diff options
| author | Chocolate Pie <106949016+chocolate-pie@users.noreply.github.com> | 2023-12-27 15:08:59 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-27 15:08:59 +0900 |
| commit | c96bc36fedc804dc840ea791a9355d7df0748e64 (patch) | |
| tree | 127f0cc1478cb0248aa03b39e07f051423244c6c /packages/backend/test/e2e/api.ts | |
| parent | chore(frontend): update team members (diff) | |
| download | misskey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.gz misskey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.bz2 misskey-c96bc36fedc804dc840ea791a9355d7df0748e64.zip | |
Merge pull request from GHSA-7pxq-6xx9-xpgm
* fix: fix improper authorization when accessing with third-party application
* refactor: refactor type definitions
* fix: get rid of unnecessary access limitation
* enhance: サードパーティアプリケーションがWebsocket APIを使えるように
* fix: add missing parentheses
* Revert "fix(backend): add missing kind definition for admin endpoints to improve security"
This reverts commit 5150053275594278e9eb23e72d98b16593c4c230.
* frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする
* enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加
* enhance(test): Websocket APIに対するテストも追加
* enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合
* fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正
* enhance(backend): Websocketの接続に最低限必要な権限を変更
* fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように
* fix(backend): エンドポイントにアクセスするために必要な権限を変更
* fix(frontend/locale): Add missing type declaration
* chore: update `misskey-js/src/autogen`
---------
Co-authored-by: tamaina <tamaina@hotmail.co.jp>
Diffstat (limited to 'packages/backend/test/e2e/api.ts')
| -rw-r--r-- | packages/backend/test/e2e/api.ts | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/packages/backend/test/e2e/api.ts b/packages/backend/test/e2e/api.ts index 15da74931d..cf24228b83 100644 --- a/packages/backend/test/e2e/api.ts +++ b/packages/backend/test/e2e/api.ts @@ -7,7 +7,7 @@ process.env.NODE_ENV = 'test'; import * as assert from 'assert'; import { IncomingMessage } from 'http'; -import { signup, api, startServer, successfulApiCall, failedApiCall, uploadFile, waitFire, connectStream, relativeFetch } from '../utils.js'; +import { signup, api, startServer, successfulApiCall, failedApiCall, uploadFile, waitFire, connectStream, relativeFetch, createAppToken } from '../utils.js'; import type { INestApplicationContext } from '@nestjs/common'; import type * as misskey from 'misskey-js'; @@ -89,6 +89,11 @@ describe('API', () => { }); test('管理者専用のAPIのアクセス制限', async () => { + const application = await createAppToken(alice, ['read:account']); + const application2 = await createAppToken(alice, ['read:admin:index-stats']); + const application3 = await createAppToken(bob, []); + const application4 = await createAppToken(bob, ['read:admin:index-stats']); + // aliceは管理者、APIを使える await successfulApiCall({ endpoint: '/admin/get-index-stats', @@ -128,6 +133,42 @@ describe('API', () => { code: 'AUTHENTICATION_FAILED', id: 'b0a7f5f8-dc2f-4171-b91f-de88ad238e14', }); + + await successfulApiCall({ + endpoint: '/admin/get-index-stats', + parameters: {}, + user: { token: application2 }, + }); + + await failedApiCall({ + endpoint: '/admin/get-index-stats', + parameters: {}, + user: { token: application }, + }, { + status: 403, + code: 'PERMISSION_DENIED', + id: '1370e5b7-d4eb-4566-bb1d-7748ee6a1838', + }); + + await failedApiCall({ + endpoint: '/admin/get-index-stats', + parameters: {}, + user: { token: application3 }, + }, { + status: 403, + code: 'ROLE_PERMISSION_DENIED', + id: 'c3d38592-54c0-429d-be96-5636b0431a61', + }); + + await failedApiCall({ + endpoint: '/admin/get-index-stats', + parameters: {}, + user: { token: application4 }, + }, { + status: 403, + code: 'ROLE_PERMISSION_DENIED', + id: 'c3d38592-54c0-429d-be96-5636b0431a61', + }); }); describe('Authentication header', () => { |