feat: harden tenant settings and import pipeline

2025-09-25 11:50:18 +02:00
parent b22d91ed32
commit 9248d7a3f5
29 changed files with 577 additions and 293 deletions
--- a/tests/Feature/Tenant/SettingsApiTest.php
+++ b/tests/Feature/Tenant/SettingsApiTest.php
@@ -71,7 +71,7 @@ class SettingsApiTest extends TenantTestCase

        $this->assertDatabaseHas('tenants', [
            'id' => $this->tenant->id,
-            'settings' => $settingsData['settings'],
+            'settings' => json_encode($settingsData['settings']),
        ]);
    }

@@ -100,7 +100,7 @@ class SettingsApiTest extends TenantTestCase
        $response = $this->authenticatedRequest('POST', '/api/v1/tenant/settings/reset');

        $response->assertStatus(200)
-                ->assertJson(['message' => 'Settings auf Standardwerte zurückgesetzt.'])
+                ->assertJson(['message' => 'Settings auf Standardwerte zurueckgesetzt.'])
                ->assertJsonPath('data.settings.branding.primary_color', '#3B82F6')
                ->assertJsonPath('data.settings.features.photo_likes_enabled', true);

@@ -136,7 +136,7 @@ class SettingsApiTest extends TenantTestCase

        $response->assertStatus(200)
                ->assertJson(['available' => true])
-                ->assertJson(['message' => 'Domain ist verfügbar.']);
+                ->assertJson(['message' => 'Domain ist verfuegbar.']);

        // Invalid domain format
        $response = $this->authenticatedRequest('POST', '/api/v1/tenant/settings/validate-domain', [
@@ -145,7 +145,7 @@ class SettingsApiTest extends TenantTestCase

        $response->assertStatus(200)
                ->assertJson(['available' => false])
-                ->assertJson(['message' => 'Ungültiges Domain-Format.']);
+                ->assertJson(['message' => 'Ungueltiges Domain-Format.']);

        // Taken domain (create another tenant with same domain)
        $otherTenant = Tenant::factory()->create(['custom_domain' => 'taken.example.com']);
@@ -187,4 +187,6 @@ class SettingsApiTest extends TenantTestCase
                ->assertJsonPath('data.settings.branding.primary_color', '#3B82F6') // Default for this tenant
                ->assertJsonMissing(['#FF0000']); // Other tenant's color
    }
-}
+}
+
+
--- a/tests/Feature/Tenant/TaskApiTest.php
+++ b/tests/Feature/Tenant/TaskApiTest.php
@@ -263,7 +263,9 @@ class TaskApiTest extends TenantTestCase
            'tenant_id' => $this->tenant->id,
            'priority' => 'medium',
        ]);
-        $collectionTasks->each(fn($task) => $task->taskCollection()->associate($collection));
+        $collectionTasks->each(function ($task) use ($collection) {
+            $task->update(['collection_id' => $collection->id]);
+        });

        Task::factory(3)->create([
            'tenant_id' => $this->tenant->id,
@@ -303,4 +305,8 @@ class TaskApiTest extends TenantTestCase
                ->assertJsonCount(1, 'data')
                ->assertJsonPath('data.0.title', 'Search Test');
    }
-}
+}
+
+
+
+
--- a/tests/Feature/Tenant/TenantTestCase.php
+++ b/tests/Feature/Tenant/TenantTestCase.php
@@ -2,11 +2,11 @@

 namespace Tests\Feature\Tenant;

+use App\Models\OAuthClient;
 use App\Models\Tenant;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
-use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Str;
 use Tests\TestCase;

 abstract class TenantTestCase extends TestCase
@@ -15,42 +15,103 @@ abstract class TenantTestCase extends TestCase

    protected Tenant $tenant;
    protected User $tenantUser;
+    protected OAuthClient $oauthClient;
    protected string $token;
+    protected ?string $refreshToken = null;

    protected function setUp(): void
    {
        parent::setUp();

+        $this->initialiseTenantContext();
+    }
+
+    protected function authenticatedRequest(string $method, string $uri, array $data = [], array $headers = [])
+    {
+        $headers = array_merge([
+            'Authorization' => 'Bearer '.$this->token,
+        ], $headers);
+
+        return $this->withHeaders($headers)->json($method, $uri, $data);
+    }
+
+    protected function mockTenantContext(): void
+    {
+        $this->app->instance('tenant', $this->tenant);
+    }
+
+    protected function initialiseTenantContext(array $scopes = ['tenant:read', 'tenant:write']): void
+    {
        $this->tenant = Tenant::factory()->create([
            'name' => 'Test Tenant',
-            'slug' => 'test-tenant',
+            'slug' => 'test-tenant-'.Str::random(6),
        ]);

        $this->tenantUser = User::factory()->create([
            'name' => 'Test User',
-            'email' => 'test@example.com',
+            'email' => 'test-'.Str::random(6).'@example.com',
            'tenant_id' => $this->tenant->id,
            'role' => 'admin',
        ]);

-        $this->token = 'mock-jwt-token-' . $this->tenant->id . '-' . time();
-    }
+        $this->oauthClient = $this->createTenantClient($this->tenant, $scopes);
+        [$this->token, $this->refreshToken] = $this->issueTokens($this->oauthClient, $scopes);

-    protected function authenticatedRequest($method, $uri, array $data = [], array $headers = [])
-    {
-        $headers['Authorization'] = 'Bearer ' . $this->token;
-
-        // Temporarily override the middleware to skip auth and set tenant
-        $this->app['router']->pushMiddlewareToGroup('api', MockTenantMiddleware::class, 'mock-tenant');
-        
-        return $this->withHeaders($headers)->json($method, $uri, $data);
-    }
-
-    protected function mockTenantContext()
-    {
-        $this->actingAs($this->tenantUser);
-        
-        // Set tenant globally for tests
        $this->app->instance('tenant', $this->tenant);
    }
-}
+
+    protected function createTenantClient(Tenant $tenant, array $scopes): OAuthClient
+    {
+        return OAuthClient::create([
+            'id' => (string) Str::uuid(),
+            'client_id' => 'tenant-admin-app-'.$tenant->id,
+            'tenant_id' => $tenant->id,
+            'client_secret' => null,
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => $scopes,
+            'is_active' => true,
+        ]);
+    }
+
+    protected function issueTokens(OAuthClient $client, array $scopes = ['tenant:read', 'tenant:write']): array
+    {
+        $codeVerifier = 'tenant-code-verifier-'.Str::random(32);
+        $codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
+        $state = Str::random(10);
+
+        $response = $this->get('/api/v1/oauth/authorize?'.http_build_query([
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'response_type' => 'code',
+            'scope' => implode(' ', $scopes),
+            'state' => $state,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $query = [];
+        parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
+        $authorizationCode = $query['code'] ?? null;
+        $this->assertNotNull($authorizationCode, 'Authorization code should be present');
+
+        $tokenResponse = $this->post('/api/v1/oauth/token', [
+            'grant_type' => 'authorization_code',
+            'code' => $authorizationCode,
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'code_verifier' => $codeVerifier,
+        ]);
+
+        $tokenResponse->assertOk();
+
+        return [
+            $tokenResponse->json('access_token'),
+            $tokenResponse->json('refresh_token'),
+        ];
+    }
+}
+