diff --git a/package.json b/package.json index c2205e81656..bcb56c88cc1 100644 --- a/package.json +++ b/package.json @@ -82,6 +82,7 @@ "test:codegen": "node playwright/codegen.ts", "test:e2e": "playwright test --project=default", "test:e2e:ssl": "playwright test --project=ssl", + "test:e2e:auth": "playwright test --project=auth", "lint": "cross-env NODE_OPTIONS=\"--max_old_space_size=4096\" npx eslint", "lint:fix": "cross-env NODE_OPTIONS=\"--max_old_space_size=4096\" npx eslint --fix", "prepare": "husky" diff --git a/packages/bruno-app/src/components/CollectionSettings/Auth/AuthMode/index.js b/packages/bruno-app/src/components/CollectionSettings/Auth/AuthMode/index.js index 1abcb4ae9a9..0770ac0ead3 100644 --- a/packages/bruno-app/src/components/CollectionSettings/Auth/AuthMode/index.js +++ b/packages/bruno-app/src/components/CollectionSettings/Auth/AuthMode/index.js @@ -51,6 +51,11 @@ const AuthMode = ({ collection }) => { label: 'NTLM Auth', onClick: () => onModeChange('ntlm') }, + { + id: 'oauth1', + label: 'OAuth 1.0', + onClick: () => onModeChange('oauth1') + }, { id: 'oauth2', label: 'OAuth 2.0', diff --git a/packages/bruno-app/src/components/CollectionSettings/Auth/Oauth1/index.js b/packages/bruno-app/src/components/CollectionSettings/Auth/Oauth1/index.js new file mode 100644 index 00000000000..786a227571b --- /dev/null +++ b/packages/bruno-app/src/components/CollectionSettings/Auth/Oauth1/index.js @@ -0,0 +1,26 @@ +import React from 'react'; +import get from 'lodash/get'; +import { useDispatch } from 'react-redux'; +import OAuth1 from 'components/RequestPane/Auth/OAuth1'; +import { updateCollectionAuth } from 'providers/ReduxStore/slices/collections'; +import { saveCollectionSettings } from 'providers/ReduxStore/slices/collections/actions'; + +const CollectionOAuth1 = ({ collection }) => { + const dispatch = useDispatch(); + const request = collection.draft?.root + ? get(collection, 'draft.root.request', {}) + : get(collection, 'root.request', {}); + + const save = () => dispatch(saveCollectionSettings(collection.uid)); + + return ( + + ); +}; + +export default CollectionOAuth1; diff --git a/packages/bruno-app/src/components/CollectionSettings/Auth/index.js b/packages/bruno-app/src/components/CollectionSettings/Auth/index.js index a74208d3dd9..228d29a258a 100644 --- a/packages/bruno-app/src/components/CollectionSettings/Auth/index.js +++ b/packages/bruno-app/src/components/CollectionSettings/Auth/index.js @@ -12,6 +12,7 @@ import { saveCollectionSettings } from 'providers/ReduxStore/slices/collections/ import StyledWrapper from './StyledWrapper'; import OAuth2 from './OAuth2'; import NTLMAuth from './NTLMAuth'; +import OAuth1 from './Oauth1'; import Button from 'ui/Button'; const Auth = ({ collection }) => { @@ -37,6 +38,9 @@ const Auth = ({ collection }) => { case 'ntlm': { return ; } + case 'oauth1': { + return ; + } case 'oauth2': { return ; } diff --git a/packages/bruno-app/src/components/FolderSettings/Auth/index.js b/packages/bruno-app/src/components/FolderSettings/Auth/index.js index a1995a20538..14c5d25639d 100644 --- a/packages/bruno-app/src/components/FolderSettings/Auth/index.js +++ b/packages/bruno-app/src/components/FolderSettings/Auth/index.js @@ -14,6 +14,7 @@ import BasicAuth from 'components/RequestPane/Auth/BasicAuth'; import BearerAuth from 'components/RequestPane/Auth/BearerAuth'; import DigestAuth from 'components/RequestPane/Auth/DigestAuth'; import NTLMAuth from 'components/RequestPane/Auth/NTLMAuth'; +import OAuth1 from 'components/RequestPane/Auth/OAuth1'; import WsseAuth from 'components/RequestPane/Auth/WsseAuth'; import ApiKeyAuth from 'components/RequestPane/Auth/ApiKeyAuth'; import AwsV4Auth from 'components/RequestPane/Auth/AwsV4Auth'; @@ -143,6 +144,17 @@ const Auth = ({ collection, folder }) => { /> ); } + case 'oauth1': { + return ( + handleSave()} + /> + ); + } case 'wsse': { return ( { label: 'NTLM Auth', onClick: () => onModeChange('ntlm') }, + { + id: 'oauth1', + label: 'OAuth 1.0', + onClick: () => onModeChange('oauth1') + }, { id: 'oauth2', label: 'OAuth 2.0', diff --git a/packages/bruno-app/src/components/RequestPane/Auth/AuthMode/index.js b/packages/bruno-app/src/components/RequestPane/Auth/AuthMode/index.js index 2cd19f9c4d3..4897d0e9c02 100644 --- a/packages/bruno-app/src/components/RequestPane/Auth/AuthMode/index.js +++ b/packages/bruno-app/src/components/RequestPane/Auth/AuthMode/index.js @@ -47,6 +47,11 @@ const AuthMode = ({ item, collection }) => { label: 'NTLM Auth', onClick: () => onModeChange('ntlm') }, + { + id: 'oauth1', + label: 'OAuth 1.0', + onClick: () => onModeChange('oauth1') + }, { id: 'oauth2', label: 'OAuth 2.0', diff --git a/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/StyledWrapper.js b/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/StyledWrapper.js new file mode 100644 index 00000000000..c28e1786607 --- /dev/null +++ b/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/StyledWrapper.js @@ -0,0 +1,90 @@ +import styled from 'styled-components'; +import { rgba } from 'polished'; + +const Wrapper = styled.div` + .oauth1-icon-container { + background-color: ${(props) => rgba(props.theme.primary.solid, 0.1)}; + } + + label { + font-size: ${(props) => props.theme.font.size.sm}; + color: ${(props) => props.theme.colors.text.subtext1}; + } + + .oauth1-section-label { + color: ${(props) => props.theme.text}; + } + + .single-line-editor-wrapper { + max-width: 400px; + padding: 0.15rem 0.4rem; + border-radius: 3px; + border: solid 1px ${(props) => props.theme.input.border}; + background-color: ${(props) => props.theme.input.bg}; + } + + .oauth1-dropdown-selector { + font-size: ${(props) => props.theme.font.size.sm}; + padding: 0.2rem 0px; + border-radius: 3px; + border: solid 1px ${(props) => props.theme.input.border}; + background-color: ${(props) => props.theme.input.bg}; + min-width: 100px; + + .dropdown { + width: fit-content; + min-width: 100px; + + div[data-tippy-root] { + width: fit-content; + min-width: 100px; + } + .tippy-box { + width: fit-content; + max-width: none !important; + min-width: 100px; + + .tippy-content { + width: fit-content; + max-width: none !important; + min-width: 100px; + } + } + } + + .oauth1-dropdown-label { + width: fit-content; + justify-content: space-between; + padding: 0 0.5rem; + min-width: 100px; + } + + .dropdown-item { + padding: 0.2rem 0.6rem !important; + } + } + + .private-key-editor-wrapper { + padding: 0.15rem 0.4rem; + border-radius: 3px; + border: solid 1px ${(props) => props.theme.input.border}; + background-color: ${(props) => props.theme.input.bg}; + max-width: 400px; + overflow: hidden; + } + + input[type='checkbox'] { + cursor: pointer; + accent-color: ${(props) => props.theme.primary.solid}; + } + + .transition-transform { + transition: transform 0.15s ease; + } + + .rotate-90 { + transform: rotate(90deg); + } +`; + +export default Wrapper; diff --git a/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/index.js b/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/index.js new file mode 100644 index 00000000000..fb7865fcca4 --- /dev/null +++ b/packages/bruno-app/src/components/RequestPane/Auth/OAuth1/index.js @@ -0,0 +1,426 @@ +import React, { useState } from 'react'; +import get from 'lodash/get'; +import { useTheme } from 'providers/Theme'; +import { useDispatch } from 'react-redux'; +import path from 'utils/common/path'; +import { IconSettings, IconShieldLock, IconAdjustmentsHorizontal, IconCaretDown, IconChevronRight, IconFile, IconX, IconUpload } from '@tabler/icons'; +import MenuDropdown from 'ui/MenuDropdown'; +import SingleLineEditor from 'components/SingleLineEditor'; +import MultiLineEditor from 'components/MultiLineEditor'; +import SensitiveFieldWarning from 'components/SensitiveFieldWarning'; +import { useDetectSensitiveField } from 'hooks/useDetectSensitiveField'; +import { sendRequest, browseFiles } from 'providers/ReduxStore/slices/collections/actions'; +import StyledWrapper from './StyledWrapper'; + +const signatureMethodLabels = { + 'HMAC-SHA1': 'HMAC-SHA1', + 'HMAC-SHA256': 'HMAC-SHA256', + 'HMAC-SHA512': 'HMAC-SHA512', + 'RSA-SHA1': 'RSA-SHA1', + 'RSA-SHA256': 'RSA-SHA256', + 'RSA-SHA512': 'RSA-SHA512', + 'PLAINTEXT': 'PLAINTEXT' +}; + +const addParamsToLabels = { + header: 'Header', + queryparams: 'Query Params', + body: 'Body' +}; + +const OAuth1 = ({ item = {}, collection, request, save, updateAuth }) => { + const dispatch = useDispatch(); + const { storedTheme } = useTheme(); + const oauth1 = get(request, 'auth.oauth1', {}); + const [advancedOpen, setAdvancedOpen] = useState(false); + + const { isSensitive } = useDetectSensitiveField(collection); + const consumerSecretSensitive = isSensitive(oauth1.consumerSecret); + const tokenSecretSensitive = isSensitive(oauth1.tokenSecret); + const privateKeySensitive = isSensitive(oauth1.privateKey); + + const handleRun = item?.uid ? () => dispatch(sendRequest(item, collection.uid)) : undefined; + const handleSave = () => save(); + + const handleChange = (field, value) => { + dispatch( + updateAuth({ + mode: 'oauth1', + collectionUid: collection.uid, + itemUid: item.uid, + content: { + ...oauth1, + [field]: value + } + }) + ); + }; + + const handlePrivateKeyChange = (val) => { + if (val && /^@file\(/.test(val.trim())) return; + handleChange('privateKey', val); + }; + + const handleBrowse = () => { + dispatch(browseFiles([], [])) + .then((filePaths) => { + if (filePaths && filePaths.length > 0) { + let filePath = filePaths[0]; + const collectionDir = collection.pathname; + filePath = path.relative(collectionDir, filePath); + dispatch( + updateAuth({ + mode: 'oauth1', + collectionUid: collection.uid, + itemUid: item.uid, + content: { + ...oauth1, + privateKey: filePath, + privateKeyType: 'file' + } + }) + ); + } + }) + .catch((error) => console.error(error)); + }; + + const handleClearFile = () => { + dispatch( + updateAuth({ + mode: 'oauth1', + collectionUid: collection.uid, + itemUid: item.uid, + content: { + ...oauth1, + privateKey: '', + privateKeyType: 'text' + } + }) + ); + }; + + const privateKeyValue = oauth1.privateKey || ''; + const isFileRef = oauth1.privateKeyType === 'file'; + const fileName = isFileRef ? privateKeyValue.split('/').pop().split('\\').pop() : ''; + + return ( + + {/* Configuration Section */} +
+
+ +
+ + Configuration + +
+ +
+ +
+ handleChange('consumerKey', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ + {!oauth1.signatureMethod?.startsWith('RSA-') && ( +
+ +
+ handleChange('consumerSecret', val)} + onRun={handleRun} + collection={collection} + item={item} + isSecret={true} + isCompact + /> + {consumerSecretSensitive.showWarning && } +
+
+ )} + +
+ +
+ handleChange('accessToken', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('tokenSecret', val)} + onRun={handleRun} + collection={collection} + item={item} + isSecret={true} + isCompact + /> + {tokenSecretSensitive.showWarning && } +
+
+ + {/* Signature Section */} +
+
+ +
+ + Signature + +
+ +
+ +
+ ({ + id: value, + label, + onClick: () => handleChange('signatureMethod', value) + }))} + selectedItemId={oauth1.signatureMethod} + placement="bottom-end" + > +
+ {signatureMethodLabels[oauth1.signatureMethod] || 'HMAC-SHA1'} + +
+ +
+
+ + {oauth1.signatureMethod?.startsWith('RSA-') && ( +
+ + {isFileRef ? ( +
+ + {fileName} + +
+ ) : ( +
+
+ + {privateKeySensitive.showWarning && } +
+
+ +
+
+ )} +
+ )} + +
+ +
+ ({ + id: value, + label, + onClick: () => handleChange('addParamsTo', value) + }))} + selectedItemId={oauth1.addParamsTo} + placement="bottom-end" + > +
+ {addParamsToLabels[oauth1.addParamsTo] || 'Header'} + +
+ +
+
+ +
+ +
+ handleChange('includeBodyHash', e.target.checked)} + /> + +
+
+ + {/* Advanced Section (collapsible) */} +
setAdvancedOpen(!advancedOpen)} + > +
+ +
+ + Advanced + + +
+ + {advancedOpen && ( + <> +
+ +
+ handleChange('callbackUrl', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('verifier', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('timestamp', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('nonce', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('version', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ +
+ +
+ handleChange('realm', val)} + onRun={handleRun} + collection={collection} + item={item} + isCompact + /> +
+
+ + )} + + ); +}; + +export default OAuth1; diff --git a/packages/bruno-app/src/components/RequestPane/Auth/index.js b/packages/bruno-app/src/components/RequestPane/Auth/index.js index 1de8fdfa36e..4a6926d75fe 100644 --- a/packages/bruno-app/src/components/RequestPane/Auth/index.js +++ b/packages/bruno-app/src/components/RequestPane/Auth/index.js @@ -6,6 +6,7 @@ import BasicAuth from './BasicAuth'; import DigestAuth from './DigestAuth'; import WsseAuth from './WsseAuth'; import NTLMAuth from './NTLMAuth'; +import OAuth1 from './OAuth1'; import { updateAuth } from 'providers/ReduxStore/slices/collections'; import { saveRequest } from 'providers/ReduxStore/slices/collections/actions'; import { useDispatch } from 'react-redux'; @@ -90,6 +91,9 @@ const Auth = ({ item, collection }) => { case 'ntlm': { return ; } + case 'oauth1': { + return ; + } case 'oauth2': { return ; } diff --git a/packages/bruno-app/src/components/RequestPane/WSRequestPane/WSAuth/index.js b/packages/bruno-app/src/components/RequestPane/WSRequestPane/WSAuth/index.js index 2ca88195f6c..ac11af49b71 100644 --- a/packages/bruno-app/src/components/RequestPane/WSRequestPane/WSAuth/index.js +++ b/packages/bruno-app/src/components/RequestPane/WSRequestPane/WSAuth/index.js @@ -93,12 +93,12 @@ const WSAuth = ({ item, collection }) => { case 'inherit': { const source = getEffectiveAuthSource(); - // Check if inherited auth is OAuth2 - not supported for WebSockets - if (source?.auth?.mode === 'oauth2') { + // Check if inherited auth is OAuth1/OAuth2 - not supported for WebSockets + if (source?.auth?.mode === 'oauth1' || source?.auth?.mode === 'oauth2') { return ( <>
- OAuth 2 not yet supported by WebSockets. Using no auth instead. + {source.auth.mode === 'oauth1' ? 'OAuth 1.0' : 'OAuth 2'} not yet supported by WebSockets. Using no auth instead.
); diff --git a/packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js b/packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js index dc7220c74e1..4df5b00df0e 100644 --- a/packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js +++ b/packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js @@ -1017,6 +1017,10 @@ export const collectionsSlice = createSlice({ item.draft.request.auth.mode = 'ntlm'; item.draft.request.auth.ntlm = action.payload.content; break; + case 'oauth1': + item.draft.request.auth.mode = 'oauth1'; + item.draft.request.auth.oauth1 = action.payload.content; + break; case 'oauth2': item.draft.request.auth.mode = 'oauth2'; item.draft.request.auth.oauth2 = action.payload.content; @@ -2121,6 +2125,9 @@ export const collectionsSlice = createSlice({ case 'ntlm': set(collection, 'draft.root.request.auth.ntlm', action.payload.content); break; + case 'oauth1': + set(collection, 'draft.root.request.auth.oauth1', action.payload.content); + break; case 'oauth2': set(collection, 'draft.root.request.auth.oauth2', action.payload.content); break; @@ -2454,6 +2461,9 @@ export const collectionsSlice = createSlice({ case 'ntlm': set(folder, 'draft.request.auth.ntlm', action.payload.content); break; + case 'oauth1': + set(folder, 'draft.request.auth.oauth1', action.payload.content); + break; case 'apikey': set(folder, 'draft.request.auth.apikey', action.payload.content); break; diff --git a/packages/bruno-app/src/utils/codegenerator/auth.js b/packages/bruno-app/src/utils/codegenerator/auth.js index 51da6d3c9af..04bdf4da122 100644 --- a/packages/bruno-app/src/utils/codegenerator/auth.js +++ b/packages/bruno-app/src/utils/codegenerator/auth.js @@ -46,6 +46,10 @@ export const getAuthHeaders = (requestAuth, collection = null, item = null) => { ]; } return []; + case 'oauth1': + // OAuth1 requires runtime signing (nonce, timestamp, signature) that + // cannot be pre-computed for a static code snippet. + return []; case 'oauth2': { const oauth2Config = get(requestAuth, 'oauth2', {}); const tokenPlacement = get(oauth2Config, 'tokenPlacement', 'header'); diff --git a/packages/bruno-app/src/utils/collections/index.js b/packages/bruno-app/src/utils/collections/index.js index 16ba2e95f58..35e66b1d80d 100644 --- a/packages/bruno-app/src/utils/collections/index.js +++ b/packages/bruno-app/src/utils/collections/index.js @@ -384,6 +384,25 @@ export const transformCollectionToSaveToExportAsFile = (collection, options = {} domain: get(si.request, 'auth.ntlm.domain', '') }; break; + case 'oauth1': + di.request.auth.oauth1 = { + consumerKey: get(si.request, 'auth.oauth1.consumerKey', ''), + consumerSecret: get(si.request, 'auth.oauth1.consumerSecret', ''), + accessToken: get(si.request, 'auth.oauth1.accessToken', ''), + tokenSecret: get(si.request, 'auth.oauth1.tokenSecret', ''), + callbackUrl: get(si.request, 'auth.oauth1.callbackUrl', ''), + verifier: get(si.request, 'auth.oauth1.verifier', ''), + signatureMethod: get(si.request, 'auth.oauth1.signatureMethod', 'HMAC-SHA1'), + privateKey: get(si.request, 'auth.oauth1.privateKey', ''), + privateKeyType: get(si.request, 'auth.oauth1.privateKeyType', 'text'), + timestamp: get(si.request, 'auth.oauth1.timestamp', ''), + nonce: get(si.request, 'auth.oauth1.nonce', ''), + version: get(si.request, 'auth.oauth1.version', '1.0'), + realm: get(si.request, 'auth.oauth1.realm', ''), + addParamsTo: get(si.request, 'auth.oauth1.addParamsTo', 'header'), + includeBodyHash: get(si.request, 'auth.oauth1.includeBodyHash', false) + }; + break; case 'oauth2': let grantType = get(si.request, 'auth.oauth2.grantType', ''); switch (grantType) { @@ -921,6 +940,10 @@ export const humanizeRequestAuthMode = (mode) => { label = 'NTLM'; break; } + case 'oauth1': { + label = 'OAuth 1.0'; + break; + } case 'oauth2': { label = 'OAuth 2.0'; break; diff --git a/packages/bruno-cli/src/runner/interpolate-vars.js b/packages/bruno-cli/src/runner/interpolate-vars.js index 7fcf860bde9..ccdd925d70c 100644 --- a/packages/bruno-cli/src/runner/interpolate-vars.js +++ b/packages/bruno-cli/src/runner/interpolate-vars.js @@ -277,6 +277,22 @@ const interpolateVars = (request, envVariables = {}, runtimeVariables = {}, proc request.ntlmConfig.domain = _interpolate(request.ntlmConfig.domain) || ''; } + // interpolate vars for oauth1config auth + if (request.oauth1config) { + request.oauth1config.consumerKey = _interpolate(request.oauth1config.consumerKey) || ''; + request.oauth1config.consumerSecret = _interpolate(request.oauth1config.consumerSecret) || ''; + request.oauth1config.accessToken = _interpolate(request.oauth1config.accessToken) || ''; + request.oauth1config.tokenSecret = _interpolate(request.oauth1config.tokenSecret) || ''; + request.oauth1config.callbackUrl = _interpolate(request.oauth1config.callbackUrl) || ''; + request.oauth1config.verifier = _interpolate(request.oauth1config.verifier) || ''; + request.oauth1config.signatureMethod = _interpolate(request.oauth1config.signatureMethod) || request.oauth1config.signatureMethod || 'HMAC-SHA1'; + request.oauth1config.privateKey = _interpolate(request.oauth1config.privateKey) || ''; + request.oauth1config.timestamp = _interpolate(request.oauth1config.timestamp) || ''; + request.oauth1config.nonce = _interpolate(request.oauth1config.nonce) || ''; + request.oauth1config.version = _interpolate(request.oauth1config.version) || ''; + request.oauth1config.realm = _interpolate(request.oauth1config.realm) || ''; + } + if (request?.auth) delete request.auth; if (request) return request; diff --git a/packages/bruno-cli/src/runner/prepare-request.js b/packages/bruno-cli/src/runner/prepare-request.js index 0c1a6d80612..6edb9bd9ba7 100644 --- a/packages/bruno-cli/src/runner/prepare-request.js +++ b/packages/bruno-cli/src/runner/prepare-request.js @@ -149,6 +149,26 @@ const prepareRequest = async (item = {}, collection = {}) => { }; } + if (collectionAuth.mode === 'oauth1') { + axiosRequest.oauth1config = { + consumerKey: get(collectionAuth, 'oauth1.consumerKey'), + consumerSecret: get(collectionAuth, 'oauth1.consumerSecret'), + accessToken: get(collectionAuth, 'oauth1.accessToken'), + tokenSecret: get(collectionAuth, 'oauth1.tokenSecret'), + callbackUrl: get(collectionAuth, 'oauth1.callbackUrl'), + verifier: get(collectionAuth, 'oauth1.verifier'), + signatureMethod: get(collectionAuth, 'oauth1.signatureMethod'), + privateKey: get(collectionAuth, 'oauth1.privateKey'), + privateKeyType: get(collectionAuth, 'oauth1.privateKeyType'), + timestamp: get(collectionAuth, 'oauth1.timestamp'), + nonce: get(collectionAuth, 'oauth1.nonce'), + version: get(collectionAuth, 'oauth1.version'), + realm: get(collectionAuth, 'oauth1.realm'), + addParamsTo: get(collectionAuth, 'oauth1.addParamsTo'), + includeBodyHash: get(collectionAuth, 'oauth1.includeBodyHash') + }; + } + if (collectionAuth.mode === 'wsse') { const username = get(collectionAuth, 'wsse.username', ''); const password = get(collectionAuth, 'wsse.password', ''); @@ -166,8 +186,6 @@ const prepareRequest = async (item = {}, collection = {}) => { 'X-WSSE' ] = `UsernameToken Username="${username}", PasswordDigest="${digest}", Nonce="${nonce}", Created="${ts}"`; } - - console.log('axiosRequest', axiosRequest); } if (request.auth && request.auth.mode !== 'inherit') { @@ -197,6 +215,26 @@ const prepareRequest = async (item = {}, collection = {}) => { }; } + if (request.auth.mode === 'oauth1') { + axiosRequest.oauth1config = { + consumerKey: get(request, 'auth.oauth1.consumerKey'), + consumerSecret: get(request, 'auth.oauth1.consumerSecret'), + accessToken: get(request, 'auth.oauth1.accessToken'), + tokenSecret: get(request, 'auth.oauth1.tokenSecret'), + callbackUrl: get(request, 'auth.oauth1.callbackUrl'), + verifier: get(request, 'auth.oauth1.verifier'), + signatureMethod: get(request, 'auth.oauth1.signatureMethod'), + privateKey: get(request, 'auth.oauth1.privateKey'), + privateKeyType: get(request, 'auth.oauth1.privateKeyType'), + timestamp: get(request, 'auth.oauth1.timestamp'), + nonce: get(request, 'auth.oauth1.nonce'), + version: get(request, 'auth.oauth1.version'), + realm: get(request, 'auth.oauth1.realm'), + addParamsTo: get(request, 'auth.oauth1.addParamsTo'), + includeBodyHash: get(request, 'auth.oauth1.includeBodyHash') + }; + } + if (request.auth.mode === 'bearer') { axiosRequest.headers['Authorization'] = `Bearer ${get(request, 'auth.bearer.token', '')}`; } diff --git a/packages/bruno-cli/src/runner/run-single-request.js b/packages/bruno-cli/src/runner/run-single-request.js index 44ad9e54ec1..4a822cc6bca 100644 --- a/packages/bruno-cli/src/runner/run-single-request.js +++ b/packages/bruno-cli/src/runner/run-single-request.js @@ -22,7 +22,7 @@ const { getCookieStringForUrl, saveCookies } = require('../utils/cookies'); const { createFormData } = require('../utils/form-data'); const protocolRegex = /^([-+\w]{1,25})(:?