bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
92d8051903d24ad6bc78c12577966848bbf4a1b1
crewli/api/tests/Feature/Security/HttpOnlyCookieAuthTest.php
bert.hausmans 2e94a107e4 refactor(auth): consolidate to single cookie post single-SPA 
The dual-cookie machinery (crewli_app_token + crewli_portal_token,
Origin-based resolution) was load-bearing only when the second SPA
existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code
has been carrying dead branches since then. Collapse to one cookie.

Cookie name retained as crewli_app_token — no session breakage on
deploy. crewli_portal_token is fully purged from the server-side.

CookieBearerToken middleware:
- COOKIE_NAMES array → single COOKIE_NAME constant
- resolveCookieName method (Origin/Referer parsing, host+port
  matching against frontend_app_url/frontend_portal_url) → removed
- Body collapses to: skip if Authorization header present; else
  read crewli_app_token cookie and inject Bearer header

SetAuthCookie trait:
- COOKIE_MAP / resolveCookieName / originMatches → removed
- makeAuthCookie / forgetAuthCookie now take only $token; the
  cookie name is the trait's private constant

Five callers updated to drop the resolveCookieName($request) line
and the cookie-name argument: LoginController (3 sites),
MfaVerifyController (1 site), AuthRefreshController (1 site),
LogoutController (1 site), InvitationController (1 site — caller
list in the prompt missed this one but the same pattern applies).

frontend_portal_url config key retained (per Phase A directive Q1):
EmailChangeController, PasswordResetController, PersonController are
non-auth consumers that build per-app URL maps for outbound emails.
The map structure is now functionally redundant (production resolves
all FRONTEND_* env vars to the same host) but stays structurally
intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the
upcoming docs commit.

HttpOnlyCookieAuthTest:
- Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin,
  app_cookie_does_not_authenticate_portal_requests,
  portal_cookie_does_not_authenticate_app_requests,
  correct_cookie_authenticates_with_matching_origin)
- Renamed login_sets_app_cookie_for_unknown_origin →
  login_sets_app_cookie_regardless_of_origin; expanded to four
  Origin variants (none, app, unknown, foreign) — pins the new
  origin-agnostic contract
- Removed Origin headers from request calls in remaining tests
  (now meaningless)

Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests
encoding the obsolete contract). Pint clean. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 00:24:01 +02:00

211 lines
6.6 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\Security;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
final class HttpOnlyCookieAuthTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
// Enable cookies for JSON requests (required for cookie-based auth testing)
$this->withCredentials();
}
// --- Login Cookie Tests ---
public function test_login_response_does_not_contain_token_in_json_body(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$response->assertOk();
$response->assertJsonMissing(['token']);
$this->assertArrayNotHasKey('token', $response->json('data'));
}
public function test_login_response_sets_httponly_cookie(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$response->assertOk();
$response->assertCookie('crewli_app_token');
}
public function test_login_cookie_has_httponly_flag(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($cookie, 'Cookie crewli_app_token not found');
$this->assertTrue($cookie->isHttpOnly(), 'Cookie must be httpOnly');
}
public function test_login_cookie_has_samesite_strict(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
]);
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($cookie);
$this->assertEquals('strict', strtolower($cookie->getSameSite()));
}
public function test_login_sets_app_cookie_regardless_of_origin(): void
{
// Post-WS-3 PR-B2b: there is no per-app cookie resolution. Whatever
// Origin (or no Origin) the request carries, the auth cookie issued
// is always crewli_app_token. The request body alone determines auth.
$cases = [
'no Origin header' => [],
'app Origin' => ['Origin' => 'http://localhost:5174'],
'unknown Origin' => ['Origin' => 'http://localhost:9999'],
'foreign Origin' => ['Origin' => 'https://elsewhere.example.com'],
];
foreach ($cases as $label => $headers) {
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], $headers);
$response->assertOk();
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull(
$cookie,
"crewli_app_token must be set for case: {$label}",
);
}
}
// --- Middleware Tests ---
public function test_request_with_auth_cookie_is_authenticated(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->getJson('/api/v1/auth/me');
$response->assertOk();
$response->assertJsonPath('data.id', $user->id);
}
public function test_request_with_invalid_cookie_returns_401(): void
{
$response = $this->withUnencryptedCookie('crewli_app_token', 'invalid-token-value')
->getJson('/api/v1/auth/me');
$response->assertUnauthorized();
}
public function test_request_without_cookie_or_header_returns_401(): void
{
$response = $this->getJson('/api/v1/auth/me');
$response->assertUnauthorized();
}
// --- Logout Tests ---
public function test_logout_expires_auth_cookie(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->postJson('/api/v1/auth/logout');
$response->assertOk();
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($cookie, 'Cookie crewli_app_token not found in logout response');
// Expired cookie has a past expiry time
$this->assertTrue($cookie->getExpiresTime() < time(), 'Logout cookie must be expired');
}
// --- Refresh Tests ---
public function test_refresh_revokes_old_token_and_sets_new_cookie(): void
{
$user = User::factory()->create();
$accessToken = $user->createToken('auth-token');
$token = $accessToken->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->postJson('/api/v1/auth/refresh');
$response->assertOk();
$response->assertCookie('crewli_app_token');
// New cookie should contain a different token
$newCookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($newCookie);
$this->assertNotEquals($token, $newCookie->getValue(), 'New token must differ from old token');
// Old token should be revoked in the database
$this->assertNull(
\Laravel\Sanctum\PersonalAccessToken::findToken($token),
'Old token must be deleted from database',
);
// New token should be valid in the database
$this->assertNotNull(
\Laravel\Sanctum\PersonalAccessToken::findToken($newCookie->getValue()),
'New token must exist in database',
);
}
public function test_refresh_with_expired_token_returns_401(): void
{
$response = $this->withUnencryptedCookie('crewli_app_token', 'expired-or-invalid-token')
->postJson('/api/v1/auth/refresh');
$response->assertUnauthorized();
}
// --- Helper ---
private function findCookie($response, string $name): ?\Symfony\Component\HttpFoundation\Cookie
{
foreach ($response->headers->getCookies() as $cookie) {
if ($cookie->getName() === $name) {
return $cookie;
}
}
return null;
}
}
Reference in New Issue View Git Blame Copy Permalink