Merge pull request #30 from pdsinterop/fix/public-request

Fix bug caused by "public" scenario not being correctly handled.

Author: poef

src/Utils/DPop.php

@@ -28,10 +28,10 @@ class DPop {
 
     private JtiValidator $jtiValidator;
 
-    public function __construct(JtiValidator $jtiValidator)
-    {
-        $this->jtiValidator = $jtiValidator;
-    }
+	public function __construct(JtiValidator $jtiValidator)
+	{
+		$this->jtiValidator = $jtiValidator;
+	}
 
 	/**
 	 * This method fetches the WebId from a request and verifies
@@ -48,29 +48,28 @@ public function __construct(JtiValidator $jtiValidator)
 	public function getWebId($request) {
 		$serverParams = $request->getServerParams();
 
-		$this->validateRequestHeaders($serverParams);
-
-		[, $jwt] = explode(" ", $serverParams['HTTP_AUTHORIZATION'], 2);
+		if (isset($serverParams['HTTP_AUTHORIZATION']) === false) {
+			$webId = "public";
+		} else {
+			$this->validateRequestHeaders($serverParams);
 
-		$dpop = $serverParams['HTTP_DPOP'];
+			[, $jwt] = explode(" ", $serverParams['HTTP_AUTHORIZATION'], 2);
 
-		//@FIXME: check that there is just one DPoP token in the request
-		try {
-			$dpopKey = $this->getDpopKey($dpop, $request);
-		} catch (InvalidTokenStructure $e) {
-			throw new InvalidTokenException("Invalid JWT token: {$e->getMessage()}", 0, $e);
-		}
+			$dpop = $serverParams['HTTP_DPOP'];
 
-		try {
-			$this->validateJwtDpop($jwt, $dpopKey);
-		} catch (RequiredConstraintsViolated $e) {
-			throw new InvalidTokenException($e->getMessage(), 0, $e);
-		}
+			//@FIXME: check that there is just one DPoP token in the request
+			try {
+				$dpopKey = $this->getDpopKey($dpop, $request);
+			} catch (InvalidTokenStructure $e) {
+				throw new InvalidTokenException("Invalid JWT token: {$e->getMessage()}", 0, $e);
+			}
 
-		if ($jwt) {
+			try {
+				$this->validateJwtDpop($jwt, $dpopKey);
+			} catch (RequiredConstraintsViolated $e) {
+				throw new InvalidTokenException($e->getMessage(), 0, $e);
+			}
 			$webId = $this->getSubjectFromJwt($jwt);
-		} else {
-			$webId = "public";
 		}
 
 		return $webId;
@@ -274,10 +273,6 @@ private function getSubjectFromJwt($jwt) {
 	}
 
 	private function validateRequestHeaders($serverParams) {
-		if (isset($serverParams['HTTP_AUTHORIZATION']) === false) {
-			throw new AuthorizationHeaderException("Authorization Header missing");
-		}
-
 		if (str_contains($serverParams['HTTP_AUTHORIZATION'], ' ') === false) {
 			throw new AuthorizationHeaderException("Authorization Header does not contain parameters");
 		}

tests/unit/Utils/DPOPTest.php

@@ -234,7 +234,7 @@ final public function testGetWebIdWithoutRequest(): void
     }
 
     /**
-     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request without Authorization Header
+     * @testdox Dpop SHOULD return 'public' WHEN asked to get WebId from Request without Authorization Header
      *
      * @covers ::getWebId
      */
@@ -245,10 +245,10 @@ final public function testGetWebIdWithoutHttpAuthorizationHeader(): void
 
         $request = new ServerRequest(array(),array(), $this->url);
 
-        $this->expectException(AuthorizationHeaderException::class);
-        $this->expectExceptionMessage('Authorization Header missing');
+        $actual = $dpop->getWebId($request);
+        $expected = 'public';
 
-        $dpop->getWebId($request);
+        $this->assertEquals($expected, $actual);
     }
 
     /**