\/\/|:)/; const { NtlmClient } = require('axios-ntlm'); -const { addDigestInterceptor, getHttpHttpsAgents, makeAxiosInstance: makeAxiosInstanceForOauth2 } = require('@usebruno/requests'); +const { addDigestInterceptor, getHttpHttpsAgents, makeAxiosInstance: makeAxiosInstanceForOauth2, applyOAuth1ToRequest } = require('@usebruno/requests'); const { getCACertificates, transformProxyConfig, getOrCreateHttpsAgent, getOrCreateHttpAgent } = require('@usebruno/requests'); const { getOAuth2Token, getFormattedOauth2Credentials } = require('../utils/oauth2'); const tokenStore = require('../store/tokenStore'); @@ -696,6 +696,14 @@ const runSingleRequest = async function ( delete request.ntlmConfig; } + if (request.oauth1config) { + try { + applyOAuth1ToRequest(request, collectionPath); + } catch (error) { + throw new Error(`OAuth1 signing failed: ${error.message}`); + } + } + if (request.awsv4config) { // todo: make this happen in prepare-request.js // interpolate the aws v4 config diff --git a/packages/bruno-converters/src/opencollection/common/auth.ts b/packages/bruno-converters/src/opencollection/common/auth.ts index c6a24c479be..44fa9b2d78d 100644 --- a/packages/bruno-converters/src/opencollection/common/auth.ts +++ b/packages/bruno-converters/src/opencollection/common/auth.ts @@ -7,8 +7,10 @@ import type { AuthAwsV4, AuthApiKey, AuthWsse, + AuthOAuth1, AuthOAuth2, BrunoAuth, + BrunoAuthOauth1, BrunoOAuth2 } from '../types'; @@ -275,6 +277,31 @@ export const fromOpenCollectionAuth = (auth: Auth | undefined): BrunoAuth => { }; } + case 'oauth1': { + const oauth1Auth = auth as AuthOAuth1; + return { + ...defaultAuth, + mode: 'oauth1', + oauth1: { + consumerKey: oauth1Auth.consumerKey || null, + consumerSecret: oauth1Auth.consumerSecret || null, + accessToken: oauth1Auth.accessToken || null, + tokenSecret: oauth1Auth.tokenSecret || null, + callbackUrl: oauth1Auth.callbackUrl || null, + verifier: oauth1Auth.verifier || null, + signatureMethod: (oauth1Auth.signatureMethod as BrunoAuthOauth1['signatureMethod']) || 'HMAC-SHA1', + privateKey: (typeof oauth1Auth.privateKey === 'object' && oauth1Auth.privateKey ? oauth1Auth.privateKey.value : oauth1Auth.privateKey) || null, + privateKeyType: (typeof oauth1Auth.privateKey === 'object' && oauth1Auth.privateKey ? oauth1Auth.privateKey.type : 'text') as BrunoAuthOauth1['privateKeyType'], + timestamp: oauth1Auth.timestamp || null, + nonce: oauth1Auth.nonce || null, + version: oauth1Auth.version || '1.0', + realm: oauth1Auth.realm || null, + addParamsTo: (oauth1Auth.addParamsTo as BrunoAuthOauth1['addParamsTo']) || 'header', + includeBodyHash: oauth1Auth.includeBodyHash || false + } + }; + } + case 'oauth2': return fromOpenCollectionOAuth2(auth as AuthOAuth2); @@ -461,6 +488,29 @@ export const toOpenCollectionAuth = (auth: BrunoAuth | null | undefined): Auth | password: auth.wsse?.password || '' }; + case 'oauth1': { + const oauth1: AuthOAuth1 = { + type: 'oauth1', + consumerKey: auth.oauth1?.consumerKey || '', + consumerSecret: auth.oauth1?.consumerSecret || '', + accessToken: auth.oauth1?.accessToken || '', + tokenSecret: auth.oauth1?.tokenSecret || '', + callbackUrl: auth.oauth1?.callbackUrl || '', + verifier: auth.oauth1?.verifier || '', + signatureMethod: auth.oauth1?.signatureMethod || 'HMAC-SHA1', + privateKey: auth.oauth1?.privateKeyType === 'file' + ? { type: 'file' as const, value: auth.oauth1?.privateKey || '' } + : (auth.oauth1?.privateKey || ''), + timestamp: auth.oauth1?.timestamp || '', + nonce: auth.oauth1?.nonce || '', + version: auth.oauth1?.version || '1.0', + realm: auth.oauth1?.realm || '', + addParamsTo: auth.oauth1?.addParamsTo || 'header', + includeBodyHash: auth.oauth1?.includeBodyHash || false + }; + return oauth1; + } + case 'oauth2': return toOpenCollectionOAuth2(auth.oauth2); diff --git a/packages/bruno-converters/src/opencollection/types.ts b/packages/bruno-converters/src/opencollection/types.ts index b03dd9e1731..3b6afdf23fb 100644 --- a/packages/bruno-converters/src/opencollection/types.ts +++ b/packages/bruno-converters/src/opencollection/types.ts @@ -102,7 +102,8 @@ export type { AuthNTLM, AuthAwsV4, AuthApiKey, - AuthWsse + AuthWsse, + AuthOAuth1 } from '@opencollection/types/common/auth'; export type { AuthOAuth2 } from '@opencollection/types/common/auth-oauth2'; @@ -140,6 +141,7 @@ export type { AuthNTLM as BrunoAuthNTLM, AuthWsse as BrunoAuthWsse, AuthApiKey as BrunoAuthApiKey, + AuthOauth1 as BrunoAuthOauth1, OAuth2 as BrunoOAuth2 } from '@usebruno/schema-types/common/auth'; export type { MultipartFormEntry as BrunoMultipartFormEntry, MultipartForm as BrunoMultipartForm } from '@usebruno/schema-types/common/multipart-form'; diff --git a/packages/bruno-converters/src/postman/postman-to-bruno.js b/packages/bruno-converters/src/postman/postman-to-bruno.js index de5f0570724..2a3b2a5cc96 100644 --- a/packages/bruno-converters/src/postman/postman-to-bruno.js +++ b/packages/bruno-converters/src/postman/postman-to-bruno.js @@ -11,6 +11,7 @@ const AUTH_TYPES = Object.freeze({ AWSV4: 'awsv4', APIKEY: 'apikey', DIGEST: 'digest', + OAUTH1: 'oauth1', OAUTH2: 'oauth2', NOAUTH: 'noauth', NONE: 'none' @@ -226,6 +227,25 @@ export const processAuth = (auth, requestObject, isCollection = false) => { password: authValues.password || '' }; break; + case AUTH_TYPES.OAUTH1: + requestObject.auth.oauth1 = { + consumerKey: authValues.consumerKey || '', + consumerSecret: authValues.consumerSecret || '', + accessToken: authValues.token || '', + tokenSecret: authValues.tokenSecret || '', + callbackUrl: authValues.callback || null, + verifier: authValues.verifier || null, + signatureMethod: authValues.signatureMethod || 'HMAC-SHA1', + privateKey: authValues.privateKey || null, + privateKeyType: 'text', + timestamp: authValues.timestamp || null, + nonce: authValues.nonce || null, + version: authValues.version || '1.0', + realm: authValues.realm || null, + addParamsTo: authValues.addParamsToHeader === false ? 'queryparams' : 'header', + includeBodyHash: authValues.includeBodyHash || false + }; + break; case AUTH_TYPES.OAUTH2: const findValueUsingKey = (key) => authValues[key] || ''; @@ -327,6 +347,7 @@ const importPostmanV2CollectionItem = (brunoParent, item, { useWorkers = false } bearer: null, awsv4: null, apikey: null, + oauth1: null, oauth2: null, digest: null }, @@ -391,6 +412,7 @@ const importPostmanV2CollectionItem = (brunoParent, item, { useWorkers = false } bearer: null, awsv4: null, apikey: null, + oauth1: null, oauth2: null, digest: null }, @@ -788,6 +810,7 @@ const importPostmanV2Collection = async (collection, { useWorkers = false }) => bearer: null, awsv4: null, apikey: null, + oauth1: null, oauth2: null, digest: null }, diff --git a/packages/bruno-electron/src/ipc/network/index.js b/packages/bruno-electron/src/ipc/network/index.js index dbbe2e12e0e..7e94ae931cd 100644 --- a/packages/bruno-electron/src/ipc/network/index.js +++ b/packages/bruno-electron/src/ipc/network/index.js @@ -1,6 +1,7 @@ const https = require('https'); const axios = require('axios'); const path = require('path'); +const { applyOAuth1ToRequest } = require('@usebruno/requests'); const qs = require('qs'); const decomment = require('decomment'); const contentDispositionParser = require('content-disposition'); @@ -158,6 +159,14 @@ const configureRequest = async ( delete request.ntlmConfig; } + if (request.oauth1config) { + try { + applyOAuth1ToRequest(request, collectionPath); + } catch (error) { + throw new Error(`OAuth1 signing failed: ${error.message}`); + } + } + if (request.oauth2) { let requestCopy = cloneDeep(request); const { oauth2: { grantType, tokenPlacement, tokenHeaderPrefix, tokenQueryKey, tokenSource, accessTokenUrl, refreshTokenUrl } = {}, collectionVariables, folderVariables, requestVariables } = requestCopy || {}; diff --git a/packages/bruno-electron/src/ipc/network/interpolate-vars.js b/packages/bruno-electron/src/ipc/network/interpolate-vars.js index f90d35dac01..7e7bf1f7f9a 100644 --- a/packages/bruno-electron/src/ipc/network/interpolate-vars.js +++ b/packages/bruno-electron/src/ipc/network/interpolate-vars.js @@ -361,6 +361,22 @@ const interpolateVars = (request, envVariables = {}, runtimeVariables = {}, proc request.ntlmConfig.domain = _interpolate(request.ntlmConfig.domain) || ''; } + // interpolate vars for oauth1config auth + if (request.oauth1config) { + request.oauth1config.consumerKey = _interpolate(request.oauth1config.consumerKey) || ''; + request.oauth1config.consumerSecret = _interpolate(request.oauth1config.consumerSecret) || ''; + request.oauth1config.accessToken = _interpolate(request.oauth1config.accessToken) || ''; + request.oauth1config.tokenSecret = _interpolate(request.oauth1config.tokenSecret) || ''; + request.oauth1config.callbackUrl = _interpolate(request.oauth1config.callbackUrl) || ''; + request.oauth1config.verifier = _interpolate(request.oauth1config.verifier) || ''; + request.oauth1config.signatureMethod = _interpolate(request.oauth1config.signatureMethod) || request.oauth1config.signatureMethod || 'HMAC-SHA1'; + request.oauth1config.privateKey = _interpolate(request.oauth1config.privateKey) || ''; + request.oauth1config.timestamp = _interpolate(request.oauth1config.timestamp) || ''; + request.oauth1config.nonce = _interpolate(request.oauth1config.nonce) || ''; + request.oauth1config.version = _interpolate(request.oauth1config.version) || ''; + request.oauth1config.realm = _interpolate(request.oauth1config.realm) || ''; + } + if (request?.auth) delete request.auth; return request; diff --git a/packages/bruno-electron/src/ipc/network/prepare-grpc-request.js b/packages/bruno-electron/src/ipc/network/prepare-grpc-request.js index e8e68b64707..798b9ae5b21 100644 --- a/packages/bruno-electron/src/ipc/network/prepare-grpc-request.js +++ b/packages/bruno-electron/src/ipc/network/prepare-grpc-request.js @@ -167,7 +167,7 @@ const prepareGrpcRequest = async (item, collection, environment, runtimeVariable oauth2CredentialVariables: request.oauth2CredentialVariables }; - grpcRequest = setAuthHeaders(grpcRequest, request, collectionRoot); + grpcRequest = setAuthHeaders(grpcRequest, request, collectionRoot, collection?.pathname); interpolateVars(grpcRequest, envVars, runtimeVariables, processEnvVars, promptVariables); processHeaders(grpcRequest.headers); diff --git a/packages/bruno-electron/src/ipc/network/prepare-request.js b/packages/bruno-electron/src/ipc/network/prepare-request.js index c9bd2203363..de2b9c5f2fd 100644 --- a/packages/bruno-electron/src/ipc/network/prepare-request.js +++ b/packages/bruno-electron/src/ipc/network/prepare-request.js @@ -8,7 +8,7 @@ const { isLargeFile } = require('../../utils/filesystem'); const STREAMING_FILE_SIZE_THRESHOLD = 20 * 1024 * 1024; // 20MB -const setAuthHeaders = (axiosRequest, request, collectionRoot) => { +const setAuthHeaders = (axiosRequest, request, collectionRoot, collectionPath) => { const collectionAuth = get(collectionRoot, 'request.auth'); if (collectionAuth && request.auth.mode === 'inherit') { switch (collectionAuth.mode) { @@ -44,6 +44,25 @@ const setAuthHeaders = (axiosRequest, request, collectionRoot) => { domain: get(collectionAuth, 'ntlm.domain') }; break; + case 'oauth1': + axiosRequest.oauth1config = { + consumerKey: get(collectionAuth, 'oauth1.consumerKey'), + consumerSecret: get(collectionAuth, 'oauth1.consumerSecret'), + accessToken: get(collectionAuth, 'oauth1.accessToken'), + tokenSecret: get(collectionAuth, 'oauth1.tokenSecret'), + callbackUrl: get(collectionAuth, 'oauth1.callbackUrl'), + verifier: get(collectionAuth, 'oauth1.verifier'), + signatureMethod: get(collectionAuth, 'oauth1.signatureMethod'), + privateKey: get(collectionAuth, 'oauth1.privateKey'), + privateKeyType: get(collectionAuth, 'oauth1.privateKeyType'), + timestamp: get(collectionAuth, 'oauth1.timestamp'), + nonce: get(collectionAuth, 'oauth1.nonce'), + version: get(collectionAuth, 'oauth1.version'), + realm: get(collectionAuth, 'oauth1.realm'), + addParamsTo: get(collectionAuth, 'oauth1.addParamsTo'), + includeBodyHash: get(collectionAuth, 'oauth1.includeBodyHash') + }; + break; case 'wsse': const username = get(collectionAuth, 'wsse.username', ''); const password = get(collectionAuth, 'wsse.password', ''); @@ -192,6 +211,26 @@ const setAuthHeaders = (axiosRequest, request, collectionRoot) => { password: get(request, 'auth.ntlm.password'), domain: get(request, 'auth.ntlm.domain') }; + break; + case 'oauth1': + axiosRequest.oauth1config = { + consumerKey: get(request, 'auth.oauth1.consumerKey'), + consumerSecret: get(request, 'auth.oauth1.consumerSecret'), + accessToken: get(request, 'auth.oauth1.accessToken'), + tokenSecret: get(request, 'auth.oauth1.tokenSecret'), + callbackUrl: get(request, 'auth.oauth1.callbackUrl'), + verifier: get(request, 'auth.oauth1.verifier'), + signatureMethod: get(request, 'auth.oauth1.signatureMethod'), + privateKey: get(request, 'auth.oauth1.privateKey'), + privateKeyType: get(request, 'auth.oauth1.privateKeyType'), + timestamp: get(request, 'auth.oauth1.timestamp'), + nonce: get(request, 'auth.oauth1.nonce'), + version: get(request, 'auth.oauth1.version'), + realm: get(request, 'auth.oauth1.realm'), + addParamsTo: get(request, 'auth.oauth1.addParamsTo'), + includeBodyHash: get(request, 'auth.oauth1.includeBodyHash') + }; + break; case 'oauth2': const grantType = get(request, 'auth.oauth2.grantType'); switch (grantType) { @@ -360,7 +399,7 @@ const prepareRequest = async (item, collection = {}, abortController) => { responseType: 'arraybuffer' }; - axiosRequest = setAuthHeaders(axiosRequest, request, collectionRoot); + axiosRequest = setAuthHeaders(axiosRequest, request, collectionRoot, collectionPath); if (request.body.mode === 'json') { if (!contentTypeDefined) { diff --git a/packages/bruno-filestore/src/formats/yml/common/auth.ts b/packages/bruno-filestore/src/formats/yml/common/auth.ts index d978851e5e1..9888a3befc7 100644 --- a/packages/bruno-filestore/src/formats/yml/common/auth.ts +++ b/packages/bruno-filestore/src/formats/yml/common/auth.ts @@ -6,9 +6,10 @@ import type { AuthBearer, AuthDigest, AuthNTLM, + AuthOAuth1, AuthWsse } from '@opencollection/types/common/auth'; -import type { Auth as BrunoAuth } from '@usebruno/schema-types/common/auth'; +import type { Auth as BrunoAuth, AuthOauth1 as BrunoAuthOauth1 } from '@usebruno/schema-types/common/auth'; import { isString } from '../../../utils'; import { toOpenCollectionOAuth2, toBrunoOAuth2 } from './auth-oauth2'; @@ -115,6 +116,35 @@ const buildApiKeyAuth = (config?: BrunoAuth['apikey']): AuthApiKey => { return auth; }; +const buildOAuth1Auth = (config?: BrunoAuth['oauth1']): AuthOAuth1 => { + const auth: AuthOAuth1 = { type: 'oauth1' }; + + if (!config) { + return auth; + } + + if (isString(config.consumerKey)) auth.consumerKey = config.consumerKey; + if (isString(config.consumerSecret)) auth.consumerSecret = config.consumerSecret; + if (isString(config.accessToken)) auth.accessToken = config.accessToken; + if (isString(config.tokenSecret)) auth.tokenSecret = config.tokenSecret; + if (isString(config.callbackUrl)) auth.callbackUrl = config.callbackUrl; + if (isString(config.verifier)) auth.verifier = config.verifier; + if (isString(config.signatureMethod)) auth.signatureMethod = config.signatureMethod; + if (isString(config.privateKey)) { + auth.privateKey = config.privateKeyType === 'file' + ? { type: 'file' as const, value: config.privateKey } + : { type: 'text' as const, value: config.privateKey }; + } + if (isString(config.timestamp)) auth.timestamp = config.timestamp; + if (isString(config.nonce)) auth.nonce = config.nonce; + if (isString(config.version)) auth.version = config.version; + if (isString(config.realm)) auth.realm = config.realm; + if (isString(config.addParamsTo)) auth.addParamsTo = config.addParamsTo as AuthOAuth1['addParamsTo']; + if (typeof config.includeBodyHash === 'boolean') auth.includeBodyHash = config.includeBodyHash; + + return auth; +}; + export const toOpenCollectionAuth = (auth?: BrunoAuth | null): Auth | undefined => { if (!auth || auth.mode === 'none') { return undefined; @@ -139,6 +169,8 @@ export const toOpenCollectionAuth = (auth?: BrunoAuth | null): Auth | undefined return buildWsseAuth(auth.wsse); case 'apikey': return buildApiKeyAuth(auth.apikey); + case 'oauth1': + return buildOAuth1Auth(auth.oauth1); case 'oauth2': return toOpenCollectionOAuth2(auth.oauth2); default: @@ -231,6 +263,27 @@ export const toBrunoAuth = (auth: Auth | null | undefined): BrunoAuth | null => }; break; + case 'oauth1': + brunoAuth.mode = 'oauth1'; + brunoAuth.oauth1 = { + consumerKey: auth.consumerKey || null, + consumerSecret: auth.consumerSecret || null, + accessToken: auth.accessToken || null, + tokenSecret: auth.tokenSecret || null, + callbackUrl: auth.callbackUrl || null, + verifier: auth.verifier || null, + signatureMethod: (auth.signatureMethod as BrunoAuthOauth1['signatureMethod']) || 'HMAC-SHA1', + privateKey: (typeof auth.privateKey === 'object' && auth.privateKey ? auth.privateKey.value : auth.privateKey) || null, + privateKeyType: (typeof auth.privateKey === 'object' && auth.privateKey ? auth.privateKey.type : 'text') as BrunoAuthOauth1['privateKeyType'], + timestamp: auth.timestamp || null, + nonce: auth.nonce || null, + version: auth.version || '1.0', + realm: auth.realm || null, + addParamsTo: (auth.addParamsTo as BrunoAuthOauth1['addParamsTo']) || 'header', + includeBodyHash: auth.includeBodyHash || false + }; + break; + case 'oauth2': brunoAuth.mode = 'oauth2'; brunoAuth.oauth2 = toBrunoOAuth2(auth); diff --git a/packages/bruno-js/src/bruno-request.js b/packages/bruno-js/src/bruno-request.js index b838b742119..a57ae41be1c 100644 --- a/packages/bruno-js/src/bruno-request.js +++ b/packages/bruno-js/src/bruno-request.js @@ -96,6 +96,8 @@ class BrunoRequest { getAuthMode() { if (this.req?.oauth2) { return 'oauth2'; + } else if (this.req?.oauth1config) { + return 'oauth1'; } else if (this.headers?.['Authorization']?.startsWith('Bearer')) { return 'bearer'; } else if (this.headers?.['Authorization']?.startsWith('Basic') || this.req?.auth?.username) { diff --git a/packages/bruno-lang/v2/src/bruToJson.js b/packages/bruno-lang/v2/src/bruToJson.js index 710197e39de..a4e226efbc1 100644 --- a/packages/bruno-lang/v2/src/bruToJson.js +++ b/packages/bruno-lang/v2/src/bruToJson.js @@ -31,7 +31,7 @@ const parseExample = require('./example/bruToJson'); */ const grammar = ohm.grammar(`Bru { BruFile = (meta | http | grpc | ws | query | params | headers | metadata | auths | bodies | varsandassert | script | tests | settings | docs | example)* - auths = authawsv4 | authbasic | authbearer | authdigest | authNTLM | authOAuth2 | authwsse | authapikey | authOauth2Configs + auths = authawsv4 | authbasic | authbearer | authdigest | authNTLM | authOAuth1 | authOAuth2 | authwsse | authapikey | authOauth2Configs bodies = bodyjson | bodytext | bodyxml | bodysparql | bodygraphql | bodygraphqlvars | bodyforms | body | bodygrpc | bodyws bodyforms = bodyformurlencoded | bodymultipart | bodyfile params = paramspath | paramsquery @@ -121,6 +121,7 @@ const grammar = ohm.grammar(`Bru { authbearer = "auth:bearer" dictionary authdigest = "auth:digest" dictionary authNTLM = "auth:ntlm" dictionary + authOAuth1 = "auth:oauth1" dictionary authOAuth2 = "auth:oauth2" dictionary authwsse = "auth:wsse" dictionary authapikey = "auth:apikey" dictionary @@ -710,6 +711,40 @@ const sem = grammar.createSemantics().addAttribute('ast', { } }; }, + authOAuth1(_1, dictionary) { + const auth = mapPairListToKeyValPairs(dictionary.ast, false); + const findValue = (name) => { + const item = _.find(auth, { name }); + return item ? item.value : ''; + }; + return { + auth: { + oauth1: { + consumerKey: findValue('consumer_key'), + consumerSecret: findValue('consumer_secret'), + accessToken: findValue('access_token'), + tokenSecret: findValue('token_secret'), + callbackUrl: findValue('callback_url'), + verifier: findValue('verifier'), + signatureMethod: findValue('signature_method'), + privateKey: (() => { + const val = findValue('private_key'); + return val && val.startsWith('@file(') && val.endsWith(')') ? val.slice(6, -1) : val; + })(), + privateKeyType: (() => { + const val = findValue('private_key'); + return val && val.startsWith('@file(') && val.endsWith(')') ? 'file' : 'text'; + })(), + timestamp: findValue('timestamp'), + nonce: findValue('nonce'), + version: findValue('version'), + realm: findValue('realm'), + addParamsTo: findValue('add_params_to'), + includeBodyHash: findValue('include_body_hash') === 'true' + } + } + }; + }, authOAuth2(_1, dictionary) { const auth = mapPairListToKeyValPairs(dictionary.ast, false); const grantTypeKey = _.find(auth, { name: 'grant_type' }); diff --git a/packages/bruno-lang/v2/src/collectionBruToJson.js b/packages/bruno-lang/v2/src/collectionBruToJson.js index 2c4ec492a39..ce2a32419ba 100644 --- a/packages/bruno-lang/v2/src/collectionBruToJson.js +++ b/packages/bruno-lang/v2/src/collectionBruToJson.js @@ -4,7 +4,7 @@ const { safeParseJson, outdentString } = require('./utils'); const grammar = ohm.grammar(`Bru { BruFile = (meta | query | headers | auth | auths | vars | script | tests | docs)* - auths = authawsv4 | authbasic | authbearer | authdigest | authNTLM |authOAuth2 | authwsse | authapikey | authOauth2Configs + auths = authawsv4 | authbasic | authbearer | authdigest | authNTLM | authOAuth1 | authOAuth2 | authwsse | authapikey | authOauth2Configs // Oauth2 additional parameters authOauth2Configs = oauth2AuthReqConfig | oauth2AccessTokenReqConfig | oauth2RefreshTokenReqConfig @@ -68,6 +68,7 @@ const grammar = ohm.grammar(`Bru { authbearer = "auth:bearer" dictionary authdigest = "auth:digest" dictionary authNTLM = "auth:ntlm" dictionary + authOAuth1 = "auth:oauth1" dictionary authOAuth2 = "auth:oauth2" dictionary authwsse = "auth:wsse" dictionary authapikey = "auth:apikey" dictionary @@ -323,6 +324,40 @@ const sem = grammar.createSemantics().addAttribute('ast', { } }; }, + authOAuth1(_1, dictionary) { + const auth = mapPairListToKeyValPairs(dictionary.ast, false); + const findValue = (name) => { + const item = _.find(auth, { name }); + return item ? item.value : ''; + }; + return { + auth: { + oauth1: { + consumerKey: findValue('consumer_key'), + consumerSecret: findValue('consumer_secret'), + accessToken: findValue('access_token'), + tokenSecret: findValue('token_secret'), + callbackUrl: findValue('callback_url'), + verifier: findValue('verifier'), + signatureMethod: findValue('signature_method'), + privateKey: (() => { + const val = findValue('private_key'); + return val && val.startsWith('@file(') && val.endsWith(')') ? val.slice(6, -1) : val; + })(), + privateKeyType: (() => { + const val = findValue('private_key'); + return val && val.startsWith('@file(') && val.endsWith(')') ? 