fix handling of app domain names that aren't url-like, added error responses, and test cases for origin rejections

2026-04-24 03:45:38 +08:00 · 2017-07-17 16:07:17 -04:00
parent 29bdb81221
commit dc5ef3718f
2 changed files with 59 additions and 6 deletions
--- a/integration_tests/blockstack_integration_tests/live_tests/api_tests.py
+++ b/integration_tests/blockstack_integration_tests/live_tests/api_tests.py
@@ -135,7 +135,7 @@ class PingTest(APITestCase):
        self.assertTrue(data['status'] == 'alive')

 class AuthInternal(APITestCase):
-    def test_get_and_use_session_token(self):
+    def test_get_and_use_session_token_domain(self):
        privkey = ("a28ea1a6f11fb1c755b1d102990d64d6" +
                   "b4468c10705bbcbdfca8bc4497cf8da8")

@@ -152,12 +152,55 @@ class AuthInternal(APITestCase):

        url = "/v1/auth?authRequest={}".format(package)
        data = self.get_request(url, headers = auth_header, status_code=200)
+
        self.assertIn('token', data)
        session = data['token']

        auth_header = get_auth_header(session)
+
+        # test wrong origin
+        data = self.get_request('/v1/wallet/payment_address',
+                                headers = auth_header, status_code=403)
+        # test correct origin
+        auth_header['Origin'] = 'http://test.com'
        data = self.get_request('/v1/wallet/payment_address',
                                headers = auth_header, status_code=200)
+
+        data = self.get_request('/v1/users/muneeb.id',
+                                headers = auth_header, status_code=403)
+        self.assertIn('error', data)
+
+    def test_get_and_use_session_token_url(self):
+        privkey = ("a28ea1a6f11fb1c755b1d102990d64d6" +
+                   "b4468c10705bbcbdfca8bc4497cf8da8")
+
+        # test support for the development UI port as well (3000)
+        auth_header = get_auth_header(port = 3000)
+        request = {
+            'app_domain': 'http://test.com',
+            'app_public_key': blockstack_client.keys.get_pubkey_hex(privkey),
+            'methods': ['wallet_read'],
+        }
+
+        signer = jsontokens.TokenSigner()
+        package = signer.sign(request, privkey)
+
+        url = "/v1/auth?authRequest={}".format(package)
+        data = self.get_request(url, headers = auth_header, status_code=200)
+
+        self.assertIn('token', data)
+        session = data['token']
+
+        auth_header = get_auth_header(session)
+
+        # test wrong origin
+        data = self.get_request('/v1/wallet/payment_address',
+                                headers = auth_header, status_code=403)
+        # test correct origin
+        auth_header['Origin'] = 'http://test.com'
+        data = self.get_request('/v1/wallet/payment_address',
+                                headers = auth_header, status_code=200)
+
        data = self.get_request('/v1/users/muneeb.id',
                                headers = auth_header, status_code=403)
        self.assertIn('error', data)