1
1
Fork 0
mirror of https://code.mensbeam.com/MensBeam/Arsse.git synced 2025-01-10 18:02:40 +00:00

Last set of tests for IndieAuth

This commit is contained in:
J. King 2019-12-10 13:26:13 -05:00
parent f13366121f
commit f46d053428
2 changed files with 70 additions and 9 deletions

View file

@ -310,7 +310,9 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
return [$token['user'], $data['response_type'] ?? "id"]; return [$token['user'], $data['response_type'] ?? "id"];
} }
/** Handles token verification as an API call /**
* Handles token verification as an API call; this will not normally be used since
* the token and service endpoints are tightly coupled
* *
* The static `validateBearer` method should be used to check the validity of a bearer token in normal use * The static `validateBearer` method should be used to check the validity of a bearer token in normal use
* *
@ -321,23 +323,27 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
if (!$req->hasHeader("Authorization")) { if (!$req->hasHeader("Authorization")) {
throw new ExceptionAuth("invalid_token"); throw new ExceptionAuth("invalid_token");
} }
$authorization = $req->getHeader("Authorization")[0]; $authorization = $req->getHeader("Authorization");
list($user, $data) = self::validateBearer($authorization); if (sizeof($authorization) > 1) {
throw new ExceptionAuth("invalid_request");
}
list($user, $data) = self::validateBearer($authorization[0]);
} catch (ExceptionAuth $e) { } catch (ExceptionAuth $e) {
$errCode = $e->getMessage(); $errCode = $e->getMessage();
$httpCode = [ $httpCode = [
'invalid_request' => 400, 'invalid_request' => 400,
'invalid_token' => 401, 'invalid_token' => 401,
][$errCode] ?? 500; ][$errCode] ?? 500;
return new EmptyResponse($httpCode, [ $out = new EmptyResponse($httpCode, ['WWW-Authenticate' => "Bearer error=\"$errCode\""]);
'WWW-Authenticate' => "Bearer error=\"$errCode\"", if ($httpCode == 401) {
'X-Arsse-Suppress-General-Auth' => "1" $out = $out->withHeader("X-Arsse-Suppress-General-Auth", "1");
]); }
return $out;
} }
return new JsonResponse([ return new JsonResponse([
'me' => $data['me'] ?? "", 'me' => $data['me'] ?? "",
'client_id' => $data['client_id'] ?? "", 'client_id' => $data['client_id'] ?? "",
'scope' => implode(" ", ($data['scope'] ?? self::SCOPES)), 'scope' => implode(" ", (array) ($data['scope'] ?? self::SCOPES)),
]); ]);
} }
@ -352,7 +358,7 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
} }
try { try {
$info = Arsse::$db->tokenLookup("microsub.access", $token); $info = Arsse::$db->tokenLookup("microsub.access", $token);
Arsse::$db->tokenRevoke($info['user'], "mucrosub.access", $token); Arsse::$db->tokenRevoke($info['user'], "microsub.access", $token);
} catch (\JKingWeb\Arsse\Db\ExceptionInput $e) { } catch (\JKingWeb\Arsse\Db\ExceptionInput $e) {
} }
return new EmptyResponse(200); return new EmptyResponse(200);

View file

@ -249,4 +249,59 @@ class TestAuth extends \JKingWeb\Arsse\Test\AbstractTest {
'Broken data' => ["Bearer TOKEN", [], "TOKEN", "someone", '{', ["someone", ['scope' => Auth::SCOPES]]], 'Broken data' => ["Bearer TOKEN", [], "TOKEN", "someone", '{', ["someone", ['scope' => Auth::SCOPES]]],
]; ];
} }
/** @dataProvider provideRevocations */
public function testRevokeAToken(array $params, $user, ResponseInterface $exp) {
\Phake::when(Arsse::$db)->tokenRevoke->thenReturn(true);
if ($user instanceof \Exception) {
\Phake::when(Arsse::$db)->tokenLookup->thenThrow($user);
} else {
\Phake::when(Arsse::$db)->tokenLookup->thenReturn(['user' => $user]);
}
$this->assertMessage($exp, $this->req("http://example.com/u/?f=token", "POST", [], [], array_merge(['action' => "revoke"], $params)));
$doLookup = strlen($params['token'] ?? "") > 0;
$doRevoke = ($doLookup && !$user instanceof \Exception);
if ($doLookup) {
\Phake::verify(Arsse::$db)->tokenLookup("microsub.access", $params['token'] ?? "");
} else {
\Phake::verify(Arsse::$db, \Phake::times(0))->tokenLookup;
}
if ($doRevoke) {
\Phake::verify(Arsse::$db)->tokenRevoke($user, "microsub.access", $params['token'] ?? "");
} else {
\Phake::verify(Arsse::$db, \Phake::times(0))->tokenRevoke;
}
}
public function provideRevocations() {
return [
'Missing token 1' => [[], "", new EmptyResponse(422)],
'Missing token 2' => [['token' => ""], "", new EmptyResponse(422)],
'Bad Token' => [['token' => "bad"], new ExceptionInput("subjectMissing"), new EmptyResponse(200)],
'Success' => [['token' => "good"], "someone", new EmptyResponse(200)],
];
}
/** @dataProvider provideTokenVerifications */
public function testVerifyAToken(array $authorization, $output, ResponseInterface $exp) {
if ($output instanceof \Exception) {
\Phake::when(Arsse::$db)->tokenLookup->thenThrow($output);
} else {
\Phake::when(Arsse::$db)->tokenLookup->thenReturn(['user' => "someone", 'data' => $output]);
}
$this->assertMessage($exp, $this->req("http://example.com/u/?f=token", "GET", [], $authorization ? ['Authorization' => $authorization] : []));
\Phake::verify(Arsse::$db, \Phake::times(0))->tokenRevoke;
}
public function provideTokenVerifications() {
return [
'No credentials' => [[], "", new EmptyResponse(401, ['WWW-Authenticate' => 'Bearer error="invalid_token"', 'X-Arsse-Suppress-General-Auth' => "1"])],
'Too many credentials' => [["Bearer TOKEN", "Basic BASE64"], "", new EmptyResponse(400, ['WWW-Authenticate' => 'Bearer error="invalid_request"'])],
'Invalid credentials' => [["Bearer !"], "", new EmptyResponse(400, ['WWW-Authenticate' => 'Bearer error="invalid_request"'])],
'Bad credentials' => [["Bearer BAD"], new ExceptionInput("subjectMissing"), new EmptyResponse(401, ['WWW-Authenticate' => 'Bearer error="invalid_token"', 'X-Arsse-Suppress-General-Auth' => "1"])],
'Success 1' => [["Bearer GOOD"], '{"me":"ook","client_id":"eek","scope":["ack"]}', new Response(['me' => "ook", 'client_id' => "eek", 'scope' => "ack"])],
'Success 2' => [["Bearer GOOD"], '{"scope":["ook","eek","ack"]}', new Response(['me' => "", 'client_id' => "", 'scope' => "ook eek ack"])],
'Success 3' => [["Bearer GOOD"], '{}', new Response(['me' => "", 'client_id' => "", 'scope' => "read follow channels"])],
];
}
} }