
Commit 4ce7e90

committed
Test case for PLAINTEXT signature in ConsumerStrategy.
1 parent 8bc787e commit 4ce7e90

2 files changed

+220
-1
lines changed


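--- a/lib/passport-http-oauth/strategies/consumer.js
+++ b/lib/passport-http-oauth/strategies/consumer.js
@@ -248,7 +248,7 @@ ConsumerStrategy.prototype.authenticate = function(req) {
 var computedSignature = utils.plaintext(consumerSecret, tokenSecret);
 
 if (signature !== computedSignature) {
-return self.fail(self._challenge());
+return self.fail(self._challenge('signature_invalid'));
 }
 } else {
 return self.fail(self._challenge('signature_method_rejected'), 400);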
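Review bot: The comparison on the line just above the changed one, `if (signature !== computedSignature)`, is an early-exit string comparison, and in the PLAINTEXT branch the two operands are built from the shared secrets themselves, so a constant-time comparison is the usual defensive choice here. Assuming both values are strings, the guard could become `var a = Buffer.from(String(signature)), b = Buffer.from(computedSignature);` followed by `if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {` — note that timingSafeEqual throws on unequal lengths, so the length check must come first, and whether this module already requires `crypto` is not visible in the hunk. The enclosing authenticate function starts well before line 248 and continues after this hunk, so the origin and type of `signature` could not be confirmed from here.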

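--- a/test/strategies/consumer-test.js
+++ b/test/strategies/consumer-test.js
@@ -77,6 +77,62 @@ vows.describe('ConsumerStrategy').addBatch({
 },
 },
 
+'strategy handling a valid request without a request token using PLAINTEXT signature': {
+topic: function() {
+var strategy = new ConsumerStrategy(
+// consumer callback
+function(consumerKey, done) {
+done(null, { id: '1' }, 'ssh-secret');
+},
+// token callback
+function(requestToken, done) {
+done(new Error('token callback should not be called'));
+}
+);
+return strategy;
+},
+
+'after augmenting with actions': {
+topic: function(strategy) {
+var self = this;
+var req = {};
+strategy.success = function(user, info) {
+self.callback(null, user, info);
+}
+strategy.fail = function(challenge, status) {
+self.callback(new Error('should not be called'));
+}
+strategy.error = function(err) {
+self.callback(new Error('should not be called'));
+}
+
+req.url = '/oauth/request_token';
+req.method = 'POST';
+req.headers = {};
+req.headers['host'] = '127.0.0.1:3000';
+req.headers['authorization'] = 'OAuth oauth_callback="http%3A%2F%2Fmacbook-air.local.jaredhanson.net%3A3001%2Foauth%2Fcallback",oauth_consumer_key="abc123",oauth_nonce="s9ncyMbjTtZyoEYi25dHaRyWI9nIilRQ",oauth_signature_method="PLAINTEXT",oauth_timestamp="1341196367",oauth_version="1.0",oauth_signature="ssh-secret%2526"';
+req.query = url.parse(req.url, true).query;
+req.connection = { encrypted: false };
+process.nextTick(function () {
+strategy.authenticate(req);
+});
+},
+
+'should not generate an error' : function(err, user, info) {
+assert.isNull(err);
+},
+'should authenticate' : function(err, user, info) {
+assert.equal(user.id, '1');
+},
+'should set scheme to OAuth' : function(err, user, info) {
+assert.equal(info.scheme, 'OAuth');
+},
+'should set callbackURL' : function(err, user, info) {
+assert.equal(info.oauth.callbackURL, 'http://macbook-air.local.jaredhanson.net:3001/oauth/callback');
+},
+},
+},
+
 'strategy handling a valid request without a request token placing credentials in header with all-caps scheme': {
 topic: function() {
 var strategy = new ConsumerStrategy(
@@ -360,6 +416,59 @@ vows.describe('ConsumerStrategy').addBatch({
 },
 },
 
+'strategy handling a valid request without a request token using PLAINTEXT signature where consumer secret is wrong': {
+topic: function() {
+var strategy = new ConsumerStrategy(
+// consumer callback
+function(consumerKey, done) {
+done(null, { id: '1' }, 'ssh-secret-wrong');
+},
+// token callback
+function(requestToken, done) {
+done(new Error('token callback should not be called'));
+}
+);
+return strategy;
+},
+
+'after augmenting with actions': {
+topic: function(strategy) {
+var self = this;
+var req = {};
+strategy.success = function(user, info) {
+self.callback(new Error('should not be called'));
+}
+strategy.fail = function(challenge, status) {
+self.callback(null, challenge, status);
+}
+strategy.error = function(err) {
+self.callback(new Error('should not be called'));
+}
+
+req.url = '/oauth/request_token';
+req.method = 'POST';
+req.headers = {};
+req.headers['host'] = '127.0.0.1:3000';
+req.headers['authorization'] = 'OAuth oauth_callback="http%3A%2F%2Fmacbook-air.local.jaredhanson.net%3A3001%2Foauth%2Fcallback",oauth_consumer_key="abc123",oauth_nonce="s9ncyMbjTtZyoEYi25dHaRyWI9nIilRQ",oauth_signature_method="PLAINTEXT",oauth_timestamp="1341196367",oauth_version="1.0",oauth_signature="ssh-secret%2526"';
+req.query = url.parse(req.url, true).query;
+req.connection = { encrypted: false };
+process.nextTick(function () {
+strategy.authenticate(req);
+});
+},
+
+'should not generate an error' : function(err, challenge, status) {
+assert.isNull(err);
+},
+'should respond with challenge' : function(err, challenge, status) {
+assert.equal(challenge, 'OAuth realm="Clients", oauth_problem="signature_invalid"');
+},
+'should respond with default status' : function(err, challenge, status) {
+assert.isUndefined(status);
+},
+},
+},
+
 'strategy handling a valid request without a request token using unkown signature method': {
 topic: function() {
 var strategy = new ConsumerStrategy(
@@ -586,6 +695,63 @@ vows.describe('ConsumerStrategy').addBatch({
 },
 },
 
+'strategy handling a valid request with a request token using PLAINTEXT signature': {
+topic: function() {
+var strategy = new ConsumerStrategy(
+// consumer callback
+function(consumerKey, done) {
+done(null, { id: '1' }, 'ssh-secret');
+},
+// token callback
+function(requestToken, done) {
+done(null, '3yG0Panskjm5GGwdP5SUHFFXmF7aCl0v');
+}
+);
+return strategy;
+},
+
+'after augmenting with actions': {
+topic: function(strategy) {
+var self = this;
+var req = {};
+strategy.success = function(user, info) {
+self.callback(null, user, info);
+}
+strategy.fail = function(challenge, status) {
+self.callback(new Error('should not be called'));
+}
+strategy.error = function(err) {
+self.callback(new Error('should not be called'));
+}
+
+req.url = '/oauth/access_token';
+req.method = 'POST';
+req.headers = {};
+req.headers['host'] = '127.0.0.1:3000';
+req.headers['authorization'] = 'OAuth oauth_consumer_key="abc123",oauth_nonce="iiWqS4a7mKrpQWXO07osM9Om0PCDsMHN",oauth_signature_method="PLAINTEXT",oauth_timestamp="1341196375",oauth_token="AbSRoiyN",oauth_verifier="FOXJJYN0",oauth_version="1.0",oauth_signature="ssh-secret%25263yG0Panskjm5GGwdP5SUHFFXmF7aCl0v"';
+req.query = url.parse(req.url, true).query;
+req.connection = { encrypted: false };
+process.nextTick(function () {
+strategy.authenticate(req);
+});
+},
+
+'should not generate an error' : function(err, user, info) {
+assert.isNull(err);
+},
+'should authenticate' : function(err, user, info) {
+assert.equal(user.id, '1');
+},
+'should set scheme to OAuth' : function(err, user, info) {
+assert.equal(info.scheme, 'OAuth');
+},
+'should include token and verifier' : function(err, user, info) {
+assert.equal(info.oauth.token, 'AbSRoiyN');
+assert.equal(info.oauth.verifier, 'FOXJJYN0');
+},
+},
+},
+
 'strategy handling a valid request with a request token where token callback supplies info': {
 topic: function() {
 var strategy = new ConsumerStrategy(
@@ -928,6 +1094,59 @@ vows.describe('ConsumerStrategy').addBatch({
 },
 },
 
+'strategy handling a valid request with a request token using PLAINTEXT signature where token secret is wrong': {
+topic: function() {
+var strategy = new ConsumerStrategy(
+// consumer callback
+function(consumerKey, done) {
+done(null, { id: '1' }, 'ssh-secret');
+},
+// token callback
+function(requestToken, done) {
+done(null, '3yG0Panskjm5GGwdP5SUHFFXmF7aCl0v-wrong');
+}
+);
+return strategy;
+},
+
+'after augmenting with actions': {
+topic: function(strategy) {
+var self = this;
+var req = {};
+strategy.success = function(user, info) {
+self.callback(new Error('should not be called'));
+}
+strategy.fail = function(challenge, status) {
+self.callback(null, challenge, status);
+}
+strategy.error = function(err) {
+self.callback(new Error('should not be called'));
+}
+
+req.url = '/oauth/access_token';
+req.method = 'POST';
+req.headers = {};
+req.headers['host'] = '127.0.0.1:3000';
+req.headers['authorization'] = 'OAuth oauth_consumer_key="abc123",oauth_nonce="iiWqS4a7mKrpQWXO07osM9Om0PCDsMHN",oauth_signature_method="PLAINTEXT",oauth_timestamp="1341196375",oauth_token="AbSRoiyN",oauth_verifier="FOXJJYN0",oauth_version="1.0",oauth_signature="ssh-secret%25263yG0Panskjm5GGwdP5SUHFFXmF7aCl0v"';
+req.query = url.parse(req.url, true).query;
+req.connection = { encrypted: false };
+process.nextTick(function () {
+strategy.authenticate(req);
+});
+},
+
+'should not generate an error' : function(err, user, info) {
+assert.isNull(err);
+},
+'should respond with challenge' : function(err, challenge, status) {
+assert.equal(challenge, 'OAuth realm="Clients", oauth_problem="signature_invalid"');
+},
+'should respond with default status' : function(err, challenge, status) {
+assert.isUndefined(status);
+},
+},
+},
+
 'strategy handling a valid request with a request token where consumer callback fails with an error': {
 topic: function() {
 var strategy = new ConsumerStrategy(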
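Review bot: In the last hunk (new line 1138) the 'should not generate an error' vow is declared as `function(err, user, info)` while every sibling vow in that failure case and in the matching "consumer secret is wrong" case at new line 460 uses `function(err, challenge, status)`; since the topic calls back with `(null, challenge, status)`, the parameter names should match: `'should not generate an error' : function(err, challenge, status) {`. Separately, all four PLAINTEXT fixtures set `req.connection = { encrypted: false }` and the two positive cases expect success, so the suite only pins down that PLAINTEXT is accepted over a non-TLS connection; if the strategy is meant to restrict PLAINTEXT to encrypted transports (something the strategy hunk does not show either way), a case asserting that rejection would be worth adding next to these. The wrong-secret cases assert only the challenge string and an undefined status, which is fine as long as a 401 default is what `fail` applies elsewhere — that default is outside these hunks.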
