From 7f6a10b8a5e6eff621f9bd5c582b8b4e01fe1a7f Mon Sep 17 00:00:00 2001 From: danilopolani Date: Fri, 30 Jul 2021 12:50:23 +0200 Subject: [PATCH] hello --- .editorconfig | 12 ++ .github/FUNDING.yml | 1 + .github/workflows/main.yml | 45 +++++ .gitignore | 5 + .styleci.yml | 4 + CHANGELOG.md | 7 + CONTRIBUTING.md | 55 ++++++ LICENSE.md | 21 +++ README.md | 178 ++++++++++++++++++ composer.json | 54 ++++++ config/fusionauth.php | 64 +++++++ phpunit.xml | 17 ++ .../InvalidTokenAlgorithmException.php | 10 + src/Exceptions/InvalidTokenException.php | 10 + src/FusionAuthJwt.php | 101 ++++++++++ src/FusionAuthJwtServiceProvider.php | 49 +++++ src/FusionAuthJwtUser.php | 113 +++++++++++ src/FusionAuthJwtUserProvider.php | 62 ++++++ src/Helpers/RoleManager.php | 31 +++ src/Http/Middleware/CheckRole.php | 37 ++++ tests/ Middleware/CheckRoleTest.php | 59 ++++++ tests/FusionAuthJwtTest.php | 48 +++++ tests/Helpers/RoleManagerTest.php | 30 +++ tests/Pest.php | 14 ++ tests/TestCase.php | 41 ++++ 25 files changed, 1068 insertions(+) create mode 100644 .editorconfig create mode 100644 .github/FUNDING.yml create mode 100644 .github/workflows/main.yml create mode 100644 .gitignore create mode 100644 .styleci.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE.md create mode 100644 README.md create mode 100644 composer.json create mode 100644 config/fusionauth.php create mode 100644 phpunit.xml create mode 100644 src/Exceptions/InvalidTokenAlgorithmException.php create mode 100644 src/Exceptions/InvalidTokenException.php create mode 100644 src/FusionAuthJwt.php create mode 100644 src/FusionAuthJwtServiceProvider.php create mode 100644 src/FusionAuthJwtUser.php create mode 100644 src/FusionAuthJwtUserProvider.php create mode 100644 src/Helpers/RoleManager.php create mode 100644 src/Http/Middleware/CheckRole.php create mode 100644 tests/ Middleware/CheckRoleTest.php create mode 100644 tests/FusionAuthJwtTest.php create mode 100644 tests/Helpers/RoleManagerTest.php create mode 100644 tests/Pest.php create mode 100644 tests/TestCase.php diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..56f3b6b --- /dev/null +++ b/.editorconfig @@ -0,0 +1,12 @@ +root = true + +[*] +charset = utf-8 +end_of_line = lf +insert_final_newline = true +indent_style = space +indent_size = 4 +trim_trailing_whitespace = true + +[*.md] +trim_trailing_whitespace = false diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..d7f33a3 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +custom: ['https://www.buymeacoffee.com/theraloss'] diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..eb685b0 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,45 @@ +name: run-tests + +on: + push: + branches: [master] + pull_request: + branches: [master] + +jobs: + test: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: true + matrix: + os: [ubuntu-latest, windows-latest] + php: [7.4, 8.0] + laravel: [8.*] + stability: [prefer-lowest, prefer-stable] + include: + - laravel: 8.* + testbench: ^6.6 + + name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }} + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php }} + extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, imagick, fileinfo + coverage: none + + - name: Setup problem matchers + run: | + echo "::add-matcher::${{ runner.tool_cache }}/php.json" + echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" + - name: Install dependencies + run: | + composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" --no-interaction --no-update + composer update --${{ matrix.stability }} --prefer-dist --no-interaction + - name: Execute tests + run: vendor/bin/pest diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f546cf9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +vendor/ +coverage/ +composer.lock +.DS_Store +*.cache diff --git a/.styleci.yml b/.styleci.yml new file mode 100644 index 0000000..f4d3cbc --- /dev/null +++ b/.styleci.yml @@ -0,0 +1,4 @@ +preset: laravel + +disabled: + - single_class_element_per_statement diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..5bfa132 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,7 @@ +# Changelog + +All notable changes to `laravel-fusionauth-jwt` will be documented in