authorJulien Veyssier <julien-nc@posteo.net>2023-08-29 12:37:30 +0200
committerJulien Veyssier <julien-nc@posteo.net>2023-10-05 14:24:02 +0200
commitddfc124767a211e4007c11a016633b33a3b1ca76 (patch)
treee3b587a3db5733e8b5716100be4a808535439e10
parent779e1d51ac1d50c5625a1cc403d732d74b364ccf (diff)
downloadnextcloud-server-ddfc124767a211e4007c11a016633b33a3b1ca76.tar.gz
nextcloud-server-ddfc124767a211e4007c11a016633b33a3b1ca76.zip
add test for refusing to get an oauth token from a code when we're not in authorization state
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
-rw-r--r--apps/oauth2/tests/Controller/OauthApiControllerTest.php27
1 files changed, 27 insertions, 0 deletions
diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
index f9db388713b..2ff49b92fa7 100644
--- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php
+++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
@@ -151,6 +151,33 @@ class OauthApiControllerTest extends TestCase {
$this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
}
+ public function testGetTokenWithCodeForActiveToken() {
+ // if a token has already delivered oauth tokens,
+ // it should not be possible to get a new oauth token from a valid authorization code
+ $tokenCreatedAt = 100;
+
+ $expected = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $expected->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
+
+ $accessToken = new AccessToken();
+ $accessToken->setClientId(42);
+ $accessToken->setCreatedAt($tokenCreatedAt);
+ $accessToken->setTokenCount(1);
+
+ $this->accessTokenMapper->method('getByCode')
+ ->with('validcode')
+ ->willReturn($accessToken);
+
+ $tsNow = $tokenCreatedAt + 1;
+ $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
+ $this->timeFactory->method('now')
+ ->willReturn($dateNow);
+
+ $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
+ }
+
public function testGetTokenClientDoesNotExist() {
// In this test, the token's authorization code is valid and has not expired
// and we check what happens when the associated Oauth client does not exist
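Review bot: The reason for `$tsNow = $tokenCreatedAt + 1` in testGetTokenWithCodeForActiveToken is not stated, and a reader cannot tell from the test whether the clock value matters for the branch under test. Presumably "now" is kept just after `createdAt` so the authorization code is still within its validity window and the controller reaches the token-count check rather than failing on expiry first; a comment such as `// keep the code unexpired so the failure comes from tokenCount > 0, not from code expiry` above the `$tsNow` line would pin that intent, and if the order of those checks in getToken is the other way round, the test would still pass for the wrong reason — worth confirming against the controller. The leading comment at the top of the method ("if a token has already delivered oauth tokens") is also ambiguous about which object is meant; `// an authorization code that has already been exchanged (tokenCount > 0) must not yield another token pair` says the same thing in terms of the state the test actually sets up. Consider `->expects($this->once())` on the `getByCode` stub, as the rejection path should consult the mapper exactly once and never issue or store a new token.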