

Add failing tests where the session is abused for interactive auth.
clokep committed Mar 11, 2020
1 parent 955648a commit 833cbf7
Showing 1 changed file with 134 additions and 0 deletions.
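--- a/tests/10apidoc/12device_management.pl
+++ b/tests/10apidoc/12device_management.pl
@@ -335,3 +335,137 @@ sub matrix_delete_device {
 matrix_delete_device( $user, $DEVICE_ID, undef );
 })->main::expect_http_401;
 };
+
+
+test "The deleted device must be consistent through an interactive auth session",
+requires => [ local_user_fixture( with_events => 0 ) ],
+
+do => sub {
+my ( $user ) = @_;
+
+my $DEVICE_ID = "login_device";
+my $SECOND_DEVICE_ID = "second_device";
+
+# Create two devices.
+matrix_login_again_with_user(
+$user,
+device_id => $DEVICE_ID,
+initial_device_display_name => "device display",
+)->then( sub {
+matrix_login_again_with_user(
+$user,
+device_id => $SECOND_DEVICE_ID,
+initial_device_display_name => "device display",
+)
+})->then( sub {
+# Initiate the interactive authentication session with the first device.
+matrix_delete_device( $user, $DEVICE_ID, {} );
+})->main::expect_http_401->then( sub {
+my ( $resp ) = @_;
+
+my $body = decode_json $resp->content;
+
+log_if_fail( "Response to empty body", $body );
+
+assert_json_keys( $body, qw( session params flows ));
+
+# Continue the interactive authentication session (by providing
+# credentials), but attempt to delete the second device.
+matrix_delete_device( $user, $SECOND_DEVICE_ID, {
+auth => {
+type => "m.login.password",
+user => $user->user_id,
+password => $user->password,
+session => $body->{session},
+}
+})->main::expect_http_403;
+})->then( sub {
+# TODO The device delete should be rejected.
+# The device should still exist.
+matrix_get_device( $user, $SECOND_DEVICE_ID );
+})->then( sub {
+my ( $device ) = @_;
+assert_json_keys(
+$device,
+qw( device_id user_id display_name ),
+);
+assert_eq( $device->{device_id}, $SECOND_DEVICE_ID );
+assert_eq( $device->{display_name}, "device display" );
+Future->done( 1 );
+});
+};
+
+
+test "Reusing a session ID is not allowed",
+requires => [ local_user_fixture( with_events => 0 ) ],
+
+do => sub {
+my ( $user ) = @_;
+
+my $DEVICE_ID = "login_device";
+my $session;
+
+# Create a device.
+matrix_login_again_with_user(
+$user,
+device_id => $DEVICE_ID,
+initial_device_display_name => "device display",
+)->then( sub {
+# Initiate the interactive authentication session with the first device.
+matrix_delete_device( $user, $DEVICE_ID, {} );
+})->main::expect_http_401->then( sub {
+my ( $resp ) = @_;
+
+my $body = decode_json $resp->content;
+
+log_if_fail( "Response to empty body", $body );
+
+assert_json_keys( $body, qw( session params flows ));
+$session = $body->{session};
+
+# Finish the interactive authentication session (by providing
+# credentials).
+matrix_delete_device( $user, $DEVICE_ID, {
+auth => {
+type => "m.login.password",
+user => $user->user_id,
+password => $user->password,
+session => $session,
+}
+});
+})->then( sub {
+# The device should no longer exist.
+matrix_get_device( $user, $DEVICE_ID )
+->main::expect_http_404;
+})->then( sub {
+# Create the device a second time.
+matrix_login_again_with_user(
+$user,
+device_id => $DEVICE_ID,
+initial_device_display_name => "device display",
+)
+})->then( sub {
+# Attempt to delete the device using the old session.
+matrix_delete_device( $user, $DEVICE_ID, {
+auth => {
+type => "m.login.password",
+user => $user->user_id,
+password => $user->password,
+session => $session,
+}
+})->main::expect_http_403;
+})->then( sub {
+# TODO The device delete should be rejected.
+# The device should still exist.
+matrix_get_device( $user, $DEVICE_ID );
+})->then( sub {
+my ( $device ) = @_;
+assert_json_keys(
+$device,
+qw( device_id user_id display_name ),
+);
+assert_eq( $device->{device_id}, $DEVICE_ID );
+assert_eq( $device->{display_name}, "device display" );
+Future->done( 1 );
+});
+};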
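Review bot: The post-rejection check in the first test (the `then` after `expect_http_403`) only confirms `$SECOND_DEVICE_ID` still exists and never looks at `$DEVICE_ID`, so a server that answered the mismatched completion by acting on the device the session was originally opened for would still pass; fetch `$DEVICE_ID` with `matrix_get_device( $user, $DEVICE_ID )` in the same step and assert its `device_id` as well, since the point of the test is that the completed session must not be honoured for any request other than the one it was started for. The comment pair `# TODO The device delete should be rejected.` / `# The device should still exist.`, present in both new tests, reads as unfinished work even though the rejection is already asserted by `expect_http_403` on the preceding line; reword it to `# The delete was rejected above; the device must still exist.` or drop the TODO line. In the second test the "Finish the interactive authentication session" call is awaited with no status expectation, so a non-2xx response there would only surface indirectly via the `expect_http_404` that follows; that is probably acceptable given the commit title, but worth a short comment saying the chain relies on the default failure handling of `matrix_delete_device` (inferred — its behaviour is defined outside this hunk).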

