die tenant admin oauth authentifizierung wurde implementiert und funktioniert jetzt. Zudem wurde das marketing frontend dashboard implementiert.

2025-11-04 16:14:17 +01:00
parent 92e64c361a
commit fe380689fb
63 changed files with 4239 additions and 1142 deletions
--- a/tests/Feature/OAuth/AuthorizeTest.php
+++ b/tests/Feature/OAuth/AuthorizeTest.php
@@ -0,0 +1,204 @@
+<?php
+
+namespace Tests\Feature\OAuth;
+
+use App\Models\OAuthClient;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class AuthorizeTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_authorize_redirects_guests_to_login(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $client = $this->createClientForTenant($tenant);
+        $query = $this->buildAuthorizeQuery($client);
+        $fullUrl = url('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $this->assertStringStartsWith(route('tenant.admin.login'), $location);
+
+        $parsed = parse_url($location);
+        $actualQuery = [];
+        parse_str($parsed['query'] ?? '', $actualQuery);
+
+        $this->assertSame('login_required', $actualQuery['error'] ?? null);
+        $this->assertSame('Please sign in to continue.', $actualQuery['error_description'] ?? null);
+        $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null);
+
+        $this->assertIntendedUrlMatches($query);
+    }
+
+    public function test_authorize_returns_json_payload_for_ajax_guests(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $client = $this->createClientForTenant($tenant);
+        $query = $this->buildAuthorizeQuery($client);
+
+        $response = $this->withHeaders(['Accept' => 'application/json'])
+            ->get('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response->assertStatus(401)
+            ->assertJson([
+                'error' => 'login_required',
+                'error_description' => 'Please sign in to continue.',
+            ]);
+
+        $this->assertIntendedUrlMatches($query);
+    }
+
+    public function test_authorize_rejects_when_user_cannot_access_client_tenant(): void
+    {
+        $homeTenant = Tenant::factory()->create();
+        $otherTenant = Tenant::factory()->create();
+        $user = User::factory()->create([
+            'tenant_id' => $homeTenant->id,
+            'role' => 'tenant_admin',
+        ]);
+
+        $client = $this->createClientForTenant($otherTenant);
+
+        $this->actingAs($user);
+
+        $query = $this->buildAuthorizeQuery($client);
+        $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $parsed = parse_url($location);
+        $actualQuery = [];
+        parse_str($parsed['query'] ?? '', $actualQuery);
+
+        $this->assertSame('tenant_mismatch', $actualQuery['error'] ?? null);
+        $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null);
+    }
+
+    public function test_authorize_redirects_with_error_when_client_unknown(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $this->actingAs(User::factory()->create([
+            'tenant_id' => $tenant->id,
+            'role' => 'tenant_admin',
+        ]));
+
+        $query = $this->buildAuthorizeQuery(new OAuthClient([
+            'client_id' => 'missing-client',
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => ['tenant:read', 'tenant:write'],
+        ]));
+
+        $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $parsed = parse_url($location);
+        $actualQuery = [];
+        parse_str($parsed['query'] ?? '', $actualQuery);
+
+        $this->assertSame('invalid_client', $actualQuery['error'] ?? null);
+        $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null);
+    }
+
+    public function test_authorize_returns_json_error_for_tenant_mismatch_when_requested(): void
+    {
+        $homeTenant = Tenant::factory()->create();
+        $otherTenant = Tenant::factory()->create();
+        $user = User::factory()->create([
+            'tenant_id' => $homeTenant->id,
+            'role' => 'tenant_admin',
+        ]);
+
+        $client = $this->createClientForTenant($otherTenant);
+
+        $this->actingAs($user);
+
+        $query = $this->buildAuthorizeQuery($client);
+        $response = $this->withHeaders(['Accept' => 'application/json'])
+            ->get('/api/v1/oauth/authorize?'.http_build_query($query));
+
+        $response->assertStatus(403)
+            ->assertJson([
+                'error' => 'tenant_mismatch',
+            ]);
+    }
+
+    private function createClientForTenant(Tenant $tenant): OAuthClient
+    {
+        return OAuthClient::create([
+            'id' => (string) Str::uuid(),
+            'client_id' => 'tenant-admin-app-'.$tenant->id,
+            'tenant_id' => $tenant->id,
+            'client_secret' => null,
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => ['tenant:read', 'tenant:write'],
+            'is_active' => true,
+        ]);
+    }
+
+    private function buildAuthorizeQuery(OAuthClient $client): array
+    {
+        return [
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'response_type' => 'code',
+            'scope' => 'tenant:read tenant:write',
+            'state' => Str::random(10),
+            'code_challenge' => rtrim(strtr(base64_encode(hash('sha256', Str::random(32), true)), '+/', '-_'), '='),
+            'code_challenge_method' => 'S256',
+        ];
+    }
+
+    private function assertIntendedUrlMatches(array $expectedQuery): void
+    {
+        $intended = session('url.intended');
+        $this->assertNotNull($intended, 'Expected intended URL to be recorded in session.');
+
+        $parts = parse_url($intended);
+        $this->assertSame('/api/v1/oauth/authorize', $parts['path'] ?? null);
+
+        $actualQuery = [];
+        parse_str($parts['query'] ?? '', $actualQuery);
+
+        $this->assertEqualsCanonicalizing($expectedQuery, $actualQuery);
+    }
+
+    private function decodeReturnTo(?string $value): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+
+        $padded = str_pad($value, strlen($value) + ((4 - (strlen($value) % 4)) % 4), '=');
+        $normalized = strtr($padded, '-_', '+/');
+
+        return base64_decode($normalized) ?: null;
+    }
+
+    private function assertReturnToMatches(array $expectedQuery, ?string $encoded): void
+    {
+        $decoded = $this->decodeReturnTo($encoded);
+        $this->assertNotNull($decoded, 'Failed to decode return_to parameter.');
+
+        $parts = parse_url($decoded);
+        $this->assertSame('/api/v1/oauth/authorize', $parts['path'] ?? null);
+
+        $actualQuery = [];
+        parse_str($parts['query'] ?? '', $actualQuery);
+
+        $this->assertEqualsCanonicalizing($expectedQuery, $actualQuery);
+    }
+}