Add E2E tests for device code grant flow.

Handle more errors for device code.
Dispatch a BSOD for an any unhandled exception from auth flow state
This commit is contained in:
ErickSkrauch 2024-12-17 23:11:39 +01:00
parent b0975f0b0f
commit be08857edc
No known key found for this signature in database
GPG Key ID: 669339FCBB30EE0E
20 changed files with 267 additions and 176 deletions

@ -19,7 +19,6 @@ import {
activate as activateEndpoint, activate as activateEndpoint,
resendActivation as resendActivationEndpoint, resendActivation as resendActivationEndpoint,
} from 'app/services/api/signup'; } from 'app/services/api/signup';
import dispatchBsod from 'app/components/ui/bsod/dispatchBsod';
import { create as createPopup } from 'app/components/ui/popup/actions'; import { create as createPopup } from 'app/components/ui/popup/actions';
import ContactForm from 'app/components/contact'; import ContactForm from 'app/components/contact';
import { Account } from 'app/components/accounts/reducer'; import { Account } from 'app/components/accounts/reducer';
@ -455,11 +454,6 @@ function handleOauthParamsValidation(
userMessage?: string; userMessage?: string;
} = {}, } = {},
) { ) {
// TODO: it would be better to dispatch BSOD from the initial request performers
if (resp.error !== 'invalid_user_code') {
dispatchBsod();
}
localStorage.removeItem('oauthData'); localStorage.removeItem('oauthData');
// eslint-disable-next-line no-alert // eslint-disable-next-line no-alert

@ -31,7 +31,7 @@ const AuthError: ComponentType<Props> = ({ error, onClose }) => {
}, [error, onClose]); }, [error, onClose]);
return ( return (
<PanelBodyHeader type="error" onClose={onClose}> <PanelBodyHeader type="error" onClose={onClose} data-testid="auth-error">
{resolveError(error)} {resolveError(error)}
</PanelBodyHeader> </PanelBodyHeader>
); );

@ -20,7 +20,6 @@ export default class DeviceCodeBody extends BaseAuthBody {
<Input <Input
{...this.bindField('user_code')} {...this.bindField('user_code')}
icon="key" icon="key"
name="user_cide"
autoFocus autoFocus
required required
placeholder={nodes as string} placeholder={nodes as string}

@ -57,7 +57,7 @@ interface PanelBodyHeaderProps extends PropsWithChildren<any> {
onClose?: () => void; onClose?: () => void;
} }
export const PanelBodyHeader: FC<PanelBodyHeaderProps> = ({ type = 'default', onClose, children }) => { export const PanelBodyHeader: FC<PanelBodyHeaderProps> = ({ type = 'default', onClose, children, ...props }) => {
const [isClosed, setIsClosed] = useState<boolean>(false); const [isClosed, setIsClosed] = useState<boolean>(false);
const handleCloseClick = useCallback(() => { const handleCloseClick = useCallback(() => {
setIsClosed(true); setIsClosed(true);
@ -71,6 +71,7 @@ export const PanelBodyHeader: FC<PanelBodyHeaderProps> = ({ type = 'default', on
[styles.errorBodyHeader]: type === 'error', [styles.errorBodyHeader]: type === 'error',
[styles.isClosed]: isClosed, [styles.isClosed]: isClosed,
})} })}
{...props}
> >
{type === 'error' && <span className={styles.close} onClick={handleCloseClick} />} {type === 'error' && <span className={styles.close} onClick={handleCloseClick} />}
{children} {children}

