientID = "CLIENT_ID??"
- conf.ClientSecret = "CLIENT_SECRET??"
- _, err := conf.Exchange(context.Background(), "exchange-code")
- if err != nil {
- t.Error(err)
- }
- }
-
- func TestExchangeRequest(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.String() != "/token" {
- t.Errorf("Unexpected exchange request URL, %v is found.", r.URL)
- }
- headerAuth := r.Header.Get("Authorization")
- if headerAuth != "Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ=" {
- t.Errorf("Unexpected authorization header, %v is found.", headerAuth)
- }
- headerContentType := r.Header.Get("Content-Type")
- if headerContentType != "application/x-www-form-urlencoded" {
- t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
- }
- body, err := ioutil.ReadAll(r.Body)
- if err != nil {
- t.Errorf("Failed reading request body: %s.", err)
- }
- if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
- t.Errorf("Unexpected exchange payload, %v is found.", string(body))
- }
- w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
- w.Write([]byte("access_token=90d64460d14870c08c81352a05dedd3465940a7c&scope=user&token_type=bearer"))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- tok, err := conf.Exchange(context.Background(), "exchange-code")
- if err != nil {
- t.Error(err)
- }
- if !tok.Valid() {
- t.Fatalf("Token invalid. Got: %#v", tok)
- }
- if tok.AccessToken != "90d64460d14870c08c81352a05dedd3465940a7c" {
- t.Errorf("Unexpected access token, %#v.", tok.AccessToken)
- }
- if tok.TokenType != "bearer" {
- t.Errorf("Unexpected token type, %#v.", tok.TokenType)
- }
- scope := tok.Extra("scope")
- if scope != "user" {
- t.Errorf("Unexpected value for scope: %v", scope)
- }
- }
-
- func TestExchangeRequest_JSONResponse(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.String() != "/token" {
- t.Errorf("Unexpected exchange request URL, %v is found.", r.URL)
- }
- headerAuth := r.Header.Get("Authorization")
- if headerAuth != "Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ=" {
- t.Errorf("Unexpected authorization header, %v is found.", headerAuth)
- }
- headerContentType := r.Header.Get("Content-Type")
- if headerContentType != "application/x-www-form-urlencoded" {
- t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
- }
- body, err := ioutil.ReadAll(r.Body)
- if err != nil {
- t.Errorf("Failed reading request body: %s.", err)
- }
- if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
- t.Errorf("Unexpected exchange payload, %v is found.", string(body))
- }
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(`{"access_token": "90d64460d14870c08c81352a05dedd3465940a7c", "scope": "user", "token_type": "bearer", "expires_in": 86400}`))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- tok, err := conf.Exchange(context.Background(), "exchange-code")
- if err != nil {
- t.Error(err)
- }
- if !tok.Valid() {
- t.Fatalf("Token invalid. Got: %#v", tok)
- }
- if tok.AccessToken != "90d64460d14870c08c81352a05dedd3465940a7c" {
- t.Errorf("Unexpected access token, %#v.", tok.AccessToken)
- }
- if tok.TokenType != "bearer" {
- t.Errorf("Unexpected token type, %#v.", tok.TokenType)
- }
- scope := tok.Extra("scope")
- if scope != "user" {
- t.Errorf("Unexpected value for scope: %v", scope)
- }
- expiresIn := tok.Extra("expires_in")
- if expiresIn != float64(86400) {
- t.Errorf("Unexpected non-numeric value for expires_in: %v", expiresIn)
- }
- }
-
- func TestExtraValueRetrieval(t *testing.T) {
- values := url.Values{}
- kvmap := map[string]string{
- "scope": "user", "token_type": "bearer", "expires_in": "86400.92",
- "server_time": "1443571905.5606415", "referer_ip": "10.0.0.1",
- "etag": "\"afZYj912P4alikMz_P11982\"", "request_id": "86400",
- "untrimmed": " untrimmed ",
- }
- for key, value := range kvmap {
- values.Set(key, value)
- }
-
- tok := Token{raw: values}
- scope := tok.Extra("scope")
- if got, want := scope, "user"; got != want {
- t.Errorf("got scope = %q; want %q", got, want)
- }
- serverTime := tok.Extra("server_time")
- if got, want := serverTime, 1443571905.5606415; got != want {
- t.Errorf("got server_time value = %v; want %v", got, want)
- }
- refererIP := tok.Extra("referer_ip")
- if got, want := refererIP, "10.0.0.1"; got != want {
- t.Errorf("got referer_ip value = %v, want %v", got, want)
- }
- expiresIn := tok.Extra("expires_in")
- if got, want := expiresIn, 86400.92; got != want {
- t.Errorf("got expires_in value = %v, want %v", got, want)
- }
- requestID := tok.Extra("request_id")
