blob: f8ad55fb059015eb6a32e5fefc09ac0aefc98eb9 [file] [log] [blame]
use Mojo::Base -strict;
use Test::More;
use Test::Mojo::WithRoles 'Session';
use Mojo::File qw/path/;
use Data::Dumper;
# Start Fake server #
my $mount_point = '/realapi/';
$ENV{KALAMAR_API} = $mount_point;
my $t = Test::Mojo::WithRoles->new('Kalamar' => {
Kalamar => {
plugins => ['Auth']
'Kalamar-Auth' => {
client_id => 2,
client_secret => 'k414m4r-s3cr3t',
oauth2 => 1,
experimental_client_registration => 1
# Mount fake backend
# Get the fixture path
my $fixtures_path = path(Mojo::File->new(__FILE__)->dirname, '..', 'server');
my $fake_backend = $t->app->plugin(
Mount => {
$mount_point =>
# Configure fake backend
my $fake_backend_app = $fake_backend->pattern->defaults->{app};
# Set general app logger for simplicity
my $access_token = $fake_backend_app->get_token('access_token');
my $refresh_token = $fake_backend_app->get_token('refresh_token');
my $access_token_2 = $fake_backend_app->get_token('access_token_2');
my $refresh_token_2 = $fake_backend_app->get_token('refresh_token_2');
# Some routes to modify the session
# This expires the session
cb => sub {
my $c = shift;
$c->session(auth_exp => 0);
return $c->render(text => 'okay')
# This expires the session and removes the refresh token
cb => sub {
my $c = shift;
$c->session(auth_exp => 0);
delete $c->session->{auth_r};
return $c->render(text => 'okay')
# This sets an invalid token
cb => sub {
my $c = shift;
$c->session(auth_exp => time + 1000);
$c->session(auth_r => $refresh_token_2);
$c->session(auth => 'Bearer inv4lid');
return $c->render(text => 'okay')
# This sets an invalid token
cb => sub {
my $c = shift;
$c->session(auth_exp => time + 1000);
delete $c->session->{auth_r};
$c->session(auth => 'Bearer inv4lid');
return $c->render(text => 'okay')
# This sets an invalid refresh token
cb => sub {
my $c = shift;
$c->session(auth_exp => 0);
$c->session(auth => 'Bearer inv4lid');
$c->session(auth_r => 'inv4lid');
return $c->render(text => 'okay')
->content_is('Fake server available');
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->element_exists_not(' a')
->element_exists('form[action=/user/login] input[name=handle_or_email]')
$t->post_ok('/user/login' => form => { handle_or_email => 'test', pwd => 'fail' })
->header_is('Location' => '/');
->text_is('div.notify-error', 'Bad CSRF token')
->element_exists_not(' a')
$t->post_ok('/user/login' => form => { handle_or_email => 'test', pwd => 'pass' })
->header_is('Location' => '/');
my $csrf = $t->get_ok('/')
->text_is('div.notify-error', 'Bad CSRF token')
->element_exists_not(' a')
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'ldaperr',
csrf_token => $csrf
->header_is('Location' => '/');
$csrf = $t->get_ok('/')
->text_is('div.notify-error', '2022: LDAP Authentication failed due to unknown user or password!')
->element_exists_not(' a')
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'unknown',
csrf_token => $csrf
->header_is('Location' => '/');
$csrf = $t->get_ok('/')
->text_is('div.notify-error', '2022: LDAP Authentication failed due to unknown user or password!')
->element_exists_not(' a')
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'pass',
csrf_token => $csrf
->header_is('Location' => '/');
->text_is('div.notify-success', 'Login successful')
# Now the user is logged in and should be able to
# search with authorization
->session_is('/auth', 'Bearer ' . $access_token)
->session_is('/auth_r', $refresh_token)
->session_is('/user', 'test')
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->element_exists(' a')
->element_exists(' a.logout[title~="test"]')
->text_like('h1 span', qr/KorAP: Find .Paum./i)
->text_is('#total-results', '')
# Logout
->header_is('Location' => '/');
->text_is('div.notify-success', 'Logout successful')
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->text_like('h1 span', qr/KorAP: Find .Paum./i)
->text_is('#total-results', '')
->text_is('p.hint', 'Maybe you need to log in first?')
