-rw-r--r-- | lib/matrix_app_service/phoenix/router.ex | 2 | ||||
-rw-r--r-- | lib/matrix_app_service_web/auth_plug.ex (renamed from lib/matrix_app_service/auth_plug.ex) | 15 | ||||
-rw-r--r-- | test/matrix_app_service/client.ex | 4 | ||||
-rw-r--r-- | test/matrix_app_service_web/auth_plug_test.exs | 53 |
4 files changed, 70 insertions, 4 deletions
diff --git a/lib/matrix_app_service/phoenix/router.ex b/lib/matrix_app_service/phoenix/router.ex index 2a4aba6..b3e6c8f 100644 --- a/lib/matrix_app_service/phoenix/router.ex +++ b/lib/matrix_app_service/phoenix/router.ex @@ -3,7 +3,7 @@ defmodule MatrixAppService.Phoenix.Router do quote do pipeline :matrix_api do plug :accepts, ["json"] - plug MatrixAppService.AuthPlug + plug MatrixAppServiceWeb.AuthPlug end path = Application.compile_env(:matrix_app_service, :path, "/") diff --git a/lib/matrix_app_service/auth_plug.ex b/lib/matrix_app_service_web/auth_plug.ex index 8adbc91..2d2ae23 100644 --- a/lib/matrix_app_service/auth_plug.ex +++ b/lib/matrix_app_service_web/auth_plug.ex @@ -1,15 +1,24 @@ -defmodule MatrixAppService.AuthPlug do +defmodule MatrixAppServiceWeb.AuthPlug do + @moduledoc """ + This Plug implements the Application Service authorization, + as described here: + + https://matrix.org/docs/spec/application_service/r0.1.2#authorization + """ + @behaviour Plug import Plug.Conn require Logger + @doc false @impl Plug def init(opts) do opts end + @doc false @impl Plug - def call(%Plug.Conn{params: %{"access_token" => hs_token}} = conn, _) do + def call(%Plug.Conn{params: %{"access_token" => hs_token}} = conn, _opts) do config_hs_token = Application.fetch_env!(:matrix_app_service, :homeserver_token) with ^config_hs_token <- hs_token do @@ -21,7 +30,7 @@ defmodule MatrixAppService.AuthPlug do end end - def call(conn, _config_hs_token) do + def call(conn, _opts) do Logger.warn("No homeserver token provided") respond_error(conn, 401) end diff --git a/test/matrix_app_service/client.ex b/test/matrix_app_service/client.ex new file mode 100644 index 0000000..37d2225 --- /dev/null +++ b/test/matrix_app_service/client.ex @@ -0,0 +1,4 @@ +defmodule MatrixAppService.ClientTest do + use ExUnit.Case + use Plug.Test +end diff --git a/test/matrix_app_service_web/auth_plug_test.exs b/test/matrix_app_service_web/auth_plug_test.exs new file mode 100644 index 0000000..1293cec 
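Review bot: In the first auth_plug.ex hunk, the context line `with ^config_hs_token <- hs_token do` checks the homeserver token with a pinned pattern match, which is an ordinary term comparison and not a constant-time one. For a shared secret taken from request parameters, a comparison whose duration does not depend on how many leading bytes match is the safer choice, for example `with true <- is_binary(hs_token) and Plug.Crypto.secure_compare(hs_token, config_hs_token) do`. The `is_binary/1` check matters because a parameter such as `access_token[]=x` arrives as a list, and `secure_compare/2` accepts binaries only. The body of `call/2` continues outside this hunk, so any `else` clauses that match on the rejected value would need adjusting to match.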
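Review bot: The new file `test/matrix_app_service/client.ex` defines `MatrixAppService.ClientTest`, but its name does not match Mix's default test pattern `*_test.exs`, so `mix test` will presumably never load it unless the project overrides `test_pattern`. Renaming it to `client_test.exs` would make the module run once tests are added. As committed it holds only the two `use` lines and no test cases.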
--- /dev/null +++ b/test/matrix_app_service_web/auth_plug_test.exs @@ -0,0 +1,53 @@ +defmodule MatrixAppServiceWeb.AuthPlugTest do + use ExUnit.Case + use Plug.Test + + import ExUnit.CaptureLog + + test "call with correct acces token returns conn unchanged" do + Application.put_env(:matrix_app_service, :homeserver_token, "test_token") + + conn = conn(:get, "/users/2", %{"access_token" => "test_token"}) + + assert MatrixAppServiceWeb.AuthPlug.call(conn, nil) == conn + end + + test "call with incorrect access token halts with error 403" do + Application.put_env(:matrix_app_service, :homeserver_token, "test_token") + + conn = + conn(:get, "/users/2", %{"access_token" => "incorrect_token"}) + |> MatrixAppServiceWeb.AuthPlug.call(nil) + + assert conn.status == 403 + assert conn.private[:phoenix_template] == "403.json" + assert conn.private[:phoenix_view] == MatrixAppServiceWeb.ErrorView + assert conn.halted == true + end + + test "call with incorrect access token gets logged" do + Application.put_env(:matrix_app_service, :homeserver_token, "test_token") + conn = conn(:get, "/users/2", %{"access_token" => "incorrect_token"}) + + assert capture_log(fn -> MatrixAppServiceWeb.AuthPlug.call(conn, nil) end) =~ + "Received invalid homeserver token" + end + + test "call without access token halts with error 401" do + conn = + conn(:get, "/users/2") + |> MatrixAppServiceWeb.AuthPlug.call(nil) + + assert conn.status == 401 + assert conn.private[:phoenix_template] == "401.json" + assert conn.private[:phoenix_view] == MatrixAppServiceWeb.ErrorView + assert conn.halted == true + end + + test "call without access token gets logged" do + conn = conn(:get, "user/3") + + assert capture_log(fn -> MatrixAppServiceWeb.AuthPlug.call(conn, nil) end) =~ + "No homeserver token provided" + end +end |
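Review bot: Three of these tests call `Application.put_env(:matrix_app_service, :homeserver_token, "test_token")` inline and never restore the earlier value, so the token leaks into every test module that runs afterwards in the same VM. A `setup` block that records the previous value and restores it in `on_exit` would keep the authentication config isolated and remove the repetition. The suite would also benefit from a case where `access_token` is not a string (for example a list from `access_token[]=x`), asserting a 403 rather than a crash. The first test name has a typo: "acces" should be "access".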