create(); $client = $this->createClientForTenant($tenant); $query = $this->buildAuthorizeQuery($client); $fullUrl = url('/api/v1/oauth/authorize?'.http_build_query($query)); $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query)); $response->assertRedirect(); $location = $response->headers->get('Location'); $this->assertNotNull($location); $this->assertStringStartsWith(route('tenant.admin.login'), $location); $parsed = parse_url($location); $actualQuery = []; parse_str($parsed['query'] ?? '', $actualQuery); $this->assertSame('login_required', $actualQuery['error'] ?? null); $this->assertSame('Please sign in to continue.', $actualQuery['error_description'] ?? null); $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null); $this->assertIntendedUrlMatches($query); } public function test_authorize_returns_json_payload_for_ajax_guests(): void { $tenant = Tenant::factory()->create(); $client = $this->createClientForTenant($tenant); $query = $this->buildAuthorizeQuery($client); $response = $this->withHeaders(['Accept' => 'application/json']) ->get('/api/v1/oauth/authorize?'.http_build_query($query)); $response->assertStatus(401) ->assertJson([ 'error' => 'login_required', 'error_description' => 'Please sign in to continue.', ]); $this->assertIntendedUrlMatches($query); } public function test_authorize_rejects_when_user_cannot_access_client_tenant(): void { $homeTenant = Tenant::factory()->create(); $otherTenant = Tenant::factory()->create(); $user = User::factory()->create([ 'tenant_id' => $homeTenant->id, 'role' => 'tenant_admin', ]); $client = $this->createClientForTenant($otherTenant); $this->actingAs($user); $query = $this->buildAuthorizeQuery($client); $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query)); $response->assertRedirect(); $location = $response->headers->get('Location'); $this->assertNotNull($location); $parsed = parse_url($location); $actualQuery = []; parse_str($parsed['query'] ?? '', $actualQuery); $this->assertSame('tenant_mismatch', $actualQuery['error'] ?? null); $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null); } public function test_authorize_redirects_with_error_when_client_unknown(): void { $tenant = Tenant::factory()->create(); $this->actingAs(User::factory()->create([ 'tenant_id' => $tenant->id, 'role' => 'tenant_admin', ])); $query = $this->buildAuthorizeQuery(new OAuthClient([ 'client_id' => 'missing-client', 'redirect_uris' => ['http://localhost/callback'], 'scopes' => ['tenant:read', 'tenant:write'], ])); $response = $this->get('/api/v1/oauth/authorize?'.http_build_query($query)); $response->assertRedirect(); $location = $response->headers->get('Location'); $this->assertNotNull($location); $parsed = parse_url($location); $actualQuery = []; parse_str($parsed['query'] ?? '', $actualQuery); $this->assertSame('invalid_client', $actualQuery['error'] ?? null); $this->assertReturnToMatches($query, $actualQuery['return_to'] ?? null); } public function test_authorize_returns_json_error_for_tenant_mismatch_when_requested(): void { $homeTenant = Tenant::factory()->create(); $otherTenant = Tenant::factory()->create(); $user = User::factory()->create([ 'tenant_id' => $homeTenant->id, 'role' => 'tenant_admin', ]); $client = $this->createClientForTenant($otherTenant); $this->actingAs($user); $query = $this->buildAuthorizeQuery($client); $response = $this->withHeaders(['Accept' => 'application/json']) ->get('/api/v1/oauth/authorize?'.http_build_query($query)); $response->assertStatus(403) ->assertJson([ 'error' => 'tenant_mismatch', ]); } private function createClientForTenant(Tenant $tenant): OAuthClient { return OAuthClient::create([ 'id' => (string) Str::uuid(), 'client_id' => 'tenant-admin-app-'.$tenant->id, 'tenant_id' => $tenant->id, 'client_secret' => null, 'redirect_uris' => ['http://localhost/callback'], 'scopes' => ['tenant:read', 'tenant:write'], 'is_active' => true, ]); } private function buildAuthorizeQuery(OAuthClient $client): array { return [ 'client_id' => $client->client_id, 'redirect_uri' => 'http://localhost/callback', 'response_type' => 'code', 'scope' => 'tenant:read tenant:write', 'state' => Str::random(10), 'code_challenge' => rtrim(strtr(base64_encode(hash('sha256', Str::random(32), true)), '+/', '-_'), '='), 'code_challenge_method' => 'S256', ]; } private function assertIntendedUrlMatches(array $expectedQuery): void { $intended = session('url.intended'); $this->assertNotNull($intended, 'Expected intended URL to be recorded in session.'); $parts = parse_url($intended); $this->assertSame('/api/v1/oauth/authorize', $parts['path'] ?? null); $actualQuery = []; parse_str($parts['query'] ?? '', $actualQuery); $this->assertEqualsCanonicalizing($expectedQuery, $actualQuery); } private function decodeReturnTo(?string $value): ?string { if ($value === null) { return null; } $padded = str_pad($value, strlen($value) + ((4 - (strlen($value) % 4)) % 4), '='); $normalized = strtr($padded, '-_', '+/'); return base64_decode($normalized) ?: null; } private function assertReturnToMatches(array $expectedQuery, ?string $encoded): void { $decoded = $this->decodeReturnTo($encoded); $this->assertNotNull($decoded, 'Failed to decode return_to parameter.'); $parts = parse_url($decoded); $this->assertSame('/api/v1/oauth/authorize', $parts['path'] ?? null); $actualQuery = []; parse_str($parts['query'] ?? '', $actualQuery); $this->assertEqualsCanonicalizing($expectedQuery, $actualQuery); } }