@ -13,6 +13,10 @@ const AuthFlowRouteContents: FC<Props> = ({ component: WantedComponent, location
const [component, setComponent] = useState<ReactElement | null>(null); const [component, setComponent] = useState<ReactElement | null>(null);
useEffect(() => { useEffect(() => {
// Promise that will be resolved after handleRequest might contain already non-actual component to render,
// so set it to false in the effect's clear function to prevent unwanted UI state
let isActual = true;
authFlow.handleRequest( authFlow.handleRequest(
{ {
path: location.pathname, path: location.pathname,
@ -21,11 +25,15 @@ const AuthFlowRouteContents: FC<Props> = ({ component: WantedComponent, location
}, },
history.push, history.push,
() => { () => {
if (isMounted()) { if (isActual && isMounted()) {
setComponent(<WantedComponent history={history} location={location} match={match} />); setComponent(<WantedComponent history={history} location={location} match={match} />);
} }
}, },
); );
return () => {
isActual = false;
};
}, [location.pathname, location.search]); }, [location.pathname, location.search]);
return component; return component;

@ -1,5 +1,3 @@
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import { AuthContext } from './AuthFlow'; import { AuthContext } from './AuthFlow';
import CompleteState from './CompleteState'; import CompleteState from './CompleteState';
@ -16,10 +14,7 @@ export default class AcceptRulesState extends AbstractState {
} }
resolve(context: AuthContext): Promise<void> | void { resolve(context: AuthContext): Promise<void> | void {
context return context.run('acceptRules').then(() => context.setState(new CompleteState()));
.run('acceptRules')
.then(() => context.setState(new CompleteState()))
.catch((err = {}) => err.errors || logger.warn('Error accepting rules', err));
} }
reject(context: AuthContext, payload: Record<string, any>): void { reject(context: AuthContext, payload: Record<string, any>): void {

@ -1,4 +1,3 @@
import logger from 'app/services/logger';
import { AuthContext } from 'app/services/authFlow'; import { AuthContext } from 'app/services/authFlow';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
@ -12,10 +11,7 @@ export default class ActivationState extends AbstractState {
} }
resolve(context: AuthContext, payload: { key: string }): Promise<void> | void { resolve(context: AuthContext, payload: { key: string }): Promise<void> | void {
context return context.run('activate', payload.key).then(() => context.setState(new CompleteState()));
.run('activate', payload.key)
.then(() => context.setState(new CompleteState()))
.catch((err = {}) => err.errors || logger.warn('Error activating account', err));
} }
reject(context: AuthContext): void { reject(context: AuthContext): void {

@ -10,8 +10,9 @@ import {
} from 'app/components/accounts/actions'; } from 'app/components/accounts/actions';
import * as actions from 'app/components/auth/actions'; import * as actions from 'app/components/auth/actions';
import { updateUser } from 'app/components/user/actions'; import { updateUser } from 'app/components/user/actions';
import FinishState from './FinishState'; import dispatchBsod from 'app/components/ui/bsod/dispatchBsod';
import FinishState from './FinishState';
import RegisterState from './RegisterState'; import RegisterState from './RegisterState';
import LoginState from './LoginState'; import LoginState from './LoginState';
import InitOAuthAuthCodeFlowState from './InitOAuthAuthCodeFlowState'; import InitOAuthAuthCodeFlowState from './InitOAuthAuthCodeFlowState';
@ -121,11 +122,23 @@ export default class AuthFlow implements AuthContext {
} }
resolve(payload: Record<string, any> = {}) { resolve(payload: Record<string, any> = {}) {
this.state.resolve(this, payload); const maybePromise = this.state.resolve(this, payload);
if (maybePromise && maybePromise.catch) {
maybePromise.catch((err) => {
dispatchBsod();
throw err;
});
}
} }
reject(payload: Record<string, any> = {}) { reject(payload: Record<string, any> = {}) {
try {
this.state.reject(this, payload); this.state.reject(this, payload);
} catch (err) {
dispatchBsod();
throw err;
}
} }
goBack() { goBack() {
@ -133,11 +146,11 @@ export default class AuthFlow implements AuthContext {
} }
run<T extends ActionId>(actionId: T, payload?: Parameters<typeof availableActions[T]>[0]): Promise<any> { run<T extends ActionId>(actionId: T, payload?: Parameters<typeof availableActions[T]>[0]): Promise<any> {
// @ts-ignore the extended version of redux with thunk will return the correct promise // @ts-expect-error the extended version of redux with thunk will return the correct promise
return Promise.resolve(this.dispatch(this.actions[actionId](payload))); return Promise.resolve(this.dispatch(this.actions[actionId](payload)));
} }
setState(state: State) { setState(state: State): Promise<void> | void {
this.state?.leave(this); this.state?.leave(this);
this.prevState = this.state; this.prevState = this.state;
this.state = state; this.state = state;
@ -256,8 +269,6 @@ export default class AuthFlow implements AuthContext {
/** /**
* Tries to restore last oauth request, if it was stored in localStorage * Tries to restore last oauth request, if it was stored in localStorage
* in last 2 hours * in last 2 hours
*
* @returns {bool} - whether oauth state is being restored
*/ */
private restoreOAuthState(): boolean { private restoreOAuthState(): boolean {
if (this.oAuthStateRestored) { if (this.oAuthStateRestored) {

