gitlab-org--gitlab-foss/spec/requests/api/doorkeeper_access_spec.rb
Markus Koller 93daeee164 Don't allow blocked users to authenticate through other means
Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.
2017-03-07 15:00:29 +01:00


require 'spec_helper'
# Request specs for how GET /user authenticates a caller: with a Doorkeeper
# OAuth access token (the `access_token` param), through the `api(path, user)`
# helper, and the rejection cases for a bogus token and for blocked accounts.
describe API::API, api: true do
  include ApiHelpers

  # All three records are created eagerly (let!), so the access token already
  # exists before any example changes the user's state.
  let!(:user) { create(:user) }
  let!(:application) do
    Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user)
  end
  let!(:token) do
    Doorkeeper::AccessToken.create!(
      application_id: application.id,
      resource_owner_id: user.id,
      scopes: 'api'
    )
  end

  # NOTE(review): despite the label, this group sends a valid OAuth access
  # token and expects success; the label is kept as-is because it is part of
  # the example names.
  describe 'unauthenticated' do
    it 'returns authentication success' do
      get(api('/user'), access_token: token.token)

      expect(response).to have_http_status(200)
    end

    # The shared examples call #request, which is defined here for this group.
    include_examples 'user login request with unique ip limit' do
      def request
        get(api('/user'), access_token: token.token)
      end
    end
  end

  describe 'when token invalid' do
    it 'returns authentication error' do
      # A value that matches no stored access token must be refused outright.
      get(api('/user'), access_token: '123a')

      expect(response).to have_http_status(401)
    end
  end

  # Presumably api(path, user) attaches the user's private token to the URL;
  # verify against ApiHelpers.
  describe 'authorization by private token' do
    it 'returns authentication success' do
      get(api('/user', user))

      expect(response).to have_http_status(200)
    end

    include_examples 'user login request with unique ip limit' do
      def request
        get(api('/user', user))
      end
    end
  end

  # The token was issued while the account was active. Blocking the account
  # afterwards must be enough to refuse it, without revoking the token itself.
  #
  # NOTE(review): both blocked-state groups exercise only the access-token
  # path; this file has no matching case for the api('/user', user) path.
  describe 'when user is blocked' do
    it 'returns authentication error' do
      user.block

      get(api('/user'), access_token: token.token)

      expect(response).to have_http_status(401)
    end
  end

  describe 'when user is ldap_blocked' do
    it 'returns authentication error' do
      user.ldap_block

      get(api('/user'), access_token: token.token)

      expect(response).to have_http_status(401)
    end
  end
end