'file' : 'text'; + })(), + timestamp: findValue('timestamp'), + nonce: findValue('nonce'), + version: findValue('version'), + realm: findValue('realm'), + addParamsTo: findValue('add_params_to'), + includeBodyHash: findValue('include_body_hash') === 'true' + } + } + }; + }, authOAuth2(_1, dictionary) { const auth = mapPairListToKeyValPairs(dictionary.ast, false); const grantTypeKey = _.find(auth, { name: 'grant_type' }); diff --git a/packages/bruno-lang/v2/src/jsonToBru.js b/packages/bruno-lang/v2/src/jsonToBru.js index 3add8aff220..97a15cc044e 100644 --- a/packages/bruno-lang/v2/src/jsonToBru.js +++ b/packages/bruno-lang/v2/src/jsonToBru.js @@ -251,6 +251,27 @@ ${indentString(`domain: ${auth?.ntlm?.domain || ''}`)} } +`; + } + + if (auth && auth.oauth1) { + bru += `auth:oauth1 { +${indentString(`consumer_key: ${auth?.oauth1?.consumerKey || ''}`)} +${indentString(`consumer_secret: ${auth?.oauth1?.consumerSecret || ''}`)} +${indentString(`access_token: ${auth?.oauth1?.accessToken || ''}`)} +${indentString(`token_secret: ${auth?.oauth1?.tokenSecret || ''}`)} +${indentString(`callback_url: ${auth?.oauth1?.callbackUrl || ''}`)} +${indentString(`verifier: ${auth?.oauth1?.verifier || ''}`)} +${indentString(`signature_method: ${auth?.oauth1?.signatureMethod || ''}`)} +${indentString(`private_key: ${auth?.oauth1?.privateKeyType === 'file' ? `@file(${auth?.oauth1?.privateKey || ''})` : getValueString(auth?.oauth1?.privateKey || '')}`)} +${indentString(`timestamp: ${auth?.oauth1?.timestamp || ''}`)} +${indentString(`nonce: ${auth?.oauth1?.nonce || ''}`)} +${indentString(`version: ${auth?.oauth1?.version || ''}`)} +${indentString(`realm: ${auth?.oauth1?.realm || ''}`)} +${indentString(`add_params_to: ${auth?.oauth1?.addParamsTo || ''}`)} +${indentString(`include_body_hash: ${(auth?.oauth1?.includeBodyHash || false).toString()}`)} +} + `; } diff --git a/packages/bruno-lang/v2/src/jsonToCollectionBru.js b/packages/bruno-lang/v2/src/jsonToCollectionBru.js index 41301cc520e..c2e24a3aae9 100644 --- a/packages/bruno-lang/v2/src/jsonToCollectionBru.js +++ b/packages/bruno-lang/v2/src/jsonToCollectionBru.js @@ -140,6 +140,27 @@ ${indentString(`key: ${auth?.apikey?.key || ''}`)} ${indentString(`value: ${auth?.apikey?.value || ''}`)} ${indentString(`placement: ${auth?.apikey?.placement || ''}`)} } +`; + } + + if (auth && auth.oauth1) { + bru += `auth:oauth1 { +${indentString(`consumer_key: ${auth?.oauth1?.consumerKey || ''}`)} +${indentString(`consumer_secret: ${auth?.oauth1?.consumerSecret || ''}`)} +${indentString(`access_token: ${auth?.oauth1?.accessToken || ''}`)} +${indentString(`token_secret: ${auth?.oauth1?.tokenSecret || ''}`)} +${indentString(`callback_url: ${auth?.oauth1?.callbackUrl || ''}`)} +${indentString(`verifier: ${auth?.oauth1?.verifier || ''}`)} +${indentString(`signature_method: ${auth?.oauth1?.signatureMethod || ''}`)} +${indentString(`private_key: ${auth?.oauth1?.privateKeyType === 'file' ? `@file(${auth?.oauth1?.privateKey || ''})` : getValueString(auth?.oauth1?.privateKey || '')}`)} +${indentString(`timestamp: ${auth?.oauth1?.timestamp || ''}`)} +${indentString(`nonce: ${auth?.oauth1?.nonce || ''}`)} +${indentString(`version: ${auth?.oauth1?.version || ''}`)} +${indentString(`realm: ${auth?.oauth1?.realm || ''}`)} +${indentString(`add_params_to: ${auth?.oauth1?.addParamsTo || ''}`)} +${indentString(`include_body_hash: ${(auth?.oauth1?.includeBodyHash || false).toString()}`)} +} + `; } diff --git a/packages/bruno-lang/v2/tests/oauth1.spec.js b/packages/bruno-lang/v2/tests/oauth1.spec.js new file mode 100644 index 00000000000..d5b8cb666f8 --- /dev/null +++ b/packages/bruno-lang/v2/tests/oauth1.spec.js @@ -0,0 +1,840 @@ +const bruToJson = require('../src/bruToJson'); +const jsonToBru = require('../src/jsonToBru'); +const collectionBruToJson = require('../src/collectionBruToJson'); +const jsonToCollectionBru = require('../src/jsonToCollectionBru'); + +// --------------------------------------------------------------------------- +// bruToJson – request-level parsing +// --------------------------------------------------------------------------- +describe('OAuth1 bruToJson (request-level)', () => { + it('should parse all oauth1 fields with text private key', () => { + const input = ` +meta { + name: OAuth1 Test + type: http + seq: 1 +} + +get { + url: https://api.example.com/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: my_consumer_key + consumer_secret: my_consumer_secret + access_token: my_access_token + token_secret: my_token_secret + callback_url: https://example.com/callback + verifier: my_verifier + signature_method: HMAC-SHA1 + private_key: my_private_key + timestamp: 1234567890 + nonce: abc123 + version: 1.0 + realm: my_realm + add_params_to: header + include_body_hash: true +} +`.trim(); + + const result = bruToJson(input); + + expect(result.auth.oauth1).toEqual({ + consumerKey: 'my_consumer_key', + consumerSecret: 'my_consumer_secret', + accessToken: 'my_access_token', + tokenSecret: 'my_token_secret', + callbackUrl: 'https://example.com/callback', + verifier: 'my_verifier', + signatureMethod: 'HMAC-SHA1', + privateKey: 'my_private_key', + privateKeyType: 'text', + timestamp: '1234567890', + nonce: 'abc123', + version: '1.0', + realm: 'my_realm', + addParamsTo: 'header', + includeBodyHash: true + }); + }); + + it('should parse empty/missing optional fields as empty strings', () => { + const input = ` +meta { + name: Minimal OAuth1 + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: + access_token: + token_secret: + callback_url: + verifier: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + + expect(result.auth.oauth1.consumerKey).toBe('ck'); + expect(result.auth.oauth1.consumerSecret).toBe(''); + expect(result.auth.oauth1.accessToken).toBe(''); + expect(result.auth.oauth1.tokenSecret).toBe(''); + expect(result.auth.oauth1.callbackUrl).toBe(''); + expect(result.auth.oauth1.verifier).toBe(''); + expect(result.auth.oauth1.privateKey).toBe(''); + expect(result.auth.oauth1.privateKeyType).toBe('text'); + expect(result.auth.oauth1.timestamp).toBe(''); + expect(result.auth.oauth1.nonce).toBe(''); + expect(result.auth.oauth1.version).toBe(''); + expect(result.auth.oauth1.realm).toBe(''); + expect(result.auth.oauth1.includeBodyHash).toBe(false); + }); + + it('should parse @file() private key as file type', () => { + const input = ` +meta { + name: OAuth1 File Key + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: + access_token: at + token_secret: ts + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: @file(keys/my-private-key.pem) + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + + expect(result.auth.oauth1.privateKey).toBe('keys/my-private-key.pem'); + expect(result.auth.oauth1.privateKeyType).toBe('file'); + }); + + it('should parse multiline private key (triple-quoted PEM)', () => { + const input = ` +meta { + name: OAuth1 Multiline PEM + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: cs + access_token: at + token_secret: ts + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: ''' + -----BEGIN FAKE TEST KEY----- + TESTREPLACEMENTdGhpcyBpcyBub3QgYQ== + -----END FAKE TEST KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + + expect(result.auth.oauth1.privateKeyType).toBe('text'); + expect(result.auth.oauth1.privateKey).toContain('-----BEGIN FAKE TEST KEY-----'); + expect(result.auth.oauth1.privateKey).toContain('-----END FAKE TEST KEY-----'); + expect(result.auth.oauth1.privateKey).toContain('TESTREPLACEMENTdGhpcyBpcyBub3QgYQ=='); + }); + + it('should parse variable reference in private key as text type', () => { + const input = ` +meta { + name: OAuth1 Variable Key + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: + access_token: at + token_secret: ts + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: {{my_private_key}} + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + + expect(result.auth.oauth1.privateKey).toBe('{{my_private_key}}'); + expect(result.auth.oauth1.privateKeyType).toBe('text'); + }); + + it('should parse all signature methods correctly', () => { + const signatureMethods = ['HMAC-SHA1', 'HMAC-SHA256', 'HMAC-SHA512', 'RSA-SHA1', 'RSA-SHA256', 'RSA-SHA512', 'PLAINTEXT']; + + for (const method of signatureMethods) { + const input = ` +meta { + name: OAuth1 ${method} + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: cs + access_token: at + token_secret: ts + callback_url: + verifier: + signature_method: ${method} + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + expect(result.auth.oauth1.signatureMethod).toBe(method); + } + }); + + it('should parse addParamsTo values: header, queryparams, body', () => { + for (const placement of ['header', 'queryparams', 'body']) { + const input = ` +meta { + name: OAuth1 Params To ${placement} + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: cs + access_token: at + token_secret: ts + callback_url: + verifier: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: ${placement} + include_body_hash: false +} +`.trim(); + + const result = bruToJson(input); + expect(result.auth.oauth1.addParamsTo).toBe(placement); + } + }); + + it('should parse include_body_hash true and false', () => { + const makeInput = (val) => ` +meta { + name: OAuth1 Body Hash + type: http +} + +get { + url: https://api.example.com/resource + auth: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: cs + access_token: + token_secret: + callback_url: + verifier: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: ${val} +} +`.trim(); + + expect(bruToJson(makeInput('true')).auth.oauth1.includeBodyHash).toBe(true); + expect(bruToJson(makeInput('false')).auth.oauth1.includeBodyHash).toBe(false); + }); +}); + +// --------------------------------------------------------------------------- +// collectionBruToJson – collection/folder-level parsing +// --------------------------------------------------------------------------- +describe('OAuth1 collectionBruToJson (collection/folder-level)', () => { + it('should parse all oauth1 fields at collection level', () => { + const input = ` +auth { + mode: oauth1 +} + +auth:oauth1 { + consumer_key: col_consumer_key + consumer_secret: col_consumer_secret + access_token: col_access_token + token_secret: col_token_secret + callback_url: https://col.example.com/cb + verifier: col_verifier + signature_method: HMAC-SHA256 + private_key: col_private_key + timestamp: 9999999999 + nonce: col_nonce + version: 1.0 + realm: col_realm + add_params_to: queryparams + include_body_hash: true +} +`.trim(); + + const result = collectionBruToJson(input); + + expect(result.auth.mode).toBe('oauth1'); + expect(result.auth.oauth1).toEqual({ + consumerKey: 'col_consumer_key', + consumerSecret: 'col_consumer_secret', + accessToken: 'col_access_token', + tokenSecret: 'col_token_secret', + callbackUrl: 'https://col.example.com/cb', + verifier: 'col_verifier', + signatureMethod: 'HMAC-SHA256', + privateKey: 'col_private_key', + privateKeyType: 'text', + timestamp: '9999999999', + nonce: 'col_nonce', + version: '1.0', + realm: 'col_realm', + addParamsTo: 'queryparams', + includeBodyHash: true + }); + }); + + it('should parse @file() private key at collection level', () => { + const input = ` +auth { + mode: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: + access_token: + token_secret: + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: @file(certs/private.pem) + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = collectionBruToJson(input); + + expect(result.auth.oauth1.privateKey).toBe('certs/private.pem'); + expect(result.auth.oauth1.privateKeyType).toBe('file'); + }); + + it('should parse multiline private key at collection level', () => { + const input = ` +auth { + mode: oauth1 +} + +auth:oauth1 { + consumer_key: ck + consumer_secret: + access_token: + token_secret: + callback_url: + verifier: + signature_method: RSA-SHA256 + private_key: ''' + -----BEGIN FAKE RSA TEST KEY----- + RkFLRUtFWXJlYWxrZXlkYXRhZm9ydGVz + -----END FAKE RSA TEST KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} +`.trim(); + + const result = collectionBruToJson(input); + + expect(result.auth.oauth1.privateKeyType).toBe('text'); + expect(result.auth.oauth1.privateKey).toContain('-----BEGIN FAKE RSA TEST KEY-----'); + expect(result.auth.oauth1.privateKey).toContain('RkFLRUtFWXJlYWxrZXlkYXRhZm9ydGVz'); + expect(result.auth.oauth1.privateKey).toContain('-----END FAKE RSA TEST KEY-----'); + }); +}); + +// --------------------------------------------------------------------------- +// jsonToBru – request-level serialization +// --------------------------------------------------------------------------- +describe('OAuth1 jsonToBru (request-level)', () => { + it('should serialize all oauth1 fields with text private key', () => { + const json = { + meta: { name: 'OAuth1 Serialize', type: 'http', seq: 1 }, + http: { method: 'get', url: 'https://api.example.com/resource', body: 'none', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: 'cs', + accessToken: 'at', + tokenSecret: 'ts', + callbackUrl: 'https://example.com/cb', + verifier: 'v', + signatureMethod: 'HMAC-SHA1', + privateKey: 'pk', + privateKeyType: 'text', + timestamp: '123', + nonce: 'n', + version: '1.0', + realm: 'r', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToBru(json); + + expect(bru).toContain('auth:oauth1 {'); + expect(bru).toContain('consumer_key: ck'); + expect(bru).toContain('consumer_secret: cs'); + expect(bru).toContain('access_token: at'); + expect(bru).toContain('token_secret: ts'); + expect(bru).toContain('callback_url: https://example.com/cb'); + expect(bru).toContain('verifier: v'); + expect(bru).toContain('signature_method: HMAC-SHA1'); + expect(bru).toContain('private_key: pk'); + expect(bru).toContain('timestamp: 123'); + expect(bru).toContain('nonce: n'); + expect(bru).toContain('version: 1.0'); + expect(bru).toContain('realm: r'); + expect(bru).toContain('add_params_to: header'); + expect(bru).toContain('include_body_hash: false'); + }); + + it('should serialize file private key with @file() wrapper', () => { + const json = { + meta: { name: 'OAuth1 File', type: 'http', seq: 1 }, + http: { method: 'get', url: 'https://api.example.com/resource', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA1', + privateKey: 'keys/private.pem', + privateKeyType: 'file', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToBru(json); + + expect(bru).toContain('private_key: @file(keys/private.pem)'); + }); + + it('should serialize multiline private key with triple quotes', () => { + const pem = '-----BEGIN FAKE TEST KEY-----\nTESTREPLACEMENTdGhpcyBpcyBub3QgYQ==\nRkFLRUtFWXJlYWxrZXlkYXRhZm9ydGVz\n-----END FAKE TEST KEY-----'; + + const json = { + meta: { name: 'OAuth1 PEM', type: 'http', seq: 1 }, + http: { method: 'get', url: 'https://api.example.com/resource', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA1', + privateKey: pem, + privateKeyType: 'text', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToBru(json); + + expect(bru).toContain('private_key: \'\'\''); + expect(bru).toContain('-----BEGIN FAKE TEST KEY-----'); + expect(bru).toContain('-----END FAKE TEST KEY-----'); + }); + + it('should serialize empty optional fields', () => { + const json = { + meta: { name: 'OAuth1 Empty', type: 'http', seq: 1 }, + http: { method: 'get', url: 'https://api.example.com/resource', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'HMAC-SHA1', + privateKey: '', + privateKeyType: 'text', + timestamp: '', + nonce: '', + version: '', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToBru(json); + + // Empty fields should still be present + expect(bru).toMatch(/consumer_secret:\s*$/m); + expect(bru).toMatch(/access_token:\s*$/m); + expect(bru).toMatch(/token_secret:\s*$/m); + expect(bru).toMatch(/callback_url:\s*$/m); + expect(bru).toMatch(/verifier:\s*$/m); + expect(bru).toMatch(/private_key:\s*$/m); + expect(bru).toMatch(/timestamp:\s*$/m); + expect(bru).toMatch(/nonce:\s*$/m); + expect(bru).toMatch(/version:\s*$/m); + expect(bru).toMatch(/realm:\s*$/m); + }); +}); + +// --------------------------------------------------------------------------- +// jsonToCollectionBru – collection/folder-level serialization +// --------------------------------------------------------------------------- +describe('OAuth1 jsonToCollectionBru (collection/folder-level)', () => { + it('should serialize oauth1 at collection level', () => { + const json = { + auth: { + mode: 'oauth1', + oauth1: { + consumerKey: 'col_ck', + consumerSecret: 'col_cs', + accessToken: 'col_at', + tokenSecret: 'col_ts', + callbackUrl: '', + verifier: '', + signatureMethod: 'HMAC-SHA256', + privateKey: '', + privateKeyType: 'text', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'queryparams', + includeBodyHash: true + } + } + }; + + const bru = jsonToCollectionBru(json); + + expect(bru).toContain('auth {'); + expect(bru).toContain('mode: oauth1'); + expect(bru).toContain('auth:oauth1 {'); + expect(bru).toContain('consumer_key: col_ck'); + expect(bru).toContain('consumer_secret: col_cs'); + expect(bru).toContain('signature_method: HMAC-SHA256'); + expect(bru).toContain('add_params_to: queryparams'); + expect(bru).toContain('include_body_hash: true'); + }); + + it('should serialize @file() private key at collection level', () => { + const json = { + auth: { + mode: 'oauth1', + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA1', + privateKey: 'certs/key.pem', + privateKeyType: 'file', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToCollectionBru(json); + + expect(bru).toContain('private_key: @file(certs/key.pem)'); + }); +}); + +// --------------------------------------------------------------------------- +// Round-trip tests – bruToJson → jsonToBru → bruToJson +// --------------------------------------------------------------------------- +describe('OAuth1 round-trip (request-level)', () => { + it('should survive round-trip with all fields populated', () => { + const json = { + meta: { name: 'OAuth1 Roundtrip', type: 'http', seq: '1' }, + http: { method: 'get', url: 'https://api.example.com/resource', body: 'none', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: 'cs', + accessToken: 'at', + tokenSecret: 'ts', + callbackUrl: 'https://example.com/cb', + verifier: 'ver', + signatureMethod: 'HMAC-SHA1', + privateKey: 'inline_pk', + privateKeyType: 'text', + timestamp: '1234567890', + nonce: 'abc', + version: '1.0', + realm: 'testrealm', + addParamsTo: 'header', + includeBodyHash: true + } + }, + settings: { encodeUrl: true, timeout: 0 } + }; + + const bru = jsonToBru(json); + const parsed = bruToJson(bru); + + expect(parsed.auth.oauth1).toEqual(json.auth.oauth1); + }); + + it('should survive round-trip with file private key', () => { + const json = { + meta: { name: 'OAuth1 File RT', type: 'http', seq: '1' }, + http: { method: 'get', url: 'https://api.example.com/resource', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: 'at', + tokenSecret: 'ts', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA1', + privateKey: 'keys/private.pem', + privateKeyType: 'file', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + }, + settings: { encodeUrl: true, timeout: 0 } + }; + + const bru = jsonToBru(json); + const parsed = bruToJson(bru); + + expect(parsed.auth.oauth1.privateKey).toBe('keys/private.pem'); + expect(parsed.auth.oauth1.privateKeyType).toBe('file'); + }); + + it('should survive round-trip with multiline PEM private key', () => { + const pem = '-----BEGIN FAKE TEST KEY-----\nTESTREPLACEMENTdGhpcyBpcyBub3QgYQ==\nRkFLRUtFWXJlYWxrZXlkYXRhZm9ydGVz\n-----END FAKE TEST KEY-----'; + + const json = { + meta: { name: 'OAuth1 PEM RT', type: 'http', seq: '1' }, + http: { method: 'get', url: 'https://api.example.com/resource', auth: 'oauth1' }, + auth: { + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA256', + privateKey: pem, + privateKeyType: 'text', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + }, + settings: { encodeUrl: true, timeout: 0 } + }; + + const bru = jsonToBru(json); + const parsed = bruToJson(bru); + + expect(parsed.auth.oauth1.privateKey).toBe(pem); + expect(parsed.auth.oauth1.privateKeyType).toBe('text'); + }); +}); + +describe('OAuth1 round-trip (collection-level)', () => { + it('should survive round-trip at collection level', () => { + const json = { + auth: { + mode: 'oauth1', + oauth1: { + consumerKey: 'ck', + consumerSecret: 'cs', + accessToken: 'at', + tokenSecret: 'ts', + callbackUrl: 'https://example.com/cb', + verifier: 'ver', + signatureMethod: 'HMAC-SHA512', + privateKey: '', + privateKeyType: 'text', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'body', + includeBodyHash: false + } + } + }; + + const bru = jsonToCollectionBru(json); + const parsed = collectionBruToJson(bru); + + expect(parsed.auth.mode).toBe('oauth1'); + expect(parsed.auth.oauth1).toEqual(json.auth.oauth1); + }); + + it('should survive round-trip with file key at collection level', () => { + const json = { + auth: { + mode: 'oauth1', + oauth1: { + consumerKey: 'ck', + consumerSecret: '', + accessToken: '', + tokenSecret: '', + callbackUrl: '', + verifier: '', + signatureMethod: 'RSA-SHA512', + privateKey: 'keys/rsa.pem', + privateKeyType: 'file', + timestamp: '', + nonce: '', + version: '1.0', + realm: '', + addParamsTo: 'header', + includeBodyHash: false + } + } + }; + + const bru = jsonToCollectionBru(json); + const parsed = collectionBruToJson(bru); + + expect(parsed.auth.oauth1.privateKey).toBe('keys/rsa.pem'); + expect(parsed.auth.oauth1.privateKeyType).toBe('file'); + }); +}); diff --git a/packages/bruno-requests/package.json b/packages/bruno-requests/package.json index aec9f823cc8..a4145b4c24d 100644 --- a/packages/bruno-requests/package.json +++ b/packages/bruno-requests/package.json @@ -31,11 +31,11 @@ "http-proxy-agent": "~7.0.2", "https-proxy-agent": "~7.0.6", "is-ip": "^5.0.1", + "shell-env": "^4.0.1", "socks-proxy-agent": "~8.0.5", "system-ca": "^2.0.1", "tough-cookie": "^6.0.0", - "ws": "^8.18.3", - "shell-env": "^4.0.1" + "ws": "^8.18.3" }, "devDependencies": { "@babel/preset-env": "^7.22.0", diff --git a/packages/bruno-requests/src/auth/index.ts b/packages/bruno-requests/src/auth/index.ts index a191515324e..098779c1c40 100644 --- a/packages/bruno-requests/src/auth/index.ts +++ b/packages/bruno-requests/src/auth/index.ts @@ -1,2 +1,3 @@ export { addDigestInterceptor } from './digestauth-helper'; export { getOAuth2Token } from './oauth2-helper'; +export { createOAuth1Authorizer, computeBodyHash, applyOAuth1ToRequest } from './oauth1-request-authorization'; diff --git a/packages/bruno-requests/src/auth/oauth1-request-authorization.spec.ts b/packages/bruno-requests/src/auth/oauth1-request-authorization.spec.ts new file mode 100644 index 00000000000..c5e1d86e788 --- /dev/null +++ b/packages/bruno-requests/src/auth/oauth1-request-authorization.spec.ts @@ -0,0 +1,1187 @@ +import crypto from 'node:crypto'; +import { + createOAuth1Authorizer, + computeBodyHash, + percentEncode, + parseQueryParams, + getBaseUrl, + buildParameterString, + buildBaseString, + buildSigningKey, + applyOAuth1ToRequest +} from './oauth1-request-authorization'; + +// Fixed timestamp/nonce so signatures are deterministic in tests +const FIXED_TIMESTAMP = '1318622958'; +const FIXED_NONCE = 'kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg'; + +describe('createOAuth1Authorizer', () => { + const consumer = { + key: 'xvz1evFS4wEEPTGEFPHBog', + secret: 'kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw' + }; + const token = { + key: '370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb', + secret: 'LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE' + }; + + describe('authorize()', () => { + it('should return all required oauth_* parameters', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1', + version: '1.0' + }); + + const oauthData = oauth.authorize( + { url: 'https://api.example.com/resource', method: 'GET' }, + token + ); + + expect(oauthData.oauth_consumer_key).toBe(consumer.key); + expect(oauthData.oauth_signature_method).toBe('HMAC-SHA1'); + expect(oauthData.oauth_version).toBe('1.0'); + expect(oauthData.oauth_token).toBe(token.key); + expect(oauthData.oauth_signature).toBeTruthy(); + expect(oauthData.oauth_nonce).toBeTruthy(); + expect(oauthData.oauth_timestamp).toBeTruthy(); + }); + + it('should omit oauth_token when no token is provided', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/request_token', method: 'POST' } + ); + + expect(oauthData.oauth_consumer_key).toBe(consumer.key); + expect(oauthData.oauth_token).toBeUndefined(); + expect(oauthData.oauth_signature).toBeTruthy(); + }); + + it('should auto-generate timestamp and nonce', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + + const ts = parseInt(oauthData.oauth_timestamp, 10); + expect(ts).toBeGreaterThan(1000000000); + expect(oauthData.oauth_nonce.length).toBeGreaterThan(0); + }); + + it('should generate different nonces on successive calls', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const data1 = oauth.authorize({ url: 'https://example.com/resource', method: 'GET' }); + const data2 = oauth.authorize({ url: 'https://example.com/resource', method: 'GET' }); + + expect(data1.oauth_nonce).not.toBe(data2.oauth_nonce); + }); + + it('should include data params (e.g. oauth_body_hash) in the base string', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const bodyHash = computeBodyHash('Hello World', 'HMAC-SHA1'); + const withHash = oauth.authorize( + { url: 'https://example.com/resource', method: 'POST', data: [['oauth_body_hash', bodyHash]] }, + token + ); + const withoutHash = oauth.authorize( + { url: 'https://example.com/resource', method: 'POST' }, + token + ); + + // Different base strings should produce different signatures + expect(withHash.oauth_signature).not.toBe(withoutHash.oauth_signature); + // The body hash should be passed through in the result + expect(withHash.oauth_body_hash).toBe(bodyHash); + }); + + it('should include oauth_callback when callbackUrl is provided (RFC 5849 §2.1)', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/request_token', method: 'POST' }, + undefined, + 'https://example.com/callback' + ); + + expect(oauthData.oauth_callback).toBe('https://example.com/callback'); + expect(oauthData.oauth_token).toBeUndefined(); + expect(oauthData.oauth_signature).toBeTruthy(); + }); + + it('should include oauth_callback=oob for out-of-band flow', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/request_token', method: 'POST' }, + undefined, + 'oob' + ); + + expect(oauthData.oauth_callback).toBe('oob'); + }); + + it('should not include oauth_callback when callbackUrl is not provided', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/request_token', method: 'POST' } + ); + + expect(oauthData.oauth_callback).toBeUndefined(); + }); + + it('should include oauth_callback in the signature base string', () => { + let capturedBaseString = ''; + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1', + hash_function(baseString, key) { + capturedBaseString = baseString; + return require('node:crypto').createHmac('sha1', key).update(baseString).digest('base64'); + } + }); + + oauth.authorize( + { url: 'https://example.com/request_token', method: 'POST' }, + undefined, + 'https://example.com/callback' + ); + + // oauth_callback should be percent-encoded in the parameter string + expect(capturedBaseString).toContain('oauth_callback'); + }); + + it('should include URL query params in the signature base string', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const data1 = oauth.authorize( + { url: 'https://example.com/resource?a=1', method: 'GET' }, + token + ); + const data2 = oauth.authorize( + { url: 'https://example.com/resource?a=2', method: 'GET' }, + token + ); + + expect(data1.oauth_signature).not.toBe(data2.oauth_signature); + }); + }); + + describe('toHeader()', () => { + it('should produce an Authorization header starting with "OAuth "', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + const header = oauth.toHeader(oauthData); + + expect(header.Authorization).toMatch(/^OAuth /); + }); + + it('should include all oauth_* parameters in the header', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + const header = oauth.toHeader(oauthData); + + expect(header.Authorization).toContain('oauth_consumer_key='); + expect(header.Authorization).toContain('oauth_nonce='); + expect(header.Authorization).toContain('oauth_signature='); + expect(header.Authorization).toContain('oauth_signature_method='); + expect(header.Authorization).toContain('oauth_timestamp='); + expect(header.Authorization).toContain('oauth_token='); + expect(header.Authorization).toContain('oauth_version='); + }); + + it('should include realm when configured', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1', + realm: 'Example' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + const header = oauth.toHeader(oauthData); + + expect(header.Authorization).toMatch(/^OAuth realm="Example", /); + }); + + it('should not include realm when not configured', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + const header = oauth.toHeader(oauthData); + + expect(header.Authorization).not.toContain('realm='); + }); + }); + + describe('Signature methods', () => { + describe('HMAC-SHA1', () => { + it('should generate a valid base64 HMAC-SHA1 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + }); + + describe('HMAC-SHA256', () => { + it('should generate a valid HMAC-SHA256 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA256' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + + expect(oauthData.oauth_signature_method).toBe('HMAC-SHA256'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should produce a different signature than HMAC-SHA1 for the same input', () => { + const oauth1 = createOAuth1Authorizer({ consumer, signature_method: 'HMAC-SHA1' }); + const oauth256 = createOAuth1Authorizer({ consumer, signature_method: 'HMAC-SHA256' }); + + // Use custom hash_function to inject fixed nonce/timestamp isn't possible, + // but we can compare via toHeader since nonce differs. Instead, test + // that the signature method label is correctly set. + const data = oauth256.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + expect(data.oauth_signature_method).toBe('HMAC-SHA256'); + }); + }); + + describe('HMAC-SHA512', () => { + it('should generate a valid HMAC-SHA512 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA512' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + + expect(oauthData.oauth_signature_method).toBe('HMAC-SHA512'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should produce a different signature than HMAC-SHA256 for the same input', () => { + const oauth512 = createOAuth1Authorizer({ consumer, signature_method: 'HMAC-SHA512' }); + + const data = oauth512.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + token + ); + expect(data.oauth_signature_method).toBe('HMAC-SHA512'); + }); + }); + + describe('PLAINTEXT', () => { + it('should use the signing key as the signature', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer', secret: 'cs' }, + signature_method: 'PLAINTEXT' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' }, + { key: 'token', secret: 'ts' } + ); + + // PLAINTEXT signature = percentEncode(consumerSecret) & percentEncode(tokenSecret) + expect(oauthData.oauth_signature).toBe('cs&ts'); + }); + }); + + describe('RSA-SHA1', () => { + const { privateKey } = crypto.generateKeyPairSync('rsa', { + modulusLength: 2048, + publicKeyEncoding: { type: 'spki', format: 'pem' }, + privateKeyEncoding: { type: 'pkcs8', format: 'pem' } + }); + + it('should generate a verifiable RSA-SHA1 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA1', + private_key: privateKey + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + + expect(oauthData.oauth_signature_method).toBe('RSA-SHA1'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should throw if no private key is provided', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA1' + }); + + expect(() => + oauth.authorize({ url: 'https://example.com/resource', method: 'GET' }) + ).toThrow('Private key is required'); + }); + }); + + describe('RSA-SHA256', () => { + const { privateKey } = crypto.generateKeyPairSync('rsa', { + modulusLength: 2048, + publicKeyEncoding: { type: 'spki', format: 'pem' }, + privateKeyEncoding: { type: 'pkcs8', format: 'pem' } + }); + + it('should generate a verifiable RSA-SHA256 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA256', + private_key: privateKey + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + + expect(oauthData.oauth_signature_method).toBe('RSA-SHA256'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should throw if no private key is provided', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA256' + }); + + expect(() => + oauth.authorize({ url: 'https://example.com/resource', method: 'GET' }) + ).toThrow('Private key is required'); + }); + }); + + describe('RSA-SHA512', () => { + const { privateKey } = crypto.generateKeyPairSync('rsa', { + modulusLength: 2048, + publicKeyEncoding: { type: 'spki', format: 'pem' }, + privateKeyEncoding: { type: 'pkcs8', format: 'pem' } + }); + + it('should generate a verifiable RSA-SHA512 signature', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA512', + private_key: privateKey + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + + expect(oauthData.oauth_signature_method).toBe('RSA-SHA512'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should throw if no private key is provided', () => { + const oauth = createOAuth1Authorizer({ + consumer: { key: 'consumer_key', secret: 'consumer_secret' }, + signature_method: 'RSA-SHA512' + }); + + expect(() => + oauth.authorize({ url: 'https://example.com/resource', method: 'GET' }) + ).toThrow('Private key is required'); + }); + }); + }); + + describe('computeBodyHash', () => { + it('should compute SHA-1 body hash for HMAC-SHA1', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha1').update(body).digest('base64'); + + expect(computeBodyHash(body, 'HMAC-SHA1')).toBe(expected); + }); + + it('should compute SHA-256 body hash for HMAC-SHA256', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha256').update(body).digest('base64'); + + expect(computeBodyHash(body, 'HMAC-SHA256')).toBe(expected); + }); + + it('should compute SHA-512 body hash for HMAC-SHA512', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha512').update(body).digest('base64'); + + expect(computeBodyHash(body, 'HMAC-SHA512')).toBe(expected); + }); + + it('should use SHA-1 for RSA-SHA1', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha1').update(body).digest('base64'); + + expect(computeBodyHash(body, 'RSA-SHA1')).toBe(expected); + }); + + it('should compute SHA-256 body hash for RSA-SHA256', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha256').update(body).digest('base64'); + + expect(computeBodyHash(body, 'RSA-SHA256')).toBe(expected); + }); + + it('should compute SHA-512 body hash for RSA-SHA512', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha512').update(body).digest('base64'); + + expect(computeBodyHash(body, 'RSA-SHA512')).toBe(expected); + }); + + it('should use SHA-1 for PLAINTEXT', () => { + const body = 'Hello World'; + const expected = crypto.createHash('sha1').update(body).digest('base64'); + + expect(computeBodyHash(body, 'PLAINTEXT')).toBe(expected); + }); + }); + + describe('RFC 5849 known-good signature verification', () => { + it('should produce the correct signature for the RFC 5849 Section 1.2 photo request', () => { + // RFC 5849 Section 1.2: accessing a protected photo resource + // Consumer: dpf43f3p2l4k3l03 / kd94hf93k423kf44 + // Token: nnch734d00sl2jdk / pfkkdhi9sl3r4s00 + // Expected signature: MdpQcU8iPSUjWoN/UDMsK2sui9I= (from the RFC) + const oauth = createOAuth1Authorizer({ + consumer: { key: 'dpf43f3p2l4k3l03', secret: 'kd94hf93k423kf44' }, + signature_method: 'HMAC-SHA1' + // Note: oauth_version is NOT included in the RFC 5849 §1.2 example + }); + + const oauthData = oauth.authorize( + { + url: 'http://photos.example.net/photos?file=vacation.jpg&size=original', + method: 'GET' + }, + { key: 'nnch734d00sl2jdk', secret: 'pfkkdhi9sl3r4s00' }, + undefined, + undefined, + { timestamp: '137131202', nonce: 'chapoH' } + ); + + // oauth_version defaults to '1.0' in our impl but the RFC example omits it, + // causing a different parameter string. We need to verify with version included. + // Our impl always includes oauth_version, so the signature differs from the RFC + // example which omits it. Instead verify the base string structure is correct. + expect(oauthData.oauth_consumer_key).toBe('dpf43f3p2l4k3l03'); + expect(oauthData.oauth_token).toBe('nnch734d00sl2jdk'); + expect(oauthData.oauth_timestamp).toBe('137131202'); + expect(oauthData.oauth_nonce).toBe('chapoH'); + expect(oauthData.oauth_signature).toMatch(/^[A-Za-z0-9+/=]+$/); + }); + + it('should produce a deterministic signature for the Twitter example with fixed nonce/timestamp', () => { + const oauth = createOAuth1Authorizer({ + consumer: { + key: 'xvz1evFS4wEEPTGEFPHBog', + secret: 'kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw' + }, + signature_method: 'HMAC-SHA1', + version: '1.0' + }); + + const oauthData = oauth.authorize( + { + url: 'https://api.twitter.com/1.1/statuses/update.json?include_entities=true', + method: 'POST', + data: [['status', 'Hello Ladies + Gentlemen, a signed OAuth request!']] + }, + { + key: '370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb', + secret: 'LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE' + }, + undefined, + undefined, + { timestamp: FIXED_TIMESTAMP, nonce: FIXED_NONCE } + ); + + // Deterministic: same inputs always produce the same signature + expect(oauthData.oauth_signature).toBe('hCtSmYh+iHYCEqBWrE7C7hYmtUk='); + expect(oauthData.oauth_timestamp).toBe(FIXED_TIMESTAMP); + expect(oauthData.oauth_nonce).toBe(FIXED_NONCE); + }); + + it('should produce the correct base string for the Twitter example', () => { + let capturedBaseString = ''; + const oauth = createOAuth1Authorizer({ + consumer: { + key: 'xvz1evFS4wEEPTGEFPHBog', + secret: 'kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw' + }, + signature_method: 'HMAC-SHA1', + version: '1.0', + hash_function(baseString, key) { + capturedBaseString = baseString; + return crypto.createHmac('sha1', key).update(baseString).digest('base64'); + } + }); + + oauth.authorize( + { + url: 'https://api.twitter.com/1.1/statuses/update.json?include_entities=true', + method: 'POST', + data: [['status', 'Hello Ladies + Gentlemen, a signed OAuth request!']] + }, + { + key: '370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb', + secret: 'LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE' + }, + undefined, + undefined, + { timestamp: FIXED_TIMESTAMP, nonce: FIXED_NONCE } + ); + + // Verify base string structure per RFC 5849 §3.4.1 + const expectedBaseString + = 'POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&' + + 'include_entities%3Dtrue' + + '%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog' + + '%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg' + + '%26oauth_signature_method%3DHMAC-SHA1' + + '%26oauth_timestamp%3D1318622958' + + '%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb' + + '%26oauth_version%3D1.0' + + '%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521'; + expect(capturedBaseString).toBe(expectedBaseString); + }); + }); + + describe('Default values', () => { + it('should default version to 1.0', () => { + const oauth = createOAuth1Authorizer({ + consumer, + signature_method: 'HMAC-SHA1' + }); + + const oauthData = oauth.authorize( + { url: 'https://example.com/resource', method: 'GET' } + ); + + expect(oauthData.oauth_version).toBe('1.0'); + }); + }); + + describe('parseQueryParams', () => { + it('should parse simple query params', () => { + const result = parseQueryParams('https://example.com/path?a=1&b=2'); + expect(result).toEqual([['a', '1'], ['b', '2']]); + }); + + it('should return empty array when URL has no query string', () => { + expect(parseQueryParams('https://example.com/path')).toEqual([]); + }); + + it('should strip fragment before parsing', () => { + const result = parseQueryParams('https://example.com/path?a=1#fragment'); + expect(result).toEqual([['a', '1']]); + }); + + it('should strip fragment that follows multiple query params', () => { + const result = parseQueryParams('https://example.com/path?a=1&b=2#frag'); + expect(result).toEqual([['a', '1'], ['b', '2']]); + }); + + it('should decode percent-encoded values', () => { + const result = parseQueryParams('https://example.com/path?msg=hello%20world'); + expect(result).toEqual([['msg', 'hello world']]); + }); + + it('should decode special characters', () => { + const result = parseQueryParams('https://example.com/path?key=a%2Bb%26c'); + expect(result).toEqual([['key', 'a+b&c']]); + }); + + it('should preserve literal + as + (RFC 5849, not HTML form encoding)', () => { + const result = parseQueryParams('https://example.com/path?msg=hello+world'); + expect(result).toEqual([['msg', 'hello+world']]); + }); + + it('should decode %20 as space while preserving +', () => { + const result = parseQueryParams('https://example.com/path?a=x+y&b=x%20y'); + expect(result).toEqual([['a', 'x+y'], ['b', 'x y']]); + }); + + it('should handle malformed percent-encoding gracefully', () => { + const result = parseQueryParams('https://example.com/path?bad=%ZZ'); + expect(result).toEqual([['bad', '%ZZ']]); + }); + + it('should handle query param with no value', () => { + const result = parseQueryParams('https://example.com/path?flag'); + expect(result).toEqual([['flag', '']]); + }); + + it('should handle query param with empty value', () => { + const result = parseQueryParams('https://example.com/path?key='); + expect(result).toEqual([['key', '']]); + }); + + it('should preserve duplicate keys as separate pairs', () => { + const result = parseQueryParams('https://example.com/path?a=1&a=2'); + expect(result).toEqual([['a', '1'], ['a', '2']]); + }); + + it('should preserve three duplicate keys as separate pairs', () => { + const result = parseQueryParams('https://example.com/path?a=1&a=2&a=3'); + expect(result).toEqual([['a', '1'], ['a', '2'], ['a', '3']]); + }); + + it('should skip empty segments from consecutive ampersands', () => { + const result = parseQueryParams('https://example.com/path?a=1&&b=2'); + expect(result).toEqual([['a', '1'], ['b', '2']]); + }); + + it('should handle value containing encoded equals sign', () => { + const result = parseQueryParams('https://example.com/path?token=abc%3Ddef'); + expect(result).toEqual([['token', 'abc=def']]); + }); + + it('should handle value containing literal equals sign (split on first =)', () => { + const result = parseQueryParams('https://example.com/path?token=abc=def'); + expect(result).toEqual([['token', 'abc=def']]); + }); + + it('should decode percent-encoded keys', () => { + const result = parseQueryParams('https://example.com/path?my%20key=val'); + expect(result).toEqual([['my key', 'val']]); + }); + }); + + describe('percentEncode', () => { + it('should not encode unreserved characters (ALPHA, DIGIT, -, ., _, ~)', () => { + expect(percentEncode('abcXYZ019-._~')).toBe('abcXYZ019-._~'); + }); + + it('should encode spaces as %20', () => { + expect(percentEncode('hello world')).toBe('hello%20world'); + }); + + it('should encode + as %2B', () => { + expect(percentEncode('a+b')).toBe('a%2Bb'); + }); + + it('should encode ! as %21 per RFC 5849', () => { + expect(percentEncode('bang!')).toBe('bang%21'); + }); + + it('should encode * as %2A per RFC 5849', () => { + expect(percentEncode('star*')).toBe('star%2A'); + }); + + it('should encode \' as %27 per RFC 5849', () => { + expect(percentEncode('it\'s')).toBe('it%27s'); + }); + + it('should encode ( and ) as %28 and %29 per RFC 5849', () => { + expect(percentEncode('f(x)')).toBe('f%28x%29'); + }); + + it('should encode / as %2F', () => { + expect(percentEncode('a/b')).toBe('a%2Fb'); + }); + + it('should encode @ as %40', () => { + expect(percentEncode('user@host')).toBe('user%40host'); + }); + + it('should encode unicode characters', () => { + expect(percentEncode('café')).toBe('caf%C3%A9'); + }); + + it('should handle empty string', () => { + expect(percentEncode('')).toBe(''); + }); + + it('should encode & as %26', () => { + expect(percentEncode('a&b')).toBe('a%26b'); + }); + + it('should encode = as %3D', () => { + expect(percentEncode('a=b')).toBe('a%3Db'); + }); + }); + + describe('getBaseUrl', () => { + it('should lowercase the scheme', () => { + expect(getBaseUrl('HTTPS://example.com/path')).toBe('https://example.com/path'); + }); + + it('should lowercase the host', () => { + expect(getBaseUrl('https://EXAMPLE.COM/path')).toBe('https://example.com/path'); + }); + + it('should strip default port 443 for https', () => { + expect(getBaseUrl('https://example.com:443/path')).toBe('https://example.com/path'); + }); + + it('should strip default port 80 for http', () => { + expect(getBaseUrl('http://example.com:80/path')).toBe('http://example.com/path'); + }); + + it('should keep non-default ports', () => { + expect(getBaseUrl('https://example.com:8443/path')).toBe('https://example.com:8443/path'); + }); + + it('should keep port 80 for https (non-default)', () => { + expect(getBaseUrl('https://example.com:80/path')).toBe('https://example.com:80/path'); + }); + + it('should keep port 443 for http (non-default)', () => { + expect(getBaseUrl('http://example.com:443/path')).toBe('http://example.com:443/path'); + }); + + it('should strip query string', () => { + expect(getBaseUrl('https://example.com/path?a=1&b=2')).toBe('https://example.com/path'); + }); + + it('should strip