this file + +## 1.0.0 - 2021-07-30 + +- First release diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..b4ae1c4 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,55 @@ +# Contributing + +Contributions are **welcome** and will be fully **credited**. + +Please read and understand the contribution guide before creating an issue or pull request. + +## Etiquette + +This project is open source, and as such, the maintainers give their free time to build and maintain the source code +held within. They make the code freely available in the hope that it will be of use to other developers. It would be +extremely unfair for them to suffer abuse or anger for their hard work. + +Please be considerate towards maintainers when raising issues or presenting pull requests. Let's show the +world that developers are civilized and selfless people. + +It's the duty of the maintainer to ensure that all submissions to the project are of sufficient +quality to benefit the project. Many developers have different skillsets, strengths, and weaknesses. Respect the maintainer's decision, and do not be upset or abusive if your submission is not used. + +## Viability + +When requesting or submitting new features, first consider whether it might be useful to others. Open +source projects are used by many developers, who may have entirely different needs to your own. Think about +whether or not your feature is likely to be used by other users of the project. + +## Procedure + +Before filing an issue: + +- Attempt to replicate the problem, to ensure that it wasn't a coincidental incident. +- Check to make sure your feature suggestion isn't already present within the project. +- Check the pull requests tab to ensure that the bug doesn't have a fix in progress. +- Check the pull requests tab to ensure that the feature isn't already in progress. + +Before submitting a pull request: + +- Check the codebase to ensure that your feature doesn't already exist. +- Check the pull requests to ensure that another person hasn't already submitted the feature or fix. + +## Requirements + +If the project maintainer has any additional requirements, you will find them listed here. + +- **[PSR-2 Coding Standard](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md)** - The easiest way to apply the conventions is to install [PHP Code Sniffer](https://pear.php.net/package/PHP_CodeSniffer). + +- **Add tests!** - Your patch won't be accepted if it doesn't have tests. + +- **Document any change in behaviour** - Make sure the `README.md` and any other relevant documentation are kept up-to-date. + +- **Consider our release cycle** - We try to follow [SemVer v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option. + +- **One pull request per feature** - If you want to do more than one thing, send multiple pull requests. + +- **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please [squash them](https://www.git-scm.com/book/en/v2/Git-Tools-Rewriting-History#Changing-Multiple-Commit-Messages) before submitting. + +**Happy coding**! diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..e4f9f37 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) Danilo Polani + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..50c1b88 --- /dev/null +++ b/README.md @@ -0,0 +1,178 @@ +# Laravel FusionAuth JWT + +[![Latest Version on Packagist](https://img.shields.io/packagist/v/danilopolani/laravel-fusionauth-jwt.svg?style=flat-square)](https://packagist.org/packages/danilopolani/laravel-fusionauth-jwt) +[![Total Downloads](https://img.shields.io/packagist/dt/danilopolani/laravel-fusionauth-jwt.svg?style=flat-square)](https://packagist.org/packages/danilopolani/laravel-fusionauth-jwt) +![GitHub Actions](https://github.com/danilopolani/laravel-fusionauth-jwt/actions/workflows/main.yml/badge.svg) + +Implement an Auth guard for FusionAuth JWTs in Laravel. +It ships with also a middleware to check against the user role. + +## Installation + +You can install the package via composer: + +```bash +composer require danilopolani/laravel-fusionauth-jwt +``` + +Then publish its config file: + +```bash +php artisan vendor:publish --tag=fusionauth-jwt-config +``` + +## Configuration + +There are a few notable