@ -1,4 +1,5 @@
import type { Account } from 'app/components/accounts/reducer'; import type { Account } from 'app/components/accounts/reducer';
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import { AuthContext } from './AuthFlow'; import { AuthContext } from './AuthFlow';
@ -21,10 +22,16 @@ export default class ChooseAccountState extends AbstractState {
// So if there is no `id` property, it's an empty object // So if there is no `id` property, it's an empty object
resolve(context: AuthContext, payload: Account): Promise<void> | void { resolve(context: AuthContext, payload: Account): Promise<void> | void {
if (payload.id) { if (payload.id) {
return context return (
context
.run('authenticate', payload) .run('authenticate', payload)
.then(() => context.run('setAccountSwitcher', false)) .then(() => context.run('setAccountSwitcher', false))
.then(() => context.setState(new CompleteState())); .then(() => context.setState(new CompleteState()))
// By default, this error must cause a BSOD. But by I don't know why reasons it shouldn't,
// because somebody somewhere catches an invalid authentication result and routes the user
// to the password entering form. To keep this behavior we catch all errors, log it and suppress
.catch((err) => err.errors || logger.warn('Error choosing an account', err))
);
} }
// log in to another account // log in to another account

@ -92,16 +92,21 @@ export default class CompleteState extends AbstractState {
user.isDeleted || user.isDeleted ||
hasPrompt(oauth.prompt, PROMPT_ACCOUNT_CHOOSE)) hasPrompt(oauth.prompt, PROMPT_ACCOUNT_CHOOSE))
) { ) {
context.setState(new ChooseAccountState()); return context.setState(new ChooseAccountState());
} else if (user.isDeleted) { }
if (user.isDeleted) {
// you shall not pass // you shall not pass
// if we are here, this means that user have already seen account // if we are here, this means that user have already seen account
// switcher and now we should redirect him to his profile, // switcher and now we should redirect him to his profile,
// because oauth is not available for deleted accounts // because oauth is not available for deleted accounts
context.navigate('/'); return context.navigate('/');
} else if (oauth.code) { }
context.setState(new FinishState());
} else { if (oauth.code) {
return context.setState(new FinishState());
}
const data: Record<string, any> = {}; const data: Record<string, any> = {};
if (typeof this.isPermissionsAccepted !== 'undefined') { if (typeof this.isPermissionsAccepted !== 'undefined') {
@ -132,5 +137,4 @@ export default class CompleteState extends AbstractState {
} }
}); });
} }
}
} }