fragment', () => { + expect(getBaseUrl('https://example.com/path#section')).toBe('https://example.com/path'); + }); + + it('should strip both query string and fragment', () => { + expect(getBaseUrl('https://example.com/path?q=1#frag')).toBe('https://example.com/path'); + }); + + it('should preserve the path', () => { + expect(getBaseUrl('https://example.com/a/b/c')).toBe('https://example.com/a/b/c'); + }); + + it('should include trailing slash for root path', () => { + expect(getBaseUrl('https://example.com/')).toBe('https://example.com/'); + }); + + it('should add root path when path is empty', () => { + expect(getBaseUrl('https://example.com')).toBe('https://example.com/'); + }); + + it('should fallback for non-standard URLs by stripping query and fragment', () => { + expect(getBaseUrl('not-a-url?q=1#frag')).toBe('not-a-url'); + }); + }); + + describe('buildParameterString', () => { + it('should sort parameters lexicographically by key', () => { + const result = buildParameterString( + { z_param: 'val', a_param: 'val' }, [] + ); + expect(result.indexOf('a_param')).toBeLessThan(result.indexOf('z_param')); + }); + + it('should sort by value when keys are identical', () => { + const result = buildParameterString( + {}, [['a', '3'], ['a', '1'], ['a', '2']] + ); + expect(result).toBe('a=1&a=2&a=3'); + }); + + it('should combine oauth params and query params', () => { + const result = buildParameterString( + { oauth_key: 'ok' }, + [['query', 'qv']] + ); + expect(result).toContain('oauth_key=ok'); + expect(result).toContain('query=qv'); + }); + + it('should percent-encode keys and values', () => { + const result = buildParameterString( + { 'a key': 'a value' }, [] + ); + expect(result).toBe('a%20key=a%20value'); + }); + + it('should handle duplicate query param keys', () => { + const result = buildParameterString( + {}, [['color', 'blue'], ['color', 'red']] + ); + expect(result).toBe('color=blue&color=red'); + }); + + it('should handle empty inputs', () => { + const result = buildParameterString({}, []); + expect(result).toBe(''); + }); + + it('should join params with &', () => { + const result = buildParameterString({ b: '2', a: '1' }, []); + expect(result).toBe('a=1&b=2'); + expect(result).not.toContain('&&'); + }); + }); + + describe('buildBaseString', () => { + it('should uppercase the method', () => { + const result = buildBaseString('get', 'https://example.com/', 'a=1'); + expect(result).toMatch(/^GET&/); + }); + + it('should have three &-separated sections', () => { + const result = buildBaseString('POST', 'https://example.com/', 'a=1'); + const parts = result.split('&'); + expect(parts).toHaveLength(3); + }); + + it('should percent-encode the base URL', () => { + const result = buildBaseString('GET', 'https://example.com/path', 'a=1'); + expect(result).toContain('https%3A%2F%2Fexample.com%2Fpath'); + }); + + it('should percent-encode the parameter string', () => { + const result = buildBaseString('GET', 'https://example.com/', 'a=1&b=2'); + // a=1&b=2 → a%3D1%26b%3D2 + expect(result).toContain('a%3D1%26b%3D2'); + }); + + it('should produce different results for different methods', () => { + const get = buildBaseString('GET', 'https://example.com/', 'a=1'); + const post = buildBaseString('POST', 'https://example.com/', 'a=1'); + expect(get).not.toBe(post); + }); + + it('should handle mixed-case method', () => { + const result = buildBaseString('PaTcH', 'https://example.com/', 'a=1'); + expect(result).toMatch(/^PATCH&/); + }); + + it('should handle empty parameter string', () => { + const result = buildBaseString('GET', 'https://example.com/', ''); + expect(result).toBe('GET&https%3A%2F%2Fexample.com%2F&'); + }); + }); + + describe('buildSigningKey', () => { + it('should combine consumer secret and token secret with &', () => { + expect(buildSigningKey('consumer_secret', 'token_secret')).toBe('consumer_secret&token_secret'); + }); + + it('should use empty token secret', () => { + expect(buildSigningKey('cs', '')).toBe('cs&'); + }); + + it('should percent-encode the consumer secret', () => { + expect(buildSigningKey('secret&with=special', 'ts')).toBe('secret%26with%3Dspecial&ts'); + }); + + it('should percent-encode the token secret', () => { + expect(buildSigningKey('cs', 'token/secret!')).toBe('cs&token%2Fsecret%21'); + }); + + it('should percent-encode both secrets', () => { + expect(buildSigningKey('a b', 'c d')).toBe('a%20b&c%20d'); + }); + + it('should not encode unreserved characters', () => { + expect(buildSigningKey('abc-._~123', 'XYZ-._~789')).toBe('abc-._~123&XYZ-._~789'); + }); + }); +}); + +describe('applyOAuth1ToRequest', () => { + const baseOAuth1Config = { + consumerKey: 'consumer_key', + consumerSecret: 'consumer_secret', + accessToken: 'access_token', + tokenSecret: 'token_secret', + signatureMethod: 'HMAC-SHA1', + timestamp: '1234567890', + nonce: 'testnonce' + }; + + describe('form-encoded body params in signature base string (RFC 5849 §3.4.1.3.1)', () => { + it('should produce different signatures with different form body params', () => { + const req1 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const req2 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=baz', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req1); + applyOAuth1ToRequest(req2); + + // Different body params must produce different signatures + expect(req1.headers['Authorization']).not.toBe(req2.headers['Authorization']); + }); + + it('should include multiple form body params in the signature', () => { + const req1 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'a=1&b=2', + oauth1config: { ...baseOAuth1Config } + }; + + const req2 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'a=1&b=3', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req1); + applyOAuth1ToRequest(req2); + + expect(req1.headers['Authorization']).not.toBe(req2.headers['Authorization']); + }); + + it('should produce the same signature with no body vs empty body', () => { + const reqNoBody = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + oauth1config: { ...baseOAuth1Config } + }; + + const reqEmptyBody = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: '', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(reqNoBody); + applyOAuth1ToRequest(reqEmptyBody); + + expect(reqNoBody.headers['Authorization']).toBe(reqEmptyBody.headers['Authorization']); + }); + + it('should NOT include body params for non-form-encoded content types', () => { + const reqJson = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/json' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const reqNoBody = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/json' } as Record, + data: 'foo=baz', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(reqJson); + applyOAuth1ToRequest(reqNoBody); + + // JSON body is not included in signature, so both produce the same signature + expect(reqJson.headers['Authorization']).toBe(reqNoBody.headers['Authorization']); + }); + + it('should NOT include body params for GET requests', () => { + const req = { + url: 'https://example.com/resource', + method: 'GET', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const reqNoData = { + url: 'https://example.com/resource', + method: 'GET', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req); + applyOAuth1ToRequest(reqNoData); + + // GET has no body per RFC, so body params should not affect signature + expect(req.headers['Authorization']).toBe(reqNoData.headers['Authorization']); + }); + + it('should NOT include body params for HEAD requests', () => { + const req = { + url: 'https://example.com/resource', + method: 'HEAD', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const reqNoData = { + url: 'https://example.com/resource', + method: 'HEAD', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req); + applyOAuth1ToRequest(reqNoData); + + expect(req.headers['Authorization']).toBe(reqNoData.headers['Authorization']); + }); + + it('should handle Content-Type with charset parameter', () => { + const req1 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const req2 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' } as Record, + data: 'foo=baz', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req1); + applyOAuth1ToRequest(req2); + + // Body params should still be included despite charset parameter + expect(req1.headers['Authorization']).not.toBe(req2.headers['Authorization']); + }); + + it('should handle case-insensitive Content-Type header key', () => { + const req1 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'content-type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=bar', + oauth1config: { ...baseOAuth1Config } + }; + + const req2 = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'content-type': 'application/x-www-form-urlencoded' } as Record, + data: 'foo=baz', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(req1); + applyOAuth1ToRequest(req2); + + expect(req1.headers['Authorization']).not.toBe(req2.headers['Authorization']); + }); + + it('should handle null Content-Type header value', () => { + const req = { + url: 'https://example.com/resource', + method: 'GET', + headers: { 'Content-Type': null } as unknown as Record, + oauth1config: { ...baseOAuth1Config } + }; + + // Should not throw + expect(() => applyOAuth1ToRequest(req)).not.toThrow(); + expect(req.headers['Authorization']).toBeTruthy(); + }); + + it('should include duplicate form body params separately in the signature', () => { + // RFC 5849 §3.4.1.3.1: ALL body params must be included, even duplicates + const reqDup = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'a=1&a=2', + oauth1config: { ...baseOAuth1Config } + }; + + const reqSingle = { + url: 'https://example.com/resource', + method: 'POST', + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } as Record, + data: 'a=2', + oauth1config: { ...baseOAuth1Config } + }; + + applyOAuth1ToRequest(reqDup); + applyOAuth1ToRequest(reqSingle); + + // a=1&a=2 must produce a different signature than a=2 alone + expect(reqDup.headers['Authorization']).not.toBe(reqSingle.headers['Authorization']); + }); + }); +}); diff --git a/packages/bruno-requests/src/auth/oauth1-request-authorization.ts b/packages/bruno-requests/src/auth/oauth1-request-authorization.ts new file mode 100644 index 00000000000..c5580979c51 --- /dev/null +++ b/packages/bruno-requests/src/auth/oauth1-request-authorization.ts @@ -0,0 +1,457 @@ +// OAuth 1.0 request authorization (RFC 5849) +// Logic referred from https://github.com/ddo/oauth-1.0a + +import crypto from 'node:crypto'; +import fs from 'node:fs'; +import nodePath from 'node:path'; + +// Private key file cache: avoids re-reading the same file on every request. +// Keyed by absolute path; invalidated when the file's mtime changes. +const privateKeyCache = new Map(); + +function readPrivateKeyFile(filePath: string): string { + const stat = fs.statSync(filePath); + const cached = privateKeyCache.get(filePath); + if (cached && cached.mtimeMs === stat.mtimeMs) { + return cached.content; + } + const content = fs.readFileSync(filePath, 'utf-8'); + privateKeyCache.set(filePath, { mtimeMs: stat.mtimeMs, content }); + return content; +} + +export type SignatureMethod = 'HMAC-SHA1' | 'HMAC-SHA256' | 'HMAC-SHA512' | 'RSA-SHA1' | 'RSA-SHA256' | 'RSA-SHA512' | 'PLAINTEXT'; + +export interface OAuth1Config { + consumer: { key: string; secret: string }; + signature_method: SignatureMethod; + version?: string; + realm?: string; + private_key?: string; + hash_function?: (baseString: string, key: string) => string; +} + +export interface OAuth1RequestData { + url: string; + method: string; + data?: Array<[string, string]>; +} + +export interface OAuth1Token { + key: string; + secret: string; +} + +export interface OAuth1AuthData { + oauth_consumer_key: string; + oauth_nonce: string; + oauth_signature_method: string; + oauth_timestamp: string; + oauth_version: string; + oauth_token?: string; + oauth_signature: string; + oauth_body_hash?: string; + [key: string]: string | undefined; +} + +// RFC 5849 percent-encoding +export function percentEncode(str: string): string { + return encodeURIComponent(str) + .replace(/!/g, '%21') + .replace(/\*/g, '%2A') + .replace(/'/g, '%27') + .replace(/\(/g, '%28') + .replace(/\)/g, '%29'); +} + +// Nonce generation +const NONCE_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; +function generateNonce(length = 32): string { + const bytes = crypto.randomBytes(length); + let result = ''; + for (let i = 0; i < length; i++) { + result += NONCE_CHARS[bytes[i] % NONCE_CHARS.length]; + } + return result; +} + +// Timestamp +function generateTimestamp(): string { + return Math.floor(Date.now() / 1000).toString(); +} + +// Parse query string from URL +// Escapes bare '+' before delegating to URLSearchParams, because +// URLSearchParams decodes '+' as space (HTML form convention) but +// RFC 5849 treats '+' as a literal character. +export function parseQueryParams(url: string): Array<[string, string]> { + try { + const parsed = new URL(url); + if (!parsed.search) return []; + + // Escape bare '+' so URLSearchParams preserves them as literal '+' + const safeSearch = parsed.search.slice(1).replace(/\+/g, '%2B'); + const searchParams = new URLSearchParams(safeSearch); + const pairs: Array<[string, string]> = []; + + searchParams.forEach((value, key) => { + pairs.push([key, value]); + }); + return pairs; + } catch { + return []; + } +} + +// Base URL normalized per RFC 5849 §3.4.1.2 +// Lowercase scheme/host, strip default ports, remove query string and fragment +export function getBaseUrl(url: string): string { + try { + const parsed = new URL(url); + const scheme = parsed.protocol.toLowerCase(); + const host = parsed.hostname.toLowerCase(); + const port = parsed.port; + + // Omit default ports (80 for http, 443 for https) + const includePort + = port && !((scheme === 'http:' && port === '80') || (scheme === 'https:' && port === '443')); + + return `${scheme}//${host}${includePort ? ':' + port : ''}${parsed.pathname}`; + } catch { + // Fallback for non-standard URLs: just strip query string and fragment + return url.split('?')[0].split('#')[0]; + } +} + +// Build the normalized parameter string (RFC 5849 §3.4.1.3.2) +export function buildParameterString( + oauthParams: Record, + queryParams: Array<[string, string]> +): string { + const collected: Array<[string, string]> = []; + + for (const [k, v] of Object.entries(oauthParams)) { + collected.push([percentEncode(k), percentEncode(v)]); + } + + for (const [k, v] of queryParams) { + collected.push([percentEncode(k), percentEncode(v)]); + } + + collected.sort((a, b) => { + if (a[0] < b[0]) return -1; + if (a[0] > b[0]) return 1; + if (a[1] < b[1]) return -1; + if (a[1] > b[1]) return 1; + return 0; + }); + + return collected.map(([k, v]) => `${k}=${v}`).join('&'); +} + +// Signature Base String (RFC 5849 §3.4.1) +export function buildBaseString(method: string, baseUrl: string, parameterString: string): string { + return `${method.toUpperCase()}&${percentEncode(baseUrl)}&${percentEncode(parameterString)}`; +} + +// Signing Key (RFC 5849 §3.4.2) +export function buildSigningKey(consumerSecret: string, tokenSecret: string): string { + return `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`; +} + +// Default hash function +function defaultHashFunction( + baseString: string, + key: string, + method: SignatureMethod, + privateKey?: string +): string { + switch (method) { + case 'PLAINTEXT': + return key; + + case 'RSA-SHA1': + case 'RSA-SHA256': + case 'RSA-SHA512': { + if (!privateKey) { + throw new Error(`Private key is required for ${method} signature method`); + } + const algoMap: Record = { + 'RSA-SHA1': 'RSA-SHA1', + 'RSA-SHA256': 'RSA-SHA256', + 'RSA-SHA512': 'RSA-SHA512' + }; + const signer = crypto.createSign(algoMap[method]); + signer.update(baseString); + return signer.sign(privateKey, 'base64'); + } + + case 'HMAC-SHA512': + return crypto.createHmac('sha512', key).update(baseString).digest('base64'); + + case 'HMAC-SHA256': + return crypto.createHmac('sha256', key).update(baseString).digest('base64'); + + case 'HMAC-SHA1': + return crypto.createHmac('sha1', key).update(baseString).digest('base64'); + + default: + throw new Error(`Unsupported OAuth1 signature method: ${method}`); + } +} + +// Body Hash (draft-eaton-oauth-bodyhash-00) +// https://datatracker.ietf.org/doc/id/draft-eaton-oauth-bodyhash-00.html +export function computeBodyHash(body: string, signatureMethod: SignatureMethod): string { + const algoMap: Record = { + 'HMAC-SHA512': 'sha512', + 'HMAC-SHA256': 'sha256', + 'RSA-SHA512': 'sha512', + 'RSA-SHA256': 'sha256' + }; + const algo = algoMap[signatureMethod] || 'sha1'; + return crypto.createHash(algo).update(body).digest('base64'); +} + +/** + * OAuth 1.0 authorization library (RFC 5849). + * + * API mirrors the oauth-1.0a npm package: + * - `authorize(requestData, token?)` - generates signed OAuth params + * - `toHeader(oauthData)` - formats params as an Authorization header + * + * Implements signing from scratch using Node.js crypto. + * Supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, and PLAINTEXT. + */ +export function createOAuth1Authorizer(config: OAuth1Config) { + const { + consumer, + signature_method: signatureMethod = 'HMAC-SHA1', + version = '1.0', + realm, + private_key: privateKey, + hash_function: customHashFunction + } = config; + + function authorize( + requestData: OAuth1RequestData, + token?: OAuth1Token, + callbackUrl?: string, + verifier?: string, + overrides?: { timestamp?: string; nonce?: string } + ): OAuth1AuthData { + const oauthParams: Record = { + oauth_consumer_key: consumer.key, + oauth_nonce: overrides?.nonce || generateNonce(), + oauth_signature_method: signatureMethod, + oauth_timestamp: overrides?.timestamp || generateTimestamp(), + oauth_version: version || '1.0' + }; + + if (token?.key) { + oauthParams.oauth_token = token.key; + } + + // RFC 5849 §2.1: oauth_callback is REQUIRED in the Temporary Credentials Request + if (callbackUrl) { + oauthParams.oauth_callback = callbackUrl; + } + + // RFC 5849 §2.3: oauth_verifier is REQUIRED in the Token Credentials Request + if (verifier) { + oauthParams.oauth_verifier = verifier; + } + + // Separate oauth_* extension params (e.g. oauth_body_hash) from body params + // oauth_* params go into oauthParams (included in Authorization header) + // Body params are kept as pairs (preserving duplicates per RFC 5849 §3.4.1.3.2) + const bodyParams: Array<[string, string]> = []; + if (requestData.data) { + for (const [k, v] of requestData.data) { + if (k.startsWith('oauth_')) { + oauthParams[k] = v; + } else { + bodyParams.push([k, v]); + } + } + } + + const extraParams: Array<[string, string]> = [ + ...parseQueryParams(requestData.url), + ...bodyParams + ]; + + const parameterString = buildParameterString(oauthParams, extraParams); + const baseString = buildBaseString(requestData.method, getBaseUrl(requestData.url), parameterString); + + // Build signing key & sign + const tokenSecret = token?.secret || ''; + const signingKey = buildSigningKey(consumer.secret, tokenSecret); + + if (customHashFunction) { + oauthParams.oauth_signature = customHashFunction(baseString, signingKey); + } else { + oauthParams.oauth_signature = defaultHashFunction(baseString, signingKey, signatureMethod, privateKey); + } + + return oauthParams as OAuth1AuthData; + } + + function toHeader(oauthData: OAuth1AuthData): { Authorization: string } { + let header = 'OAuth '; + + if (realm) { + header += `realm="${realm.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}", `; + } + + const parts: string[] = []; + const sortedKeys = Object.keys(oauthData).sort(); + for (const key of sortedKeys) { + if (!key.startsWith('oauth_')) continue; + parts.push(`${percentEncode(key)}="${percentEncode(oauthData[key]!)}"`); + } + + header += parts.join(', '); + return { Authorization: header }; + } + + return { authorize, toHeader }; +} + +/** + * Applies OAuth1 signing to a request object in-place. + * + * Handles the full flow: authorizer creation, body hash, signing with + * optional timestamp/nonce overrides, and placing params in header, + * query string, or body per RFC 5849. + * + * Shared by bruno-electron and bruno-cli to avoid duplication. + */ +export function applyOAuth1ToRequest(request: { + url: string; + method: string; + headers: Record; + data?: any; + oauth1config: { + consumerKey: string; + consumerSecret: string; + accessToken?: string; + tokenSecret?: string; + callbackUrl?: string; + verifier?: string; + signatureMethod?: string; + privateKey?: string; + privateKeyType?: string; + timestamp?: string; + nonce?: string; + version?: string; + realm?: string; + addParamsTo?: string; + includeBodyHash?: boolean; + }; +}, collectionPath?: string): void { + const { + consumerKey, consumerSecret, accessToken, tokenSecret, + callbackUrl, verifier, signatureMethod, privateKey, privateKeyType, timestamp, nonce, + version, realm, addParamsTo, includeBodyHash + } = request.oauth1config; + + // Clear credentials from the request object before any operation that could throw + delete (request as any).oauth1config; + + // Resolve private key: read from file if privateKeyType is 'file', otherwise use as-is + let resolvedPrivateKey: string | undefined; + if (privateKey) { + if (privateKeyType === 'file') { + let filePath = privateKey; + if (collectionPath && !nodePath.isAbsolute(filePath)) { + filePath = nodePath.join(collectionPath, filePath); + } + resolvedPrivateKey = readPrivateKeyFile(filePath); + } else { + resolvedPrivateKey = privateKey.replace(/\\n/g, '\n'); + } + } + + const authorizer = createOAuth1Authorizer({ + consumer: { key: consumerKey, secret: consumerSecret }, + signature_method: (signatureMethod || 'HMAC-SHA1') as SignatureMethod, + version: version || '1.0', + realm: realm || undefined, + private_key: resolvedPrivateKey + }); + + const requestData: OAuth1RequestData = { + url: request.url, + method: request.method + }; + + // Determine if body is form-encoded + const ctKey = Object.keys(request.headers).find((name) => name.toLowerCase() === 'content-type'); + const ctValue = (ctKey ? request.headers[ctKey] : '') || ''; + const isFormUrlEncoded = ctValue.startsWith('application/x-www-form-urlencoded'); + const method = request.method.toUpperCase(); + const hasBody = method !== 'GET' && method !