t/net/oauth2/authorizationserver/implicitgrant_tests.pm

package implicitgrant_tests;

use strict;
use warnings;

use Test::Most;
use Test::Exception;

sub callbacks {
	my ( $Grant ) = @_;
	return (
		verify_client_cb => sub { return Net::OAuth2::AuthorizationServer::ImplicitGrant::_verify_client( $Grant,@_ ) },
		store_access_token_cb => sub { return Net::OAuth2::AuthorizationServer::ImplicitGrant::_store_access_token( $Grant,@_ ) },
		verify_access_token_cb => sub { return Net::OAuth2::AuthorizationServer::ImplicitGrant::_verify_access_token( $Grant,@_ ) },
	);
}

sub clients {

	return {
		test_client => {
			scopes => {
				eat   => 1,
				drink => 0,
				sleep => 1,
			},
		},
		test_client_with_redirect_uri => {
			redirect_uri => 'https://foo.bar.baz.com',
			scopes => {
				eat   => 1,
				drink => 0,
				sleep => 1,
			},
		},
		test_client_must_use_auth_code => {
			client_secret => 'weeee',
			scopes => {
				eat   => 1,
				drink => 0,
				sleep => 1,
			},
		},
	};
}

sub run_tests {
	my ( $Grant,$args ) = @_;

	$args //= {};

	can_ok(
		$Grant,
		qw/
			clients
		/
	);

	note( "verify_client" );

	my %invalid_client = (
		client_id => 'test_client_must_use_auth_code',
		scopes    => [ qw/ eat sleep / ],
	);

	my ( $res,$error ) = $Grant->verify_client( %invalid_client );

	ok( ! $res,'->verify_client, client cannot use implicit grant' );
	is( $error,'unauthorized_client','has error' );

	%invalid_client = (
		client_id => 'test_client_with_redirect_uri',
		scopes    => [ qw/ eat sleep / ],
	);

	( $res,$error ) = $Grant->verify_client( %invalid_client );

	ok( ! $res,'->verify_client, lacks redirect_uri' );
	is( $error,'invalid_request','has error' );

	$invalid_client{'redirect_uri'} = 'http://not.right.com';

	( $res,$error ) = $Grant->verify_client( %invalid_client );

	ok( ! $res,'->verify_client, incorrect redirect_uri' );
	is( $error,'invalid_request','has error' );

	$invalid_client{'redirect_uri'} = 'https://foo.bar.baz.com';

	( $res,$error ) = $Grant->verify_client( %invalid_client );

	ok( $res,'->verify_client, correct redirect_uri' );
	ok( ! $error,'has no error' );

	my %valid_client = (
		client_id => 'test_client',
		scopes    => [ qw/ eat sleep / ],
	);

	( $res,$error ) = $Grant->verify_client( %valid_client );

	ok( $res,'->verify_client, allowed scopes' );
	ok( ! $error,'has no error' );

	foreach my $t (
		[ { scopes => [ qw/ eat sleep yawn / ] },'invalid_scope','invalid scopes' ],
		[ { client_id => 'another_client' },'unauthorized_client','invalid client' ],
	) {
		( $res,$error ) = $Grant->verify_client( %valid_client,%{ $t->[0] } );

		ok( ! $res,'->verify_client, ' . $t->[2] );
		is( $error,$t->[1],'has error' );
	}

    foreach my $t (
		[ { scopes => [ qw/ eat sleep drink / ] },[ qw / eat sleep / ],'disallowed scopes' ],
    ) {
        my $scopes;
        ( $res, $error, $scopes ) = $Grant->verify_client( %valid_client,%{ $t->[0] } );

        ok ( $res, '->verify_client, ' . $t->[2] );
        cmp_deeply( $scopes, $t->[1], 'has reduced scopes' );
    }

	note( "store_access_token" );

	ok( my $access_token = $Grant->token(
		client_id    => 'test_client',
		scopes       => [ qw/ eat sleep / ],
		type         => 'access',
		user_id      => 1,
	),'->token (access token)' );

	$args->{token_format_tests}->( $access_token,'access' )
		if $args->{token_format_tests};

	ok( $Grant->store_access_token(
		client_id     => 'test_client',
		access_token  => $access_token,
		scopes       => [ qw/ eat sleep / ],
	),'->store_access_token' );

	note( "verify_access_token" );

	( $res,$error ) = $Grant->verify_access_token(
		access_token     => $access_token,
		scopes           => [ qw/ eat sleep / ],
	);

	ok( $res,'->verify_access_token, valid access token' );
	ok( ! $error,'has no error' );

	( $res,$error ) = $Grant->verify_access_token(
		access_token     => $access_token,
		scopes           => [ qw/ drink / ],
	);

	ok( ! $res,'->verify_access_token, invalid scope' );
	is( $error,'invalid_grant','has error' );

	( $res,$error ) = $Grant->verify_token_and_scope(
		auth_header      => "Bearer $access_token",
		scopes           => [ qw/ eat sleep / ],
	);

	ok( $res,'->verify_token_and_scope, valid access token' );
	ok( ! $error,'has no error' );

	my $og_access_token = $access_token;
	chop( $access_token );

	( $res,$error ) = $Grant->verify_access_token(
		access_token     => $access_token,
		scopes           => [ qw/ eat sleep / ],
	);

	ok( ! $res,'->verify_access_token, token fiddled with' );
	is( $error,'invalid_grant','has error' );

	unless ( $args->{cannot_revoke} ) {

		( $res,$error ) = $Grant->verify_access_token(
			access_token     => $access_token,
			scopes           => [ qw/ eat sleep / ],
		);

		ok( ! $res,'->verify_access_token, access token revoked' );
		is( $error,'invalid_grant','has error' );
	}

	return $og_access_token;
}

1;
	Global
`s`	Focus search bar
`?`	Bring up this help dialog
	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)
	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse
	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)