This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
indieauth/tests/SingleUserPasswordAuthenticationCallbackTest.php
Barnaby Walters 01a15f0b46 Made SingleUserAuth callback set a cookie
So that auth data is preserved across multiple requests.
2021-06-18 16:11:49 +02:00

109 lines
3.8 KiB
PHP
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php declare(strict_types=1);
namespace Taproot\IndieAuth\Test;
use BadMethodCallException;
use Dflydev\FigCookies;
use Exception;
use Nyholm\Psr7;
use Nyholm\Psr7\ServerRequest;
use PHPUnit\Framework\TestCase;
use Taproot\IndieAuth\Callback\SingleUserPasswordAuthenticationCallback;
use Taproot\IndieAuth\Server;
class SingleUserPasswordAuthenticationCallbackTest extends TestCase {
public function testThrowsExceptionIfUserDataHasNoMeKey() {
try {
$c = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'not_me' => 'blah'
], password_hash('password', PASSWORD_DEFAULT));
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertEquals('The $user array MUST contain a “me” key, the value which must be the users canonical URL as a string.', $e->getMessage());
}
}
public function testThrowsExceptionIfSecretIsTooShort() {
try {
$c = new SingleUserPasswordAuthenticationCallback('not long enough', [
'me' => 'blah'
], password_hash('password', PASSWORD_DEFAULT));
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertEquals('$secret must be a string with a minimum length of 64 characters.', $e->getMessage());
}
}
public function testThrowsExceptionIfHashedPasswordIsInvalid() {
try {
$c = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'me' => 'https://me.example.com/'
], 'definitely not a hashed password');
$this->fail();
} catch (BadMethodCallException $e) {
$this->assertTrue(true);
}
}
public function testShowsAuthenticationFormOnUnauthenticatedRequest() {
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, [
'me' => 'https://me.example.com/'
], password_hash('password', PASSWORD_DEFAULT));
$formAction = 'https://example.com/formaction';
$req = (new ServerRequest('GET', 'https://example.com/login'))->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token');
$res = $callback($req, $formAction);
$this->assertEquals(200, $res->getStatusCode());
// For the moment, just do a very naieve test.
$this->assertStringContainsString($formAction, (string) $res->getBody());
}
public function testReturnsCookieRedirectOnAuthenticatedRequest() {
$userData = [
'me' => 'https://me.example.com',
'profile' => ['name' => 'Me']
];
$password = 'my very secure password';
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, $userData, password_hash($password, PASSWORD_DEFAULT));
$req = (new ServerRequest('POST', 'https://example.com/login'))
->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token')
->withParsedBody([
SingleUserPasswordAuthenticationCallback::PASSWORD_FORM_PARAMETER => $password
]);
$res = $callback($req, 'form_action');
$this->assertEquals(302, $res->getStatusCode());
$this->assertEquals('form_action', $res->getHeaderLine('location'));
$resCookies = FigCookies\SetCookies::fromResponse($res);
$hashCookie = $resCookies->get(SingleUserPasswordAuthenticationCallback::LOGIN_HASH_COOKIE);
$this->assertEquals(hash_hmac('SHA256', json_encode($userData), SERVER_SECRET), $hashCookie->getValue());
}
public function testReturnsUserDataOnResponseWithValidHashCookie() {
$userData = [
'me' => 'https://me.example.com',
'profile' => ['name' => 'Me']
];
$password = 'my very secure password';
$callback = new SingleUserPasswordAuthenticationCallback(SERVER_SECRET, $userData, password_hash($password, PASSWORD_DEFAULT));
$req = (new ServerRequest('POST', 'https://example.com/login'))
->withAttribute(Server::DEFAULT_CSRF_KEY, 'csrf token')
->withCookieParams([
SingleUserPasswordAuthenticationCallback::LOGIN_HASH_COOKIE => hash_hmac('SHA256', json_encode($userData), SERVER_SECRET)
]);
$res = $callback($req, 'form_action');
$this->assertEquals($userData, $res);
}
}