a949c8d3af
hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads, attach packages, and surface localized success/error states. - Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/ PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent creation, webhooks, and the wizard CTA. - Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/ useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages, Checkout) with localized copy and experiment tracking. - Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations. - Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke test for the hero CTA while reconciling outstanding checklist items.
285 lines
11 KiB
PHP
285 lines
11 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use App\Models\OAuthClient;
|
|
use App\Models\Tenant;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\File;
|
|
use Illuminate\Support\Str;
|
|
use Tests\TestCase;
|
|
|
|
class OAuthFlowTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
private const PUBLIC_KEY = <<<KEY
|
|
-----BEGIN PUBLIC KEY-----
|
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlrZWbp/7pXo83BIJX3v/
|
|
9f/51fxYFGZnZz9diqHkiOtDjggNdwze0LXruVeVb8YsaTI68RclgYCcsE4haTCG
|
|
LlTivKFJL2O10IEzswjjD08MsanHer3xZRO6VZ7JLXmBNKp5C71zfFf8AhMnQ+Y6
|
|
uGQ3wMOT6PWAiAmVBVYC8+KQsqyOkDu58bamhGGOrDsdWvrfDgRU1w8dxbgFYALQ
|
|
v1pVVmYT9oBxZcS5FlT8auf8zLcHXEl6S7X61ZPd/GTWT5htdSiJyXfSa/xM7bJP
|
|
CCv+mK6Gd5+1UG3RHGuwoi8Rch2O8PMglZqF6ybv/w836jUQKPl+sndePNN3soKQ
|
|
5wIDAQAB
|
|
-----END PUBLIC KEY-----
|
|
KEY;
|
|
|
|
private const PRIVATE_KEY = <<<KEY
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWtlZun/ulejzc
|
|
Eglfe//1//nV/FgUZmdnP12KoeSI60OOCA13DN7Qteu5V5VvxixpMjrxFyWBgJyw
|
|
TiFpMIYuVOK8oUkvY7XQgTOzCOMPTwyxqcd6vfFlE7pVnskteYE0qnkLvXN8V/wC
|
|
EydD5jq4ZDfAw5Po9YCICZUFVgLz4pCyrI6QO7nxtqaEYY6sOx1a+t8OBFTXDx3F
|
|
uAVgAtC/WlVWZhP2gHFlxLkWVPxq5/zMtwdcSXpLtfrVk938ZNZPmG11KInJd9Jr
|
|
/Eztsk8IK/6YroZ3n7VQbdEca7CiLxFyHY7w8yCVmoXrJu//DzfqNRAo+X6yd148
|
|
03eygpDnAgMBAAECggEAFoldk11I/A2zXBU2YZjhRZ/pdB4v7Z0CiWXoTvq2eeL0
|
|
TyDVIqBCEWOixCxcpEI2EeT4+2RCr4LT62lDhb9D0VnQLfTQRM3cOjmXyYXirj9b
|
|
3pVMxwXwOvUgP/1mh+5La9yyDRdfVZCylnzWukiLL1eNHr4gOA2+EpmcNxgNiPp1
|
|
Z8USUp2kmSZMPmQDkGEAJnrqmW7LyBvda3yuW557WtpaQlHTprvNQdBIUoFhLiiS
|
|
HnV9kZfQHM3BdM06zx8c7W6sbVavLQlaD0mhM6Z7o7566pq1JKScjhfoGcZRTmLs
|
|
kshQVSf38ayhAz8CikWiJgqFJigIZI0bR9fROOy+wQKBgQDOWjVRq8Ql+Eu0so/B
|
|
3hS1TGaBOFe5vymeX+hnC87Zu7yVsj96mhmofnlTJdbSZLHfO631XD9O3qCcYzuK
|
|
1PLzOvO38ZVZLq/CkiwkC4qfGVQb3/8v0QyIXCKhMrwkwuL6AYMjQi6vd/+4vp2C
|
|
5EJefbNBfdvsC90t84wxqBpIDQKBgQC6+Rs7cBD9VOAKkNH1O4k9cE1JCDX6aqlg
|
|
RtO/93+kbqxz3llvIebI9z3CPE7Wp0n2GEFjvDCTy5kST7BQvdwm4VlthSpfhx+l
|
|
4ahw1+xbB3KQxemmf3MroTZWHLfTOGvHdei05EIdRZv8Mpi9UcHd7OhVO82SUnLn
|
|
pBqGLZGrwwKBgB2FiltE16sW+r2/ThHOU+gcJg4WoXZRgwLFddpINi+wTCqedbZ0
|
|
lXcloPXkU/eFsGzffOO9btE5yICXMc2K6bcil/uY9GTt6PdNMkN14z8fwIi8YyXU
|
|
Ipbfl5S4TXJ070QVM024CjXQVSV5H8+6GESsdxjHiM8cY2hPj58LDbeBAoGAfd5r
|
|
FcVoupJjzNkXbwboagLrFGpBpFYfth+YN1hPhou27r3V6TmiWtIOsm7VCC5QXSqR
|
|
AqpS7XwXjTs2T/Swe0AjatZF409c39gdA/JoPBO0bX++voZ4Kvv5T1k/6yLFc96N
|
|
jRFI7NnKm6oYJwMeBt+QvKhoyMNWdViFPqT4tu8CgYEAmcInq55jIJOr7GNvf6jV
|
|
wojrBxhEGOF8U8YqX6FgVEmVDkEOer3mFDnkZT/S2IFjH4eruo/ZTFFtyw9K9JGd
|
|
06FINYtK/H91SdcOJHuWdELuTQw0+Jtr47tSUlp1c3L0J7Mt1Sqqzg8lLoLYPcLJ
|
|
d7faJuYR8uKalWG3ZimbGNo=
|
|
-----END PRIVATE KEY-----
|
|
KEY;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
config()->set('oauth.keys.current_kid', 'test-kid');
|
|
config()->set('oauth.keys.storage_path', storage_path('app/oauth-keys-tests'));
