2018-11-08 05:34:09 +08:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This file is part of Flarum.
|
|
|
|
*
|
2020-02-05 05:11:08 +08:00
|
|
|
* For detailed copyright and license information, please view the
|
|
|
|
* LICENSE file that was distributed with this source code.
|
2018-11-08 05:34:09 +08:00
|
|
|
*/
|
|
|
|
|
2019-01-02 05:17:09 +08:00
|
|
|
namespace Flarum\Tests\integration\api\Auth;
|
2018-11-08 05:34:09 +08:00
|
|
|
|
|
|
|
use Carbon\Carbon;
|
|
|
|
use Flarum\Api\ApiKey;
|
2019-01-31 04:15:27 +08:00
|
|
|
use Flarum\Api\Client;
|
2018-11-08 05:34:09 +08:00
|
|
|
use Flarum\Api\Controller\CreateGroupController;
|
2019-01-02 05:17:09 +08:00
|
|
|
use Flarum\Tests\integration\RetrievesAuthorizedUsers;
|
|
|
|
use Flarum\Tests\integration\TestCase;
|
2019-01-31 04:15:27 +08:00
|
|
|
use Flarum\User\Guest;
|
|
|
|
use Flarum\User\User;
|
2019-07-06 07:11:19 +08:00
|
|
|
use Illuminate\Support\Str;
|
2018-11-08 05:34:09 +08:00
|
|
|
use Psr\Http\Message\ResponseInterface;
|
|
|
|
use Psr\Http\Message\ServerRequestInterface;
|
|
|
|
use Psr\Http\Server\MiddlewareInterface;
|
|
|
|
use Psr\Http\Server\RequestHandlerInterface;
|
|
|
|
use Zend\Diactoros\Response;
|
|
|
|
use Zend\Diactoros\ServerRequestFactory;
|
|
|
|
use Zend\Stratigility\MiddlewarePipe;
|
|
|
|
|
|
|
|
class AuthenticateWithApiKeyTest extends TestCase
|
|
|
|
{
|
|
|
|
use RetrievesAuthorizedUsers;
|
|
|
|
|
2019-01-31 04:15:27 +08:00
|
|
|
public function setUp()
|
|
|
|
{
|
|
|
|
parent::setUp();
|
|
|
|
|
|
|
|
$this->prepareDatabase([
|
|
|
|
'users' => [
|
|
|
|
$this->adminUser(),
|
|
|
|
$this->normalUser(),
|
|
|
|
],
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
2018-11-08 05:34:09 +08:00
|
|
|
protected function key(int $user_id = null): ApiKey
|
|
|
|
{
|
|
|
|
return ApiKey::unguarded(function () use ($user_id) {
|
|
|
|
return ApiKey::query()->firstOrCreate([
|
2019-07-06 07:11:19 +08:00
|
|
|
'key' => Str::random(),
|
2018-11-08 05:34:09 +08:00
|
|
|
'user_id' => $user_id,
|
|
|
|
'created_at' => Carbon::now()
|
|
|
|
]);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function cannot_authorize_without_key()
|
|
|
|
{
|
2019-01-31 04:15:27 +08:00
|
|
|
/** @var Client $api */
|
|
|
|
$api = $this->app()->getContainer()->make(Client::class);
|
|
|
|
|
2019-08-10 05:57:33 +08:00
|
|
|
$response = $api->send(CreateGroupController::class, new Guest);
|
2019-07-30 06:09:10 +08:00
|
|
|
|
2019-08-20 13:19:55 +08:00
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
2018-11-08 05:34:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function master_token_can_authenticate_as_anyone()
|
|
|
|
{
|
|
|
|
$key = $this->key();
|
|
|
|
|
|
|
|
$request = ServerRequestFactory::fromGlobals()
|
|
|
|
->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
|
|
|
|
|
|
|
|
$pipe = $this->injectAuthorizationPipeline();
|
|
|
|
|
|
|
|
$response = $pipe->handle($request);
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
$this->assertEquals(1, $response->getHeader('X-Authenticated-As')[0]);
|
|
|
|
|
|
|
|
$key = $key->refresh();
|
|
|
|
|
|
|
|
$this->assertNotNull($key->last_activity_at);
|
|
|
|
|
|
|
|
$key->delete();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function personal_api_token_cannot_authenticate_as_anyone()
|
|
|
|
{
|
2019-01-31 04:15:27 +08:00
|
|
|
$user = User::find(2);
|
2018-11-08 05:34:09 +08:00
|
|
|
|
|
|
|
$key = $this->key($user->id);
|
|
|
|
|
|
|
|
$request = ServerRequestFactory::fromGlobals()
|
|
|
|
->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
|
|
|
|
|
|
|
|
$pipe = $this->injectAuthorizationPipeline();
|
|
|
|
|
|
|
|
$response = $pipe->handle($request);
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
$this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
|
|
|
|
|
|
|
|
$key = $key->refresh();
|
|
|
|
|
|
|
|
$this->assertNotNull($key->last_activity_at);
|
|
|
|
|
|
|
|
$key->delete();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function personal_api_token_authenticates_user()
|
|
|
|
{
|
2019-01-31 04:15:27 +08:00
|
|
|
$user = User::find(2);
|
2018-11-08 05:34:09 +08:00
|
|
|
|
|
|
|
$key = $this->key($user->id);
|
|
|
|
|
|
|
|
$request = ServerRequestFactory::fromGlobals()
|
|
|
|
->withAddedHeader('Authorization', "Token {$key->key}");
|
|
|
|
|
|
|
|
$pipe = $this->injectAuthorizationPipeline();
|
|
|
|
|
|
|
|
$response = $pipe->handle($request);
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
$this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
|
|
|
|
|
|
|
|
$key = $key->refresh();
|
|
|
|
|
|
|
|
$this->assertNotNull($key->last_activity_at);
|
|
|
|
|
|
|
|
$key->delete();
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function injectAuthorizationPipeline(): MiddlewarePipe
|
|
|
|
{
|
|
|
|
app()->resolving('flarum.api.middleware', function ($pipeline) {
|
|
|
|
$pipeline->pipe(new class implements MiddlewareInterface {
|
|
|
|
public function process(
|
|
|
|
ServerRequestInterface $request,
|
|
|
|
RequestHandlerInterface $handler
|
|
|
|
): ResponseInterface {
|
|
|
|
if ($actor = $request->getAttribute('actor')) {
|
|
|
|
return new Response\EmptyResponse(200, [
|
|
|
|
'X-Authenticated-As' => $actor->id
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
$pipe = app('flarum.api.middleware');
|
|
|
|
|
|
|
|
return $pipe;
|
|
|
|
}
|
|
|
|
}
|