more tests (#19)

Reviewed-on: #19
Co-authored-by: Ron Rise <ron@siteworxpro.com>
Co-committed-by: Ron Rise <ron@siteworxpro.com>

tests/Http/Middleware/JwtMiddlewareTest.php

@@ -0,0 +1,230 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Siteworxpro\Tests\Http\Middleware;
+
+use DateTimeImmutable;
+use Lcobucci\JWT\JwtFacade;
+use Lcobucci\JWT\Signer\Hmac\Sha256;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Token\Builder;
+use League\Route\Dispatcher;
+use Nyholm\Psr7\Response;
+use Nyholm\Psr7\ServerRequest;
+use Siteworxpro\App\Attributes\Guards\Jwt;
+use Siteworxpro\App\Http\Middleware\JwtMiddleware;
+use Siteworxpro\App\Services\Facades\Config;
+use Siteworxpro\HttpStatus\CodesEnum;
+
+class JwtMiddlewareTest extends Middleware
+{
+    private const string TEST_SIGNING_KEY = 'test_signing_key_123456444478901234';
+
+    public function getClass(): object
+    {
+        return new class {
+            public function getCallable(): array
+            {
+                return [$this, 'index'];
+            }
+
+            #[Jwt]
+            public function index()
+            {
+                // Dummy method for testing
+            }
+        };
+    }
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        Config::set('jwt.signing_key', self::TEST_SIGNING_KEY);
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testIgnoresNoJwtAttribute()
+    {
+        $class = new class {
+            public function getCallable(): array
+            {
+                return [ $this, 'index' ];
+            }
+
+            public function index()
+            {
+                // Dummy method for testing
+            }
+        };
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $handler
+            ->shouldReceive('handle')
+            ->once()
+            ->andReturn(new Response(200));
+
+        $request = new ServerRequest('GET', '/');
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::OK->value, $response->getStatusCode());
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testIgnoresJwtAttributeButNoToken()
+    {
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $request = new ServerRequest('GET', '/');
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::UNAUTHORIZED->value, $response->getStatusCode());
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testInvalidToken()
+    {
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $request = new ServerRequest('GET', '/');
+        $request = $request->withHeader('Authorization', 'Bearer ' . 'invalid_token_string');
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::UNAUTHORIZED->value, $response->getStatusCode());
+        $this->assertStringContainsString(
+            'Unauthorized: Invalid token',
+            $response->getBody()->getContents()
+        );
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testJwtAttributeWithTokenButWrongAud()
+    {
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $request = new ServerRequest('GET', '/');
+        $request = $request->withHeader('Authorization', 'Bearer ' . $this->getJwt());
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::UNAUTHORIZED->value, $response->getStatusCode());
+        $this->assertStringContainsString(
+            'The token is not allowed to be used by this audience',
+            $response->getBody()->getContents()
+        );
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testJwtAttributeWithTokenButWrongIss()
+    {
+        Config::set('jwt.audience', 'https://client-app.io');
+
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $request = new ServerRequest('GET', '/');
+        $request = $request->withHeader('Authorization', 'Bearer ' . $this->getJwt());
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::UNAUTHORIZED->value, $response->getStatusCode());
+        $this->assertStringContainsString(
+            'The token was not issued by the given issuers',
+            $response->getBody()->getContents()
+        );
+    }
+
+    /**
+     * @throws \JsonException
+     */
+    public function testJwtAttributeWithTokenWithDiffIssuer()
+    {
+        Config::set('jwt.audience', 'https://client-app.io');
+        Config::set('jwt.issuer', 'https://different-issuer.io');
+
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $request = new ServerRequest('GET', '/');
+        $request = $request->withHeader('Authorization', 'Bearer ' . $this->getJwt());
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::UNAUTHORIZED->value, $response->getStatusCode());
+        $this->assertStringContainsString(
+            'The token was not issued by the given issuers',
+            $response->getBody()->getContents()
+        );
+    }
+
+    public function testJwtAttributeWithToken()
+    {
+        Config::set('jwt.audience', 'https://client-app.io');
+        Config::set('jwt.issuer', 'https://api.my-awesome-app.io');
+
+        $class = $this->getClass();
+
+        $handler = \Mockery::mock(Dispatcher::class);
+        $handler->shouldReceive('getMiddlewareStack')
+            ->andReturn([$class]);
+
+        $handler
+            ->shouldReceive('handle')
+            ->once()
+            ->andReturn(new Response(200));
+
+        $request = new ServerRequest('GET', '/');
+        $request = $request->withHeader('Authorization', 'Bearer ' . $this->getJwt());
+        $middleware = new JwtMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertEquals(CodesEnum::OK->value, $response->getStatusCode());
+    }
+
+    private function getJwt(): string
+    {
+        $key = InMemory::plainText(self::TEST_SIGNING_KEY);
+        $signer = new Sha256();
+
+        $token = new JwtFacade()->issue(
+            $signer,
+            $key,
+            static fn (
+                Builder $builder,
+                DateTimeImmutable $issuedAt
+            ): Builder => $builder
+                ->issuedBy('https://api.my-awesome-app.io')
+                ->permittedFor('https://client-app.io')
+                ->expiresAt($issuedAt->modify('+10 minutes'))
+        );
+
+        return $token->toString();
+    }
+}