framework/tests/integration/api/Auth/AuthenticateWithApiKeyTest.php

<?php

/*
 * This file is part of Flarum.
 *
 * (c) Toby Zerner <toby.zerner@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Flarum\Tests\integration\api\Auth;

use Carbon\Carbon;
use Flarum\Api\ApiKey;
use Flarum\Api\Client;
use Flarum\Api\Controller\CreateGroupController;
use Flarum\Tests\integration\RetrievesAuthorizedUsers;
use Flarum\Tests\integration\TestCase;
use Flarum\User\Guest;
use Flarum\User\User;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequestFactory;
use Zend\Stratigility\MiddlewarePipe;

class AuthenticateWithApiKeyTest extends TestCase
{
    use RetrievesAuthorizedUsers;

    public function setUp()
    {
        parent::setUp();

        $this->prepareDatabase([
            'users' => [
                $this->adminUser(),
                $this->normalUser(),
            ],
        ]);
    }

    protected function key(int $user_id = null): ApiKey
    {
        return ApiKey::unguarded(function () use ($user_id) {
            return ApiKey::query()->firstOrCreate([
                'key'        => str_random(),
                'user_id'    => $user_id,
                'created_at' => Carbon::now()
            ]);
        });
    }

    /**
     * @test
     * @expectedException \Flarum\User\Exception\PermissionDeniedException
     */
    public function cannot_authorize_without_key()
    {
        /** @var Client $api */
        $api = $this->app()->getContainer()->make(Client::class);
        $api->setErrorHandler(null);

        $api->send(CreateGroupController::class, new Guest);
    }

    /**
     * @test
     */
    public function master_token_can_authenticate_as_anyone()
    {
        $key = $this->key();

        $request = ServerRequestFactory::fromGlobals()
            ->withAddedHeader('Authorization', "Token {$key->key}; userId=1");

        $pipe = $this->injectAuthorizationPipeline();

        $response = $pipe->handle($request);

        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals(1, $response->getHeader('X-Authenticated-As')[0]);

        $key = $key->refresh();

        $this->assertNotNull($key->last_activity_at);

        $key->delete();
    }

    /**
     * @test
     */
    public function personal_api_token_cannot_authenticate_as_anyone()
    {
        $user = User::find(2);

        $key = $this->key($user->id);

        $request = ServerRequestFactory::fromGlobals()
            ->withAddedHeader('Authorization', "Token {$key->key}; userId=1");

        $pipe = $this->injectAuthorizationPipeline();

        $response = $pipe->handle($request);

        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);

        $key = $key->refresh();

        $this->assertNotNull($key->last_activity_at);

        $key->delete();
    }

    /**
     * @test
     */
    public function personal_api_token_authenticates_user()
    {
        $user = User::find(2);

        $key = $this->key($user->id);

        $request = ServerRequestFactory::fromGlobals()
            ->withAddedHeader('Authorization', "Token {$key->key}");

        $pipe = $this->injectAuthorizationPipeline();

        $response = $pipe->handle($request);

        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);

        $key = $key->refresh();

        $this->assertNotNull($key->last_activity_at);

        $key->delete();
    }

    protected function injectAuthorizationPipeline(): MiddlewarePipe
    {
        app()->resolving('flarum.api.middleware', function ($pipeline) {
            $pipeline->pipe(new class implements MiddlewareInterface {
                public function process(
                    ServerRequestInterface $request,
                    RequestHandlerInterface $handler
                ): ResponseInterface {
                    if ($actor = $request->getAttribute('actor')) {
                        return new Response\EmptyResponse(200, [
                            'X-Authenticated-As' => $actor->id
                        ]);
                    }
                }
            });
        });

        $pipe = app('flarum.api.middleware');

        return $pipe;
    }
}