This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
indieauth/tests/SingleUserPasswordAuthenticationCallbackTest.php

109 lines
3.8 KiB
PHP
Raw Permalink Normal View History

<?php declare(strict_types=1);
namespace Taproot\IndieAuth\Test;
use BadMethodCallException;
use Dflydev\FigCookies;
use Exception;
use Nyholm\Psr7;
use Nyholm\Psr7\ServerRequest;
use PHPUnit\Framework\TestCase;
use Taproot\IndieAuth\Callback\SingleUserPasswordAuthenticationCallback;
use Taproot\IndieAuth\Server;
class SingleUserPasswordAuthenticationCallbackTest extends TestCase {
public function testThrowsExceptionIfUserDataHasNoMeKey() {
try {
$c = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'not_me' => 'blah'
], password_hash('password', PASSWORD_DEFAULT));
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertEquals('The $user array MUST contain a “me” key, the value which must be the users canonical URL as a string.', $e->getMessage());
}
}
public function testThrowsExceptionIfSecretIsTooShort() {
try {
$c = new SingleUserPasswordAuthenticationCallback('not long enough', [
'me' => 'blah'
], password_hash('password', PASSWORD_DEFAULT));
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertEquals('$secret must be a string with a minimum length of 64 characters.', $e->getMessage());
}
}
public function testThrowsExceptionIfHashedPasswordIsInvalid() {
try {
$c = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'me' => 'https://me.example.com/'
], 'definitely not a hashed password');
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertTrue(true);
}
}
public function testShowsAuthenticationFormOnUnauthenticatedRequest() {
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'me' => 'https://me.example.com/'
], password_hash('password', PASSWORD_DEFAULT));
$formAction = 'https://example.com/formaction';
$req = (new ServerRequest('GET', 'https://example.com/login'))->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token');
$res = $callback($req, $formAction);
$this->assertEquals(200, $res->getStatusCode());
// For the moment, just do a very naieve test.
$this->assertStringContainsString($formAction, (string) $res->getBody());
}
public function testReturnsCookieRedirectOnAuthenticatedRequest() {
$userData = [
'me' => 'https://me.example.com',
'profile' => ['name' => 'Me']
];
$password = 'my very secure password';
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, $userData, password_hash($password, PASSWORD_DEFAULT));
$req = (new ServerRequest('POST', 'https://example.com/login'))
->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token')
->withParsedBody([
SingleUserPasswordAuthenticationCallback::PASSWORD_FORM_PARAMETER => $password
]);
$res = $callback($req, 'form_action');
$this->assertEquals(302, $res->getStatusCode());
$this->assertEquals('form_action', $res->getHeaderLine('location'));
$resCookies = FigCookies\SetCookies::fromResponse($res);
$hashCookie = $resCookies->get(SingleUserPasswordAuthenticationCallback::LOGIN_HASH_COOKIE);
$this->assertEquals(hash_hmac('SHA256', json_encode($userData), SERVER_SECRET), $hashCookie->getValue());
}
public function testReturnsUserDataOnResponseWithValidHashCookie() {
$userData = [
'me' => 'https://me.example.com',
'profile' => ['name' => 'Me']
];
$password = 'my very secure password';
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, $userData, password_hash($password, PASSWORD_DEFAULT));
$req = (new ServerRequest('POST', 'https://example.com/login'))
->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token')
->withCookieParams([
SingleUserPasswordAuthenticationCallback::LOGIN_HASH_COOKIE => hash_hmac('SHA256', json_encode($userData), SERVER_SECRET)
]);
$res = $callback($req, 'form_action');
$this->assertEquals($userData, $res);
}
}