bert.hausmans
513ca519b2
Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
208 lines
6.5 KiB
PHP
208 lines
6.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Feature\Security;
|
|
|
|
use App\Models\User;
|
|
use Database\Seeders\RoleSeeder;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Laravel\Sanctum\Sanctum;
|
|
use Tests\TestCase;
|
|
|
|
final class HttpOnlyCookieAuthTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$this->seed(RoleSeeder::class);
|
|
// Enable cookies for JSON requests (required for cookie-based auth testing)
|
|
$this->withCredentials();
|
|
}
|
|
|
|
// --- Login Cookie Tests ---
|
|
|
|
public function test_login_response_does_not_contain_token_in_json_body(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
]);
|
|
|
|
$response->assertOk();
|
|
$response->assertJsonMissing(['token']);
|
|
$this->assertArrayNotHasKey('token', $response->json('data'));
|
|
}
|
|
|
|
public function test_login_response_sets_httponly_cookie(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
], ['Origin' => 'http://localhost:5174']);
|
|
|
|
$response->assertOk();
|
|
$response->assertCookie('crewli_app_token');
|
|
}
|
|
|
|
public function test_login_cookie_has_httponly_flag(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
], ['Origin' => 'http://localhost:5174']);
|
|
|
|
$cookie = $this->findCookie($response, 'crewli_app_token');
|
|
$this->assertNotNull($cookie, 'Cookie crewli_app_token not found');
|
|
$this->assertTrue($cookie->isHttpOnly(), 'Cookie must be httpOnly');
|
|
}
|
|
|
|
public function test_login_cookie_has_samesite_strict(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
], ['Origin' => 'http://localhost:5174']);
|
|
|
|
$cookie = $this->findCookie($response, 'crewli_app_token');
|
|
$this->assertNotNull($cookie);
|
|
$this->assertEquals('strict', strtolower($cookie->getSameSite()));
|
|
}
|
|
|
|
public function test_login_sets_admin_cookie_for_admin_origin(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
], ['Origin' => 'http://localhost:5173']);
|
|
|
|
$response->assertOk();
|
|
$response->assertCookie('crewli_admin_token');
|
|
}
|
|
|
|
public function test_login_sets_portal_cookie_for_portal_origin(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->postJson('/api/v1/auth/login', [
|
|
'email' => $user->email,
|
|
'password' => 'password',
|
|
], ['Origin' => 'http://localhost:5175']);
|
|
|
|
$response->assertOk();
|
|
$response->assertCookie('crewli_portal_token');
|
|
}
|
|
|
|
// --- Middleware Tests ---
|
|
|
|
public function test_request_with_auth_cookie_is_authenticated(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$token = $user->createToken('auth-token')->plainTextToken;
|
|
|
|
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
|
|
->getJson('/api/v1/auth/me');
|
|
|
|
$response->assertOk();
|
|
$response->assertJsonPath('data.id', $user->id);
|
|
}
|
|
|
|
public function test_request_with_invalid_cookie_returns_401(): void
|
|
{
|
|
$response = $this->withUnencryptedCookie('crewli_app_token', 'invalid-token-value')
|
|
->getJson('/api/v1/auth/me');
|
|
|
|
$response->assertUnauthorized();
|
|
}
|
|
|
|
public function test_request_without_cookie_or_header_returns_401(): void
|
|
{
|
|
$response = $this->getJson('/api/v1/auth/me');
|
|
|
|
$response->assertUnauthorized();
|
|
}
|
|
|
|
// --- Logout Tests ---
|
|
|
|
public function test_logout_expires_auth_cookie(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$token = $user->createToken('auth-token')->plainTextToken;
|
|
|
|
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
|
|
->postJson('/api/v1/auth/logout', [], ['Origin' => 'http://localhost:5174']);
|
|
|
|
$response->assertOk();
|
|
|
|
$cookie = $this->findCookie($response, 'crewli_app_token');
|
|
$this->assertNotNull($cookie, 'Cookie crewli_app_token not found in logout response');
|
|
// Expired cookie has a past expiry time
|
|
$this->assertTrue($cookie->getExpiresTime() < time(), 'Logout cookie must be expired');
|
|
}
|
|
|
|
// --- Refresh Tests ---
|
|
|
|
public function test_refresh_revokes_old_token_and_sets_new_cookie(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$accessToken = $user->createToken('auth-token');
|
|
$token = $accessToken->plainTextToken;
|
|
|
|
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
|
|
->postJson('/api/v1/auth/refresh', [], ['Origin' => 'http://localhost:5174']);
|
|
|
|
$response->assertOk();
|
|
$response->assertCookie('crewli_app_token');
|
|
|
|
// New cookie should contain a different token
|
|
$newCookie = $this->findCookie($response, 'crewli_app_token');
|
|
$this->assertNotNull($newCookie);
|
|
$this->assertNotEquals($token, $newCookie->getValue(), 'New token must differ from old token');
|
|
|
|
// Old token should be revoked in the database
|
|
$this->assertNull(
|
|
\Laravel\Sanctum\PersonalAccessToken::findToken($token),
|
|
'Old token must be deleted from database',
|
|
);
|
|
|
|
// New token should be valid in the database
|
|
$this->assertNotNull(
|
|
\Laravel\Sanctum\PersonalAccessToken::findToken($newCookie->getValue()),
|
|
'New token must exist in database',
|
|
);
|
|
}
|
|
|
|
public function test_refresh_with_expired_token_returns_401(): void
|
|
{
|
|
$response = $this->withUnencryptedCookie('crewli_app_token', 'expired-or-invalid-token')
|
|
->postJson('/api/v1/auth/refresh');
|
|
|
|
$response->assertUnauthorized();
|
|
}
|
|
|
|
// --- Helper ---
|
|
|
|
private function findCookie($response, string $name): ?\Symfony\Component\HttpFoundation\Cookie
|
|
{
|
|
foreach ($response->headers->getCookies() as $cookie) {
|
|
if ($cookie->getName() === $name) {
|
|
return $cookie;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|