From 63ef549749fac9d0e302842f06e7794d1daabc13 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sat, 7 Jan 2017 22:23:47 +0100 Subject: API: expect JWT in the Authorization header Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam --- tests/api/ApiMiddlewareTest.php | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) (limited to 'tests/api') diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php index 4d4dd9b9..d9753b1d 100644 --- a/tests/api/ApiMiddlewareTest.php +++ b/tests/api/ApiMiddlewareTest.php @@ -143,7 +143,7 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase $env = Environment::mock([ 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/echo', - 'HTTP_JWT'=> 'jwt', + 'HTTP_AUTHORIZATION'=> 'Bearer jwt', ]); $request = Request::createFromEnvironment($env); $response = new Response(); @@ -157,7 +157,30 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase } /** - * Invoke the middleware without an invalid JWT token (debug): + * Invoke the middleware with an invalid JWT token header + */ + public function testInvalidJwtAuthHeaderDebug() + { + $this->conf->set('dev.debug', true); + $mw = new ApiMiddleware($this->container); + $env = Environment::mock([ + 'REQUEST_METHOD' => 'GET', + 'REQUEST_URI' => '/echo', + 'HTTP_AUTHORIZATION'=> 'PolarBearer jwt', + ]); + $request = Request::createFromEnvironment($env); + $response = new Response(); + /** @var Response $response */ + $response = $mw($request, $response, null); + + $this->assertEquals(401, $response->getStatusCode()); + $body = json_decode((string) $response->getBody()); + $this->assertEquals('Not authorized: Invalid JWT header', $body->message); + $this->assertContains('ApiAuthorizationException', $body->stacktrace); + } + + /** + * Invoke the middleware with an invalid JWT token (debug): * should return a 401 error Unauthorized - with a specific message and a stacktrace. * * Note: specific JWT errors tests are handled in ApiUtilsTest. @@ -169,7 +192,7 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase $env = Environment::mock([ 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/echo', - 'HTTP_JWT'=> 'bad jwt', + 'HTTP_AUTHORIZATION'=> 'Bearer jwt', ]); $request = Request::createFromEnvironment($env); $response = new Response(); -- cgit v1.2.3