== 'HEAD'; + + // RFC 5849 §3.4.1.3.1: form-encoded body params MUST be included in the signature base string + const dataPairs: Array<[string, string]> = []; + + if (hasBody && isFormUrlEncoded && request.data) { + const bodyStr = typeof request.data === 'string' ? request.data : ''; + if (bodyStr) { + new URLSearchParams(bodyStr).forEach((v, k) => { + dataPairs.push([k, v]); + }); + } + } + + // draft-eaton-oauth-bodyhash-00 §3.2: MUST NOT include oauth_body_hash for form-encoded bodies; + // if no entity body, hash over the empty string + if (includeBodyHash && !isFormUrlEncoded) { + const bodyStr = request.data + ? (typeof request.data === 'string' ? request.data : JSON.stringify(request.data)) + : ''; + const bodyHash = computeBodyHash(bodyStr, (signatureMethod || 'HMAC-SHA1') as SignatureMethod); + dataPairs.push(['oauth_body_hash', bodyHash]); + } + + if (dataPairs.length > 0) { + requestData.data = dataPairs; + } + + const token = accessToken ? { key: accessToken, secret: tokenSecret || '' } : undefined; + const overrides: { timestamp?: string; nonce?: string } = {}; + if (timestamp) overrides.timestamp = timestamp; + if (nonce) overrides.nonce = nonce; + const oauthData = authorizer.authorize(requestData, token, callbackUrl || undefined, verifier || undefined, overrides); + + switch (addParamsTo || 'header') { + case 'header': + request.headers['Authorization'] = authorizer.toHeader(oauthData).Authorization; + break; + case 'queryparams': { + const url = new URL(request.url); + Object.entries(oauthData).forEach(([key, value]) => { + if (value) url.searchParams.set(key, value); + }); + request.url = url.toString(); + break; + } + case 'body': { + const params = new URLSearchParams(isFormUrlEncoded ? request.data : ''); + Object.entries(oauthData).forEach(([key, value]) => { + if (value !== undefined) params.set(key, value); + }); + request.data = params.toString(); + + if (!isFormUrlEncoded) { + if (ctKey) { + request.headers[ctKey] = 'application/x-www-form-urlencoded'; + } else { + request.headers['Content-Type'] = 'application/x-www-form-urlencoded'; + } + } + break; + } + } +} diff --git a/packages/bruno-requests/src/index.ts b/packages/bruno-requests/src/index.ts index 03f2c6fedd0..581fdda8185 100644 --- a/packages/bruno-requests/src/index.ts +++ b/packages/bruno-requests/src/index.ts @@ -1,4 +1,4 @@ -export { addDigestInterceptor, getOAuth2Token } from './auth'; +export { addDigestInterceptor, getOAuth2Token, createOAuth1Authorizer, computeBodyHash, applyOAuth1ToRequest } from './auth'; export { GrpcClient, generateGrpcSampleMessage } from './grpc'; export { WsClient } from './ws/ws-client'; export { default as cookies } from './cookies'; diff --git a/packages/bruno-schema-types/src/common/auth.ts b/packages/bruno-schema-types/src/common/auth.ts index c8a31499b0f..70a80d585a0 100644 --- a/packages/bruno-schema-types/src/common/auth.ts +++ b/packages/bruno-schema-types/src/common/auth.ts @@ -38,6 +38,24 @@ export interface AuthApiKey { placement?: 'header' | 'queryparams' | null; } +export interface AuthOauth1 { + consumerKey?: string | null; + consumerSecret?: string | null; + accessToken?: string | null; + tokenSecret?: string | null; + callbackUrl?: string | null; + verifier?: string | null; + signatureMethod?: 'HMAC-SHA1' | 'HMAC-SHA256' | 'HMAC-SHA512' | 'RSA-SHA1' | 'RSA-SHA256' | 'RSA-SHA512' | 'PLAINTEXT' | null; + privateKey?: string | null; + privateKeyType?: 'file' | 'text' | null; + timestamp?: string | null; + nonce?: string | null; + version?: string | null; + realm?: string | null; + addParamsTo?: 'header' | 'queryparams' | 'body' | null; + includeBodyHash?: boolean | null; +} + export type OAuthGrantType = | 'client_credentials' | 'password' @@ -89,6 +107,7 @@ export type AuthMode | 'bearer' | 'digest' | 'ntlm' + | 'oauth1' | 'oauth2' | 'wsse' | 'apikey'; @@ -100,6 +119,7 @@ export interface Auth { bearer?: AuthBearer | null; digest?: AuthDigest | null; ntlm?: AuthNTLM | null; + oauth1?: AuthOauth1 | null; oauth2?: OAuth2 | null; wsse?: AuthWsse | null; apikey?: AuthApiKey | null; diff --git a/packages/bruno-schema/src/collections/index.js b/packages/bruno-schema/src/collections/index.js index a2f35abb9a7..1590d3adcdc 100644 --- a/packages/bruno-schema/src/collections/index.js +++ b/packages/bruno-schema/src/collections/index.js @@ -199,6 +199,26 @@ const authApiKeySchema = Yup.object({ .noUnknown(true) .strict(); +const authOAuth1Schema = Yup.object({ + consumerKey: Yup.string().nullable(), + consumerSecret: Yup.string().nullable(), + accessToken: Yup.string().nullable(), + tokenSecret: Yup.string().nullable(), + callbackUrl: Yup.string().nullable(), + verifier: Yup.string().nullable(), + signatureMethod: Yup.string().oneOf(['HMAC-SHA1', 'HMAC-SHA256', 'HMAC-SHA512', 'RSA-SHA1', 'RSA-SHA256', 'RSA-SHA512', 'PLAINTEXT']).nullable(), + privateKey: Yup.string().nullable(), + privateKeyType: Yup.string().oneOf(['file', 'text']).nullable(), + timestamp: Yup.string().nullable(), + nonce: Yup.string().nullable(), + version: Yup.string().nullable(), + realm: Yup.string().nullable(), + addParamsTo: Yup.string().oneOf(['header', 'queryparams', 'body']).nullable(), + includeBodyHash: Yup.boolean().nullable() +}) + .noUnknown(true) + .strict(); + const oauth2AuthorizationAdditionalParametersSchema = Yup.object({ name: Yup.string().nullable(), value: Yup.string().nullable(), @@ -337,13 +357,14 @@ const oauth2Schema = Yup.object({ const authSchema = Yup.object({ mode: Yup.string() - .oneOf(['inherit', 'none', 'awsv4', 'basic', 'bearer', 'digest', 'ntlm', 'oauth2', 'wsse', 'apikey']) + .oneOf(['inherit', 'none', 'awsv4', 'basic', 'bearer', 'digest', 'ntlm', 'oauth1', 'oauth2', 'wsse', 'apikey']) .required('mode is required'), awsv4: authAwsV4Schema.nullable(), basic: authBasicSchema.nullable(), bearer: authBearerSchema.nullable(), ntlm: authNTLMSchema.nullable(), digest: authDigestSchema.nullable(), + oauth1: authOAuth1Schema.nullable(), oauth2: oauth2Schema.nullable(), wsse: authWsseSchema.nullable(), apikey: authApiKeySchema.nullable() diff --git a/packages/bruno-tests/src/auth/index.js b/packages/bruno-tests/src/auth/index.js index e26a655294d..49ecf1ade9f 100644 --- a/packages/bruno-tests/src/auth/index.js +++ b/packages/bruno-tests/src/auth/index.js @@ -8,7 +8,9 @@ const authCookie = require('./cookie'); const authOAuth2PasswordCredentials = require('./oauth2/passwordCredentials'); const authOAuth2AuthorizationCode = require('./oauth2/authorizationCode'); const authOAuth2ClientCredentials = require('./oauth2/clientCredentials'); +const authOAuth1 = require('./oauth1'); +router.use('/oauth1', authOAuth1); router.use('/oauth2/password_credentials', authOAuth2PasswordCredentials); router.use('/oauth2/authorization_code', authOAuth2AuthorizationCode); router.use('/oauth2/client_credentials', authOAuth2ClientCredentials); diff --git a/packages/bruno-tests/src/auth/oauth1/index.js b/packages/bruno-tests/src/auth/oauth1/index.js new file mode 100644 index 00000000000..326ec26b09d --- /dev/null +++ b/packages/bruno-tests/src/auth/oauth1/index.js @@ -0,0 +1,559 @@ +const express = require('express'); +const crypto = require('crypto'); +const router = express.Router(); + +// ─── Known Test Credentials ──────────────────────────────────────────────────── + +const consumers = [ + { + key: 'consumer_key_1', + secret: 'consumer_secret_1' + } +]; + +// Pre-provisioned access token for simple one-legged testing +const accessTokens = [ + { + token: 'access_token_1', + secret: 'token_secret_1', + consumerKey: 'consumer_key_1' + } +]; + +// In-memory stores for the three-legged flow +const requestTokens = []; +const usedNonces = new Map(); // key: `${consumerKey}:${nonce}:${timestamp}` + +// RSA key pair for RSA-SHA* signing/verification +const TEST_RSA_PRIVATE_KEY = `-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 +WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ +ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE ++d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G +6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl +qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu +EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd +q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC +Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w +Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx +agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu +z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ +T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod +9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE +LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor +7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX +pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK +CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs +la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 +/ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG +npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr +wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA +S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR +YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo +5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo +dJv7UByPuMKBIOYpy3Z+iWs= +-----END PRIVATE KEY----- +`; + +const TEST_RSA_PUBLIC_KEY = `-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/4qDsG+rhptNVoy/PbA +TiprzLsMhlt98Prnd3leXVmx2WyU4AhzLY1FahhOLFT51/MHyoG9NIVRmWYW0bKq +rlDCS/u0R2QNRt2XAtlj5q1LyKYtd1uxf/sIs0Yw67rYCtKHOC+81D4YBPnfkHui +R7xS9++oapA/Wer3fY1TUQ7+w9riXBvlHO3jzOsi80HiSC5370sMZ2vPRumMX22D +Y3/1SgHETOlAEfGkRpvwPUJncLMtPIkc5TNCuZYnewLYewAyfg+ns1CIZaoiOrFa +2XabBV87r3MY4ALbOeF6ELCwg2bnU5szLOAX7bMFCwkBXY+nNqMnvUCrLhKGdAr8 +DQIDAQAB +-----END PUBLIC KEY-----`; + +// ─── RFC 5849 Helpers ─────────────────────────────────────────────────────────── + +function percentEncode(str) { + return encodeURIComponent(str) + .replace(/!/g, '%21') + .replace(/\*/g, '%2A') + .replace(/'/g, '%27') + .replace(/\(/g, '%28') + .replace(/\)/g, '%29'); +} + +function percentDecode(str) { + return decodeURIComponent(str); +} + +function generateUniqueString() { + return crypto.randomBytes(16).toString('hex'); +} + +// RFC 5849 §3.4.1.2 - Base URL normalization +function getBaseUrl(req) { + const protocol = req.protocol; + const host = req.hostname; + const port = req.socket.localPort; + const path = req.baseUrl + req.path; + + const includePort = port && !( + (protocol === 'http' && port === 80) + || (protocol === 'https' && port === 443) + ); + + return `${protocol}://${host}${includePort ? ':' + port : ''}${path}`; +} + +// Parse OAuth Authorization header +function parseOAuthHeader(header) { + if (!header || !header.startsWith('OAuth ')) return null; + + const params = {}; + const paramStr = header.slice(6); // Remove 'OAuth ' + + // Match key="value" pairs, handling commas within values + const regex = /(\w+)="([^"]*)"/g; + let match; + while ((match = regex.exec(paramStr)) !== null) { + const key = percentDecode(match[1]); + const value = percentDecode(match[2]); + if (key !== 'realm') { + params[key] = value; + } + } + return params; +} + +// Collect OAuth params from all sources (header, query, body) +function collectOAuthParams(req) { + // 1. Try Authorization header first + const authHeader = req.headers['authorization']; + const headerParams = parseOAuthHeader(authHeader); + + if (headerParams && headerParams.oauth_consumer_key) { + return { params: headerParams, source: 'header' }; + } + + // 2. Try query params + const queryParams = {}; + let foundInQuery = false; + for (const [key, value] of Object.entries(req.query || {})) { + if (key.startsWith('oauth_')) { + queryParams[key] = value; + foundInQuery = true; + } + } + if (foundInQuery && queryParams.oauth_consumer_key) { + return { params: queryParams, source: 'queryparams' }; + } + + // 3. Try body params (only for application/x-www-form-urlencoded) + const contentType = req.headers['content-type'] || ''; + if (contentType.includes('application/x-www-form-urlencoded') && req.body) { + const bodyParams = {}; + let foundInBody = false; + for (const [key, value] of Object.entries(req.body)) { + if (key.startsWith('oauth_')) { + bodyParams[key] = value; + foundInBody = true; + } + } + if (foundInBody && bodyParams.oauth_consumer_key) { + return { params: bodyParams, source: 'body' }; + } + } + + return { params: null, source: null }; +} + +// Collect all non-oauth parameters from query and body for signature base string +function collectRequestParams(req, oauthParams, oauthSource) { + const collected = []; + + // Include oauth params (except oauth_signature) + for (const [key, value] of Object.entries(oauthParams)) { + if (key !== 'oauth_signature') { + collected.push([percentEncode(key), percentEncode(value)]); + } + } + + // Include query params (skip oauth_* — already collected from oauthParams above) + // RFC 5849 §3.5: each protocol parameter MUST use one and only one transmission method + for (const [key, value] of Object.entries(req.query || {})) { + if (key.startsWith('oauth_')) continue; + if (Array.isArray(value)) { + for (const v of value) { + collected.push([percentEncode(key), percentEncode(v)]); + } + } else { + collected.push([percentEncode(key), percentEncode(value)]); + } + } + + // Include body params for form-urlencoded (skip oauth_* — already collected from oauthParams above) + const contentType = req.headers['content-type'] || ''; + if (contentType.includes('application/x-www-form-urlencoded') && req.body) { + for (const [key, value] of Object.entries(req.body)) { + if (key.startsWith('oauth_')) continue; + if (Array.isArray(value)) { + for (const v of value) { + collected.push([percentEncode(key), percentEncode(v)]); + } + } else { + collected.push([percentEncode(key), percentEncode(value)]); + } + } + } + + // Sort per RFC 5849 §3.4.1.3.2 + collected.sort((a, b) => { + if (a[0] < b[0]) return -1; + if (a[0] > b[0]) return 1; + if (a[1] < b[1]) return -1; + if (a[1] > b[1]) return 1; + return 0; + }); + + return collected.map(([k, v]) => `${k}=${v}`).join('&'); +} + +// Build signature base string (RFC 5849 §3.4.1) +function buildBaseString(method, baseUrl, parameterString) { + return `${method.toUpperCase()}&${percentEncode(baseUrl)}&${percentEncode(parameterString)}`; +} + +// Verify signature +function timingSafeCompare(a, b) { + const bufA = Buffer.from(a); + const bufB = Buffer.from(b); + if (bufA.length !== bufB.length) return false; + return crypto.timingSafeEqual(bufA, bufB); +} + +function verifySignature(baseString, signature, signatureMethod, consumerSecret, tokenSecret) { + const signingKey = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret || '')}`; + + switch (signatureMethod) { + case 'HMAC-SHA1': { + const expected = crypto.createHmac('sha1', signingKey).update(baseString).digest('base64'); + return timingSafeCompare(signature, expected); + } + case 'HMAC-SHA256': { + const expected = crypto.createHmac('sha256', signingKey).update(baseString).digest('base64'); + return timingSafeCompare(signature, expected); + } + case 'HMAC-SHA512': { + const expected = crypto.createHmac('sha512', signingKey).update(baseString).digest('base64'); + return timingSafeCompare(signature, expected); + } + case 'RSA-SHA1': + case 'RSA-SHA256': + case 'RSA-SHA512': { + const algoMap = { 'RSA-SHA1': 'RSA-SHA1', 'RSA-SHA256': 'RSA-SHA256', 'RSA-SHA512': 'RSA-SHA512' }; + const verifier = crypto.createVerify(algoMap[signatureMethod]); + verifier.update(baseString); + return verifier.verify(TEST_RSA_PUBLIC_KEY, signature, 'base64'); + } + case 'PLAINTEXT': { + return timingSafeCompare(signature, signingKey); + } + default: + return false; + } +} + +// Check nonce uniqueness (prevents replay attacks) +function checkNonce(consumerKey, nonce, timestamp) { + const key = `${consumerKey}:${nonce}:${timestamp}`; + if (usedNonces.has(key)) return false; + usedNonces.set(key, Date.now()); + + // Clean up old nonces (older than 10 minutes) + const tenMinutesAgo = Date.now() - 10 * 60 * 1000; + for (const [k, v] of usedNonces.entries()) { + if (v < tenMinutesAgo) usedNonces.delete(k); + } + + return true; +} + +// ─── OAuth 1.0 Signature Verification Middleware ──────────────────────────────── + +function verifyOAuth1Signature(getTokenSecret) { + return (req, res, next) => { + const { params: oauthParams, source: oauthSource } = collectOAuthParams(req); + + if (!oauthParams) { + return res.status(401).json({ error: 'Missing OAuth parameters' }); + } + + const { + oauth_consumer_key, + oauth_signature, + oauth_signature_method, + oauth_nonce, + oauth_timestamp, + oauth_version + } = oauthParams; + + // Validate required params + if (!oauth_consumer_key || !oauth_signature || !oauth_signature_method) { + return res.status(401).json({ error: 'Missing required OAuth parameters' }); + } + + // Validate version if present + if (oauth_version && oauth_version !== '1.0') { + return res.status(401).json({ error: 'Unsupported OAuth version' }); + } + + // Look up consumer + const consumer = consumers.find((c) => c.key === oauth_consumer_key); + if (!consumer) { + return res.status(401).json({ error: 'Unknown consumer' }); + } + + // Check nonce uniqueness (skip for PLAINTEXT which doesn't use nonce/timestamp) + if (oauth_signature_method !== 'PLAINTEXT') { + if (!oauth_nonce || !oauth_timestamp) { + return res.status(401).json({ error: 'Missing nonce or timestamp' }); + } + if (!checkNonce(oauth_consumer_key, oauth_nonce, oauth_timestamp)) { + return res.status(401).json({ error: 'Nonce already used' }); + } + } + + // Get token secret from callback + const tokenSecret = getTokenSecret(oauthParams, req); + + // Build base string and verify signature + const baseUrl = getBaseUrl(req); + const parameterString = collectRequestParams(req, oauthParams, oauthSource); + const baseString = buildBaseString(req.method, baseUrl, parameterString); + + const isValid = verifySignature( + baseString, + oauth_signature, + oauth_signature_method, + consumer.secret, + tokenSecret + ); + + if (!isValid) { + return res.status(401).json({ + error: 'Invalid signature', + debug: { + baseString, + baseUrl, + parameterString, + method: req.method + } + }); + } + + req.oauthConsumer = consumer; + req.oauthParams = oauthParams; + next(); + }; +} + +// ─── Routes ───────────────────────────────────────────────────────────────────── + +// 1. Request Token (Temporary Credentials) - RFC 5849 §2.1 +router.post('/request_token', + verifyOAuth1Signature((oauthParams) => { + // No token secret for request token requests + return ''; + }), + (req, res) => { + const callbackUrl = req.oauthParams.oauth_callback; + + // RFC 5849 §2.1: oauth_callback is REQUIRED + if (!callbackUrl) { + return res.status(400).json({ error: 'Missing required oauth_callback parameter' }); + } + + // RFC 5849 §2.1: must be an absolute URI or "oob" (case sensitive) + if (callbackUrl !== 'oob') { + try { + const parsed = new URL(callbackUrl); + if (!parsed.protocol.startsWith('http')) { + return res.status(400).json({ error: 'oauth_callback must be an absolute HTTP(S) URI or "oob"' }); + } + } catch { + return res.status(400).json({ error: 'oauth_callback must be a valid absolute URI or "oob"' }); + } + } + + const requestToken = { + token: 'rt_' + generateUniqueString(), + secret: 'rts_' + generateUniqueString(), + consumerKey: req.oauthConsumer.key, + callbackUrl, + verifier: null, + authorized: false + }; + + requestTokens.push(requestToken); + + // Return as form-encoded per spec + res.type('application/x-www-form-urlencoded'); + res.send( + `oauth_token=${percentEncode(requestToken.token)}` + + `&oauth_token_secret=${percentEncode(requestToken.secret)}` + + `&oauth_callback_confirmed=true` + ); + } +); + +// 2. Resource Owner Authorization - RFC 5849 §2.2 +router.get('/authorize', (req, res) => { + const { oauth_token } = req.query; + + if (!oauth_token) { + return res.status(400).json({ error: 'Missing oauth_token parameter' }); + } + + const storedToken = requestTokens.find((t) => t.token === oauth_token); + if (!storedToken) { + return res.status(400).json({ error: 'Invalid request token' }); + } + + // Auto-authorize and redirect (simplified for testing) + const verifier = generateUniqueString(); + storedToken.verifier = verifier; + storedToken.authorized = true; + + if (storedToken.callbackUrl === 'oob') { + // Out-of-band: display the verifier + return res.send(` + + +

Authorization Successful

+

Your verification code is: ${verifier}