@ -6,7 +6,7 @@ export default class DeviceCodeState extends AbstractState {
async resolve(context: AuthContext, payload: { user_code: string }): Promise<void> { async resolve(context: AuthContext, payload: { user_code: string }): Promise<void> {
const { query } = context.getRequest(); const { query } = context.getRequest();
context return context
.run('oAuthValidate', { .run('oAuthValidate', {
params: { params: {
userCode: payload.user_code, userCode: payload.user_code,
@ -16,7 +16,7 @@ export default class DeviceCodeState extends AbstractState {
}) })
.then(() => context.setState(new CompleteState())) .then(() => context.setState(new CompleteState()))
.catch((err) => { .catch((err) => {
if (err.error === 'invalid_user_code') { if (['invalid_user_code', 'expired_token', 'used_user_code'].includes(err.error)) {
return context.run('setErrors', { [err.parameter]: err.error }); return context.run('setErrors', { [err.parameter]: err.error });
} }

@ -1,5 +1,3 @@
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import { AuthContext } from './AuthFlow'; import { AuthContext } from './AuthFlow';
import LoginState from './LoginState'; import LoginState from './LoginState';
@ -11,13 +9,10 @@ export default class ForgotPasswordState extends AbstractState {
} }
resolve(context: AuthContext, payload: { login: string; captcha: string }): Promise<void> | void { resolve(context: AuthContext, payload: { login: string; captcha: string }): Promise<void> | void {
context return context.run('forgotPassword', payload).then(() => {
.run('forgotPassword', payload)
.then(() => {
context.run('setLogin', payload.login); context.run('setLogin', payload.login);
context.setState(new RecoverPasswordState()); context.setState(new RecoverPasswordState());
}) });
.catch((err = {}) => err.errors || logger.warn('Error requesting password recoverage', err));
} }
goBack(context: AuthContext): void { goBack(context: AuthContext): void {

@ -16,7 +16,8 @@ export default class InitOAuthDeviceCodeFlowState extends AbstractState {
description: query.get('description')!, description: query.get('description')!,
prompt: query.get('prompt')!, prompt: query.get('prompt')!,
}); });
await context.setState(new CompleteState());
return context.setState(new CompleteState());
} catch { } catch {
// Ok, fallback to the default // Ok, fallback to the default
} }

@ -30,7 +30,7 @@ export default class LoginState extends AbstractState {
login: string; login: string;
}, },
): Promise<void> | void { ): Promise<void> | void {
context return context
.run('login', payload) .run('login', payload)
.then(() => context.setState(new PasswordState())) .then(() => context.setState(new PasswordState()))
.catch((err = {}) => err.errors || logger.warn('Error validating login', err)); .catch((err = {}) => err.errors || logger.warn('Error validating login', err));

@ -12,15 +12,15 @@ export default class PermissionsState extends AbstractState {
} }
resolve(context: AuthContext): Promise<void> | void { resolve(context: AuthContext): Promise<void> | void {
this.process(context, true); return this.process(context, true);
} }
reject(context: AuthContext): void { reject(context: AuthContext): void {
this.process(context, false); this.process(context, false);
} }
process(context: AuthContext, accept: boolean): void { process(context: AuthContext, accept: boolean): Promise<void> | void {
context.setState( return context.setState(
new CompleteState({ new CompleteState({
accept, accept,
}), }),

@ -1,5 +1,3 @@
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import { AuthContext } from './AuthFlow'; import { AuthContext } from './AuthFlow';
import LoginState from './LoginState'; import LoginState from './LoginState';
@ -17,10 +15,7 @@ export default class RecoverPasswordState extends AbstractState {
context: AuthContext, context: AuthContext,
payload: { key: string; newPassword: string; newRePassword: string }, payload: { key: string; newPassword: string; newRePassword: string },
): Promise<void> | void { ): Promise<void> | void {
context return context.run('recoverPassword', payload).then(() => context.setState(new CompleteState()));
.run('recoverPassword', payload)
.then(() => context.setState(new CompleteState()))
.catch((err = {}) => err.errors || logger.warn('Error recovering password', err));
} }
goBack(context: AuthContext): void { goBack(context: AuthContext): void {