configuration options for the package. + +Key | Type | Description +------------ | ------------- | ------------- +`domain` | String | Your FusionAuth domain, e.g. `auth.myapp.com` or `sandbox.fusionauth.io`. +`client_id` | String | The Client ID of the current application. +`client_secret` | String | The Client Secret of the current application. +`issuers` | Array | A list of authorized issuers for the incoming JWT. +`audience` | String \| Null | The ID/Name of the authorized audience. If null, the **Client ID** will be used. +`supported_algs` | Array | The supported algorithms of the JWT. Supported: `RS256` and `HS256`. +`default_role` | String \| Null | The default role to be checked if you're using the [`CheckRole`](#role-middleware) middleware. + +## Usage + +To start protecting your APIs you need to add the Guard and the Auth Provider to your `config/auth.php` configuration file: + +```php +'guards' => [ + // ... + 'fusionauth' => [ + 'driver' => 'fusionauth', + 'provider' => 'fusionauth', + ], +], + +'providers' => [ + // ... + 'fusionauth' => [ + 'driver' => 'fusionauth', + ], +], +``` + +Then you can use the `auth:fusionauth` guard to protect your endpoints; you can apply it to a group or a single route: + +```php +// app\Http\Kernel.php + +protected $middlewareGroups = [ + 'api' => [ + 'auth:fusionauth', + // ... + ], +]; + +// or routes/api.php + +Route::get('users', [UserController::class, 'index']) + ->middleware('auth:fusionauth'); +``` + +Now requests for those endpoints will check if the given JWT (given as **Bearer token**) is valid. + +To retrieve the current logged in user - or to check if it's logged in - you can use the usual `Auth` facade methods, specifying the `fusionauth` guard: + +```php +Auth::guard('fusionauth')->check(); + +/** @var \DaniloPolani\FusionAuthJwt\FusionAuthJwtUser $user */ +$user = Auth::guard('fusionauth')->user(); +``` + +### Role middleware + +The package ships with a handy middleware to check for user role (stored in the `roles` key). + +You can apply it on a middleware group inside the `Kernel.php` or to specific routes: + +```php +// app\Http\Kernel.php + +protected $middlewareGroups = [ + 'api' => [ + 'auth:fusionauth', + \DaniloPolani\FusionAuthJwt\Http\Middleware\CheckRole::class, + // ... + ], +]; + +// or routes/api.php + +Route::get('users', [UserController::class, 'index']) + ->middleware(['auth:fusionauth', 'fusionauth.role']); +``` + +By default the middleware will check that the current user has the `default_role` specified in the configuration file, but you can use as well a specific role, different from the default: + +```php +// routes/api.php + +Route::get('users', [UserController::class, 'index']) + ->middleware(['auth:fusionauth', 'fusionauth.role:admin']); +``` + +For more complex cases we suggest you to take a look on how the [`CheckRole`](https://github.com/danilopolani/laravel-fusionauth-jwt/blob/master/src/Http/Middleware/CheckRole.php) middleware is written (using the [`RoleManager`](https://github.com/danilopolani/laravel-fusionauth-jwt/blob/master/src/Helpers/RoleManager.php) class) and write your own. + +### Usage in tests + +When you need to test your endpoints in Laravel, you can take advantage of the [`actingAs`](https://laravel.com/docs/8.x/http-tests#session-and-authentication) method to set the current logged in user. + +You can pass any property you want to the `FusionAuthJwtUser` class, like `email`, `user` etc. Take a look at this example where we specify the user roles: + +```php +use DaniloPolani\FusionAuthJwt\FusionAuthJwtUser; + +$this + ->actingAs( + new FusionAuthJwtUser([ + 'roles' => ['user', 'admin'], + ]), + 'fusionauth', + ) + ->get('/api/users') + ->assertOk(); +``` + +If you need to set the authenticated user outside HTTP testing (therefore you can't use `actingAs()`), you can use the `setUser()` method of the `Auth` facade: + +```php +use DaniloPolani\FusionAuthJwt\FusionAuthJwtUser; +use Illuminate\Support\Facades\Auth; + +Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser([ + 'roles' => ['user', 'admin'], + ]) +); +``` + +### Changelog + +Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently. + +## Contributing + +Please see [CONTRIBUTING](CONTRIBUTING.md) for details. + +### Security + +If you discover any security related issues, please email danilo.polani@gmail.com instead of using the issue tracker. + +## Credits + +- [Danilo Polani](https://github.com/danilopolani) +- [All Contributors](../../contributors) + +## License + +The MIT License (MIT). Please see [License File](LICENSE.md) for more information. + +## Laravel Package Boilerplate + +This package was generated using the [Laravel Package Boilerplate](https://laravelpackageboilerplate.com). diff --git a/composer.json b/composer.json new file mode 100644 index 0000000..29fee3e --- /dev/null +++ b/composer.json @@ -0,0 +1,54 @@ +{ + "name": "danilopolani/laravel-fusionauth-jwt", + "description": "Laravel Auth guard for FusionAuth JWT", + "keywords": [ + "danilopolani", + "laravel-fusionauth-jwt" + ], + "homepage": "https://github.com/danilopolani/laravel-fusionauth-jwt", + "license": "MIT", + "type": "library", + "authors": [ + { + "name": "Danilo Polani", + "email": "danilo.polani@gmail.com", + "role": "Developer" + } + ], + "require": { + "php": "^7.4|^8.0", + "firebase/php-jwt": "^5.4", + "illuminate/auth": "^8.0", + "illuminate/http": "^8.0", + "illuminate/contracts": "^8.0", + "illuminate/routing": "^8.0", + "illuminate/support": "^8.0" + }, + "require-dev": { + "orchestra/testbench": "^6.0", + "pestphp/pest": "^1.12" + }, + "autoload": { + "psr-4": { + "DaniloPolani\\FusionAuthJwt\\": "src" + } + }, + "autoload-dev": { + "psr-4": { + "DaniloPolani\\FusionAuthJwt\\Tests\\": "tests" + } + }, + "scripts": { + "test": "vendor/bin/pest" + }, + "config": { + "sort-packages": true + }, + "extra": { + "laravel": { + "providers": [ + "DaniloPolani\\FusionAuthJwt\\FusionAuthJwtServiceProvider" + ] + } + } +} diff --git a/config/fusionauth.php b/config/fusionauth.php new file mode 100644 index 0000000..141ca74 --- /dev/null +++ b/config/fusionauth.php @@ -0,0 +1,64 @@ + env('FUSIONAUTH_DOMAIN'), + + /* + |-------------------------------------------------------------------------- + | App Client ID + |-------------------------------------------------------------------------- + | + */ + 'client_id' => env('FUSIONAUTH_CLIENT_ID'), + + /* + |-------------------------------------------------------------------------- + | App Client Secret + |-------------------------------------------------------------------------- + | + */ + 'client_secret' => env('FUSIONAUTH_CLIENT_SECRET'), + + /* + |-------------------------------------------------------------------------- + | Authorized issuers + |-------------------------------------------------------------------------- + | + */ + 'issuers' => [ + env('FUSIONAUTH_ISSUER'), + ], + + /* + |-------------------------------------------------------------------------- + | Authorized audience + |-------------------------------------------------------------------------- + | + */ + 'audience' => env('FUSIONAUTH_AUDIENCE'), + + /* + |-------------------------------------------------------------------------- + | Token supported algorithms + |-------------------------------------------------------------------------- + | + */ + 'supported_algs' => ['RS256'], + + /* + |-------------------------------------------------------------------------- + | Default role name + |-------------------------------------------------------------------------- + | + | Name of the default role to check when using the CheckRole middleware. + | + */ + 'default_role' => null, +]; diff --git a/phpunit.xml b/phpunit.xml new file mode 100644 index 0000000..ec8702d --- /dev/null +++ b/phpunit.xml @@ -0,0 +1,17 @@ + + + + + ./tests + + + + + ./src + + + diff --git a/src/Exceptions/InvalidTokenAlgorithmException.php b/src/Exceptions/InvalidTokenAlgorithmException.php new file mode 100644 index 0000000..819e865 --- /dev/null +++ b/src/Exceptions/InvalidTokenAlgorithmException.php @@ -0,0 +1,10 @@ +iss, Config::get('fusionauth.issuers'))) { + throw new InvalidTokenException('Issuer "' . $token->iss . '" is not authorized.'); + } + + $possibleAudiences = [ + // Fallback to client_id to avoid "null $token->aud" matching "null fusionauth.audience" + Config::get('fusionauth.audience', Config::get('fusionauth.client_id')), + Config::get('fusionauth.client_id'), + ]; + + // Validate