Add tests to ensure that the operation cannot be modified during inte…

…ractive auth.
matrix-org · Mar 26, 2020 · 7a4929c · 7a4929c
1 parent 07884c2
commit 7a4929c
Showing 1 changed file with 58 additions and 0 deletions.
diff --git a/tests/10apidoc/12device_management.pl b/tests/10apidoc/12device_management.pl
@@ -335,3 +335,61 @@ sub matrix_delete_device {
          matrix_delete_device( $user, $DEVICE_ID, undef );
       })->main::expect_http_401;
   };
+
+
+test "The deleted device must be consistent through an interactive auth session",
+   requires => [ local_user_fixture( with_events => 0 ) ],
+
+   do => sub {
+      my ( $user ) = @_;
+
+      my $DEVICE_ID = "login_device";
+      my $SECOND_DEVICE_ID = "second_device";
+
+      # Create two devices.
+      matrix_login_again_with_user(
+         $user,
+         device_id => $DEVICE_ID,
+         initial_device_display_name => "device display",
+      )->then( sub {
+         matrix_login_again_with_user(
+            $user,
+            device_id => $SECOND_DEVICE_ID,
+            initial_device_display_name => "device display",
+         )
+      })->then( sub {
+         # Initiate the interactive authentication session with the first device.
+         matrix_delete_device( $user, $DEVICE_ID, {} );
+      })->main::expect_http_401->then( sub {
+         my ( $resp ) = @_;
+
+         my $body = decode_json $resp->content;
+
+         log_if_fail( "Response to empty body", $body );
+
+         assert_json_keys( $body, qw( session params flows ));
+
+         # Continue the interactive authentication session (by providing
+         # credentials), but attempt to delete the second device.
+         matrix_delete_device( $user, $SECOND_DEVICE_ID, {
+             auth => {
+                type     => "m.login.password",
+                user     => $user->user_id,
+                password => $user->password,
+                session  => $body->{session},
+             }
+         })->main::expect_http_403;
+      })->then( sub {
+         # The device delete was rejected (the device should still exist).
+         matrix_get_device( $user, $SECOND_DEVICE_ID );
+      })->then( sub {
+         my ( $device ) = @_;
+         assert_json_keys(
+            $device,
+            qw( device_id user_id display_name ),
+         );
+         assert_eq( $device->{device_id}, $SECOND_DEVICE_ID );
+         assert_eq( $device->{display_name}, "device display" );
+         Future->done( 1 );
+      });
+   };