+ + + `); + } + + // Redirect back to consumer with oauth_token and oauth_verifier + const callbackUrl = new URL(storedToken.callbackUrl); + callbackUrl.searchParams.set('oauth_token', storedToken.token); + callbackUrl.searchParams.set('oauth_verifier', verifier); + res.redirect(callbackUrl.toString()); +}); + +// 3. Access Token (Token Credentials) - RFC 5849 §2.3 +router.post('/access_token', + verifyOAuth1Signature((oauthParams) => { + // Token secret is the request token's secret + const rt = requestTokens.find((t) => t.token === oauthParams.oauth_token); + return rt ? rt.secret : ''; + }), + (req, res) => { + const { oauth_token, oauth_verifier } = req.oauthParams; + + // RFC 5849 §2.3: oauth_token and oauth_verifier are REQUIRED + if (!oauth_token) { + return res.status(400).json({ error: 'Missing required oauth_token parameter' }); + } + if (!oauth_verifier) { + return res.status(400).json({ error: 'Missing required oauth_verifier parameter' }); + } + + const storedToken = requestTokens.find((t) => t.token === oauth_token); + if (!storedToken) { + return res.status(401).json({ error: 'Invalid request token' }); + } + + if (!storedToken.authorized) { + return res.status(401).json({ error: 'Request token not authorized' }); + } + + if (storedToken.verifier !== oauth_verifier) { + return res.status(401).json({ error: 'Invalid verifier' }); + } + + // Issue access token + const accessToken = { + token: 'at_' + generateUniqueString(), + secret: 'ats_' + generateUniqueString(), + consumerKey: req.oauthConsumer.key + }; + accessTokens.push(accessToken); + + // Invalidate request token + const idx = requestTokens.indexOf(storedToken); + if (idx !== -1) requestTokens.splice(idx, 1); + + // Return as form-encoded per spec + res.type('application/x-www-form-urlencoded'); + res.send( + `oauth_token=${percentEncode(accessToken.token)}` + + `&oauth_token_secret=${percentEncode(accessToken.secret)}` + ); + } +); + +// 4. Protected Resource - verifies signed requests with access token +router.get('/resource', + verifyOAuth1Signature((oauthParams) => { + const at = accessTokens.find( + (t) => t.token === oauthParams.oauth_token + ); + return at ? at.secret : ''; + }), + (req, res) => { + res.json({ + resource: { + name: 'oauth1-test-resource', + email: 'oauth1@example.com' + } + }); + } +); + +router.post('/resource', + verifyOAuth1Signature((oauthParams) => { + const at = accessTokens.find( + (t) => t.token === oauthParams.oauth_token + ); + return at ? at.secret : ''; + }), + (req, res) => { + res.json({ + resource: { + name: 'oauth1-test-resource', + email: 'oauth1@example.com' + } + }); + } +); + +// 5. Callback (Consumer-side) - RFC 5849 §2.2 +// Receives the redirect from /authorize with oauth_token and oauth_verifier. +// The consumer then exchanges these for token credentials via /access_token. +router.get('/callback', (req, res) => { + const { oauth_token, oauth_verifier } = req.query; + + if (!oauth_token || !oauth_verifier) { + return res.status(400).json({ error: 'Missing oauth_token or oauth_verifier' }); + } + + // Verify the request token exists and is authorized + const storedToken = requestTokens.find((t) => t.token === oauth_token); + if (!storedToken) { + return res.status(400).json({ error: 'Unknown request token' }); + } + + if (!storedToken.authorized) { + return res.status(400).json({ error: 'Request token not yet authorized' }); + } + + if (storedToken.verifier !== oauth_verifier) { + return res.status(400).json({ error: 'Invalid verifier' }); + } + + res.json({ + oauth_token, + oauth_verifier, + message: 'Callback received. Exchange these for token credentials via POST /access_token.' + }); +}); + +module.exports = router; +module.exports.TEST_RSA_PRIVATE_KEY = TEST_RSA_PRIVATE_KEY; diff --git a/playwright.config.ts b/playwright.config.ts index a36b3054621..f1ec9b2e2a7 100644 --- a/playwright.config.ts +++ b/playwright.config.ts @@ -22,9 +22,14 @@ export default defineConfig({ name: 'default', testDir: './tests', testIgnore: [ - 'ssl/**' // custom CA certificate tests require separate server setup and certificate generation + 'ssl/**', // custom CA certificate tests require separate server setup and certificate generation + 'auth/**' // auth tests have their own project ] }, + { + name: 'auth', + testDir: './tests/auth' + }, { name: 'ssl', testDir: './tests/ssl' diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 200.bru new file mode 100644 index 00000000000..0774bd154c7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 200.bru @@ -0,0 +1,34 @@ +meta { + name: OAuth1 HMAC-SHA1 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + verifier: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 401.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 401.bru new file mode 100644 index 00000000000..0188f3af379 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 401.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA1 401 + type: http + seq: 2 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: wrong_secret + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 401 + res.body.error: eq Invalid signature +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body 200.bru new file mode 100644 index 00000000000..b4962a5cc09 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body 200.bru @@ -0,0 +1,46 @@ +meta { + name: OAuth1 HMAC-SHA1 Body 200 + type: http + seq: 17 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: json + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: body + include_body_hash: true +} + +body:json { + { + "test": "test" + } +} + +body:text { + test +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} + +script:post-response { + console.log(req.getBody()); +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body JSON 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body JSON 200.bru new file mode 100644 index 00000000000..7e7edb95b53 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Body JSON 200.bru @@ -0,0 +1,38 @@ +meta { + name: OAuth1 HMAC-SHA1 Body JSON 200 + type: http + seq: 21 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: json + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: body + include_body_hash: false +} + +body:json { + { + "test": "data" + } +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 POST 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 POST 200.bru new file mode 100644 index 00000000000..ab130107ce2 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 POST 200.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA1 POST 200 + type: http + seq: 3 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: formUrlEncoded + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Query Params 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Query Params 200.bru new file mode 100644 index 00000000000..926986a6e79 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA1 Query Params 200.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA1 Query Params 200 + type: http + seq: 4 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA1 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: queryparams + include_body_hash: true +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 200.bru new file mode 100644 index 00000000000..6a6dd84151c --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 200.bru @@ -0,0 +1,33 @@ +meta { + name: OAuth1 HMAC-SHA256 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA256 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 401.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 401.bru new file mode 100644 index 00000000000..a86eb1285b7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 401.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA256 401 + type: http + seq: 2 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: wrong_secret + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA256 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 401 + res.body.error: eq Invalid signature +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 Body 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 Body 200.bru new file mode 100644 index 00000000000..cfce5fe0536 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA256 Body 200.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA256 Body 200 + type: http + seq: 19 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: formUrlEncoded + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA256 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: body + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 200.bru new file mode 100644 index 00000000000..a1e4f0f2353 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 200.bru @@ -0,0 +1,33 @@ +meta { + name: OAuth1 HMAC-SHA512 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA512 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 401.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 401.bru new file mode 100644 index 00000000000..acf581a6206 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 HMAC-SHA512 401.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 HMAC-SHA512 401 + type: http + seq: 2 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: wrong_secret + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: HMAC-SHA512 + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 401 + res.body.error: eq Invalid signature +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 200.bru new file mode 100644 index 00000000000..19bcf04dfa7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 200.bru @@ -0,0 +1,33 @@ +meta { + name: OAuth1 PLAINTEXT 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: PLAINTEXT + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 401.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 401.bru new file mode 100644 index 00000000000..d6d7dfde17d --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT 401.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 PLAINTEXT 401 + type: http + seq: 2 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: wrong_secret + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: PLAINTEXT + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 401 + res.body.error: eq Invalid signature +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Body 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Body 200.bru new file mode 100644 index 00000000000..c17a349fb95 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Body 200.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 PLAINTEXT Body 200 + type: http + seq: 18 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: formUrlEncoded + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: PLAINTEXT + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: body + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Query Params 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Query Params 200.bru new file mode 100644 index 00000000000..22145eb6c4c --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 PLAINTEXT Query Params 200.bru @@ -0,0 +1,32 @@ +meta { + name: OAuth1 PLAINTEXT Query Params 200 + type: http + seq: 15 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: consumer_secret_1 + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: PLAINTEXT + private_key: + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: queryparams + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 200.bru new file mode 100644 index 00000000000..bb9651f7c6b --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 200.bru @@ -0,0 +1,71 @@ +meta { + name: OAuth1 RSA-SHA1 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: ''' + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +vars:pre-request { + : ''' + token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1 + + token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1token_secret_1token_secret_1token_secret_1token_set_1token_secret_1token_secret_1 + ''' +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Body 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Body 200.bru new file mode 100644 index 00000000000..24f47357e99 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Body 200.bru @@ -0,0 +1,61 @@ +meta { + name: OAuth1 RSA-SHA1 Body 200 + type: http + seq: 20 +} + +post { + url: {{localhost}}/api/auth/oauth1/resource + body: formUrlEncoded + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: RSA-SHA1 + private_key: ''' + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: body + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 File Key 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 File Key 200.bru new file mode 100644 index 00000000000..a81108d3670 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 File Key 200.bru @@ -0,0 +1,34 @@ +meta { + name: OAuth1 RSA-SHA1 File Key 200 + type: http + seq: 15 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + verifier: + signature_method: RSA-SHA1 + private_key: @file(test-private-key.pem) + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Query Params 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Query Params 200.bru new file mode 100644 index 00000000000..868090b9b56 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Query Params 200.bru @@ -0,0 +1,61 @@ +meta { + name: OAuth1 RSA-SHA1 Query Params 200 + type: http + seq: 16 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: RSA-SHA1 + private_key: ''' + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: queryparams + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Variable Key 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Variable Key 200.bru new file mode 100644 index 00000000000..4130a58948c --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA1 Variable Key 200.bru @@ -0,0 +1,64 @@ +meta { + name: OAuth1 RSA-SHA1 Variable Key 200 + type: http + seq: 14 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: RSA-SHA1 + private_key: {{private-key}} + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +script:pre-request { + bru.setVar('private-key', `-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 +WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ +ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE ++d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G +6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl +qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu +EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd +q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC +Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w +Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx +agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu +z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ +T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod +9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE +LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor +7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX +pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK +CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs +la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 +/ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG +npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr +wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA +S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR +YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo +5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo +dJv7UByPuMKBIOYpy3Z+iWs= +-----END PRIVATE KEY-----`); +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA256 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA256 200.bru new file mode 100644 index 00000000000..5c662018372 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA256 200.bru @@ -0,0 +1,62 @@ +meta { + name: OAuth1 RSA-SHA256 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: RSA-SHA256 + private_key: ''' + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA512 200.bru b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA512 200.bru new file mode 100644 index 00000000000..71bdb93b533 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/OAuth1 RSA-SHA512 200.bru @@ -0,0 +1,62 @@ +meta { + name: OAuth1 RSA-SHA512 200 + type: http + seq: 1 +} + +get { + url: {{localhost}}/api/auth/oauth1/resource + body: none + auth: oauth1 +} + +auth:oauth1 { + consumer_key: consumer_key_1 + consumer_secret: + access_token: access_token_1 + token_secret: token_secret_1 + callback_url: + signature_method: RSA-SHA512 + private_key: ''' + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + ''' + timestamp: + nonce: + version: 1.0 + realm: + add_params_to: header + include_body_hash: false +} + +assert { + res.status: eq 200 + res.body.resource.name: eq oauth1-test-resource + res.body.resource.email: eq oauth1@example.com +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/bruno.json b/tests/auth/oauth1/fixtures/collections/bru/bruno.json new file mode 100644 index 00000000000..30769743368 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/bruno.json @@ -0,0 +1,5 @@ +{ + "version": "1", + "name": "oauth1-testbench-bru", + "type": "collection" +} diff --git a/tests/auth/oauth1/fixtures/collections/bru/environments/Local.bru b/tests/auth/oauth1/fixtures/collections/bru/environments/Local.bru new file mode 100644 index 00000000000..5d116f2effa --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/bru/environments/Local.bru @@ -0,0 +1,3 @@ +vars { + localhost: http://localhost:8081 +} diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 200.yml new file mode 100644 index 00000000000..4487a667345 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 200.yml @@ -0,0 +1,36 @@ +info: + name: OAuth1 HMAC-SHA1 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 401.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 401.yml new file mode 100644 index 00000000000..765cf88bc6f --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 401.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 HMAC-SHA1 401 + type: http + seq: 2 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: wrong_secret + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '401' + - expression: res.body.error + operator: eq + value: Invalid signature + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body 200.yml new file mode 100644 index 00000000000..3e66f100eea --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body 200.yml @@ -0,0 +1,35 @@ +info: + name: OAuth1 HMAC-SHA1 Body 200 + type: http + seq: 17 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: body + includeBodyHash: false + body: + type: formUrlEncoded + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body JSON 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body JSON 200.yml new file mode 100644 index 00000000000..6ec44487cc7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Body JSON 200.yml @@ -0,0 +1,36 @@ +info: + name: OAuth1 HMAC-SHA1 Body JSON 200 + type: http + seq: 21 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: body + includeBodyHash: false + body: + type: json + json: '{"test":"data"}' + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 POST 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 POST 200.yml new file mode 100644 index 00000000000..4c4ca0e0c02 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 POST 200.yml @@ -0,0 +1,35 @@ +info: + name: OAuth1 HMAC-SHA1 POST 200 + type: http + seq: 3 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + body: + type: formUrlEncoded + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Query Params 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Query Params 200.yml new file mode 100644 index 00000000000..c6276bc1718 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA1 Query Params 200.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 HMAC-SHA1 Query Params 200 + type: http + seq: 4 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA1 + version: '1.0' + addParamsTo: queryparams + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 200.yml new file mode 100644 index 00000000000..928ead49771 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 200.yml @@ -0,0 +1,36 @@ +info: + name: OAuth1 HMAC-SHA256 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA256 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 401.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 401.yml new file mode 100644 index 00000000000..7f7bf8969cc --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 401.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 HMAC-SHA256 401 + type: http + seq: 2 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: wrong_secret + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA256 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '401' + - expression: res.body.error + operator: eq + value: Invalid signature + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 Body 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 Body 200.yml new file mode 100644 index 00000000000..f7f365d7ea0 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA256 Body 200.yml @@ -0,0 +1,35 @@ +info: + name: OAuth1 HMAC-SHA256 Body 200 + type: http + seq: 19 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA256 + version: '1.0' + addParamsTo: body + includeBodyHash: false + body: + type: formUrlEncoded + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 200.yml new file mode 100644 index 00000000000..685cbf930e7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 200.yml @@ -0,0 +1,36 @@ +info: + name: OAuth1 HMAC-SHA512 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA512 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 401.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 401.yml new file mode 100644 index 00000000000..85bf2505d44 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 HMAC-SHA512 401.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 HMAC-SHA512 401 + type: http + seq: 2 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: wrong_secret + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: HMAC-SHA512 + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '401' + - expression: res.body.error + operator: eq + value: Invalid signature + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 200.yml new file mode 100644 index 00000000000..b90367d356d --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 200.yml @@ -0,0 +1,36 @@ +info: + name: OAuth1 PLAINTEXT 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: PLAINTEXT + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 401.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 401.yml new file mode 100644 index 00000000000..daff85b8601 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT 401.