- if got, want := requestID, int64(86400); got != want {
- t.Errorf("got request_id value = %v, want %v", got, want)
- }
- untrimmed := tok.Extra("untrimmed")
- if got, want := untrimmed, " untrimmed "; got != want {
- t.Errorf("got untrimmed = %q; want %q", got, want)
- }
- }
-
- const day = 24 * time.Hour
-
- func TestExchangeRequest_JSONResponse_Expiry(t *testing.T) {
- seconds := int32(day.Seconds())
- for _, c := range []struct {
- expires string
- want bool
- }{
- {fmt.Sprintf(`"expires_in": %d`, seconds), true},
- {fmt.Sprintf(`"expires_in": "%d"`, seconds), true}, // PayPal case
- {fmt.Sprintf(`"expires": %d`, seconds), true}, // Facebook case
- {`"expires": false`, false}, // wrong type
- {`"expires": {}`, false}, // wrong type
- {`"expires": "zzz"`, false}, // wrong value
- } {
- testExchangeRequest_JSONResponse_expiry(t, c.expires, c.want)
- }
- }
-
- func testExchangeRequest_JSONResponse_expiry(t *testing.T, exp string, want bool) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(fmt.Sprintf(`{"access_token": "90d", "scope": "user", "token_type": "bearer", %s}`, exp)))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- t1 := time.Now().Add(day)
- tok, err := conf.Exchange(context.Background(), "exchange-code")
- t2 := time.Now().Add(day)
-
- if got := (err == nil); got != want {
- if want {
- t.Errorf("unexpected error: got %v", err)
- } else {
- t.Errorf("unexpected success")
- }
- }
- if !want {
- return
- }
- if !tok.Valid() {
- t.Fatalf("Token invalid. Got: %#v", tok)
- }
- expiry := tok.Expiry
- if expiry.Before(t1) || expiry.After(t2) {
- t.Errorf("Unexpected value for Expiry: %v (shold be between %v and %v)", expiry, t1, t2)
- }
- }
-
- func TestExchangeRequest_BadResponse(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(`{"scope": "user", "token_type": "bearer"}`))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- _, err := conf.Exchange(context.Background(), "code")
- if err == nil {
- t.Error("expected error from missing access_token")
- }
- }
-
- func TestExchangeRequest_BadResponseType(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(`{"access_token":123, "scope": "user", "token_type": "bearer"}`))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- _, err := conf.Exchange(context.Background(), "exchange-code")
- if err == nil {
- t.Error("expected error from non-string access_token")
- }
- }
-
- func TestExchangeRequest_NonBasicAuth(t *testing.T) {
- tr := &mockTransport{
- rt: func(r *http.Request) (w *http.Response, err error) {
- headerAuth := r.Header.Get("Authorization")
- if headerAuth != "" {
- t.Errorf("Unexpected authorization header, %v is found.", headerAuth)
- }
- return nil, errors.New("no response")
- },
- }
- c := &http.Client{Transport: tr}
- conf := &Config{
- ClientID: "CLIENT_ID",
- Endpoint: Endpoint{
- AuthURL: "https://accounts.google.com/auth",
- TokenURL: "https://accounts.google.com/token",
- },
- }
-
- ctx := context.WithValue(context.Background(), HTTPClient, c)
- conf.Exchange(ctx, "code")
- }
-
- func TestPasswordCredentialsTokenRequest(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- defer r.Body.Close()
- expected := "/token"
- if r.URL.String() != expected {
- t.Errorf("URL = %q; want %q", r.URL, expected)
- }
- headerAuth := r.Header.Get("Authorization")
- expected = "Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ="
- if headerAuth != expected {
- t.Errorf("Authorization header = %q; want %q", headerAuth, expected)
- }
- headerContentType := r.Header.Get("Content-Type")
- expected = "application/x-www-form-urlencoded"
- if headerContentType != expected {
- t.Errorf("Content-Type header = %q; want %q", headerContentType, expected)
- }
- body, err := ioutil.ReadAll(r.Body)
- if err != nil {
- t.Errorf("Failed reading request body: %s.", err)
- }
- expected = "grant_type=password&password=password1&scope=scope1+scope2&username=user1"
- if string(body) != expected {
- t.Errorf("res.Body = %q; want %q", string(body), expected)
- }
- w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
- w.Write([]byte("access_token=90d64460d14870c08c81352a05dedd3465940a7c&scope=user&token_type=bearer"))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- tok, err := conf.PasswordCredentialsToken(context.Background(), "user1", "password1")
- if err != nil {
- t.Error(err)
- }
- if !tok.Valid() {
- t.Fatalf("Token invalid. Got: %#v", tok)
- }
- expected := "90d64460d14870c08c81352a05dedd3465940a7c"
- if tok.AccessToken != expected {
