Support POST requests to userinfo endpoint

2024-10-19 01:01:23 +09:00 · 2024-10-16 21:28:08 +02:00 · 2024-10-16 21:28:08 +02:00 · 928c78ff4a
commit 928c78ff4a
parent d01391c358
3 changed files with 32 additions and 13 deletions
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@ -23,7 +23,7 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
               methods: %i(post put delete get patch options)
      resource '/oauth/token', methods: [:post]
      resource '/oauth/revoke', methods: [:post]
-      resource '/oauth/userinfo', methods: [:get]
+      resource '/oauth/userinfo', methods: [:get, :post]
    end
  end
 end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -66,6 +66,10 @@ Rails.application.routes.draw do

  namespace :oauth do
    get 'userinfo', to: 'userinfo#show', defaults: { format: 'json' }
+    # As this is borrowed from OpenID, the specification says we must also support
+    # POST for the userinfo endpoint:
+    # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+    post 'userinfo', to: 'userinfo#show', defaults: { format: 'json' }
  end

  scope path: '.well-known' do
--- a/spec/requests/oauth/userinfo_spec.rb
+++ b/spec/requests/oauth/userinfo_spec.rb
@ -5,19 +5,13 @@ require 'rails_helper'
 RSpec.describe 'Oauth Userinfo Endpoint' do
  include RoutingHelper

-  describe 'GET /oauth/userinfo' do
-    subject do
-      get '/oauth/userinfo', headers: headers
-    end
-
-    let(:user)     { Fabricate(:user) }
-    let(:account)  { user.account }
-    let(:token)    { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
-    let(:scopes)   { 'profile' }
-    let(:headers)  { { 'Authorization' => "Bearer #{token.token}" } }
-
-    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+  let(:user)     { Fabricate(:user) }
+  let(:account)  { user.account }
+  let(:token)    { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
+  let(:scopes)   { 'profile' }
+  let(:headers)  { { 'Authorization' => "Bearer #{token.token}" } }

+  shared_examples 'returns successfully' do
    it 'returns http success' do
      subject

@ -33,4 +27,25 @@ RSpec.describe 'Oauth Userinfo Endpoint' do
      })
    end
  end
+
+  describe 'GET /oauth/userinfo' do
+    subject do
+      get '/oauth/userinfo', headers: headers
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+    it_behaves_like 'returns successfully'
+  end
+
+  # As this is borrowed from OpenID, the specification says we must also support
+  # POST for the userinfo endpoint:
+  # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+  describe 'POST /oauth/userinfo' do
+    subject do
+      post '/oauth/userinfo', headers: headers
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+    it_behaves_like 'returns successfully'
+  end
 end