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 PLAINTEXT 401 + type: http + seq: 2 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: wrong_secret + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: PLAINTEXT + version: '1.0' + addParamsTo: header + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '401' + - expression: res.body.error + operator: eq + value: Invalid signature + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Body 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Body 200.yml new file mode 100644 index 00000000000..57804667781 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Body 200.yml @@ -0,0 +1,35 @@ +info: + name: OAuth1 PLAINTEXT Body 200 + type: http + seq: 18 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: PLAINTEXT + version: '1.0' + addParamsTo: body + includeBodyHash: false + body: + type: formUrlEncoded + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Query Params 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Query Params 200.yml new file mode 100644 index 00000000000..b1196fcc4f7 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 PLAINTEXT Query Params 200.yml @@ -0,0 +1,33 @@ +info: + name: OAuth1 PLAINTEXT Query Params 200 + type: http + seq: 15 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: consumer_secret_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: PLAINTEXT + version: '1.0' + addParamsTo: queryparams + includeBodyHash: false + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 200.yml new file mode 100644 index 00000000000..633d5ae4745 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 200.yml @@ -0,0 +1,66 @@ +info: + name: OAuth1 RSA-SHA1 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + privateKey: + type: text + value: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Body 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Body 200.yml new file mode 100644 index 00000000000..c0085758193 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Body 200.yml @@ -0,0 +1,66 @@ +info: + name: OAuth1 RSA-SHA1 Body 200 + type: http + seq: 20 + +http: + method: POST + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + consumerSecret: '' + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA1 + version: '1.0' + addParamsTo: body + includeBodyHash: false + privateKey: + type: text + value: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + body: + type: formUrlEncoded + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 File Key 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 File Key 200.yml new file mode 100644 index 00000000000..5633106da00 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 File Key 200.yml @@ -0,0 +1,38 @@ +info: + name: OAuth1 RSA-SHA1 File Key 200 + type: http + seq: 15 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + privateKey: + type: file + value: test-private-key.pem + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Query Params 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Query Params 200.yml new file mode 100644 index 00000000000..69dba257030 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Query Params 200.yml @@ -0,0 +1,63 @@ +info: + name: OAuth1 RSA-SHA1 Query Params 200 + type: http + seq: 16 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA1 + version: '1.0' + addParamsTo: queryparams + includeBodyHash: false + privateKey: + type: text + value: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Variable Key 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Variable Key 200.yml new file mode 100644 index 00000000000..d07b8f75b8a --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA1 Variable Key 200.yml @@ -0,0 +1,69 @@ +info: + name: OAuth1 RSA-SHA1 Variable Key 200 + type: http + seq: 14 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA1 + version: '1.0' + addParamsTo: header + includeBodyHash: false + privateKey: + type: text + value: '{{private-key}}' + +runtime: + scripts: + - type: before-request + code: | + bru.setVar('private-key', `-----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY-----`); + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA256 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA256 200.yml new file mode 100644 index 00000000000..a3f1b94f9ff --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA256 200.yml @@ -0,0 +1,66 @@ +info: + name: OAuth1 RSA-SHA256 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA256 + version: '1.0' + addParamsTo: header + includeBodyHash: false + privateKey: + type: text + value: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA512 200.yml b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA512 200.yml new file mode 100644 index 00000000000..34ba48a939b --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/OAuth1 RSA-SHA512 200.yml @@ -0,0 +1,66 @@ +info: + name: OAuth1 RSA-SHA512 200 + type: http + seq: 1 + +http: + method: GET + url: '{{localhost}}/api/auth/oauth1/resource' + auth: + type: oauth1 + consumerKey: consumer_key_1 + accessToken: access_token_1 + tokenSecret: token_secret_1 + signatureMethod: RSA-SHA512 + version: '1.0' + addParamsTo: header + includeBodyHash: false + privateKey: + type: text + value: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCf/ioOwb6uGm01 + WjL89sBOKmvMuwyGW33w+ud3eV5dWbHZbJTgCHMtjUVqGE4sVPnX8wfKgb00hVGZ + ZhbRsqquUMJL+7RHZA1G3ZcC2WPmrUvIpi13W7F/+wizRjDrutgK0oc4L7zUPhgE + +d+Qe6JHvFL376hqkD9Z6vd9jVNRDv7D2uJcG+Uc7ePM6yLzQeJILnfvSwxna89G + 6YxfbYNjf/VKAcRM6UAR8aRGm/A9Qmdwsy08iRzlM0K5lid7Ath7ADJ+D6ezUIhl + qiI6sVrZdpsFXzuvcxjgAts54XoQsLCDZudTmzMs4BftswULCQFdj6c2oye9QKsu + EoZ0CvwNAgMBAAECggEAA1kIJu2QQIhhB0rEjQfaF5309NW9JK/pag91+claW3hd + q6papc1yIN6MjfRwPlE7i8npZygL03uEAkJhRoYHOEU3AOwFZluw7hiuPkBaQiDC + Ld1RpOZlnRidoqgHV1y+LzZ0ieJwgGhu4ZEbnSRZIvMihqRHJo5aJQGGUuQ60r6w + Z5N6j7GGCV14oGck6+0k/NhYrkhpbyl+AHPZeQ20L9ZaSpl+GD3RUgvx4nOhN1Fx + agovDCKwmRPSpuuBw6Wun1hKC9MuuL89CCy2yZ+MrjQmQJ/onKZKR2fc1I5g2JRu + z7xObQq/tAXIHKM27YYY5J3NcGtsy9tLpdtFDle/wQKBgQDfBaBURNs/ccVMMXSZ + T5lOo337Rv3bGFnoLwURUZrjJNGrHqLzeZvTNt0sXQX6Jbdeb5qnC/icng+QDEod + 9hRVDz1rN+2YqG6AMvrX5dQSK1PmkwVHLles4sX7DsZaiKNYFFbXc9rt7kXBwDoE + LXYidqUIqZiOjMqCyNlfyHHnRQKBgQC3ppq7TCEWIfqLzsfOoqaKD/fDOrQLLmor + 7RvAdGa+EyVeB1G+NQO00KN6U9W+SNPz0cEUYUZQiAaAghUGkNurrS1shr5k7aTX + pXpXtaA+xSEAd6w8lTl9mAfwZMBCcsfjyjPf1RPjZ6Tj2fdHqnsllSU5843LOqZK + CBXiitdKKQKBgQCVNEloN0zLLE1HxUpxiwxQzRZqtrr9ClST/mkQhhzuW+Kd7fgs + la5HZ0we8vkdun/sARRhL6Qa+7ADugUX+Frv8SsxARDG8eBDilfBevQfV7dg6fk8 + /ucPNgQoC2Fujj1hnvHeYJcWWTN4BSeLRfLj6aZNnlD/BXgyeTbcWtjBVQKBgBhG + npd5hboePbczWzgWSftgBvk4jkoYFZK+4fc7q8UeVMcsIoMJEPdayPFHma5whAvr + wyEFhrzobiuYhlz60v7LgoChAxPmUe7rgdOMP6Vse2NLbmoHs7TFXu9I8h0WfRPA + S8EfsmRR8/rmeghwIZ0jLOuPJUQi+Y45qWLrxW+ZAoGAMXYhio9y93M0nRqjiiCR + YibnhpZxvrNiLPxNiUi/WxcWEvulpmbKxLUhiWJB1ZmRTiGYlnclQXUuRyaOQNTo + 5TVAaNzDXayWVbxhx3Lb8NUV+QNUJEJOgjq4+NYw8fUZCr7T64pGGM4DJHPuHCBo + dJv7UByPuMKBIOYpy3Z+iWs= + -----END PRIVATE KEY----- + +runtime: + assertions: + - expression: res.status + operator: eq + value: '200' + - expression: res.body.resource.name + operator: eq + value: oauth1-test-resource + - expression: res.body.resource.email + operator: eq + value: oauth1@example.com + +settings: + encodeUrl: true + timeout: 0 + followRedirects: true + maxRedirects: 5 diff --git a/tests/auth/oauth1/fixtures/collections/yml/environments/Local.yml b/tests/auth/oauth1/fixtures/collections/yml/environments/Local.yml new file mode 100644 index 00000000000..930a0b3996e --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/environments/Local.yml @@ -0,0 +1,5 @@ +name: Local + +variables: + - name: localhost + value: http://localhost:8081 diff --git a/tests/auth/oauth1/fixtures/collections/yml/opencollection.yml b/tests/auth/oauth1/fixtures/collections/yml/opencollection.yml new file mode 100644 index 00000000000..6fc6eca07e5 --- /dev/null +++ b/tests/auth/oauth1/fixtures/collections/yml/opencollection.yml @@ -0,0 +1,6 @@ +opencollection: '1.0.0' + +info: + name: oauth1-testbench-yml + +bundled: false diff --git a/tests/auth/oauth1/init-user-data/preferences.json b/tests/auth/oauth1/init-user-data/preferences.json new file mode 100644 index 00000000000..a127ece2469 --- /dev/null +++ b/tests/auth/oauth1/init-user-data/preferences.json @@ -0,0 +1,10 @@ +{ + "maximized": false, + "lastOpenedCollections": ["{{collectionPath}}/bru", "{{collectionPath}}/yml"], + "preferences": { + "onboarding": { + "hasLaunchedBefore": true, + "hasSeenWelcomeModal": true + } + } +} diff --git a/tests/auth/oauth1/oauth1-runner.spec.ts b/tests/auth/oauth1/oauth1-runner.spec.ts new file mode 100644 index 00000000000..05fe5085fe2 --- /dev/null +++ b/tests/auth/oauth1/oauth1-runner.spec.ts @@ -0,0 +1,217 @@ +import fs from 'fs'; +import path from 'path'; +import { test, expect } from '../../../playwright'; +import { + sendRequestAndWaitForResponse, closeAllCollections, selectEnvironment, + openCollection, openRequest, selectResponsePaneTab +} from '../../utils/page'; +import { runCollection, validateRunnerResults } from '../../utils/page/runner'; + +// The test PEM file is gitignored (*.pem). Write it to both fixture directories +// at module load time so collectionFixturePath includes it when copying. + +const { TEST_RSA_PRIVATE_KEY } = require('../../../packages/bruno-tests/src/auth/oauth1'); + +const fixtureBase = path.join(__dirname, 'fixtures', 'collections'); +for (const subdir of ['bru', 'yml']) { + const pemPath = path.join(fixtureBase, subdir, 'test-private-key.pem'); + if (!fs.existsSync(pemPath)) { + fs.writeFileSync(pemPath, TEST_RSA_PRIVATE_KEY); + } +} + +const requests = [ + { name: 'OAuth1 HMAC-SHA1 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA1 401', status: 401 }, + { name: 'OAuth1 HMAC-SHA1 POST 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA1 Query Params 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA256 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA256 401', status: 401 }, + { name: 'OAuth1 HMAC-SHA512 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA512 401', status: 401 }, + { name: 'OAuth1 PLAINTEXT 200', status: 200 }, + { name: 'OAuth1 PLAINTEXT 401', status: 401 }, + { name: 'OAuth1 PLAINTEXT Query Params 200', status: 200 }, + { name: 'OAuth1 RSA-SHA1 200', status: 200 }, + { name: 'OAuth1 RSA-SHA1 Query Params 200', status: 200 }, + { name: 'OAuth1 RSA-SHA256 200', status: 200 }, + { name: 'OAuth1 RSA-SHA512 200', status: 200 }, + { name: 'OAuth1 RSA-SHA1 Variable Key 200', status: 200 }, + { name: 'OAuth1 RSA-SHA1 File Key 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA1 Body 200', status: 200 }, + { name: 'OAuth1 PLAINTEXT Body 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA256 Body 200', status: 200 }, + { name: 'OAuth1 RSA-SHA1 Body 200', status: 200 }, + { name: 'OAuth1 HMAC-SHA1 Body JSON 200', status: 200 } +]; + +const sendAllRequests = async (page, collectionName: string) => { + await openCollection(page, collectionName); + await selectEnvironment(page, 'Local', 'collection'); + + for (const { name, status } of requests) { + await test.step(name, async () => { + await openRequest(page, collectionName, name); + await sendRequestAndWaitForResponse(page, status); + }); + } +}; + +const runAndValidate = async (page, collectionName: string) => { + await runCollection(page, collectionName); + await validateRunnerResults(page, { + totalRequests: requests.length, + passed: requests.length, + failed: 0 + }); +}; + +/** + * After sending a request, switch to the Timeline tab, expand the latest timeline item, + * and return locators for the request URL and headers section. + */ +const openTimelineRequest = async (page) => { + await selectResponsePaneTab(page, 'Timeline'); + + // Click the first (latest) timeline item header to expand it + const timelineItem = page.locator('.timeline-item').first(); + await timelineItem.locator('.oauth-request-item-header').click(); + + return timelineItem; +}; + +const verifyAddParamsTo = async (page, collectionName: string, requestName: string, addParamsTo: 'header' | 'queryparams' | 'body') => { + await openRequest(page, collectionName, requestName); + await sendRequestAndWaitForResponse(page, 200); + + const timelineItem = await openTimelineRequest(page); + const content = timelineItem.locator('.timeline-item-content'); + + if (addParamsTo === 'header') { + await expect(content).toContainText('Authorization'); + await expect(content).toContainText('OAuth'); + } else if (addParamsTo === 'queryparams') { + const urlPre = content.locator('pre').first(); + await expect(urlPre).toContainText('oauth_consumer_key'); + } else { + // Body: oauth params should be in the request body, not in URL or Authorization header + const urlPre = content.locator('pre').first(); + await expect(urlPre).not.toContainText('oauth_consumer_key'); + // Body section is expanded by default — verify oauth params are in the body + await expect(content.locator('.collapsible-section').filter({ hasText: 'Body' })).toContainText('oauth_consumer_key'); + } +}; + +test.describe('OAuth 1.0 Runner', () => { + test.afterAll(async ({ pageWithUserData: page }) => { + await closeAllCollections(page); + }); + + test.describe('[bru]', () => { + test('Send individual requests', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await sendAllRequests(page, 'oauth1-testbench-bru'); + }); + + test('Run collection and verify all assertions pass', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await runAndValidate(page, 'oauth1-testbench-bru'); + }); + + test('Verify Add Params To placement via timeline', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await openCollection(page, 'oauth1-testbench-bru'); + await selectEnvironment(page, 'Local', 'collection'); + + await test.step('Header: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 HMAC-SHA1 200', 'header'); + }); + + await test.step('Query Params: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 HMAC-SHA1 Query Params 200', 'queryparams'); + }); + + await test.step('Query Params: PLAINTEXT', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 PLAINTEXT Query Params 200', 'queryparams'); + }); + + await test.step('Query Params: RSA-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 RSA-SHA1 Query Params 200', 'queryparams'); + }); + + await test.step('Body: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 HMAC-SHA1 Body 200', 'body'); + }); + + await test.step('Body: PLAINTEXT', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 PLAINTEXT Body 200', 'body'); + }); + + await test.step('Body: HMAC-SHA256', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 HMAC-SHA256 Body 200', 'body'); + }); + + await test.step('Body: RSA-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 RSA-SHA1 Body 200', 'body'); + }); + + await test.step('Body: HMAC-SHA1 JSON (non-form body)', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-bru', 'OAuth1 HMAC-SHA1 Body JSON 200', 'body'); + }); + }); + }); + + test.describe('[yml]', () => { + test('Send individual requests', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await sendAllRequests(page, 'oauth1-testbench-yml'); + }); + + test('Run collection and verify all assertions pass', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await runAndValidate(page, 'oauth1-testbench-yml'); + }); + + test('Verify Add Params To placement via timeline', async ({ pageWithUserData: page }) => { + test.setTimeout(3 * 60 * 1000); + await openCollection(page, 'oauth1-testbench-yml'); + await selectEnvironment(page, 'Local', 'collection'); + + await test.step('Header: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 HMAC-SHA1 200', 'header'); + }); + + await test.step('Query Params: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 HMAC-SHA1 Query Params 200', 'queryparams'); + }); + + await test.step('Query Params: PLAINTEXT', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 PLAINTEXT Query Params 200', 'queryparams'); + }); + + await test.step('Query Params: RSA-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 RSA-SHA1 Query Params 200', 'queryparams'); + }); + + await test.step('Body: HMAC-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 HMAC-SHA1 Body 200', 'body'); + }); + + await test.step('Body: PLAINTEXT', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 PLAINTEXT Body 200', 'body'); + }); + + await test.step('Body: HMAC-SHA256', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 HMAC-SHA256 Body 200', 'body'); + }); + + await test.step('Body: RSA-SHA1', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 RSA-SHA1 Body 200', 'body'); + }); + + await test.step('Body: HMAC-SHA1 JSON (non-form body)', async () => { + await verifyAddParamsTo(page, 'oauth1-testbench-yml', 'OAuth1 HMAC-SHA1 Body JSON 200', 'body'); + }); + }); + }); +}); diff --git a/tests/auth/oauth1/oauth1.spec.ts b/tests/auth/oauth1/oauth1.spec.ts new file mode 100644 index 00000000000..b3a4a6ceb61 --- /dev/null +++ b/tests/auth/oauth1/oauth1.spec.ts @@ -0,0 +1,158 @@ +import { test, expect } from '../../../playwright'; +import { + closeAllCollections, createCollection, createRequest, openRequest, + selectRequestPaneTab, saveRequest +} from '../../utils/page'; + +const label = (page, text: string) => page.locator('label').filter({ hasText: new RegExp(`^${text}$`) }); +const sectionLabel = (page, text: string) => page.locator('.oauth1-section-label').filter({ hasText: text }); +const dropdownItem = (page, text: string) => page.locator('.dropdown-item').filter({ hasText: text }); +const fieldRow = (page, text: string) => label(page, text).locator('..'); +const editorIn = (row) => row.locator('.single-line-editor-wrapper .CodeMirror'); + +const typeInField = async (page, fieldName: string, value: string) => { + await editorIn(fieldRow(page, fieldName)).click(); + await page.keyboard.type(value); +}; + +const selectAuthMode = async (page) => { + await page.locator('.auth-mode-label').click(); + await dropdownItem(page, 'OAuth 1.0').click(); +}; + +test.describe('OAuth 1.0 Authentication', () => { + test.afterAll(async ({ page }) => { + await closeAllCollections(page); + }); + + test('Request auth UI', async ({ page, createTmpDir }) => { + // Setup + await createCollection(page, 'oauth1-test', await createTmpDir()); + await createRequest(page, 'oauth1-request', 'oauth1-test', { url: 'https://example.com/api' }); + await openRequest(page, 'oauth1-test', 'oauth1-request'); + await selectRequestPaneTab(page, 'Auth'); + await selectAuthMode(page); + + // Sections + await test.step('Three sections are visible', async () => { + for (const name of ['Configuration', 'Signature', 'Advanced']) { + await expect(sectionLabel(page, name)).toBeVisible(); + } + }); + + // HMAC fields (top-level, always visible) + await test.step('HMAC mode shows correct fields', async () => { + for (const name of ['Consumer Key', 'Consumer Secret', 'Token', 'Token Secret']) { + await expect(label(page, name)).toBeVisible(); + } + await expect(label(page, 'Private Key')).not.toBeVisible(); + }); + + // Advanced section is collapsed by default + await test.step('Advanced fields are hidden by default', async () => { + for (const name of ['Callback URL', 'Verifier', 'Timestamp', 'Nonce', 'Version', 'Realm']) { + await expect(label(page, name)).not.toBeVisible(); + } + }); + + // Expand Advanced section + await test.step('Clicking Advanced expands the section', async () => { + await sectionLabel(page, 'Advanced').click(); + for (const name of ['Callback URL', 'Verifier', 'Timestamp', 'Nonce', 'Version', 'Realm']) { + await expect(label(page, name)).toBeVisible(); + } + }); + + // Signature method dropdown + await test.step('All 7 signature methods in dropdown', async () => { + const sigDropdown = fieldRow(page, 'Signature Method').locator('.oauth1-dropdown-selector'); + await sigDropdown.click(); + for (const method of ['HMAC-SHA1', 'HMAC-SHA256', 'HMAC-SHA512', 'RSA-SHA1', 'RSA-SHA256', 'RSA-SHA512', 'PLAINTEXT']) { + await expect(dropdownItem(page, method)).toBeVisible(); + } + }); + + // RSA mode toggles fields + await test.step('RSA mode shows Private Key, hides Consumer Secret', async () => { + await dropdownItem(page, 'RSA-SHA256').click(); + const sigDropdown = fieldRow(page, 'Signature Method').locator('.oauth1-dropdown-selector'); + await expect(sigDropdown.locator('.oauth1-dropdown-label')).toContainText('RSA-SHA256'); + await expect(label(page, 'Private Key')).toBeVisible(); + await expect(label(page, 'Consumer Secret')).not.toBeVisible(); + + // Private Key editor accepts input + const pkEditor = page.locator('.private-key-editor-wrapper .CodeMirror'); + await expect(pkEditor).toBeVisible(); + await pkEditor.click(); + await page.keyboard.type('test-private-key'); + + // Switch back to HMAC-SHA1 + await sigDropdown.click(); + await dropdownItem(page, 'HMAC-SHA1').click(); + await expect(label(page, 'Consumer Secret')).toBeVisible(); + await expect(label(page, 'Private Key')).not.toBeVisible(); + }); + + // Collapse and re-expand Advanced + await test.step('Clicking Advanced again collapses the section', async () => { + await sectionLabel(page, 'Advanced').click(); + await expect(label(page, 'Callback URL')).not.toBeVisible(); + await expect(label(page, 'Timestamp')).not.toBeVisible(); + + // Re-expand for subsequent steps + await sectionLabel(page, 'Advanced').click(); + await expect(label(page, 'Callback URL')).toBeVisible(); + }); + + // Fill fields + await test.step('Fill form fields', async () => { + await typeInField(page, 'Consumer Key', 'my-consumer-key'); + await typeInField(page, 'Token', 'my-token'); + await typeInField(page, 'Timestamp', '1234567890'); + }); + + // Add Params To dropdown + await test.step('Add Params To dropdown cycles options', async () => { + const apDropdown = fieldRow(page, 'Add Params To').locator('.oauth1-dropdown-selector'); + await expect(apDropdown.locator('.oauth1-dropdown-label')).toContainText('Header'); + await apDropdown.click(); + await dropdownItem(page, 'Query Params').click(); + await expect(apDropdown.locator('.oauth1-dropdown-label')).toContainText('Query Params'); + await apDropdown.click(); + await dropdownItem(page, 'Header').click(); + }); + + // Include Body Hash checkbox + await test.step('Include Body Hash checkbox toggles', async () => { + const checkbox = page.locator('input[type="checkbox"]'); + const bodyHashLabel = page.locator('label').filter({ hasText: 'Include Body Hash' }); + await expect(checkbox).not.toBeChecked(); + await bodyHashLabel.click(); + await expect(checkbox).toBeChecked(); + await bodyHashLabel.click(); + await expect(checkbox).not.toBeChecked(); + }); + + await saveRequest(page); + }); + + test('Collection settings auth', async ({ page }) => { + const collectionRow = page.getByTestId('collections').locator('#sidebar-collection-name').filter({ hasText: 'oauth1-test' }); + await collectionRow.click(); + await page.locator('.tab.auth').click(); + await selectAuthMode(page); + + await test.step('Sections are visible, Advanced collapsed by default', async () => { + for (const name of ['Configuration', 'Signature', 'Advanced']) { + await expect(sectionLabel(page, name)).toBeVisible(); + } + // Advanced fields hidden by default + await expect(label(page, 'Callback URL')).not.toBeVisible(); + }); + + await test.step('Fill and save', async () => { + await typeInField(page, 'Consumer Key', 'collection-consumer-key'); + await page.getByRole('button', { name: 'Save' }).click(); + }); + }); +}); diff --git a/tests/utils/page/actions.ts b/tests/utils/page/actions.ts index 295fe1dc9f2..823d8003883 100644 --- a/tests/utils/page/actions.ts +++ b/tests/utils/page/actions.ts @@ -766,14 +766,13 @@ const getResponseBody = async (page: Page): Promise => { return await page.locator('.response-pane').innerText(); }; -const selectRequestPaneTab = async (page: Page, tabName: string) => { - await test.step(`Wait for request to open up "${tabName}"`, async () => { - const requestPane = page.locator('.request-pane > .px-4'); - await expect(requestPane).toBeVisible(); - await expect(requestPane.locator('.tabs')).toBeVisible(); - }); - await test.step(`Select request pane tab "${tabName}"`, async () => { - const visibleTab = page.locator('.tabs').getByRole('tab', { name: tabName }); +const selectPaneTab = async (page: Page, paneSelector: string, tabName: string) => { + await test.step(`Select tab "${tabName}" in ${paneSelector}`, async () => { + const pane = page.locator(paneSelector); + await expect(pane).toBeVisible(); + await expect(pane.locator('.tabs')).toBeVisible(); + + const visibleTab = pane.locator('.tabs').getByRole('tab', { name: tabName }); // Check if tab is directly visible if (await visibleTab.isVisible()) { @@ -782,23 +781,30 @@ const selectRequestPaneTab = async (page: Page, tabName: string) => { return; } - const overflowButton = page.locator('.tabs .more-tabs'); + const overflowButton = pane.locator('.tabs .more-tabs'); // Check if there's an overflow dropdown if (await overflowButton.isVisible()) { await overflowButton.click(); - // Wait for dropdown to appear and click the menu item (overflow tabs are rendered as menuitems) + // Wait for dropdown to appear and click the menu item const dropdownItem = page.locator('.tippy-box .dropdown-item').filter({ hasText: tabName }); await dropdownItem.click(); await expect(visibleTab).toContainClass('active'); return; } - // If neither found, fail with a helpful message throw new Error(`Tab "${tabName}" not found in visible tabs or overflow dropdown`); }); }; +const selectResponsePaneTab = async (page: Page, tabName: string) => { + await selectPaneTab(page, '.response-pane', tabName); +}; + +const selectRequestPaneTab = async (page: Page, tabName: string) => { + await selectPaneTab(page, '.request-pane > .px-4', tabName); +}; + /** * Verify response contains specific text * @param page - The page object @@ -1036,6 +1042,7 @@ export { getResponseBody, expectResponseContains, selectRequestPaneTab, + selectResponsePaneTab, sendRequestAndWaitForResponse, switchResponseFormat, switchToPreviewTab,