2FAuth/tests/Api/v1/Controllers/TwoFAccountControllerTest.php

1620 lines
57 KiB
PHP
Raw Normal View History

2021-11-14 01:52:46 +01:00
<?php
2021-11-30 17:39:33 +01:00
namespace Tests\Api\v1\Controllers;
2021-11-14 01:52:46 +01:00
2023-08-01 11:28:27 +02:00
use App\Api\v1\Controllers\TwoFAccountController;
use App\Api\v1\Resources\TwoFAccountCollection;
use App\Api\v1\Resources\TwoFAccountExportCollection;
use App\Api\v1\Resources\TwoFAccountExportResource;
use App\Api\v1\Resources\TwoFAccountReadResource;
use App\Api\v1\Resources\TwoFAccountStoreResource;
2024-11-15 10:39:29 +01:00
use App\Facades\IconStore;
2022-07-30 17:51:02 +02:00
use App\Facades\Settings;
2022-11-22 15:15:52 +01:00
use App\Models\Group;
2021-12-02 13:15:53 +01:00
use App\Models\TwoFAccount;
2022-11-22 15:15:52 +01:00
use App\Models\User;
2023-08-01 11:28:27 +02:00
use App\Policies\TwoFAccountPolicy;
use App\Providers\MigrationServiceProvider;
use App\Providers\TwoFAuthServiceProvider;
2024-10-18 14:28:45 +02:00
use App\Services\LogoService;
use Illuminate\Http\Testing\FileFactory;
2021-11-14 01:52:46 +01:00
use Illuminate\Support\Facades\DB;
2024-10-18 14:28:45 +02:00
use Illuminate\Support\Facades\Http;
2021-11-14 01:52:46 +01:00
use Illuminate\Support\Facades\Storage;
2023-08-01 11:28:27 +02:00
use PHPUnit\Framework\Attributes\CoversClass;
2023-12-20 16:55:58 +01:00
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use Tests\Classes\LocalFile;
2024-10-18 14:28:45 +02:00
use Tests\Data\HttpRequestTestData;
2022-12-13 12:07:29 +01:00
use Tests\Data\MigrationTestData;
2022-12-09 10:52:17 +01:00
use Tests\Data\OtpTestData;
2022-11-22 15:15:52 +01:00
use Tests\FeatureTestCase;
2021-11-22 01:09:54 +01:00
/**
2023-08-01 11:28:27 +02:00
* TwoFAccountControllerTest test class
2021-11-22 01:09:54 +01:00
*/
2023-08-01 11:28:27 +02:00
#[CoversClass(TwoFAccountController::class)]
#[CoversClass(TwoFAccountCollection::class)]
#[CoversClass(TwoFAccountReadResource::class)]
#[CoversClass(TwoFAccountStoreResource::class)]
#[CoversClass(TwoFAccountExportResource::class)]
#[CoversClass(TwoFAccountExportCollection::class)]
#[CoversClass(MigrationServiceProvider::class)]
#[CoversClass(TwoFAuthServiceProvider::class)]
#[CoversClass(TwoFAccountPolicy::class)]
2021-11-14 01:52:46 +01:00
class TwoFAccountControllerTest extends FeatureTestCase
{
/**
* @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
2022-11-22 15:15:52 +01:00
*/
2023-03-10 22:59:46 +01:00
protected $user;
protected $anotherUser;
2021-11-14 01:52:46 +01:00
2021-11-22 01:09:54 +01:00
/**
* @var App\Models\Group
2022-11-22 15:15:52 +01:00
*/
2023-03-10 22:59:46 +01:00
protected $userGroupA;
protected $userGroupB;
protected $anotherUserGroupA;
protected $anotherUserGroupB;
/**
* @var App\Models\TwoFAccount
*/
2023-03-10 22:59:46 +01:00
protected $twofaccountA;
protected $twofaccountB;
protected $twofaccountC;
protected $twofaccountD;
2021-11-22 01:09:54 +01:00
protected $twofaccountE;
private const VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET = [
'id',
'group_id',
'service',
'account',
'icon',
'otp_type',
'digits',
'algorithm',
'period',
2022-11-22 15:15:52 +01:00
'counter',
];
2022-11-22 15:15:52 +01:00
private const VALID_RESOURCE_STRUCTURE_WITH_SECRET = [
'id',
'group_id',
'service',
'account',
'icon',
'otp_type',
'secret',
'digits',
'algorithm',
'period',
2022-11-22 15:15:52 +01:00
'counter',
];
2022-11-22 15:15:52 +01:00
private const VALID_OTP_RESOURCE_STRUCTURE_FOR_TOTP = [
'generated_at',
'otp_type',
'password',
'period',
];
2022-11-22 15:15:52 +01:00
private const VALID_EMBEDDED_OTP_RESOURCE_STRUCTURE_FOR_TOTP = [
'generated_at',
'password',
];
private const VALID_OTP_RESOURCE_STRUCTURE_FOR_HOTP = [
'otp_type',
'password',
'counter',
];
2022-11-22 15:15:52 +01:00
private const VALID_RESOURCE_STRUCTURE_WITH_OTP = [
'id',
'group_id',
'service',
'account',
'icon',
'otp_type',
'secret',
'digits',
'algorithm',
'period',
'counter',
2024-09-26 23:50:01 +02:00
'otp' => self::VALID_EMBEDDED_OTP_RESOURCE_STRUCTURE_FOR_TOTP,
];
private const VALID_COLLECTION_RESOURCE_STRUCTURE_WITH_OTP = [
'id',
'group_id',
'service',
'account',
'icon',
'otp_type',
'digits',
'algorithm',
'period',
'counter',
2024-09-26 23:50:01 +02:00
'otp' => self::VALID_EMBEDDED_OTP_RESOURCE_STRUCTURE_FOR_TOTP,
];
2023-03-18 17:33:43 +01:00
private const VALID_EXPORT_STRUTURE = [
