diff options
| author | Julien Veyssier <julien-nc@posteo.net> | 2023-06-12 17:36:49 +0200 |
|---|---|---|
| committer | Julien Veyssier <julien-nc@posteo.net> | 2023-06-19 11:18:06 +0200 |
| commit | 629adc318ffd1c96b89083b492a4b31815c88438 (patch) | |
| tree | dfe7aac60b6b16e7266388486790e8bf38bf3cd8 /apps/oauth2/tests/Controller/OauthApiControllerTest.php | |
| parent | 59f63a72cb8c7803f9fa433ceac97d7ce35688ac (diff) | |
| download | nextcloud-server-629adc318ffd1c96b89083b492a4b31815c88438.tar.gz nextcloud-server-629adc318ffd1c96b89083b492a4b31815c88438.zip | |
add bruteforce protection in OauthApiController
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Diffstat (limited to 'apps/oauth2/tests/Controller/OauthApiControllerTest.php')
| -rw-r--r-- | apps/oauth2/tests/Controller/OauthApiControllerTest.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php index eb9311dbbc7..c65302532a9 100644 --- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php +++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php @@ -104,6 +104,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_grant', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_grant' => 'foo']); $this->assertEquals($expected, $this->oauthApiController->getToken('foo', null, null, null, null)); } @@ -112,6 +113,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidcode']); $this->accessTokenMapper->method('getByCode') ->with('invalidcode') @@ -124,6 +126,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidrefresh']); $this->accessTokenMapper->method('getByCode') ->with('invalidrefresh') @@ -136,6 +139,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]); $accessToken = new AccessToken(); $accessToken->setClientId(42); @@ -169,6 +173,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_client', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_client' => 'client ID or secret does not match']); $accessToken = new AccessToken(); $accessToken->setClientId(42); @@ -191,6 +196,7 @@ class OauthApiControllerTest extends TestCase { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'token is invalid']); $accessToken = new AccessToken(); $accessToken->setClientId(42); |