@ -1,5 +1,3 @@
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import { AuthContext } from './AuthFlow'; import { AuthContext } from './AuthFlow';
import CompleteState from './CompleteState'; import CompleteState from './CompleteState';
@ -22,10 +20,7 @@ export default class RegisterState extends AbstractState {
rulesAgreement: boolean; rulesAgreement: boolean;
}, },
): Promise<void> | void { ): Promise<void> | void {
context return context.run('register', payload).then(() => context.setState(new CompleteState()));
.run('register', payload)
.then(() => context.setState(new CompleteState()))
.catch((err = {}) => err.errors || logger.warn('Error registering', err));
} }
reject(context: AuthContext, payload: Record<string, any>): void { reject(context: AuthContext, payload: Record<string, any>): void {

@ -1,5 +1,4 @@
import { AuthContext } from 'app/services/authFlow'; import { AuthContext } from 'app/services/authFlow';
import logger from 'app/services/logger';
import AbstractState from './AbstractState'; import AbstractState from './AbstractState';
import ActivationState from './ActivationState'; import ActivationState from './ActivationState';
@ -11,10 +10,7 @@ export default class ResendActivationState extends AbstractState {
} }
resolve(context: AuthContext, payload: { email: string; captcha: string }): Promise<void> | void { resolve(context: AuthContext, payload: { email: string; captcha: string }): Promise<void> | void {
context return context.run('resendActivation', payload).then(() => context.setState(new ActivationState()));
.run('resendActivation', payload)
.then(() => context.setState(new ActivationState()))
.catch((err = {}) => err.errors || logger.warn('Error resending activation', err));
} }
reject(context: AuthContext): void { reject(context: AuthContext): void {

@ -129,6 +129,13 @@ const errorsMap: Record<string, (props?: Record<string, any>) => ReactElement> =
'error.redirectUri_invalid': () => <Message key="redirectUriInvalid" defaultMessage="Redirect URI is invalid" />, 'error.redirectUri_invalid': () => <Message key="redirectUriInvalid" defaultMessage="Redirect URI is invalid" />,
invalid_user_code: () => <Message key="invalidUserCode" defaultMessage="Invalid Device Code" />, invalid_user_code: () => <Message key="invalidUserCode" defaultMessage="Invalid Device Code" />,
expired_token: () => (
<Message
key="expiredUserCode"
defaultMessage="The code has expired. Start the authorization flow in the application again."
/>
),
used_user_code: () => <Message key="usedUserCode" defaultMessage="This code has been already used" />,
}; };
interface ErrorLiteral { interface ErrorLiteral {

