m038/intotheeast-com-content
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
89ae41d9ec3ba658ef56c06524825c3222ea37fa
intotheeast-com-content/plugins/api/tests/Unit/Auth/JwtAuthenticatorTest.php
T

372 lines
11 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Grav\Plugin\Api\Tests\Unit\Auth;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Grav\Common\Config\Config;
use Grav\Common\Grav;
use Grav\Plugin\Api\Auth\JwtAuthenticator;
use Grav\Plugin\Api\Tests\Unit\TestHelper;
use PHPUnit\Framework\Attributes\CoversClass;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
/**
* Tests for the JwtAuthenticator.
*
* We subclass JwtAuthenticator to override getSecret() and getRevokedTokensFile()
* so the tests run without a full Grav file system.
*/
#[CoversClass(JwtAuthenticator::class)]
class JwtAuthenticatorTest extends TestCase
{
private const SECRET = 'test-jwt-secret-key-at-least-32-chars-long';
private const ALGORITHM = 'HS256';
private string $tempDir;
protected function setUp(): void
{
$this->tempDir = sys_get_temp_dir() . '/grav_api_jwt_test_' . uniqid();
@mkdir($this->tempDir, 0775, true);
}
protected function tearDown(): void
{
$files = glob($this->tempDir . '/*');
if ($files) {
array_map('unlink', $files);
}
@rmdir($this->tempDir);
}
#[Test]
public function returns_null_when_no_bearer_token(): void
{
$authenticator = $this->buildAuthenticator([]);
$request = TestHelper::createMockRequest();
self::assertNull($authenticator->authenticate($request));
}
#[Test]
public function returns_null_with_non_bearer_authorization(): void
{
$authenticator = $this->buildAuthenticator([]);
$request = TestHelper::createMockRequest(
headers: ['Authorization' => 'Basic dXNlcjpwYXNz'],
);
self::assertNull($authenticator->authenticate($request));
}
#[Test]
public function authenticates_valid_access_token(): void
{
$user = TestHelper::createMockUser('alice');
$authenticator = $this->buildAuthenticator(['alice' => $user]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'alice',
'iat' => time(),
'exp' => time() + 3600,
'type' => 'access',
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['Authorization' => 'Bearer ' . $token],
);
$result = $authenticator->authenticate($request);
self::assertNotNull($result);
self::assertSame('alice', $result->username);
}
#[Test]
public function authenticates_via_x_api_token_bare_jwt(): void
{
$user = TestHelper::createMockUser('alice');
$authenticator = $this->buildAuthenticator(['alice' => $user]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'alice',
'iat' => time(),
'exp' => time() + 3600,
'type' => 'access',
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['X-API-Token' => $token],
);
$result = $authenticator->authenticate($request);
self::assertNotNull($result);
self::assertSame('alice', $result->username);
}
#[Test]
public function authenticates_via_x_api_token_with_bearer_prefix(): void
{
$user = TestHelper::createMockUser('alice');
$authenticator = $this->buildAuthenticator(['alice' => $user]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'alice',
'iat' => time(),
'exp' => time() + 3600,
'type' => 'access',
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['X-API-Token' => 'Bearer ' . $token],
);
$result = $authenticator->authenticate($request);
self::assertNotNull($result);
self::assertSame('alice', $result->username);
}
#[Test]
public function x_api_token_takes_precedence_over_authorization(): void
{
$alice = TestHelper::createMockUser('alice');
$bob = TestHelper::createMockUser('bob');
$authenticator = $this->buildAuthenticator(['alice' => $alice, 'bob' => $bob]);
$aliceToken = JWT::encode([
'iss' => 'grav-api', 'sub' => 'alice', 'iat' => time(),
'exp' => time() + 3600, 'type' => 'access',
], self::SECRET, self::ALGORITHM);
$bobToken = JWT::encode([
'iss' => 'grav-api', 'sub' => 'bob', 'iat' => time(),
'exp' => time() + 3600, 'type' => 'access',
], self::SECRET, self::ALGORITHM);
// X-API-Token carries Alice's JWT; Authorization carries Bob's.
// Custom header wins (FPM-stripping hosts may drop Authorization
// silently, so we want the survivable channel to be authoritative).
