Refactoring + expanding tests for /api/v1/apps

2023-02-10 15:10:10 -08:00 · 2023-02-10 15:10:10 -08:00 · f622c34891
commit f622c34891
--- a/backend/test/mastodon.spec.ts
+++ b/backend/test/mastodon.spec.ts
@ -3,7 +3,6 @@ import type { JWK } from 'wildebeest/backend/src/webpush/jwk'
 import type { Env } from 'wildebeest/backend/src/types/env'
 import * as v1_instance from 'wildebeest/functions/api/v1/instance'
 import * as v2_instance from 'wildebeest/functions/api/v2/instance'
-import * as apps from 'wildebeest/functions/api/v1/apps'
 import * as custom_emojis from 'wildebeest/functions/api/v1/custom_emojis'
 import * as mutes from 'wildebeest/functions/api/v1/mutes'
 import * as blocks from 'wildebeest/functions/api/v1/blocks'
@ -16,7 +15,7 @@ import { enrichStatus } from 'wildebeest/backend/src/mastodon/microformats'
 const userKEK = 'test_kek'
 const domain = 'cloudflare.com'

-async function generateVAPIDKeys(): Promise<JWK> {
+export async function generateVAPIDKeys(): Promise<JWK> {
 	const keyPair = (await crypto.subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, [
 		'sign',
 		'verify',
@ -100,51 +99,6 @@ describe('Mastodon APIs', () => {
 		})
 	})

