test: add test for state does not match exception and added needed sub claim

ricklambrechts · ricklambrechts · commit 5216e359ccda · 2024-09-30T21:00:24.000+02:00
diff --git a/tests/Feature/Http/Controllers/LoginControllerResponseTest.php b/tests/Feature/Http/Controllers/LoginControllerResponseTest.php
@@ -5,12 +5,15 @@
 namespace MinVWS\OpenIDConnectLaravel\Tests\Feature\Http\Controllers;
 
 use Illuminate\Http\Client\Request;
+use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Facades\Session;
 use Illuminate\Testing\TestResponse;
+use Jumbojett\OpenIDConnectClientException;
 use MinVWS\OpenIDConnectLaravel\OpenIDConfiguration\OpenIDConfiguration;
 use MinVWS\OpenIDConnectLaravel\OpenIDConfiguration\OpenIDConfigurationLoader;
+use MinVWS\OpenIDConnectLaravel\Services\ExceptionHandlerInterface;
 use MinVWS\OpenIDConnectLaravel\Tests\TestCase;
 use Mockery;
 
@@ -129,11 +132,53 @@ public function codeChallengeMethodProvider(): array
         ];
     }
 
-    public function testTokenSignedWithClientSecret(): void
+    public function testStateDoesNotMatch(): void
+    {
+        Http::fake([
+            // Token requested by OpenIDConnectClient::authenticate() function.
+            // Currently needed because the package requests the token endpoint before checking the state.
+            // TODO: Remove if https://github.com/jumbojett/OpenID-Connect-PHP/pull/447 is merged.
+            'https://provider.rdobeheer.nl/token' => Http::response([
+                'access_token' => 'access-token-from-token-endpoint',
+                'id_token' => 'some-valid-token-not-needed-for-this-state-check',
+                'token_type' => 'Bearer',
+                'expires_in' => 3600,
+            ]),
+        ]);
+
+        // Set OIDC config
+        $this->mockOpenIDConfigurationLoader();
+        Config::set('oidc.issuer', 'https://provider.rdobeheer.nl');
+        Config::set('oidc.client_id', 'test-client-id');
+        Config::set('oidc.client_secret', 'the-secret-client-secret');
+
+        // Mock LoginResponseHandlerInterface to check handleExceptionWhileAuthenticate is called.
+        $mock = Mockery::mock(ExceptionHandlerInterface::class);
+        $mock
+            ->shouldReceive('handleExceptionWhileAuthenticate')
+            ->withArgs(function (OpenIDConnectClientException $e) {
+                return $e->getMessage() === 'Unable to determine state';
+            })
+            ->once()
+            ->andReturn(new Response('', 400));
+        $this->app->instance(ExceptionHandlerInterface::class, $mock);
+
+        // Set the current state, which is usually generated and saved in the session before login,
+        // and sent to the issuer during the login redirect.
+        Session::put('openid_connect_state', 'some-state');
+
+        // We simulate here that the state does not match with the state in the session.
+        // And that the repsonse of ExceptionHandlerInterface is returned.
+        $response = $this->getRoute('oidc.login', ['code' => 'some-code', 'state' => 'a-different-state']);
+        $response->assertStatus(400);
+    }
+
+    public function testIdTokenSignedWithClientSecret(): void
     {
         $idToken = generateJwt([
             "iss" => "https://provider.rdobeheer.nl",
             "aud" => 'test-client-id',
+            "sub" => 'test-subject',
         ], 'the-secret-client-secret');
 
         Http::fake([
@@ -146,7 +191,7 @@ public function testTokenSignedWithClientSecret(): void
             ]),
             // User info requested by OpenIDConnectClient::requestUserInfo() function.
             'https://provider.rdobeheer.nl/userinfo?schema=openid' => Http::response([
-                'email' => 'teste@rdobeheer.nl',
+                'email' => 'tester@rdobeheer.nl',
             ]),
         ]);
 
@@ -157,16 +202,16 @@ public function testTokenSignedWithClientSecret(): void
         Config::set('oidc.client_id', 'test-client-id');
         Config::set('oidc.client_secret', 'the-secret-client-secret');
 
-        // Set current state, normally this is generated before logging in and send
-        // to the issuer, when the user is redirected for login.
+        // Set the current state, which is usually generated and saved in the session before login,
+        // and sent to the issuer during the login redirect.
         Session::put('openid_connect_state', 'some-state');
 
         // We simulate here that the user now comes back after successful login at issuer.
         $response = $this->getRoute('oidc.login', ['code' => 'some-code', 'state' => 'some-state']);
         $response->assertStatus(200);
         $response->assertJson([
             'userInfo' => [
-                'email' => 'teste@rdobeheer.nl',
+                'email' => 'tester@rdobeheer.nl',
             ]
         ]);
 
@@ -234,8 +279,8 @@ public function testTokenSignedWithPrivateKey(): void
         [$key, $keyResource] = generateOpenSSLKey();
         Config::set('oidc.client_authentication.signing_private_key_path', stream_get_meta_data($keyResource)['uri']);
 
-        // Set current state, normally this is generated before logging in and send
-        // to the issuer, when the user is redirected for login.
+        // Set the current state, which is usually generated and saved in the session before login,
+        // and sent to the issuer during the login redirect.
         Session::put('openid_connect_state', 'some-state');
 
         // We simulate here that the user now comes back after successful login at issuer.
