
Improve test coverage of OAuth1 authorization and token exchange
Open, Needs Triage, Public

Description

SpecialMWOAuth/authorize is the special-page endpoint that handles OAuth1 consumer authorization, one step of the 3-legged OAuth1 handshake. Completing the flow will likely involve multiple requests.

Integration tests should be written to cover the logic of the OAuth1 authorization flow and its DB interaction. Related unit tests should also be written for self-contained logic where necessary. It should be possible to use SpecialPageTestBase, since this involves testing a special page, and ApiTestCase for the action API-related functionality.

Impact

Event Timeline

Tgr renamed this task from Improve test coverage of SpecialMWOAuth/authorize to Improve test coverage of OAuth1 authorization and token exchange. Thu, Feb 5, 10:17 PM

The three legs are SpecialMWOAuth/initiate, SpecialMWOAuth/authorize, SpecialMWOAuth/token. The first and third are de facto API endpoints but for legacy reasons implemented via the special page.

There's also SpecialMWOAuth/authenticate as an alternative second leg, which skips showing the dialog in some cases.

We should probably have tests for the various security aspects (incorrect signature, replay attack).

Should ideally test with/without display=popup (though not sure if SpecialPageTestBase can handle that).

Would be nice to test the flow where the user is not logged in and is sent to the login page before the second step, but that seems hard to pull off in a PHPUnit test. (Maybe a reason to look at Symfony Webkit etc, but if everything else is doable without it, might not be worth the complexity to introduce it for just one workflow path.)
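The incorrect-signature and replay cases named above are the checks the SpecialMWOAuth/token leg (and the initiate leg) must apply to every signed request, so they are what the integration tests would assert on. The following is an added example, not the extension's own code and in Python rather than PHP: a minimal RFC 5849 HMAC-SHA1 verifier with nonce bookkeeping, where the wiki URL, consumer key, secrets and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):  # RFC 5849 section 3.6: only unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1): method, base URL, normalized params."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    items = list(parse_qsl(u.query, keep_blank_values=True))  # query string counts as params
    items += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in items))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2), base64-encoded as sent on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class NonceStore:
    """In-memory record of (consumer_key, nonce, timestamp) triples already accepted (constructed stand-in for a DB table)."""
    def __init__(self):
        self.seen = set()
    def first_use(self, consumer_key, nonce, timestamp):
        entry = (consumer_key, nonce, timestamp)
        if entry in self.seen:
            return False
        self.seen.add(entry)
        return True

def verify(method, url, params, consumer_secret, token_secret, store, now, window=300):
    """Server-side checks in the order a token endpoint should apply them; returns a verdict string."""
    try:
        ts = int(params["oauth_timestamp"])
        consumer_key, nonce = params["oauth_consumer_key"], params["oauth_nonce"]
    except (KeyError, ValueError):
        return "missing_or_malformed_param"
    if abs(now - ts) > window:
        return "stale_timestamp"
    expected = sign(method, url, params, consumer_secret, token_secret)
    # Constant-time compare, and check the signature BEFORE recording the nonce so unauthenticated junk cannot fill the store.
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return "bad_signature"
    if not store.first_use(consumer_key, nonce, ts):
        return "replay"
    return "ok"
```

Because the nonce and HTTP method are inside the signature base string, a replayed request with a changed nonce fails as a bad signature rather than as a replay; only a byte-for-byte resend reaches the nonce check.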