From cdcf2d747e1fce8adaa540dd3774216ea73806a1 Mon Sep 17 00:00:00 2001
From: cmrd Senya
Date: Mon, 5 Sep 2016 21:12:11 +0300
Subject: [PATCH] Override forgery settings in controllers

ClientsController and TokenEndpointController are called from the outside, so CSRF verification prevents them from normal operation.

closes #7062
---
 .../api/openid_connect/clients_controller.rb | 2 ++
 .../token_endpoint_controller.rb | 2 ++
 .../openid_connect/clients_controller_spec.rb | 2 +-
 .../token_endpoint_controller_spec.rb | 18 ++++++++++++++++++
 spec/factories.rb | 9 +++++++++
 spec/spec_helper.rb | 6 ++++++
 6 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 spec/controllers/api/openid_connect/token_endpoint_controller_spec.rb

diff --git a/app/controllers/api/openid_connect/clients_controller.rb b/app/controllers/api/openid_connect/clients_controller.rb
index 0a6f7ba94..210c77624 100644
--- a/app/controllers/api/openid_connect/clients_controller.rb
+++ b/app/controllers/api/openid_connect/clients_controller.rb
@@ -1,6 +1,8 @@
 module Api
 module OpenidConnect
 class ClientsController < ApplicationController
+ skip_before_action :verify_authenticity_token
+
 rescue_from OpenIDConnect::HttpError do |e|
 http_error_page_as_json(e)
 end
diff --git a/app/controllers/api/openid_connect/token_endpoint_controller.rb b/app/controllers/api/openid_connect/token_endpoint_controller.rb
index 36b0ed31c..c8fd53c2d 100644
--- a/app/controllers/api/openid_connect/token_endpoint_controller.rb
+++ b/app/controllers/api/openid_connect/token_endpoint_controller.rb
@@ -1,6 +1,8 @@
 module Api
 module OpenidConnect
 class TokenEndpointController < ApplicationController
+ skip_before_action :verify_authenticity_token
+
 def create
 req = Rack::Request.new(request.env)
 if req["client_assertion_type"] == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
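Review bot: `skip_before_action :verify_authenticity_token` in ClientsController removes the forgery check for every action of the controller rather than only the registration POST, and it leaves the browser's session cookie fully usable by a cross-site form post. If ApplicationController still authenticates these actions from the session (that filter is not visible in the hunk), a forged request from another origin could now register a client on a logged-in user's behalf. The usual Rails shape for an endpoint called by non-browser clients is to keep the check but drop the cookie session instead: `protect_from_forgery with: :null_session`. If the skip is kept, scope it to the action that needs it, `skip_before_action :verify_authenticity_token, only: :create`, and say why in a comment: `# Dynamic client registration is called by OAuth clients, not by browser forms.` The class body continues outside the hunk.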
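Review bot: The token endpoint's `skip_before_action :verify_authenticity_token` is likewise unscoped, and nothing in the hunk records that the skip is only acceptable because `create` authenticates the caller by client credentials (the `client_assertion_type` jwt-bearer branch is the visible part of that). Since the caller is an OAuth client rather than a cookie-carrying browser, `protect_from_forgery with: :null_session` is the safer replacement: the request is still served, but any session cookie that rides along is discarded for the request, so a forged cross-site POST cannot act as the logged-in user. A one-line comment would preserve the intent for the next maintainer: `# Called by OAuth clients with their own credentials; the Rails session must not be trusted here.` The `create` method continues outside the hunk.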
diff --git a/spec/controllers/api/openid_connect/clients_controller_spec.rb b/spec/controllers/api/openid_connect/clients_controller_spec.rb
index 164c82bce..6ac6bc60d 100644
--- a/spec/controllers/api/openid_connect/clients_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/clients_controller_spec.rb
@@ -1,6 +1,6 @@
 require "spec_helper"
 
-describe Api::OpenidConnect::ClientsController, type: :controller do
+describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf_verification: :none do
 describe "#create" do
 context "when valid parameters are passed" do
 it "should return a client id" do
diff --git a/spec/controllers/api/openid_connect/token_endpoint_controller_spec.rb b/spec/controllers/api/openid_connect/token_endpoint_controller_spec.rb
new file mode 100644
index 000000000..e1aa5a3eb
--- /dev/null
+++ b/spec/controllers/api/openid_connect/token_endpoint_controller_spec.rb
@@ -0,0 +1,18 @@
+require "spec_helper"
+
+describe Api::OpenidConnect::TokenEndpointController, type: :controller, suppress_csrf_verification: :none do
+ let(:auth) { FactoryGirl.create(:auth_with_read) }
+
+ describe "#create" do
+ it "returns 200 on success" do
+ post :create,
+ grant_type: "authorization_code",
+ code: auth.create_code,
+ redirect_uri: auth.redirect_uri,
+ scope: auth.scopes.join(" "),
+ client_id: auth.o_auth_application.client_id,
+ client_secret: auth.o_auth_application.client_secret
+ expect(response.code).to eq("200")
+ end
+ end
+end
diff --git a/spec/factories.rb b/spec/factories.rb
index 72ad1d109..2f8b37d30 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
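Review bot: The new token endpoint spec pins only the happy path: `expect(response.code).to eq("200")` does not check that a token was actually issued, and there is no example showing that the endpoint still rejects bad client credentials now that the CSRF check no longer stands in front of it. Since client authentication is the only thing the `skip_before_action` relies on, a negative example with a wrong `client_secret` is the test that proves the trade-off is sound. The exact error status comes from the OpenID library's error handling, which is not visible here, so the example below asserts only that no token is issued.
```ruby
  describe "#create" do
    # … unchanged: "returns 200 on success" example …

    it "does not issue a token for a wrong client secret" do
      post :create,
           grant_type:    "authorization_code",
           code:          auth.create_code,
           redirect_uri:  auth.redirect_uri,
           scope:         auth.scopes.join(" "),
           client_id:     auth.o_auth_application.client_id,
           client_secret: "not-the-secret"
      expect(response.code).not_to eq("200")
      expect(response.body).not_to include("access_token")
    end
  end
```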
@@ -366,18 +366,27 @@ FactoryGirl.define do
 o_auth_application
 user
 scopes %w(openid sub aud profile picture nickname name read)
+ after(:build) {|m|
+ m.redirect_uri = m.o_auth_application.redirect_uris[0]
+ }
 end
 
 factory :auth_with_read_and_ppid, class: Api::OpenidConnect::Authorization do
 association :o_auth_application, factory: :o_auth_application_with_ppid
 user
 scopes %w(openid sub aud profile picture nickname name read)
+ after(:build) {|m|
+ m.redirect_uri = m.o_auth_application.redirect_uris[0]
+ }
 end
 
 factory :auth_with_read_and_write, class: Api::OpenidConnect::Authorization do
 o_auth_application
 user
 scopes %w(openid sub aud profile picture nickname name read write)
+ after(:build) {|m|
+ m.redirect_uri = m.o_auth_application.redirect_uris[0]
+ }
 end
 
 # Factories for the DiasporaFederation-gem
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 9033d2842..601b9c13c 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -143,3 +143,9 @@ Shoulda::Matchers.configure do |config|
 with.library :rails
 end
 end
+
+shared_context suppress_csrf_verification: :none do
+ before do
+ ActionController::Base.allow_forgery_protection = true
+ end
+end
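Review bot: The new `after(:build)` callbacks assign `m.redirect_uri` unconditionally, so a `redirect_uri:` passed explicitly to `build`/`create` is overwritten after the attributes have already been set; `m.redirect_uri ||= m.o_auth_application.redirect_uris[0]` keeps the default while still honouring an override. The same three-line callback is pasted into all three authorization factories, where a shared parent factory or a trait would state it once. `redirect_uris[0]` also presumes the associated application factory always builds at least one redirect URI; that factory is outside this hunk, so worth confirming before relying on it.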
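Review bot: The `before` hook in the new shared context sets `ActionController::Base.allow_forgery_protection = true` and never restores it, so once either tagged spec has run the flag stays on for every later example in the process (the test environment normally has it off), which makes unrelated controller specs order-dependent. An `around` hook that captures the previous value and resets it in `ensure` keeps the effect confined to the tagged group. The metadata key also reads backwards, since `suppress_csrf_verification: :none` is what turns verification on; a name such as `with_csrf_verification: true`, or at least a comment like `# Re-enables CSRF verification so a spec can prove its controller skips it`, would spare the next reader a double take.
```ruby
shared_context suppress_csrf_verification: :none do
  around do |example|
    previous = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    begin
      example.run
    ensure
      ActionController::Base.allow_forgery_protection = previous
    end
  end
end
```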