-	describe('apps', () => {
-		test('return the app infos', async () => {
-			const db = await makeDB()
-			const vapidKeys = await generateVAPIDKeys()
-			const request = new Request('https://example.com', {
-				method: 'POST',
-				body: '{"redirect_uris":"mastodon://joinmastodon.org/oauth","website":"https://app.joinmastodon.org/ios","client_name":"Mastodon for iOS","scopes":"read write follow push"}',
-				headers: {
-					'content-type': 'application/json',
-				},
-			})
-
-			const res = await apps.handleRequest(db, request, vapidKeys)
-			assert.equal(res.status, 200)
-			assertCORS(res)
-			assertJSON(res)
-
-			// eslint-disable-next-line @typescript-eslint/no-unused-vars
-			const { name, website, redirect_uri, client_id, client_secret, vapid_key, ...rest } = await res.json<
-				Record<string, string>
-			>()
-
-			assert.equal(name, 'Mastodon for iOS')
-			assert.equal(website, 'https://app.joinmastodon.org/ios')
-			assert.equal(redirect_uri, 'mastodon://joinmastodon.org/oauth')
-			assert.deepEqual(rest, {})
-		})
-
-		test('returns 404 for GET request', async () => {
-			const vapidKeys = await generateVAPIDKeys()
-			const request = new Request('https://example.com')
-			const ctx: any = {
-				next: () => new Response(),
-				data: null,
-				env: {
-					VAPID_JWK: JSON.stringify(vapidKeys),
-				},
-				request,
-			}
-
-			const res = await apps.onRequest(ctx)
-			assert.equal(res.status, 400)
-		})
-	})
-
 	describe('custom emojis', () => {
 		test('returns an empty array', async () => {
 			const res = await custom_emojis.onRequest()
--- a/backend/test/mastodon/apps.spec.ts
+++ b/backend/test/mastodon/apps.spec.ts
@ -0,0 +1,128 @@
+import { makeDB, assertCORS, assertJSON, createTestClient } from '../utils'
+import { TEST_JWT } from '../test-data'
+import { strict as assert } from 'node:assert/strict'
+import * as apps from 'wildebeest/functions/api/v1/apps'
+import * as verify_app from 'wildebeest/functions/api/v1/apps/verify_credentials'
+import { CredentialApp } from 'wildebeest/functions/api/v1/apps/verify_credentials'
+import { VAPIDPublicKey } from 'wildebeest/backend/src/mastodon/subscription'
+import { generateVAPIDKeys } from 'wildebeest/backend/test/mastodon.spec'
+
+describe('Mastodon APIs', () => {
+	describe('/apps', () => {
+    test('POST /apps registers client', async () => {
+      const db = await makeDB()
+      const vapidKeys = await generateVAPIDKeys()
+      const request = new Request('https://example.com', {
+        method: 'POST',
+        body: '{"redirect_uris":"mastodon://joinmastodon.org/oauth","website":"https://app.joinmastodon.org/ios","client_name":"Mastodon for iOS","scopes":"read write follow push"}',
+        headers: {
+          'content-type': 'application/json',
+        },
+      })
+
+      const res = await apps.handleRequest(db, request, vapidKeys)
+      assert.equal(res.status, 200)
+      assertCORS(res)
+      assertJSON(res)
+
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      const { name, website, redirect_uri, client_id, client_secret, vapid_key, ...rest } = await res.json<
+        Record<string, string>
+      >()
+
+      assert.equal(name, 'Mastodon for iOS')
+      assert.equal(website, 'https://app.joinmastodon.org/ios')
+      assert.equal(redirect_uri, 'mastodon://joinmastodon.org/oauth')
+      assert.deepEqual(rest, {})
+    })
+    
+    test('POST /apps returns 422 for malformed requests', async () => {
+      // client_name and redirect_uris are required according to https://docs.joinmastodon.org/methods/apps/#form-data-parameters
+      const db = await makeDB();
+      const vapidKeys = await generateVAPIDKeys();
+      const headers = { 'content-type': 'application/json' };
+
+      const validURIException = new Request('https://example.com', {
+        method: 'POST',
+        body: '{"redirect_uris":"urn:ietf:wg:oauth:2.0:oob","client_name":"Mastodon for iOS"}',
+        headers: headers,
+      })
+      let res = await apps.handleRequest(db, validURIException, vapidKeys)
+      assert.equal(res.status, 200)
+
+      const invalidURIRequest = new Request('https://example.com', {
+        method: 'POST',
+        body: '{"redirect_uris":"joinmastodon.org/oauth","client_name":"Mastodon for iOS"}',
+        headers: headers,
+      })
+      res = await apps.handleRequest(db, invalidURIRequest, vapidKeys)
+      assert.equal(res.status, 422)
+
+      const missingURIRequest = new Request('https://example.com', {
+        method: 'POST',
+        body: '{"client_name":"Mastodon for iOS"}',
+        headers: headers,
+      })
+      res = await apps.handleRequest(db, missingURIRequest, vapidKeys)
+      assert.equal(res.status, 422)
+
+      const missingClientNameRequest = new Request('https://example.com', {
+        method: 'POST',
+        body: '{"redirect_uris":"joinmastodon.org/oauth"}',
+        headers: headers,
+      })
+      res = await apps.handleRequest(db, missingClientNameRequest, vapidKeys)
+      assert.equal(res.status, 422)
+    })
+
+    test('GET  /apps is bad request', async () => {
+      const vapidKeys = await generateVAPIDKeys()
+      const request = new Request('https://example.com')
+      const ctx: any = {
+        next: () => new Response(),
+        data: null,
+        env: {
+          VAPID_JWK: JSON.stringify(vapidKeys),
+        },
+        request,
+      }
+
+      const res = await apps.onRequest(ctx)
+      assert.equal(res.status, 400)
+    })
+
+		test('GET /verify_credentials returns public VAPID key for known clients', async () => {
+			const db = await makeDB()
+			const testScope = 'test abcd'
+			const client = await createTestClient(db, 'https://localhost', testScope)
+      const vapidKeys = await generateVAPIDKeys()
+
+			const headers = { authorization: 'Bearer ' + client.id + '.' + TEST_JWT }
+
+			const req = new Request('https://example.com/api/v1/verify_credentials', { headers })
+
+			const res = await verify_app.handleRequest(db, req, vapidKeys)
+			assert.equal(res.status, 200)
+			assertCORS(res)
+			assertJSON(res)
+
+      const jsonResponse: CredentialApp = await res.json();
+      const publicVAPIDKey = VAPIDPublicKey(vapidKeys)
+      assert.equal(jsonResponse.name, 'test client');
+      assert.equal(jsonResponse.website, 'https://cloudflare.com');
+      assert.equal(jsonResponse.vapid_key, publicVAPIDKey);
+		})
+
+    test('GET /verify_credentials returns 403 for unauthorized clients', async () => {
+			const db = await makeDB()
+      const vapidKeys = await generateVAPIDKeys()
+
+			const headers = { authorization: 'Bearer APPID.' + TEST_JWT }
+
+			const req = new Request('https://example.com/api/v1/verify_credentials', { headers })
+
+			const res = await verify_app.handleRequest(db, req, vapidKeys)
+			assert.equal(res.status, 403)
+		})
+	})
+})