2022-03-31 08:38:35 +02:00
|
|
|
<?php
|
|
|
|
|
2022-03-31 12:09:25 +02:00
|
|
|
namespace Tests\Feature\Http\Auth;
|
2022-03-31 08:38:35 +02:00
|
|
|
|
2023-08-01 11:28:27 +02:00
|
|
|
use App\Extensions\WebauthnCredentialBroker;
|
|
|
|
use App\Http\Controllers\Auth\WebAuthnRecoveryController;
|
|
|
|
use App\Http\Requests\WebauthnRecoveryRequest;
|
2022-03-31 08:38:35 +02:00
|
|
|
use App\Models\User;
|
2023-08-01 11:28:27 +02:00
|
|
|
use App\Providers\AuthServiceProvider;
|
2022-11-17 17:00:28 +01:00
|
|
|
use Database\Factories\UserFactory;
|
2022-11-22 15:15:52 +01:00
|
|
|
use Illuminate\Support\Facades\Date;
|
|
|
|
use Illuminate\Support\Facades\DB;
|
2023-08-01 11:28:27 +02:00
|
|
|
use PHPUnit\Framework\Attributes\CoversClass;
|
2022-11-22 15:15:52 +01:00
|
|
|
use Tests\FeatureTestCase;
|
2022-03-31 08:38:35 +02:00
|
|
|
|
2022-12-09 10:52:17 +01:00
|
|
|
/**
|
2023-08-01 11:28:27 +02:00
|
|
|
* WebAuthnRecoveryControllerTest test class
|
2022-12-09 10:52:17 +01:00
|
|
|
*/
|
2023-08-01 11:28:27 +02:00
|
|
|
#[CoversClass(WebAuthnRecoveryController::class)]
|
|
|
|
#[CoversClass(WebauthnCredentialBroker::class)]
|
|
|
|
#[CoversClass(WebauthnRecoveryRequest::class)]
|
|
|
|
#[CoversClass(AuthServiceProvider::class)]
|
2022-03-31 08:38:35 +02:00
|
|
|
class WebAuthnRecoveryControllerTest extends FeatureTestCase
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* @var \App\Models\User
|
2022-11-22 15:15:52 +01:00
|
|
|
*/
|
2022-03-31 08:38:35 +02:00
|
|
|
protected $user;
|
2022-11-17 17:00:28 +01:00
|
|
|
|
|
|
|
protected $now;
|
|
|
|
|
|
|
|
const STORED_TOKEN_VALUE = '$2y$10$P6q8rl8te5QaO1EdpyJcNO0s9VFlVgf62KaItQhrPTskxfyu97mlW';
|
2022-11-22 15:15:52 +01:00
|
|
|
|
2022-11-17 17:00:28 +01:00
|
|
|
const ACTUAL_TOKEN_VALUE = '9e583e3fb6c32034164ac62415c9657dcbd1fb861b434340b08a94c2075cac66';
|
2022-11-22 15:15:52 +01:00
|
|
|
|
2022-11-17 17:00:28 +01:00
|
|
|
const CREDENTIAL_ID = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
|
2022-03-31 08:38:35 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
2022-12-13 12:07:29 +01:00
|
|
|
public function setUp() : void
|
2022-03-31 08:38:35 +02:00
|
|
|
{
|
|
|
|
parent::setUp();
|
|
|
|
|
|
|
|
$this->user = User::factory()->create();
|
2022-11-17 17:00:28 +01:00
|
|
|
|
|
|
|
Date::setTestNow($this->now = Date::create(2022, 11, 16, 9, 4));
|
|
|
|
|
2024-01-26 18:16:55 +01:00
|
|
|
DB::table(config('auth.passwords.webauthn.table'))->insert([
|
2022-11-17 17:00:28 +01:00
|
|
|
'email' => $this->user->email,
|
|
|
|
'token' => self::STORED_TOKEN_VALUE,
|
|
|
|
'created_at' => $this->now->toDateTimeString(),
|
|
|
|
]);
|
2022-03-31 08:38:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
2022-12-09 10:52:17 +01:00
|
|
|
public function test_recover_fails_if_no_recovery_is_set()
|
|
|
|
{
|
2024-01-26 18:16:55 +01:00
|
|
|
DB::table(config('auth.passwords.webauthn.table'))->delete();
|
2022-12-09 10:52:17 +01:00
|
|
|
|
|
|
|
$this->json('POST', '/webauthn/recover', [
|
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
])
|
|
|
|
->assertStatus(422)
|
|
|
|
->assertJsonValidationErrors('token');
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function test_recover_with_wrong_token_returns_validation_error()