$request = TestHelper::createMockRequest(
headers: [
'X-API-Token' => $aliceToken,
'Authorization' => 'Bearer ' . $bobToken,
],
);
$result = $authenticator->authenticate($request);
self::assertNotNull($result);
self::assertSame('alice', $result->username);
}
#[Test]
public function rejects_expired_token(): void
{
$user = TestHelper::createMockUser('bob');
$authenticator = $this->buildAuthenticator(['bob' => $user]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'bob',
'iat' => time() - 7200,
'exp' => time() - 3600,
'type' => 'access',
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['Authorization' => 'Bearer ' . $token],
);
self::assertNull($authenticator->authenticate($request));
}
#[Test]
public function rejects_refresh_token_as_access(): void
{
$user = TestHelper::createMockUser('carol');
$authenticator = $this->buildAuthenticator(['carol' => $user]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'carol',
'iat' => time(),
'exp' => time() + 604800,
'type' => 'refresh',
'jti' => bin2hex(random_bytes(16)),
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['Authorization' => 'Bearer ' . $token],
);
self::assertNull($authenticator->authenticate($request), 'Refresh tokens must not authenticate as access tokens');
}
#[Test]
public function rejects_nonexistent_user(): void
{
$authenticator = $this->buildAuthenticator([]);
$token = JWT::encode([
'iss' => 'grav-api',
'sub' => 'ghost',
'iat' => time(),
'exp' => time() + 3600,
'type' => 'access',
], self::SECRET, self::ALGORITHM);
$request = TestHelper::createMockRequest(
headers: ['Authorization' => 'Bearer ' . $token],
);
self::assertNull($authenticator->authenticate($request));
}
#[Test]
public function generate_access_token_is_valid(): void
{
$user = TestHelper::createMockUser('dave');
$authenticator = $this->buildAuthenticator(['dave' => $user]);
$token = $authenticator->generateAccessToken($user);
self::assertNotEmpty($token);
$decoded = JWT::decode($token, new Key(self::SECRET, self::ALGORITHM));
self::assertSame('grav-api', $decoded->iss);
self::assertSame('dave', $decoded->sub);
self::assertSame('access', $decoded->type);
self::assertGreaterThan(time(), $decoded->exp);
}
#[Test]
public function generate_refresh_token_is_valid(): void
{
$user = TestHelper::createMockUser('eve');
$authenticator = $this->buildAuthenticator(['eve' => $user]);
$token = $authenticator->generateRefreshToken($user);
self::assertNotEmpty($token);
$decoded = JWT::decode($token, new Key(self::SECRET, self::ALGORITHM));
self::assertSame('grav-api', $decoded->iss);
self::assertSame('eve', $decoded->sub);
self::assertSame('refresh', $decoded->type);
self::assertNotEmpty($decoded->jti);
self::assertGreaterThan(time(), $decoded->exp);
}
#[Test]
public function refresh_token_validation(): void
{
$user = TestHelper::createMockUser('frank');
$authenticator = $this->buildAuthenticator(['frank' => $user]);
$refreshToken = $authenticator->generateRefreshToken($user);
$result = $authenticator->validateRefreshToken($refreshToken);
self::assertNotNull($result);
self::assertSame('frank', $result->username);
}
#[Test]
public function refresh_token_validation_rejects_access_token(): void
{
$user = TestHelper::createMockUser('grace');
$authenticator = $this->buildAuthenticator(['grace' => $user]);
$accessToken = $authenticator->generateAccessToken($user);
$result = $authenticator->validateRefreshToken($accessToken);
self::assertNull($result, 'Access tokens must not be accepted as refresh tokens');
}
#[Test]
public function revoke_token(): void
{
$user = TestHelper::createMockUser('heidi');
$authenticator = $this->buildAuthenticator(['heidi' => $user]);
$refreshToken = $authenticator->generateRefreshToken($user);
// Token should be valid before revocation
self::assertNotNull($authenticator->validateRefreshToken($refreshToken));
// Revoke it
$revoked = $authenticator->revokeToken($refreshToken);
self::assertTrue($revoked);
// Token should be rejected after revocation
self::assertNull($authenticator->validateRefreshToken($refreshToken));
}
#[Test]
public function revoke_access_token_returns_false(): void
{
$user = TestHelper::createMockUser('ivan');
$authenticator = $this->buildAuthenticator(['ivan' => $user]);
$accessToken = $authenticator->generateAccessToken($user);
// Access tokens have no jti, so revocation should return false
$result = $authenticator->revokeToken($accessToken);
self::assertFalse($result);
}
/**
* Build a testable JwtAuthenticator subclass that doesn't depend on the Grav locator.
*/
private function buildAuthenticator(array $users): JwtAuthenticator
{
$accounts = TestHelper::createMockAccounts($users);
$grav = TestHelper::createMockGrav(['accounts' => $accounts]);
$config = TestHelper::createMockConfig([
'plugins' => ['api' => ['auth' => [
'jwt_secret' => self::SECRET,
'jwt_algorithm' => self::ALGORITHM,
'jwt_expiry' => 3600,
'jwt_refresh_expiry' => 604800,
]]],
]);
$tempDir = $this->tempDir;
return new class ($grav, $config, $tempDir) extends JwtAuthenticator {
public function __construct(
Grav $grav,
Config $config,
private readonly string $dir,
) {
parent::__construct($grav, $config);
}
protected function getSecret(): string
{
return $this->config->get('plugins.api.auth.jwt_secret');
}
protected function getRevokedTokensFile(): string
{
return $this->dir . '/revoked_tokens.json';
}
};
}
}
Reference in New Issue View Git Blame Copy Permalink