4 files changed, 63 insertions, 27 deletions
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
index 1b3aa85b6..85105f968 100644
--- a/test/plugs/oauth_scopes_plug_test.exs
+++ b/test/plugs/oauth_scopes_plug_test.exs
@@ -7,6 +7,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
 
   alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
   alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.Plugs.PlugHelper
   alias Pleroma.Repo
 
   import Mock
@@ -16,6 +17,18 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
     :ok
   end
 
+  test "is not performed if marked as skipped", %{conn: conn} do
+    with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do
+      conn =
+        conn
+        |> PlugHelper.append_to_skipped_plugs(OAuthScopesPlug)
+        |> OAuthScopesPlug.call(%{scopes: ["random_scope"]})
+
+      refute called(OAuthScopesPlug.perform(:_, :_))
+      refute conn.halted
+    end
+  end
+
   test "if `token.scopes` fulfills specified 'any of' conditions, " <>
          "proceeds with no op",
        %{conn: conn} do
diff --git a/test/web/auth/oauth_test_controller_test.exs b/test/web/auth/oauth_test_controller_test.exs
new file mode 100644
index 000000000..a2f6009ac
--- /dev/null
+++ b/test/web/auth/oauth_test_controller_test.exs
@@ -0,0 +1,49 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Tests.OAuthTestControllerTest do
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  setup %{conn: conn} do
+    user = insert(:user)
+    conn = assign(conn, :user, user)
+    %{conn: conn, user: user}
+  end
+
+  test "missed_oauth", %{conn: conn} do
+    res =
+      conn
+      |> get("/test/authenticated_api/missed_oauth")
+      |> json_response(403)
+
+    assert res ==
+             %{
+               "error" =>
+                 "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
+             }
+  end
+
+  test "skipped_oauth", %{conn: conn} do
+    conn
+    |> assign(:token, nil)
+    |> get("/test/authenticated_api/skipped_oauth")
+    |> json_response(200)
+  end
+
+  test "performed_oauth", %{user: user} do
+    %{conn: good_token_conn} = oauth_access(["read"], user: user)
+
+    good_token_conn
+    |> get("/test/authenticated_api/performed_oauth")
+    |> json_response(200)
+
+    %{conn: bad_token_conn} = oauth_access(["follow"], user: user)
+
+    bad_token_conn
+    |> get("/test/authenticated_api/performed_oauth")
+    |> json_response(403)
+  end
+end
diff --git a/test/web/mastodon_api/controllers/suggestion_controller_test.exs b/test/web/mastodon_api/controllers/suggestion_controller_test.exs
index c697a39f8..8d0e70db8 100644
--- a/test/web/mastodon_api/controllers/suggestion_controller_test.exs
+++ b/test/web/mastodon_api/controllers/suggestion_controller_test.exs
@@ -7,34 +7,8 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
 
   alias Pleroma.Config
 
-  import Pleroma.Factory
-  import Tesla.Mock
-
   setup do: oauth_access(["read"])
 
-  setup %{user: user} do
-    other_user = insert(:user)
-    host = Config.get([Pleroma.Web.Endpoint, :url, :host])
-    url500 = "http://test500?#{host}&#{user.nickname}"
-    url200 = "http://test200?#{host}&#{user.nickname}"
-
-    mock(fn
-      %{method: :get, url: ^url500} ->
-        %Tesla.Env{status: 500, body: "bad request"}
-
-      %{method: :get, url: ^url200} ->
-        %Tesla.Env{
-          status: 200,
-          body:
-            ~s([{"acct":"yj455","avatar":"https://social.heldscal.la/avatar/201.jpeg","avatar_static":"https://social.heldscal.la/avatar/s/201.jpeg"}, {"acct":"#{
-              other_user.ap_id
-            }","avatar":"https://social.heldscal.la/avatar/202.jpeg","avatar_static":"https://social.heldscal.la/avatar/s/202.jpeg"}])
-        }
-    end)
-
-    [other_user: other_user]
-  end
-
   test "returns empty result", %{conn: conn} do
     res =
       conn
diff --git a/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs b/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
index 32250f06f..8f0cbe9b2 100644
--- a/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
+++ b/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
@@ -203,7 +203,7 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
   test "POST /api/v1/pleroma/conversations/read" do
     user = insert(:user)
-    %{user: other_user, conn: conn} = oauth_access(["write:notifications"])
+    %{user: other_user, conn: conn} = oauth_access(["write:conversations"])
 
     {:ok, _activity} =
       CommonAPI.post(user, %{"status" => "Hi @#{other_user.nickname}", "visibility" => "direct"})