|
2022-03-31 08:38:35 +02:00
|
|
|
{
|
2022-11-17 17:00:28 +01:00
|
|
|
$response = $this->json('POST', '/webauthn/recover', [
|
2022-12-09 10:52:17 +01:00
|
|
|
'token' => 'wrong_token',
|
2022-11-22 15:15:52 +01:00
|
|
|
'email' => $this->user->email,
|
2022-11-17 17:00:28 +01:00
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
2022-03-31 08:38:35 +02:00
|
|
|
])
|
2022-12-09 10:52:17 +01:00
|
|
|
->assertStatus(422)
|
|
|
|
->assertJsonMissingValidationErrors('email')
|
|
|
|
->assertJsonValidationErrors('token');
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function test_recover_with_expired_token_returns_validation_error()
|
|
|
|
{
|
|
|
|
Date::setTestNow($now = Date::create(2020, 01, 01, 16, 30));
|
|
|
|
|
2024-01-26 18:16:55 +01:00
|
|
|
DB::table(config('auth.passwords.webauthn.table'))->delete();
|
|
|
|
DB::table(config('auth.passwords.webauthn.table'))->insert([
|
2022-12-09 10:52:17 +01:00
|
|
|
'token' => self::STORED_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
|
|
|
'created_at' => $now->clone()->subHour()->subSecond()->toDateTimeString(),
|
|
|
|
]);
|
|
|
|
|
|
|
|
$this->json('POST', '/webauthn/recover', [
|
2022-12-13 12:07:29 +01:00
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
2022-12-09 10:52:17 +01:00
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
])
|
|
|
|
->assertStatus(422)
|
|
|
|
->assertJsonValidationErrors('token');
|
2022-03-31 08:38:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
2022-11-17 17:00:28 +01:00
|
|
|
public function test_recover_with_invalid_password_returns_authentication_error()
|
2022-03-31 08:38:35 +02:00
|
|
|
{
|
2022-12-09 10:52:17 +01:00
|
|
|
$this->json('POST', '/webauthn/recover', [
|
2022-11-22 15:15:52 +01:00
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
2022-11-17 17:00:28 +01:00
|
|
|
'password' => 'bad_password',
|
2022-03-31 08:38:35 +02:00
|
|
|
])
|
2022-12-09 10:52:17 +01:00
|
|
|
->assertStatus(401);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function test_recover_returns_validation_error_when_no_user_exists()
|
|
|
|
{
|
|
|
|
$this->json('POST', '/webauthn/recover', [
|
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => 'no@user.com',
|
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
])
|
|
|
|
->assertStatus(422)
|
|
|
|
->assertJsonMissingValidationErrors('password')
|
|
|
|
->assertJsonMissingValidationErrors('token')
|
|
|
|
->assertJsonValidationErrors('email');
|
2022-03-31 08:38:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
2022-11-17 17:00:28 +01:00
|
|
|
public function test_recover_returns_success()
|
2022-03-31 08:38:35 +02:00
|
|
|
{
|
2022-11-17 17:00:28 +01:00
|
|
|
$response = $this->json('POST', '/webauthn/recover', [
|
2022-11-22 15:15:52 +01:00
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
2022-11-17 17:00:28 +01:00
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
])
|
2022-12-09 10:52:17 +01:00
|
|
|
->assertStatus(200);
|
2022-11-17 17:00:28 +01:00
|
|
|
|
2024-01-26 18:16:55 +01:00
|
|
|
$this->assertDatabaseMissing(config('auth.passwords.webauthn.table'), [
|
2022-11-17 17:00:28 +01:00
|
|
|