@ -10,6 +10,7 @@ const defaults = {
}; };
describe('OAuth', () => { describe('OAuth', () => {
describe('AuthCode grant flow', () => {
it('should complete oauth', () => { it('should complete oauth', () => {
cy.login({ accounts: ['default'] }); cy.login({ accounts: ['default'] });
@ -41,6 +42,145 @@ describe('OAuth', () => {
cy.url().should('equal', 'https://dev.ely.by/'); cy.url().should('equal', 'https://dev.ely.by/');
}); });
describe('static pages', () => {
it('should authenticate using static page', () => {
cy.server();
cy.route({
method: 'POST',
url: '/api/oauth2/v1/complete**',
}).as('complete');
cy.login({ accounts: ['default'] });
cy.visit(
`/oauth2/v1/ely?${new URLSearchParams({
...defaults,
client_id: 'tlauncher',
redirect_uri: 'static_page',
})}`,
);
cy.wait('@complete');
cy.url().should('include', 'oauth/finish#{%22auth_code%22:');
});
it('should authenticate using static page with code', () => {
cy.server();
cy.route({
method: 'POST',
url: '/api/oauth2/v1/complete**',
}).as('complete');
cy.login({ accounts: ['default'] });
cy.visit(
`/oauth2/v1/ely?${new URLSearchParams({
...defaults,
client_id: 'tlauncher',
redirect_uri: 'static_page_with_code',
})}`,
);
cy.wait('@complete');
cy.url().should('include', 'oauth/finish#{%22auth_code%22:');
cy.findByTestId('oauth-code-container').should('contain', 'provide the following code');
// just click on copy, but we won't assert if the string was copied
// because it is a little bit complicated
// https://github.com/cypress-io/cypress/issues/2752
cy.findByTestId('oauth-code-container').contains('Copy').click();
});
});
});
describe('DeviceCode grant flow', () => {
it('should complete flow by complete uri', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code?user_code=E2E-APPROVED');
cy.location('pathname').should('eq', '/oauth/finish');
cy.get('[data-e2e-content]').contains('successfully completed');
});
it('should complete flow with manual approve', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('E2E-UNAPPROVED{enter}');
cy.location('pathname').should('eq', '/oauth/permissions');
cy.findByTestId('auth-controls').contains('Approve').click();
cy.location('pathname').should('eq', '/oauth/finish');
cy.get('[data-e2e-content]').contains('successfully completed');
});
it('should complete flow with auto approve', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('E2E-APPROVED{enter}');
cy.location('pathname').should('eq', '/oauth/finish');
cy.get('[data-e2e-content]').contains('successfully completed');
});
it('should complete flow by declining the code', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('E2E-UNAPPROVED{enter}');
cy.location('pathname').should('eq', '/oauth/permissions');
cy.findByTestId('auth-controls-secondary').contains('Decline').click();
cy.location('pathname').should('eq', '/oauth/finish');
cy.get('[data-e2e-content]').contains('was failed');
});
it('should show an error for an unknown code', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('UNKNOWN-CODE{enter}');
cy.location('pathname').should('eq', '/code');
cy.findByTestId('auth-error').contains('Invalid Device Code');
});
it('should show an error for an expired code', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('E2E-EXPIRED{enter}');
cy.location('pathname').should('eq', '/code');
cy.findByTestId('auth-error').contains('The code has expired');
});
it('should show an error for an expired code', () => {
cy.login({ accounts: ['default'] });
cy.visit('/code');
cy.get('[name=user_code]').type('E2E-COMPLETED{enter}');
cy.location('pathname').should('eq', '/code');
cy.findByTestId('auth-error').contains('This code has been already used');
});
});
describe('AccountSwitcher', () => { describe('AccountSwitcher', () => {
it('should ask to choose an account if user has multiple', () => { it('should ask to choose an account if user has multiple', () => {
cy.login({ accounts: ['default', 'default2'] }).then(({ accounts: [account] }) => { cy.login({ accounts: ['default', 'default2'] }).then(({ accounts: [account] }) => {
@ -408,59 +548,6 @@ describe('OAuth', () => {
cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+$/); cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+$/);
}); });
}); });
describe('static pages', () => {
it('should authenticate using static page', () => {
cy.server();
cy.route({
method: 'POST',
url: '/api/oauth2/v1/complete**',
}).as('complete');
cy.login({ accounts: ['default'] });
cy.visit(
`/oauth2/v1/ely?${new URLSearchParams({
...defaults,
client_id: 'tlauncher',
redirect_uri: 'static_page',
})}`,
);
cy.wait('@complete');
cy.url().should('include', 'oauth/finish#{%22auth_code%22:');
});
it('should authenticate using static page with code', () => {
cy.server();
cy.route({
method: 'POST',
url: '/api/oauth2/v1/complete**',
}).as('complete');
cy.login({ accounts: ['default'] });
cy.visit(
`/oauth2/v1/ely?${new URLSearchParams({
...defaults,
client_id: 'tlauncher',
redirect_uri: 'static_page_with_code',
})}`,
);
cy.wait('@complete');
cy.url().should('include', 'oauth/finish#{%22auth_code%22:');
cy.findByTestId('oauth-code-container').should('contain', 'provide the following code');
// just click on copy, but we won't assert if the string was copied
// because it is a little bit complicated
// https://github.com/cypress-io/cypress/issues/2752
cy.findByTestId('oauth-code-container').contains('Copy').click();
});
});
}); });
function assertPermissions() { function assertPermissions() {