
rest-api-blueprint / restapiblueprint / features / oauth.feature

Feature: Two-legged OAuth
  As an API client
  I expect to be able to authenticate using two-legged OAuth

  Background: Set server name and reset database
    Given I am using server "http://localhost:5000/v1"
    And I set Accept header to "application/json"
    When I send a DELETE request to "people"
    Then the response status should be "200"

  Scenario: Cannot access a restricted URL without any authentication
    When I send a GET request to "private"
    Then the response status should be "401"
    And the WWW-Authenticate header should be "OAuth"

  Scenario: Can access a restricted URL with query OAuth
    Given I use query OAuth with key="akey" and secret="asecret"
    When I send a GET request to "private"
    Then the response status should be "200"

  Scenario: Cannot access a restricted URL with query OAuth and wrong secret
    Given I use query OAuth with key="akey" and secret="wrong_asecret"
    When I send a GET request to "private"
    Then the response status should be "401"

  Scenario: Cannot access a restricted URL with query OAuth and wrong key
    Given I use query OAuth with key="wrong_akey" and secret="asecret"
    When I send a GET request to "private"
    Then the response status should be "401"

  Scenario: Can access a restricted URL with header OAuth
    Given I use header OAuth with key="akey" and secret="asecret"
    When I send a GET request to "private"
    Then the response status should be "200"

  Scenario: Cannot access a restricted URL with header OAuth and wrong secret
    Given I use header OAuth with key="akey" and secret="wrong_asecret"
    When I send a GET request to "private"
    Then the response status should be "401"

  Scenario: Cannot access a restricted URL with header OAuth and wrong key
    Given I use header OAuth with key="wrong_akey" and secret="asecret"
    When I send a GET request to "private"
    Then the response status should be "401"

  Scenario: Cannot access a restricted URL with right key but wrong capabilities
    Given I use header OAuth with key="akey" and secret="asecret"
    When I send a POST request to "private"
    Then the response status should be "403"
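
The status codes these scenarios expect, as an added Python sketch of a server-side check; it is not code from rest-api-blueprint. Assumptions: OAuth 1.0 HMAC-SHA1 signing (RFC 5849) with an empty token secret, a constructed consumer store in which "akey" may only GET, and hypothetical helper names throughout.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

# Constructed consumer store (assumption): key -> (secret, allowed methods).
CONSUMERS = {"akey": ("asecret", {"GET"})}

def _enc(s):
    return quote(str(s), safe="-._~")  # RFC 5849 percent-encoding

def sign(method, url, params, secret):
    """HMAC-SHA1 over the RFC 5849 base string; empty token secret (two-legged)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k not in ("oauth_signature", "realm"))
    base = "&".join([method.upper(), _enc(url),
                     _enc("&".join(f"{k}={v}" for k, v in pairs))])
    mac = hmac.new(f"{_enc(secret)}&".encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def parse_auth_header(value):
    """Return the parameters of an 'OAuth k="v", ...' Authorization header."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "oauth":
        return {}
    items = (i.strip().partition("=") for i in rest.split(","))
    return {unquote(k): unquote(v.strip('"')) for k, _, v in items}

def authorize(method, url, query=None, auth_header=None):
    """Return (status, headers) for a request to the restricted resource."""
    params = dict(query or {})
    params.update(parse_auth_header(auth_header or ""))
    secret, methods = CONSUMERS.get(params.get("oauth_consumer_key"), (None, set()))
    # Sign even for unknown keys so both failure paths do the same work.
    expected = sign(method, url, params, secret or "dummy")
    ok = hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode())
    if secret is None or not ok:
        return 401, {"WWW-Authenticate": "OAuth"}   # not authenticated
    if method.upper() not in methods:
        return 403, {}                               # authenticated, not allowed
    return 200, {}  # nonce/timestamp replay checks are omitted here

def client_params(key, secret, method, url):
    """Client side: build signed oauth_* parameters (constructed nonce/timestamp)."""
    p = {"oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": "1700000000", "oauth_nonce": "constructed-nonce"}
    p["oauth_signature"] = sign(method, url, p, secret)
    return p

def to_header(p):
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in p.items())
```

Because the HTTP method is part of the signed base string, a signature captured from a GET fails verification when replayed on a POST and yields 401, while a correctly signed POST from a GET-only consumer yields 403.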