Refactoring: Throw HttpAuthExpired on csrf token mismatch

6 years ago · 55beca95cd
parent 9788c5095a
commit 55beca95cd
4 changed files with 69 additions and 34 deletions
--- a/src/Http/Exceptions/HttpAuthExpired.php
+++ b/src/Http/Exceptions/HttpAuthExpired.php
@ -0,0 +1,24 @@
+<?php
+
+namespace Engelsystem\Http\Exceptions;
+
+use Throwable;
+
+class HttpAuthExpired extends HttpException
+{
+    /**
+     * @param string         $message
+     * @param array          $headers
+     * @param int            $code
+     * @param Throwable|null $previous
+     */
+    public function __construct(
+        string $message = 'Authentication Expired',
+        array $headers = [],
+        int $code = 0,
+        Throwable $previous = null
+    ) {
+        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
+        parent::__construct(419, $message, $headers, $code, $previous);
+    }
+}
--- a/src/Middleware/VerifyCsrfToken.php
+++ b/src/Middleware/VerifyCsrfToken.php
@ -2,6 +2,7 @@

 namespace Engelsystem\Middleware;

+use Engelsystem\Http\Exceptions\HttpAuthExpired;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@ -37,7 +38,7 @@ class VerifyCsrfToken implements MiddlewareInterface
            return $handler->handle($request);
        }

-        return $this->notAuthorizedResponse();
+        throw new HttpAuthExpired('Authentication Token Mismatch');
    }

    /**
@ -77,14 +78,4 @@ class VerifyCsrfToken implements MiddlewareInterface
            && is_string($sessionToken)
            && hash_equals($sessionToken, $token);
    }
-
-    /**
-     * @return ResponseInterface
-     * @codeCoverageIgnore
-     */
-    protected function notAuthorizedResponse(): ResponseInterface
-    {
-        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
-        return response()->withStatus(419, 'Authentication Token Mismatch');
-    }
 }
--- a/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php
+++ b/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php
@ -0,0 +1,22 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Http\Exceptions;
+
+use Engelsystem\Http\Exceptions\HttpAuthExpired;
+use PHPUnit\Framework\TestCase;
+
+class HttpAuthExpiredTest extends TestCase
+{
+    /**
+     * @covers \Engelsystem\Http\Exceptions\HttpAuthExpired::__construct
+     */
+    public function testConstruct()
+    {
+        $exception = new HttpAuthExpired();
+        $this->assertEquals(419, $exception->getStatusCode());
+        $this->assertEquals('Authentication Expired', $exception->getMessage());
+
+        $exception = new HttpAuthExpired('Oops!');
+        $this->assertEquals('Oops!', $exception->getMessage());
+    }
+}
--- a/tests/Unit/Middleware/VerifyCsrfTokenTest.php
+++ b/tests/Unit/Middleware/VerifyCsrfTokenTest.php
@ -2,6 +2,7 @@

 namespace Engelsystem\Test\Unit\Middleware;

+use Engelsystem\Http\Exceptions\HttpAuthExpired;
 use Engelsystem\Middleware\VerifyCsrfToken;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@ -33,13 +34,9 @@ class VerifyCsrfTokenTest extends TestCase
        /** @var VerifyCsrfToken|MockObject $middleware */
        $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
            ->disableOriginalConstructor()
-            ->setMethods(['notAuthorizedResponse', 'tokensMatch'])
+            ->setMethods(['tokensMatch'])
            ->getMock();

-        $middleware->expects($this->exactly(1))
-            ->method('notAuthorizedResponse')
-            ->willReturn($response);
-
        $middleware->expects($this->exactly(2))
            ->method('tokensMatch')
            ->willReturnOnConsecutiveCalls(true, false);
@ -47,10 +44,15 @@ class VerifyCsrfTokenTest extends TestCase
        // Results in true, false, false
        $request->expects($this->exactly(3))
            ->method('getMethod')
-            ->willReturnOnConsecutiveCalls('GET', 'POST', 'DELETE');
+            ->willReturnOnConsecutiveCalls('GET', 'DELETE', 'POST');

+        // Is reading
        $middleware->process($request, $handler);
+        // Tokens match
        $middleware->process($request, $handler);
+
+        // No match
+        $this->expectException(HttpAuthExpired::class);
        $middleware->process($request, $handler);
    }

@ -66,23 +68,18 @@ class VerifyCsrfTokenTest extends TestCase
        $handler = $this->getMockForAbstractClass(RequestHandlerInterface::class);
        /** @var ResponseInterface|MockObject $response */
        $response = $this->getMockForAbstractClass(ResponseInterface::class);
-        /** @var ResponseInterface|MockObject $noAuthResponse */
-        $noAuthResponse = $this->getMockForAbstractClass(ResponseInterface::class);
        /** @var SessionInterface|MockObject $session */
        $session = $this->getMockForAbstractClass(SessionInterface::class);

        /** @var VerifyCsrfToken|MockObject $middleware */
        $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
            ->setConstructorArgs([$session])
-            ->setMethods(['isReading', 'notAuthorizedResponse'])
+            ->setMethods(['isReading'])
            ->getMock();

        $middleware->expects($this->atLeastOnce())
            ->method('isReading')
            ->willReturn(false);
-        $middleware->expects($this->exactly(1))
-            ->method('notAuthorizedResponse')
-            ->willReturn($noAuthResponse);

        $handler->expects($this->exactly(3))
            ->method('handle')
@ -91,38 +88,39 @@ class VerifyCsrfTokenTest extends TestCase
        $request->expects($this->exactly(4))
            ->method('getParsedBody')
            ->willReturnOnConsecutiveCalls(
-                null,
                null,
                ['_token' => 'PostFooToken'],
-                ['_token' => 'PostBarToken']
+                ['_token' => 'PostBarToken'],
+                null
            );
        $request->expects($this->exactly(4))
            ->method('getHeader')
            ->with('X-CSRF-TOKEN')
            ->willReturnOnConsecutiveCalls(
-                [],
                ['HeaderFooToken'],
                [],
-                ['HeaderBarToken']
+                ['HeaderBarToken'],
+                []
            );

        $session->expects($this->exactly(4))
            ->method('get')
            ->with('_token')
            ->willReturnOnConsecutiveCalls(
-                'NotAvailableToken',
                'HeaderFooToken',
                'PostFooToken',
-                'PostBarToken'
+                'PostBarToken',
+                'NotAvailableToken'
            );

-        // Not tokens
-        $this->assertEquals($noAuthResponse, $middleware->process($request, $handler));
        // Header token
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
        // POST token
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
        // Header and POST tokens
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
+        // No tokens
+        $this->expectException(HttpAuthExpired::class);
+        $middleware->process($request, $handler);
    }
 }