Merge branch 'oauth-login-failure-bug' into 'develop'

Correctly handle invalid credentials on auth login. Closes #407 See merge request pleroma/pleroma!728
2019-01-28 10:49:03 +00:00 · 2019-01-28 10:49:03 +00:00 · 74ed1b4d87
parent b380b4898d 1825118fd4
commit 74ed1b4d87
2 changed files with 27 additions and 1 deletions
--- a/lib/pleroma/web/oauth/fallback_controller.ex
+++ b/lib/pleroma/web/oauth/fallback_controller.ex
@ -9,7 +9,8 @@ defmodule Pleroma.Web.OAuth.FallbackController do
  # No user/password
  def call(conn, _) do
    conn
+    |> put_status(:unauthorized)
    |> put_flash(:error, "Invalid Username/Password")
-    |> OAuthController.authorize(conn.params)
+    |> OAuthController.authorize(conn.params["authorization"])
  end
 end
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@ -34,6 +34,31 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    assert Repo.get_by(Authorization, token: code)
  end

+  test "correctly handles wrong credentials", %{conn: conn} do
+    user = insert(:user)
+    app = insert(:oauth_app)
+
+    result =
+      conn
+      |> post("/oauth/authorize", %{
+        "authorization" => %{
+          "name" => user.nickname,
+          "password" => "wrong",
+          "client_id" => app.client_id,
+          "redirect_uri" => app.redirect_uris,
+          "state" => "statepassed"
+        }
+      })
+      |> html_response(:unauthorized)
+
+    # Keep the details
+    assert result =~ app.client_id
+    assert result =~ app.redirect_uris
+
+    # Error message
+    assert result =~ "Invalid"
+  end
+
  test "issues a token for an all-body request" do
    user = insert(:user)
    app = insert(:oauth_app)