142 lines
4 KiB
PHP
142 lines
4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Unit\Auth\Middleware;
|
|
|
|
use App\Auth\CreateSessionDto;
|
|
use App\Http\Middleware\AuthMiddleware;
|
|
use App\Shared\ValueObject\EmailAddress;
|
|
use App\User\User;
|
|
use Closure;
|
|
use DateTimeImmutable;
|
|
use DateTimeZone;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
use Tests\Fakes\FakeClock;
|
|
use Tests\Fakes\FakeSessionRepository;
|
|
use Tests\TestCase;
|
|
|
|
class AuthMiddlewareTest extends TestCase
|
|
{
|
|
private FakeSessionRepository $sessionRepo;
|
|
|
|
private FakeClock $clock;
|
|
|
|
private DateTimeImmutable $now;
|
|
|
|
private AuthMiddleware $middleware;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
$this->now = new DateTimeImmutable(
|
|
'2026-04-29T12:00:00',
|
|
new DateTimeZone('UTC')
|
|
);
|
|
$this->sessionRepo = new FakeSessionRepository();
|
|
$this->clock = new FakeClock($this->now);
|
|
$this->middleware = new AuthMiddleware(
|
|
$this->sessionRepo,
|
|
$this->clock,
|
|
);
|
|
}
|
|
|
|
private function makeRequest(?string $token): Request
|
|
{
|
|
$request = Request::create('/api/anything', 'POST');
|
|
if ($token !== null) {
|
|
$request->cookies->set('auth_token', $token);
|
|
}
|
|
|
|
return $request;
|
|
}
|
|
|
|
private function nextThatRecords(?Request &$captured): Closure
|
|
{
|
|
return function (Request $request) use (&$captured) {
|
|
$captured = $request;
|
|
|
|
return new JsonResponse(['ok' => true], 200);
|
|
};
|
|
}
|
|
|
|
public function testMissingCookieReturnsUnauthorizedJson(): void
|
|
{
|
|
$captured = null;
|
|
$response = $this->middleware->handle(
|
|
$this->makeRequest(null),
|
|
$this->nextThatRecords($captured),
|
|
);
|
|
|
|
$this->assertSame(401, $response->getStatusCode());
|
|
$this->assertSame(
|
|
['error' => 'unauthenticated'],
|
|
json_decode($response->getContent(), true),
|
|
);
|
|
$this->assertNull($captured);
|
|
}
|
|
|
|
public function testUnknownTokenReturnsUnauthorized(): void
|
|
{
|
|
$captured = null;
|
|
$response = $this->middleware->handle(
|
|
$this->makeRequest('does-not-exist'),
|
|
$this->nextThatRecords($captured),
|
|
);
|
|
|
|
$this->assertSame(401, $response->getStatusCode());
|
|
$this->assertNull($captured);
|
|
}
|
|
|
|
public function testExpiredSessionReturnsUnauthorizedAndIsDeleted(): void
|
|
{
|
|
$user = new User(
|
|
id: 7,
|
|
email: new EmailAddress('user@example.com'),
|
|
passwordHash: 'password',
|
|
);
|
|
$this->sessionRepo->create(new CreateSessionDto(
|
|
token: 'expired-token',
|
|
user: $user,
|
|
createdAt: $this->now->modify('-8 days'),
|
|
expiresAt: $this->now->modify('-1 day'),
|
|
));
|
|
|
|
$captured = null;
|
|
$response = $this->middleware->handle(
|
|
$this->makeRequest('expired-token'),
|
|
$this->nextThatRecords($captured),
|
|
);
|
|
|
|
$this->assertSame(401, $response->getStatusCode());
|
|
$this->assertNull($captured);
|
|
$this->assertNull(
|
|
$this->sessionRepo->findByToken('expired-token')
|
|
);
|
|
}
|
|
|
|
public function testValidSessionAttachesUserAndCallsNext(): void
|
|
{
|
|
$user = new User(
|
|
id: 7,
|
|
email: new EmailAddress('user@example.com'),
|
|
passwordHash: 'password',
|
|
);
|
|
$this->sessionRepo->create(new CreateSessionDto(
|
|
token: 'valid-token',
|
|
user: $user,
|
|
createdAt: $this->now,
|
|
expiresAt: $this->now->modify('+7 days'),
|
|
));
|
|
|
|
$captured = null;
|
|
$response = $this->middleware->handle(
|
|
$this->makeRequest('valid-token'),
|
|
$this->nextThatRecords($captured),
|
|
);
|
|
|
|
$this->assertSame(200, $response->getStatusCode());
|
|
$this->assertNotNull($captured);
|
|
$attachedUser = $captured->attributes->get('user');
|
|
$this->assertInstanceOf(User::class, $attachedUser);
|
|
$this->assertSame(7, $attachedUser->getId());
|
|
}
|
|
}
|