@@ -9,6 +9,23 @@ class OrcidControllerTest < ActionController::TestCase
99 post :authenticate
1010
1111 assert_redirected_to /https:\/\/sandbox\.orcid\.org\/oauth\/authorize\?.+/
12+ params = Rack::Utils.parse_query(URI.parse(response.location).query)
13+ assert_equal "#{TeSS::Config.base_url}/orcid/callback", params['redirect_uri']
14+ assert_nil params['state']
15+ end
16+
17+ test 'authenticating orcid in space uses root app redirect URI and sets space state' do
18+ plant_space = spaces(:plants)
19+ with_host(plant_space.host) do
20+ sign_in users(:regular_user)
21+
22+ post :authenticate
23+
24+ assert_redirected_to /https:\/\/sandbox\.orcid\.org\/oauth\/authorize\?.+/
25+ params = Rack::Utils.parse_query(URI.parse(response.location).query)
26+ assert_equal "#{TeSS::Config.base_url}/orcid/callback", params['redirect_uri']
27+ assert_equal "space_id:#{plant_space.id}", params['state']
28+ end
1229 end
1330
1431 test 'do not authenticate orcid if user not logged-in' do
@@ -148,4 +165,61 @@ class OrcidControllerTest < ActionController::TestCase
148165 end
149166 end
150167 end
168+
169+ test 'redirect to subdomain space in callback' do
170+ space = spaces(:astro)
171+ space.update!(host: 'space.example.com')
172+ mock_images
173+ user = users(:regular_user)
174+ assert user.profile.orcid.blank?
175+ sign_in user
176+
177+ VCR.use_cassette('orcid/get_token_free_orcid') do
178+ get :callback, params: { code: '123xyz', state: "space_id:#{space.id}" }
179+ end
180+
181+ profile = user.profile.reload
182+ assert_equal '0009-0006-0987-5702', profile.orcid
183+ assert profile.orcid_authenticated?
184+ assert_redirected_to user_url(user, host: 'space.example.com')
185+ assert response.headers['Location'].starts_with?('http://space.example.com/users/')
186+ assert flash[:error].blank?
187+ end
188+
189+ test 'do not redirect to non-subdomain space in callback' do
190+ space = spaces(:astro)
191+ space.update!(host: 'space.golf.com')
192+ mock_images
193+ user = users(:regular_user)
194+ assert user.profile.orcid.blank?
195+ sign_in user
196+
197+ VCR.use_cassette('orcid/get_token_free_orcid') do
198+ get :callback, params: { code: '123xyz', state: "space_id:#{space.id}" }
199+ end
200+
201+ profile = user.profile.reload
202+ assert_equal '0009-0006-0987-5702', profile.orcid
203+ assert profile.orcid_authenticated?
204+ assert_redirected_to user
205+ refute response.headers['Location'].starts_with?('http://space.golf.com/users/')
206+ assert flash[:error].blank?
207+ end
208+
209+ test 'ignore bad space when redirecting in callback' do
210+ mock_images
211+ user = users(:regular_user)
212+ assert user.profile.orcid.blank?
213+ sign_in user
214+
215+ VCR.use_cassette('orcid/get_token_free_orcid') do
216+ get :callback, params: { code: '123xyz', state: "space_id:banana🍌" }
217+ end
218+
219+ profile = user.profile.reload
220+ assert_equal '0009-0006-0987-5702', profile.orcid
221+ assert profile.orcid_authenticated?
222+ assert_redirected_to user
223+ assert flash[:error].blank?
224+ end
151225end
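Review bot: The `state` parameter is used only as a routing hint (`space_id:N`), and the new assertion `assert_nil params['state']` at line 14 pins that no state is sent at all outside a space, so nothing binds the callback to the session that started the flow; the callback tests likewise accept any `state` string alongside a fixed `code`. OAuth 2.0 (RFC 6749 §10.12) relies on an unguessable, session-bound `state` to stop an attacker from completing the flow with their own authorization code and linking their ORCID to a victim's account. Consider carrying a session nonce in `state` alongside the space id (e.g. `"#{nonce}:space_id:#{id}"`) and rejecting the callback on mismatch, with tests such as `assert_not_nil params['state']` and a callback test where a mismatched state leaves `profile.orcid` blank. Because `state` is attacker-controllable, the host check exercised by 'do not redirect to non-subdomain space in callback' is presumably the only thing preventing an open redirect, so a test with a host like `space.example.com.evil.com` would pin that the check is a domain-suffix match rather than a substring match. The controller under test is not in this diff, so the exact callback validation is inferred from the tests.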