|
|
|
|
$paths = $this->keyPaths('test-kid');
|
|
|
|
File::ensureDirectoryExists($paths['directory']);
|
|
File::put($paths['public'], self::PUBLIC_KEY);
|
|
File::put($paths['private'], self::PRIVATE_KEY);
|
|
File::chmod($paths['private'], 0600);
|
|
File::chmod($paths['public'], 0644);
|
|
}
|
|
|
|
protected function tearDown(): void
|
|
{
|
|
File::deleteDirectory(storage_path('app/oauth-keys-tests'));
|
|
parent::tearDown();
|
|
}
|
|
|
|
public function test_authorization_code_flow_and_refresh(): void
|
|
{
|
|
$tenant = Tenant::factory()->create([
|
|
'slug' => 'test-tenant',
|
|
]);
|
|
|
|
OAuthClient::create([
|
|
'id' => (string) Str::uuid(),
|
|
'client_id' => 'tenant-admin-app',
|
|
'tenant_id' => $tenant->id,
|
|
'redirect_uris' => ['http://localhost/callback'],
|
|
'scopes' => ['tenant:read', 'tenant:write'],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$codeVerifier = 'unit-test-code-verifier-1234567890';
|
|
$codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
|
|
$state = Str::random(10);
|
|
|
|
$response = $this->get('/api/v1/oauth/authorize?' . http_build_query([
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'response_type' => 'code',
|
|
'scope' => 'tenant:read tenant:write',
|
|
'state' => $state,
|
|
'code_challenge' => $codeChallenge,
|
|
'code_challenge_method' => 'S256',
|
|
]));
|
|
|
|
$response->assertRedirect();
|
|
$location = $response->headers->get('Location');
|
|
$this->assertNotNull($location);
|
|
|
|
$query = [];
|
|
parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
|
|
$authorizationCode = $query['code'] ?? null;
|
|
$this->assertNotNull($authorizationCode, 'Authorization code should be present');
|
|
$this->assertEquals($state, $query['state'] ?? null);
|
|
|
|
$tokenResponse = $this->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'authorization_code',
|
|
'code' => $authorizationCode,
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'code_verifier' => $codeVerifier,
|
|
]);
|
|
|
|
$tokenResponse->assertOk();
|
|
$tokenData = $tokenResponse->json();
|
|
|
|
$this->assertArrayHasKey('access_token', $tokenData);
|
|
$this->assertArrayHasKey('refresh_token', $tokenData);
|
|
$this->assertSame('Bearer', $tokenData['token_type']);
|
|
|
|
$meResponse = $this->get('/api/v1/tenant/me', [
|
|
'Authorization' => 'Bearer ' . $tokenData['access_token'],
|
|
]);
|
|
|
|
$meResponse->assertOk();
|
|
$meResponse->assertJsonFragment([
|
|
'tenant_id' => $tenant->id,
|
|
'name' => $tenant->name,
|
|
]);
|
|
|
|
$refreshResponse = $this->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'refresh_token',
|
|
'refresh_token' => $tokenData['refresh_token'],
|
|
'client_id' => 'tenant-admin-app',
|
|
]);
|
|
|
|
$refreshResponse->assertOk();
|
|
$refreshData = $refreshResponse->json();
|
|
$this->assertArrayHasKey('access_token', $refreshData);
|
|
$this->assertArrayHasKey('refresh_token', $refreshData);
|
|
$this->assertNotEquals($refreshData['access_token'], $tokenData['access_token']);
|
|
$this->withServerVariables(['REMOTE_ADDR' => '198.51.100.10'])
|
|
->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'refresh_token',
|
|
'refresh_token' => $refreshData['refresh_token'],
|
|
'client_id' => 'tenant-admin-app',
|
|
])
|
|
->assertStatus(403)
|
|
->assertJson([
|
|
'error' => 'Refresh token cannot be used from this IP address',
|
|
]);
|
|
}
|
|
|
|
public function test_refresh_token_ip_binding_can_be_disabled(): void
|
|
{
|
|
config()->set('oauth.refresh_tokens.enforce_ip_binding', false);
