sendnrw/misskey
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(backend/oauth): allow CORS for token endpoint (#12814)

Browse Source 
* feat(backend/oauth): allow CORS for token endpoint

* no need to explicitly set origin to `*`

* Update CHANGELOG.md
This commit is contained in:
Kagami Sascha Rosylight
2023-12-27 07:10:24 +01:00
committed by GitHub
parent c96bc36fed
commit ad346b6f36
10 changed files with 242 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
packages/backend/test/e2e/nodeinfo.ts Normal file
View File

@@ -0,0 +1,40 @@
/*
* SPDX-FileCopyrightText: syuilo and other misskey contributors
* SPDX-License-Identifier: AGPL-3.0-only
*/
process.env.NODE_ENV = 'test';
import * as assert from 'assert';
import { relativeFetch, startServer } from '../utils.js';
import type { INestApplicationContext } from '@nestjs/common';
describe('nodeinfo', () => {
let app: INestApplicationContext;
beforeAll(async () => {
app = await startServer();
}, 1000 * 60 * 2);
afterAll(async () => {
await app.close();
});
test('nodeinfo 2.1', async () => {
const res = await relativeFetch('nodeinfo/2.1');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
const nodeInfo = await res.json() as any;
assert.strictEqual(nodeInfo.software.name, 'misskey');
});
test('nodeinfo 2.0', async () => {
const res = await relativeFetch('nodeinfo/2.0');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
const nodeInfo = await res.json() as any;
assert.strictEqual(nodeInfo.software.name, 'misskey');
});
});

20
packages/backend/test/e2e/oauth.ts
View File

@@ -941,4 +941,24 @@ describe('OAuth', () => {
const response = await fetch(new URL('/oauth/foo', host));
assert.strictEqual(response.status, 404);
});
describe('CORS', () => {
test('Token endpoint should support CORS', async () => {
const response = await fetch(new URL('/oauth/token', host), { method: 'POST' });
assert.ok(!response.ok);
assert.strictEqual(response.headers.get('Access-Control-Allow-Origin'), '*');
});
test('Authorize endpoint should not support CORS', async () => {
const response = await fetch(new URL('/oauth/authorize', host), { method: 'GET' });
assert.ok(!response.ok);
assert.ok(!response.headers.has('Access-Control-Allow-Origin'));
});
test('Decision endpoint should not support CORS', async () => {
const response = await fetch(new URL('/oauth/decision', host), { method: 'POST' });
assert.ok(!response.ok);
assert.ok(!response.headers.has('Access-Control-Allow-Origin'));
});
});
});

111
packages/backend/test/e2e/well-known.ts Normal file
View File

@@ -0,0 +1,111 @@
/*
* SPDX-FileCopyrightText: syuilo and other misskey contributors
* SPDX-License-Identifier: AGPL-3.0-only
*/
process.env.NODE_ENV = 'test';
import * as assert from 'assert';
import { host, origin, relativeFetch, signup, startServer } from '../utils.js';
import type { INestApplicationContext } from '@nestjs/common';
import type * as misskey from 'misskey-js';
describe('.well-known', () => {
let app: INestApplicationContext;
let alice: misskey.entities.User;
beforeAll(async () => {
app = await startServer();
alice = await signup({ username: 'alice' });
}, 1000 * 60 * 2);
afterAll(async () => {
await app.close();
});
test('nodeinfo', async () => {
const res = await relativeFetch('.well-known/nodeinfo');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
const nodeInfo = await res.json();
assert.deepStrictEqual(nodeInfo, {
links: [{
rel: 'http://nodeinfo.diaspora.software/ns/schema/2.1',
href: `${origin}/nodeinfo/2.1`,
}, {
rel: 'http://nodeinfo.diaspora.software/ns/schema/2.0',
href: `${origin}/nodeinfo/2.0`,
}],
});
});
test('webfinger', async () => {
const preflight = await relativeFetch(`.well-known/webfinger?resource=acct:alice@${host}`, {
method: 'options',
headers: {
'Access-Control-Request-Method': 'GET',
Origin: 'http://example.com',
},
});
assert.ok(preflight.ok);
assert.strictEqual(preflight.headers.get('Access-Control-Allow-Headers'), 'Accept');
const res = await relativeFetch(`.well-known/webfinger?resource=acct:alice@${host}`);
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
assert.strictEqual(res.headers.get('Access-Control-Expose-Headers'), 'Vary');
assert.strictEqual(res.headers.get('Vary'), 'Accept');
const webfinger = await res.json();
assert.deepStrictEqual(webfinger, {
subject: `acct:alice@${host}`,
links: [{
rel: 'self',
type: 'application/activity+json',
href: `${origin}/users/${alice.id}`,
}, {
rel: 'http://webfinger.net/rel/profile-page',
type: 'text/html',
href: `${origin}/@alice`,
}, {
rel: 'http://ostatus.org/schema/1.0/subscribe',
template: `${origin}/authorize-follow?acct={uri}`,
}],
});
});
test('host-meta', async () => {
const res = await relativeFetch('.well-known/host-meta');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
});
test('host-meta.json', async () => {
const res = await relativeFetch('.well-known/host-meta.json');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
const hostMeta = await res.json();
assert.deepStrictEqual(hostMeta, {
links: [{
rel: 'lrdd',
type: 'application/jrd+json',
template: `${origin}/.well-known/webfinger?resource={uri}`,
}],
});
});
test('oauth-authorization-server', async () => {
const res = await relativeFetch('.well-known/oauth-authorization-server');
assert.ok(res.ok);
assert.strictEqual(res.headers.get('Access-Control-Allow-Origin'), '*');
const serverInfo = await res.json() as any;
assert.strictEqual(serverInfo.issuer, origin);
assert.strictEqual(serverInfo.authorization_endpoint, `${origin}/oauth/authorize`);
assert.strictEqual(serverInfo.token_endpoint, `${origin}/oauth/token`);
});
});

2
packages/backend/test/utils.ts
View File

@@ -26,6 +26,8 @@ interface UserToken {
const config = loadConfig();
export const port = config.port;
export const origin = config.url;
export const host = new URL(config.url).host;
export const cookie = (me: UserToken): string => {
return `token=${me.token};`;