- t.Errorf("AccessToken = %q; want %q", tok.AccessToken, expected)
- }
- expected = "bearer"
- if tok.TokenType != expected {
- t.Errorf("TokenType = %q; want %q", tok.TokenType, expected)
- }
- }
-
- func TestTokenRefreshRequest(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.String() == "/somethingelse" {
- return
- }
- if r.URL.String() != "/token" {
- t.Errorf("Unexpected token refresh request URL, %v is found.", r.URL)
- }
- headerContentType := r.Header.Get("Content-Type")
- if headerContentType != "application/x-www-form-urlencoded" {
- t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
- }
- body, _ := ioutil.ReadAll(r.Body)
- if string(body) != "grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
- t.Errorf("Unexpected refresh token payload, %v is found.", string(body))
- }
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- c := conf.Client(context.Background(), &Token{RefreshToken: "REFRESH_TOKEN"})
- c.Get(ts.URL + "/somethingelse")
- }
-
- func TestFetchWithNoRefreshToken(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.String() == "/somethingelse" {
- return
- }
- if r.URL.String() != "/token" {
- t.Errorf("Unexpected token refresh request URL, %v is found.", r.URL)
- }
- headerContentType := r.Header.Get("Content-Type")
- if headerContentType != "application/x-www-form-urlencoded" {
- t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
- }
- body, _ := ioutil.ReadAll(r.Body)
- if string(body) != "client_id=CLIENT_ID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
- t.Errorf("Unexpected refresh token payload, %v is found.", string(body))
- }
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- c := conf.Client(context.Background(), nil)
- _, err := c.Get(ts.URL + "/somethingelse")
- if err == nil {
- t.Errorf("Fetch should return an error if no refresh token is set")
- }
- }
-
- func TestTokenRetrieveError(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.String() != "/token" {
- t.Errorf("Unexpected token refresh request URL, %v is found.", r.URL)
- }
- w.Header().Set("Content-type", "application/json")
- w.WriteHeader(http.StatusBadRequest)
- w.Write([]byte(`{"error": "invalid_grant"}`))
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- _, err := conf.Exchange(context.Background(), "exchange-code")
- if err == nil {
- t.Fatalf("got no error, expected one")
- }
- _, ok := err.(*RetrieveError)
- if !ok {
- t.Fatalf("got %T error, expected *RetrieveError", err)
- }
- // Test error string for backwards compatibility
- expected := fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", "400 Bad Request", `{"error": "invalid_grant"}`)
- if errStr := err.Error(); errStr != expected {
- t.Fatalf("got %#v, expected %#v", errStr, expected)
- }
- }
-
- func TestRefreshToken_RefreshTokenReplacement(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(`{"access_token":"ACCESS_TOKEN", "scope": "user", "token_type": "bearer", "refresh_token": "NEW_REFRESH_TOKEN"}`))
- return
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- tkr := conf.TokenSource(context.Background(), &Token{RefreshToken: "OLD_REFRESH_TOKEN"})
- tk, err := tkr.Token()
- if err != nil {
- t.Errorf("got err = %v; want none", err)
- return
- }
- if want := "NEW_REFRESH_TOKEN"; tk.RefreshToken != want {
- t.Errorf("RefreshToken = %q; want %q", tk.RefreshToken, want)
- }
- }
-
- func TestRefreshToken_RefreshTokenPreservation(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- w.Write([]byte(`{"access_token":"ACCESS_TOKEN", "scope": "user", "token_type": "bearer"}`))
- return
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
- const oldRefreshToken = "OLD_REFRESH_TOKEN"
- tkr := conf.TokenSource(context.Background(), &Token{RefreshToken: oldRefreshToken})
- tk, err := tkr.Token()
- if err != nil {
- t.Fatalf("got err = %v; want none", err)
- }
- if tk.RefreshToken != oldRefreshToken {
- t.Errorf("RefreshToken = %q; want %q", tk.RefreshToken, oldRefreshToken)
- }
- }
-
- func TestConfigClientWithToken(t *testing.T) {
- tok := &Token{
- AccessToken: "abc123",
- }
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if got, want := r.Header.Get("Authorization"), fmt.Sprintf("Bearer %s", tok.AccessToken); got != want {
- t.Errorf("Authorization header = %q; want %q", got, want)
- }
- return
- }))
- defer ts.Close()
- conf := newConf(ts.URL)
-
- c := conf.Client(context.Background(), tok)
- req, err := http.NewRequest("GET", ts.URL, nil)
- if err != nil {
- t.Error(err)
- }
- _, err = c.Do(req)
- if err != nil {
- t.Error(err)
- }
- }
|