# Get redirect
my $fwd = $t->get_ok('/?q=Baum&ql=poliqarp')
is($fwd, '/?q=Baum&ql=poliqarp', 'Redirect is valid');
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'pass',
csrf_token => $csrf,
fwd => ''
->header_is('Location' => '/');
->text_is('div.notify-error', 'Redirect failure')
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'pass',
csrf_token => $csrf,
fwd => $fwd
->header_is('Location' => '/?q=Baum&ql=poliqarp');
->text_is('div.notify-success', 'Login successful')
->session_is('/auth', 'Bearer ' . $access_token)
->session_is('/auth_r', $refresh_token)
->header_isnt('X-Kalamar-Cache', 'true')
# Expire the session
# (makes the token be marked as expired - though it isn't serverside)
## It may be a problem, but the cache is still valid
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->header_is('X-Kalamar-Cache', 'true')
# Query without partial cache (unfortunately) (but no total results)
->session_is('/auth', 'Bearer ' . $access_token_2)
->session_is('/auth_r', $refresh_token_2)
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->header_isnt('X-Kalamar-Cache', 'true')
# Expire the session and remove the refresh option
$t->app->defaults(no_cache => 1);
# Query without cache
# The token is invalid and can't be refreshed!
->text_is('div.notify-error','Access token invalid')
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->header_isnt('X-Kalamar-Cache', 'true')
# Query without cache
# The token is invalid and can't be refreshed!
->session_is('/auth', 'Bearer ' . $access_token_2)
->session_is('/auth_r', $refresh_token_2)
->element_exists_not('div.notify-error','Access token invalid')
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->header_isnt('X-Kalamar-Cache', 'true')
# The token is invalid and can't be refreshed!
$csrf = $t->get_ok('/?q=baum&cutoff=true')
->text_is('div.notify-error','Refresh token is expired')
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
# Login:
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'pass',
csrf_token => $csrf
->header_is('Location' => '/');
->text_is('div.notify-success', 'Login successful')
->text_is('form.form-table legend', 'Register new client application')
->attr_is('form.oauth-register','action', '/settings/oauth/register')
->element_exists_not('ul.client-list > li')
# ->text_is('ul.client-list > li > span.client-name', 'R statistical computing tool ')
# ->text_is('ul.client-list > li > span.client-desc', 'R is a free software environment for statistical computing and graphics.')
# ->text_is('ul.client-list > li > span.client-url a', '')
# ->text_is('ul.client-list > li a.client-unregister', 'Unregister')
# ->attr_is('ul.client-list > li a.client-unregister', 'href', '/settings/oauth/unregister/9aHsGW6QflV13ixNpez?name=R+statistical+computing+tool')
$csrf = $t->post_ok('/settings/oauth/register' => form => {
name => 'MyApp',
type => 'PUBLIC',
desc => 'This is my application'
->text_is('div.notify-error', 'Bad CSRF token')
$t->post_ok('/settings/oauth/register' => form => {
name => 'MyApp',
desc => 'This is my application',
csrf_token => $csrf
->text_is('legend', 'Client Credentials')
->text_is('label[for=client_id]', 'ID of the client application')
->text_is('form.form-table legend', 'Register new client application')
->attr_is('form.oauth-register','action', '/settings/oauth/register')
->text_is('ul.client-list > li > span.client-name a', 'MyApp')
->text_is('ul.client-list > li > span.client-desc', 'This is my application')
->text_is('ul.client-list > li > span.client-url a', '')
->text_is('form ul.client-list > li.client > span.client-name', 'MyApp')
->text_is('form ul.client-list > li.client > span.client-desc', 'This is my application')
->text_is('a.client-unregister', 'Unregister')
->attr_is('a.client-unregister', 'href', '/settings/oauth/unregister/fCBbQkA2NDA3MzM1Yw==?name=MyApp')
$csrf = $t->get_ok('/settings/oauth/unregister/fCBbQkA2NDA3MzM1Yw==?name=MyApp')
->content_like(qr!Do you really want to unregister \<span class="client-name"\>MyApp\<\/span\>?!)
->attr_is('form.form-table input[name=client-id]', 'value', 'fCBbQkA2NDA3MzM1Yw==')
->attr_is('form.form-table input[name=client-name]', 'value', 'MyApp')
$t->post_ok('/settings/oauth/unregister' => form => {
'client-name' => 'MyApp',
'client-id' => 'xxxx==',
'csrf_token' => $csrf
->header_is('Location' => '/settings/oauth')
->text_is('form.form-table legend', 'Register new client application')
->attr_is('form.oauth-register','action', '/settings/oauth/register')
->element_exists('ul.client-list > li')
->text_is('div.notify', 'Unknown client with xxxx==.')
$t->post_ok('/settings/oauth/unregister' => form => {
'client-name' => 'MyApp',
'client-id' => 'fCBbQkA2NDA3MzM1Yw==',
'csrf_token' => $csrf
->header_is('Location' => '/settings/oauth')
->text_is('form.form-table legend', 'Register new client application')
->attr_is('form.oauth-register','action', '/settings/oauth/register')
->element_exists_not('ul.client-list > li')
->text_is('div.notify-success', 'Successfully deleted MyApp')