aud against the audience and client id (may be a token from client_credentials) + if (!in_array($token->aud, $possibleAudiences)) { + throw new InvalidTokenException('Audience "' . $token->aud . '" is not authorized.'); + } + } + + /** + * Fetch public keys generated from JWKS. + * + * @return array + */ + protected static function fetchPublicKeys(): array + { + return Cache::remember( + 'fusionauth.public_keys', + self::JWKS_CACHE_TTL, + fn () => Http::get('https://' . Config::get('fusionauth.domain') . '/api/jwt/public-key') + ->throw() + ->json('publicKeys', []) + ); + } +} diff --git a/src/FusionAuthJwtServiceProvider.php b/src/FusionAuthJwtServiceProvider.php new file mode 100644 index 0000000..025165d --- /dev/null +++ b/src/FusionAuthJwtServiceProvider.php @@ -0,0 +1,49 @@ +mergeConfigFrom(__DIR__.'/../config/fusionauth.php', 'fusionauth'); + } + + public function boot() + { + Auth::provider( + 'fusionauth', + fn (Application $app) => $app->make(FusionAuthJwtUserProvider::class) + ); + + Auth::extend( + 'fusionauth', + fn (Application $app, string $name, array $config) => new RequestGuard( + fn (Request $request, FusionAuthJwtUserProvider $provider) => $provider->retrieveByCredentials([ + 'jwt' => $request->bearerToken(), + ]), + $app['request'], + $app['auth']->createUserProvider($config['provider']) + ) + ); + + /** @var Router $router */ + $router = $this->app->make(Router::class); + $router->aliasMiddleware('fusionauth.role', CheckRole::class); + + if ($this->app->runningInConsole()) { + $this->publishes([ + __DIR__.'/../config/fusionauth.php' => config_path('fusionauth.php'), + ], 'fusionauth-jwt-config'); + } + } +} diff --git a/src/FusionAuthJwtUser.php b/src/FusionAuthJwtUser.php new file mode 100644 index 0000000..56a7163 --- /dev/null +++ b/src/FusionAuthJwtUser.php @@ -0,0 +1,113 @@ + $roles + * @property-read int $exp + * @property-read int $iat + */ +class FusionAuthJwtUser implements Authenticatable +{ + private array $userInfo; + + /** + * FusionAuthUser constructor. + * + * @param array $userInfo + */ + public function __construct(array $userInfo) + { + $this->userInfo = $userInfo; + } + + /** + * {@inheritDoc} + */ + public function getAuthIdentifierName() + { + return $this->userInfo['sub']; + } + + /** + * {@inheritDoc} + */ + public function getAuthIdentifier() + { + return $this->userInfo['sub']; + } + + /** + * {@inheritDoc} + */ + public function getAuthPassword() + { + return ''; + } + + /** + * {@inheritDoc} + */ + public function getRememberToken() + { + return ''; + } + + /** + * {@inheritDoc} + */ + public function setRememberToken($value) + { + // + } + + /** + * {@inheritDoc} + */ + public function getRememberTokenName() + { + return ''; + } + + /** + * Get the whole user info array. + * + * @return array + */ + public function getUserInfo(): array + { + return $this->userInfo; + } + + /** + * Add a generic getter to get all the properties of the userInfo. + * + * @param string $name + * @return mixed the related value or null if not found + */ + public function __get($name) + { + return $this->userInfo[$name] ?? null; + } + + /** + * Stringify the current user. + * + * @return string + */ + public function __toString() + { + return json_encode($this->userInfo); + } +} diff --git a/src/FusionAuthJwtUserProvider.php b/src/FusionAuthJwtUserProvider.php new file mode 100644 index 0000000..958a862 --- /dev/null +++ b/src/FusionAuthJwtUserProvider.php @@ -0,0 +1,62 @@ +user())->roles ?: []; + } +} diff --git a/src/Http/Middleware/CheckRole.php b/src/Http/Middleware/CheckRole.php new file mode 100644 index 0000000..3dfd5c6 --- /dev/null +++ b/src/Http/Middleware/CheckRole.php @@ -0,0 +1,37 @@ +check()) { + throw new UnauthorizedHttpException('Bearer'); + } + + $finalRole = $role ?: Config::get('fusionauth.default_role'); + + if (is_null($finalRole) || !RoleManager::hasRole($finalRole)) { + throw new UnauthorizedHttpException('Bearer role="' . $role . '"'); + } + + return $next($request); + } +} diff --git a/tests/ Middleware/CheckRoleTest.php b/tests/ Middleware/CheckRoleTest.php new file mode 100644 index 0000000..31e50e7 --- /dev/null +++ b/tests/ Middleware/CheckRoleTest.php @@ -0,0 +1,59 @@ +request = new Request(); + $this->nullFn = fn () => assertTrue(true); +}); + +test('block if guest', function () { + (new CheckRole())->handle($this->request, $this->nullFn); +})->throws(UnauthorizedHttpException::class); + +test('block if no role specified', function () { + Auth::guard('fusionauth')->setUser(new FusionAuthJwtUser([])); + + (new CheckRole())->handle($this->request, $this->nullFn); +})->throws(UnauthorizedHttpException::class); + +test('block if user has not the default role', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['foo']]) + ); + + (new CheckRole())->handle($this->request, $this->nullFn); +})->throws(UnauthorizedHttpException::class); + +test('block if user has not the custom role provided', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['user']]) + ); + + (new CheckRole())->handle($this->request, $this->nullFn, 'admin'); +})->throws(UnauthorizedHttpException::class); + +test('handles default role for a user', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['user']]) + ); + + (new CheckRole())->handle($this->request, $this->nullFn); +}); + +test('handles a custom role', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['user', 'admin']]) + ); + + (new CheckRole())->handle($this->request, $this->nullFn, 'admin'); +}); diff --git a/tests/FusionAuthJwtTest.php b/tests/FusionAuthJwtTest.php new file mode 100644 index 0000000..a1da4b3 --- /dev/null +++ b/tests/FusionAuthJwtTest.php @@ -0,0 +1,48 @@ +throws(InvalidTokenAlgorithmException::class); + +test('::validate() will throw an error if the issuer is not authorized', function () { + Config::set('fusionauth.audience', 'bar'); + Config::set('fusionauth.issuers', ['foo', 'bar']); + + FusionAuthJwt::validate((object) ['aud' => 'bar', 'iss' => 'baz']); +})->throws(InvalidTokenException::class); + +test('::validate() will throw an error if the audience or client_id are not authorized', function () { + Config::set('fusionauth.client_id', 'foo'); + Config::set('fusionauth.audience', 'bar'); + Config::set('fusionauth.issuers', ['foo', 'bar']); + + FusionAuthJwt::validate((object) ['aud' => 'baz', 'iss' => 'bar']); +})->throws(InvalidTokenException::class); + +test('::validate() will not throw anything if everything is good', function () { + Config::set('fusionauth.audience', 'bar'); + Config::set('fusionauth.issuers', ['foo', 'bar']); + + FusionAuthJwt::validate((object) ['aud' => 'bar', 'iss' => 'foo']); + + // Basic expectation to avoid the warning + expect(true)->toBeTrue(); +}); + +test('::validate() will not throw anything if audience matches the client_id', function () { + Config::set('fusionauth.client_id', 'baz'); + Config::set('fusionauth.audience', 'foo'); + Config::set('fusionauth.issuers', ['foo', 'bar']); + + FusionAuthJwt::validate((object) ['aud' => 'baz', 'iss' => 'foo']); + + // Basic expectation to avoid the warning + expect(true)->toBeTrue(); +}); diff --git a/tests/Helpers/RoleManagerTest.php b/tests/Helpers/RoleManagerTest.php new file mode 100644 index 0000000..a983271 --- /dev/null +++ b/tests/Helpers/RoleManagerTest.php @@ -0,0 +1,30 @@ +toBe([]); +}); + +test('::getRoles() with a logged in user', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['user', 'admin']]) + ); + + expect(RoleManager::getRoles())->toBe(['user', 'admin']); +}); + +test('::hasRole() false when not logged in', function () { + expect(RoleManager::hasRole('user'))->toBeFalse(); +}); + +test('::hasRole() with a logged in user', function () { + Auth::guard('fusionauth')->setUser( + new FusionAuthJwtUser(['roles' => ['user', 'admin']]) + ); + + expect(RoleManager::hasRole('user'))->toBeTrue(); + expect(RoleManager::hasRole('foobar'))->toBeFalse(); +}); diff --git a/tests/Pest.php b/tests/Pest.php new file mode 100644 index 0000000..8d15a47 --- /dev/null +++ b/tests/Pest.php @@ -0,0 +1,14 @@ +in(__DIR__); diff --git a/tests/TestCase.php b/tests/TestCase.php new file mode 100644 index 0000000..cdd8769 --- /dev/null +++ b/tests/TestCase.php @@ -0,0 +1,41 @@ +set('auth.guards.fusionauth', [ + 'driver' => 'fusionauth', + 'provider' => 'fusionauth', + ]); + $app['config']->set('auth.providers.fusionauth', [ + 'driver' => 'fusionauth', + ]); + } +}