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'slug' => 'ip-free',
|
|
]);
|
|
|
|
OAuthClient::create([
|
|
'id' => (string) Str::uuid(),
|
|
'client_id' => 'tenant-admin-app',
|
|
'tenant_id' => $tenant->id,
|
|
'redirect_uris' => ['http://localhost/callback'],
|
|
'scopes' => ['tenant:read'],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$codeVerifier = 'unit-test-code-verifier-abcdef';
|
|
$codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
|
|
|
|
$codeResponse = $this->get('/api/v1/oauth/authorize?' . http_build_query([
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'response_type' => 'code',
|
|
'scope' => 'tenant:read',
|
|
'state' => 'state',
|
|
'code_challenge' => $codeChallenge,
|
|
'code_challenge_method' => 'S256',
|
|
]));
|
|
|
|
$location = $codeResponse->headers->get('Location');
|
|
parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
|
|
$code = $query['code'];
|
|
|
|
$tokenResponse = $this->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'authorization_code',
|
|
'code' => $code,
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'code_verifier' => $codeVerifier,
|
|
]);
|
|
|
|
$token = $tokenResponse->json('refresh_token');
|
|
$this->withServerVariables(['REMOTE_ADDR' => '203.0.113.33'])
|
|
->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'refresh_token',
|
|
'refresh_token' => $token,
|
|
'client_id' => 'tenant-admin-app',
|
|
])
|
|
->assertOk();
|
|
}
|
|
|
|
public function test_refresh_token_allows_same_subnet_when_enabled(): void
|
|
{
|
|
config()->set('oauth.refresh_tokens.allow_subnet_match', true);
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'slug' => 'subnet-tenant',
|
|
]);
|
|
|
|
OAuthClient::create([
|
|
'id' => (string) Str::uuid(),
|
|
'client_id' => 'tenant-admin-app',
|
|
'tenant_id' => $tenant->id,
|
|
'redirect_uris' => ['http://localhost/callback'],
|
|
'scopes' => ['tenant:read'],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$codeVerifier = 'unit-test-code-verifier-subnet';
|
|
$codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
|
|
|
|
$codeResponse = $this->get('/api/v1/oauth/authorize?' . http_build_query([
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'response_type' => 'code',
|
|
'scope' => 'tenant:read',
|
|
'state' => 'state',
|
|
'code_challenge' => $codeChallenge,
|
|
'code_challenge_method' => 'S256',
|
|
]));
|
|
|
|
$location = $codeResponse->headers->get('Location');
|
|
parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
|
|
$code = $query['code'];
|
|
|
|
$tokenResponse = $this->withServerVariables(['REMOTE_ADDR' => '198.51.100.24'])->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'authorization_code',
|
|
'code' => $code,
|
|
'client_id' => 'tenant-admin-app',
|
|
'redirect_uri' => 'http://localhost/callback',
|
|
'code_verifier' => $codeVerifier,
|
|
]);
|
|
|
|
$token = $tokenResponse->json('refresh_token');
|
|
|
|
$this->withServerVariables(['REMOTE_ADDR' => '198.51.100.55'])
|
|
->post('/api/v1/oauth/token', [
|
|
'grant_type' => 'refresh_token',
|
|
'refresh_token' => $token,
|
|
'client_id' => 'tenant-admin-app',
|
|
])
|
|
->assertOk();
|
|
}
|
|
|
|
private function keyPaths(string $kid): array
|
|
{
|
|
$base = storage_path('app/oauth-keys-tests');
|
|
|
|
return [
|
|
'directory' => $base . DIRECTORY_SEPARATOR . $kid,
|
|
'public' => $base . DIRECTORY_SEPARATOR . $kid . DIRECTORY_SEPARATOR . 'public.key',
|
|
'private' => $base . DIRECTORY_SEPARATOR . $kid . DIRECTORY_SEPARATOR . 'private.key',
|
|
];
|
|
}
|
|
}
|
|
|