diff --git a/src/Http/Exceptions/HttpAuthExpired.php b/src/Http/Exceptions/HttpAuthExpired.php new file mode 100644 index 00000000..83ca240f --- /dev/null +++ b/src/Http/Exceptions/HttpAuthExpired.php @@ -0,0 +1,24 @@ +handle($request); } - return $this->notAuthorizedResponse(); + throw new HttpAuthExpired('Authentication Token Mismatch'); } /** @@ -77,14 +78,4 @@ class VerifyCsrfToken implements MiddlewareInterface && is_string($sessionToken) && hash_equals($sessionToken, $token); } - - /** - * @return ResponseInterface - * @codeCoverageIgnore - */ - protected function notAuthorizedResponse(): ResponseInterface - { - // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized) - return response()->withStatus(419, 'Authentication Token Mismatch'); - } } diff --git a/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php b/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php new file mode 100644 index 00000000..4eaee032 --- /dev/null +++ b/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php @@ -0,0 +1,22 @@ +assertEquals(419, $exception->getStatusCode()); + $this->assertEquals('Authentication Expired', $exception->getMessage()); + + $exception = new HttpAuthExpired('Oops!'); + $this->assertEquals('Oops!', $exception->getMessage()); + } +} diff --git a/tests/Unit/Middleware/VerifyCsrfTokenTest.php b/tests/Unit/Middleware/VerifyCsrfTokenTest.php index 60280c5b..636e1f81 100644 --- a/tests/Unit/Middleware/VerifyCsrfTokenTest.php +++ b/tests/Unit/Middleware/VerifyCsrfTokenTest.php @@ -2,6 +2,7 @@ namespace Engelsystem\Test\Unit\Middleware; +use Engelsystem\Http\Exceptions\HttpAuthExpired; use Engelsystem\Middleware\VerifyCsrfToken; use PHPUnit\Framework\MockObject\MockObject; use PHPUnit\Framework\TestCase; @@ -33,13 +34,9 @@ class VerifyCsrfTokenTest extends TestCase /** @var VerifyCsrfToken|MockObject $middleware */ $middleware = $this->getMockBuilder(VerifyCsrfToken::class) ->disableOriginalConstructor() - ->setMethods(['notAuthorizedResponse', 'tokensMatch']) + ->setMethods(['tokensMatch']) ->getMock(); - $middleware->expects($this->exactly(1)) - ->method('notAuthorizedResponse') - ->willReturn($response); - $middleware->expects($this->exactly(2)) ->method('tokensMatch') ->willReturnOnConsecutiveCalls(true, false); @@ -47,10 +44,15 @@ class VerifyCsrfTokenTest extends TestCase // Results in true, false, false $request->expects($this->exactly(3)) ->method('getMethod') - ->willReturnOnConsecutiveCalls('GET', 'POST', 'DELETE'); + ->willReturnOnConsecutiveCalls('GET', 'DELETE', 'POST'); + // Is reading $middleware->process($request, $handler); + // Tokens match $middleware->process($request, $handler); + + // No match + $this->expectException(HttpAuthExpired::class); $middleware->process($request, $handler); } @@ -66,23 +68,18 @@ class VerifyCsrfTokenTest extends TestCase $handler = $this->getMockForAbstractClass(RequestHandlerInterface::class); /** @var ResponseInterface|MockObject $response */ $response = $this->getMockForAbstractClass(ResponseInterface::class); - /** @var ResponseInterface|MockObject $noAuthResponse */ - $noAuthResponse = $this->getMockForAbstractClass(ResponseInterface::class); /** @var SessionInterface|MockObject $session */ $session = $this->getMockForAbstractClass(SessionInterface::class); /** @var VerifyCsrfToken|MockObject $middleware */ $middleware = $this->getMockBuilder(VerifyCsrfToken::class) ->setConstructorArgs([$session]) - ->setMethods(['isReading', 'notAuthorizedResponse']) + ->setMethods(['isReading']) ->getMock(); $middleware->expects($this->atLeastOnce()) ->method('isReading') ->willReturn(false); - $middleware->expects($this->exactly(1)) - ->method('notAuthorizedResponse') - ->willReturn($noAuthResponse); $handler->expects($this->exactly(3)) ->method('handle') @@ -91,38 +88,39 @@ class VerifyCsrfTokenTest extends TestCase $request->expects($this->exactly(4)) ->method('getParsedBody') ->willReturnOnConsecutiveCalls( - null, null, ['_token' => 'PostFooToken'], - ['_token' => 'PostBarToken'] + ['_token' => 'PostBarToken'], + null ); $request->expects($this->exactly(4)) ->method('getHeader') ->with('X-CSRF-TOKEN') ->willReturnOnConsecutiveCalls( - [], ['HeaderFooToken'], [], - ['HeaderBarToken'] + ['HeaderBarToken'], + [] ); $session->expects($this->exactly(4)) ->method('get') ->with('_token') ->willReturnOnConsecutiveCalls( - 'NotAvailableToken', 'HeaderFooToken', 'PostFooToken', - 'PostBarToken' + 'PostBarToken', + 'NotAvailableToken' ); - // Not tokens - $this->assertEquals($noAuthResponse, $middleware->process($request, $handler)); // Header token - $this->assertEquals($response, $middleware->process($request, $handler)); + $middleware->process($request, $handler); // POST token - $this->assertEquals($response, $middleware->process($request, $handler)); + $middleware->process($request, $handler); // Header and POST tokens - $this->assertEquals($response, $middleware->process($request, $handler)); + $middleware->process($request, $handler); + // No tokens + $this->expectException(HttpAuthExpired::class); + $middleware->process($request, $handler); } }