'token' => self::STORED_TOKEN_VALUE,
|
2022-03-31 08:38:35 +02:00
|
|
|
]);
|
2024-01-26 18:16:55 +01:00
|
|
|
}
|
2022-03-31 08:38:35 +02:00
|
|
|
|
2024-01-26 18:16:55 +01:00
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
|
|
|
public function test_recover_resets_useWebauthnOnly_user_preference()
|
|
|
|
{
|
|
|
|
$this->user['preferences->useWebauthnOnly'] = true;
|
|
|
|
$this->user->save();
|
|
|
|
|
|
|
|
$response = $this->json('POST', '/webauthn/recover', [
|
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
])
|
|
|
|
->assertStatus(200);
|
|
|
|
|
|
|
|
$this->user->refresh();
|
|
|
|
|
|
|
|
$this->assertFalse($this->user->preferences['useWebauthnOnly']);
|
2022-03-31 08:38:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @test
|
|
|
|
*/
|
2022-11-17 17:00:28 +01:00
|
|
|
public function test_revoke_all_credentials_clear_registered_credentials()
|
2022-03-31 08:38:35 +02:00
|
|
|
{
|
2022-11-17 17:00:28 +01:00
|
|
|
DB::table('webauthn_credentials')->insert([
|
2022-11-22 15:15:52 +01:00
|
|
|
'id' => self::CREDENTIAL_ID,
|
2022-11-17 17:00:28 +01:00
|
|
|
'authenticatable_type' => \App\Models\User::class,
|
2022-11-22 15:15:52 +01:00
|
|
|
'authenticatable_id' => $this->user->id,
|
|
|
|
'user_id' => 'e8af6f703f8042aa91c30cf72289aa07',
|
|
|
|
'counter' => 0,
|
|
|
|
'rp_id' => 'http://localhost',
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
'aaguid' => '00000000-0000-0000-0000-000000000000',
|
|
|
|
'attestation_format' => 'none',
|
|
|
|
'public_key' => 'eyJpdiI6Imp0U0NVeFNNbW45KzEvMXpad2p2SUE9PSIsInZhbHVlIjoic0VxZ2I1WnlHM2lJakhkWHVkK2kzMWtibk1IN2ZlaExGT01qOElXMDdRTjhnVlR0TDgwOHk1S0xQUy9BQ1JCWHRLNzRtenNsMml1dVQydWtERjFEU0h0bkJGT2RwUXE1M1JCcVpablE2Y2VGV2YvVEE2RGFIRUE5L0x1K0JIQXhLVE1aNVNmN3AxeHdjRUo2V0hwREZSRTJYaThNNnB1VnozMlVXZEVPajhBL3d3ODlkTVN3bW54RTEwSG0ybzRQZFFNNEFrVytUYThub2IvMFRtUlBZamoyZElWKzR1bStZQ1IwU3FXbkYvSm1FU2FlMTFXYUo0SG9kc1BDME9CNUNKeE9IelE5d2dmNFNJRXBKNUdlVzJ3VHUrQWJZRFluK0hib0xvVTdWQ0ZISjZmOWF3by83aVJES1dxbU9Zd1lhRTlLVmhZSUdlWmlBOUFtcTM2ZVBaRWNKNEFSQUhENk5EaC9hN3REdnVFbm16WkRxekRWOXd4cVcvZFdKa2tlWWJqZWlmZnZLS0F1VEVCZEZQcXJkTExiNWRyQmxsZWtaSDRlT3VVS0ZBSXFBRG1JMjRUMnBKRXZxOUFUa2xxMjg2TEplUzdscVo2UytoVU5SdXk1OE1lcFN6aU05ZkVXTkdIM2tKM3Q5bmx1TGtYb1F5bGxxQVR3K3BVUVlia1VybDFKRm9lZDViNzYraGJRdmtUb2FNTEVGZmZYZ3lYRDRiOUVjRnJpcTVvWVExOHJHSTJpMnVBZ3E0TmljbUlKUUtXY2lSWDh1dE5MVDNRUzVRSkQrTjVJUU8rSGhpeFhRRjJvSEdQYjBoVT0iLCJtYWMiOiI5MTdmNWRkZGE5OTEwNzQ3MjhkYWVhYjRlNjk0MWZlMmI5OTQ4YzlmZWI1M2I4OGVkMjE1MjMxNjUwOWRmZTU2IiwidGFnIjoiIn0=',
|
|
|
|
'updated_at' => now(),
|
|
|
|
'created_at' => now(),
|
2022-11-17 17:00:28 +01:00
|
|
|
]);
|
|
|
|
|
|
|
|
$response = $this->json('POST', '/webauthn/recover', [
|
2022-11-22 15:15:52 +01:00
|
|
|
'token' => self::ACTUAL_TOKEN_VALUE,
|
|
|
|
'email' => $this->user->email,
|
|
|
|
'password' => UserFactory::USER_PASSWORD,
|
|
|
|
'revokeAll' => true,
|
2022-03-31 08:38:35 +02:00
|
|
|
])
|
2022-12-09 10:52:17 +01:00
|
|
|
->assertStatus(200);
|
2022-03-31 08:38:35 +02:00
|
|
|
|
2022-11-17 17:00:28 +01:00
|
|
|
$this->assertDatabaseMissing('webauthn_credentials', [
|
|
|
|
'authenticatable_id' => $this->user->id,
|
|
|
|
]);
|
|
|
|
}
|
2022-11-22 15:15:52 +01:00
|
|
|
}
|