nekobus
/
mastodon_neko
forked from closed-social/mastodon
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
闭社主体 forked from https://github.com/tootsuite/mastodon
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4686 Commits
2 Branches
112 MiB
Tree: 481fac7c84
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '481fac7c84'
${ noResults }
mastodon_neko/spec/controllers/concerns/signature_verification_spec.rb

114 lines
2.7 KiB
Raw Normal View History

HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
Add Digest header to requests with body, handle acct and URI keyId (#4565)
7 years ago
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)
7 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. require 'rails_helper'
  4. 

  5. describe ApplicationController, type: :controller do
  6.   controller do
  7.     include SignatureVerification
  8. 

  9.     def success
  10.       head 200

  11.     end
  12. 

  13.     def alternative_success
  14.       head 200

  15.     end
  16.   end
  17. 

  18.   before do
  19.     routes.draw { match via: [:get, :post], 'success' => 'anonymous#success' }
  20.   end
  21. 

  22.   context 'without signature header' do
  23.     before do
  24.       get :success
  25.     end
  26. 

  27.     describe '#signed_request?' do
  28.       it 'returns false' do
  29.         expect(controller.signed_request?).to be false
  30.       end
  31.     end
  32. 

  33.     describe '#signed_request_account' do
  34.       it 'returns nil' do
  35.         expect(controller.signed_request_account).to be_nil
  36.       end
  37.     end
  38.   end
  39. 

  40.   context 'with signature header' do
  41.     let!(:author) { Fabricate(:account) }
  42. 

  43.     context 'without body' do
  44.       before do
  45.         get :success
  46. 

  47.         fake_request = Request.new(:get, request.url)
  48.         fake_request.on_behalf_of(author)
  49. 

  50.         request.headers.merge!(fake_request.headers)
  51.       end
  52. 

  53.       describe '#signed_request?' do
  54.         it 'returns true' do
  55.           expect(controller.signed_request?).to be true
  56.         end
  57.       end
  58. 

  59.       describe '#signed_request_account' do
  60.         it 'returns an account' do
  61.           expect(controller.signed_request_account).to eq author
  62.         end
  63. 

  64.         it 'returns nil when path does not match' do
  65.           request.path = '/alternative-path'
  66.           expect(controller.signed_request_account).to be_nil
  67.         end
  68. 

  69.         it 'returns nil when method does not match' do
  70.           post :success
  71.           expect(controller.signed_request_account).to be_nil
  72.         end
  73.       end
  74.     end
  75. 

  76.     context 'with body' do
  77.       before do
  78.         post :success, body: 'Hello world'
  79. 

  80.         fake_request = Request.new(:post, request.url, body: 'Hello world')
  81.         fake_request.on_behalf_of(author)
  82. 

  83.         request.headers.merge!(fake_request.headers)
  84.       end
  85. 

  86.       describe '#signed_request?' do
  87.         it 'returns true' do
  88.           expect(controller.signed_request?).to be true
  89.         end
  90.       end
  91. 

  92.       describe '#signed_request_account' do
  93.         it 'returns an account' do
  94.           expect(controller.signed_request_account).to eq author
  95.         end
  96. 

  97.         it 'returns nil when path does not match' do
  98.           request.path = '/alternative-path'
  99.           expect(controller.signed_request_account).to be_nil
  100.         end
  101. 

  102.         it 'returns nil when method does not match' do
  103.           get :success
  104.           expect(controller.signed_request_account).to be_nil
  105.         end
  106. 

  107.         it 'returns nil when body has been tampered' do
  108.           request.headers['RAW_POST_DATA'] = 'doo doo doo'
  109.           expect(controller.signed_request_account).to be_nil
  110.         end
  111.       end
  112.     end
  113.   end
  114. end