'app',
'schema',
'datetime',
'data' => [
'*' => [
'otp_type',
'account',
'service',
'icon',
'icon_mime',
'icon_file',
'secret',
'digits',
'algorithm',
'period',
'counter',
'legacy_uri',
],
],
];
private const VALID_EXPORT_AS_URIS_STRUTURE = [
'app',
'datetime',
'data' => [
'*' => [
'uri',
],
],
2023-03-18 17:33:43 +01:00
];
private const JSON_FRAGMENTS_FOR_CUSTOM_TOTP = [
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => OtpTestData::PERIOD_CUSTOM,
'counter' => null,
];
2022-11-22 15:15:52 +01:00
private const JSON_FRAGMENTS_FOR_DEFAULT_TOTP = [
'service' => null,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'counter' => null,
];
2022-11-22 15:15:52 +01:00
private const JSON_FRAGMENTS_FOR_CUSTOM_HOTP = [
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'hotp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => null,
'counter' => OtpTestData::COUNTER_CUSTOM,
];
2022-11-22 15:15:52 +01:00
private const JSON_FRAGMENTS_FOR_DEFAULT_HOTP = [
2022-11-22 15:15:52 +01:00
'service' => null,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'hotp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => null,
'counter' => OtpTestData::COUNTER_DEFAULT,
];
2022-11-22 15:15:52 +01:00
private const ARRAY_OF_INVALID_PARAMETERS = [
2022-11-22 15:15:52 +01:00
'account' => null,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
];
2022-12-13 12:07:29 +01:00
public function setUp() : void
2021-11-14 01:52:46 +01:00
{
parent::setUp();
2024-10-18 14:28:45 +02:00
Storage::fake('icons');
Storage::fake('logos');
Storage::fake('imagesLink');
2024-11-09 10:18:45 +01:00
2024-10-18 14:28:45 +02:00
Http::preventStrayRequests();
Http::fake([
LogoService::TFA_IMG_URL . '*' => Http::response(HttpRequestTestData::SVG_LOGO_BODY, 200),
LogoService::TFA_URL => Http::response(HttpRequestTestData::TFA_JSON_BODY, 200),
OtpTestData::EXTERNAL_IMAGE_URL_DECODED => Http::response((new FileFactory)->image('file.png', 10, 10)->tempFile, 200),
2024-11-15 10:39:29 +01:00
OtpTestData::EXTERNAL_INFECTED_IMAGE_URL_DECODED => Http::response((new FileFactory)->createWithContent('infected.svg', OtpTestData::ICON_SVG_DATA_INFECTED)->tempFile, 200),
'example.com/*' => Http::response(null, 400),
]);
2024-10-18 14:28:45 +02:00
2023-03-10 22:59:46 +01:00
$this->user = User::factory()->create();
$this->userGroupA = Group::factory()->for($this->user)->create();
$this->userGroupB = Group::factory()->for($this->user)->create();
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create([
'group_id' => $this->userGroupA->id,
]);
$this->twofaccountB = TwoFAccount::factory()->for($this->user)->create([
'group_id' => $this->userGroupA->id,
]);
2023-03-10 22:59:46 +01:00
$this->anotherUser = User::factory()->create();
$this->anotherUserGroupA = Group::factory()->for($this->anotherUser)->create();
$this->anotherUserGroupB = Group::factory()->for($this->anotherUser)->create();
$this->twofaccountC = TwoFAccount::factory()->for($this->anotherUser)->create([
'group_id' => $this->anotherUserGroupA->id,
]);
$this->twofaccountD = TwoFAccount::factory()->for($this->anotherUser)->create([
'group_id' => $this->anotherUserGroupB->id,
]);
$this->twofaccountE = TwoFAccount::factory()->for($this->anotherUser)->create([
'group_id' => $this->anotherUserGroupB->id,
]);
2021-11-14 01:52:46 +01:00
}
#[Test]
#[DataProvider('validResourceStructureProvider')]
public function test_index_returns_user_twofaccounts_only($urlParameter, $expected)
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2022-11-22 15:15:52 +01:00
->json('GET', '/api/v1/twofaccounts' . $urlParameter)
2021-11-14 01:52:46 +01:00
->assertOk()
->assertJsonCount(2, $key = null)
2021-11-14 01:52:46 +01:00
->assertJsonStructure([
2022-11-22 15:15:52 +01:00
'*' => $expected,
])
->assertJsonFragment([
'id' => $this->twofaccountA->id,
])
->assertJsonFragment([
'id' => $this->twofaccountB->id,
])
->assertJsonMissing([
'id' => $this->twofaccountC->id,
])
->assertJsonMissing([
'id' => $this->twofaccountD->id,
]);
2021-11-14 01:52:46 +01:00
}
/**
* Provide data for index tests
2021-11-14 01:52:46 +01:00
*/
public static function validResourceStructureProvider()
2021-11-14 01:52:46 +01:00
{
return [
2022-11-22 15:15:52 +01:00
'VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET' => [
'',
2022-11-22 15:15:52 +01:00
self::VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET,
],
2022-11-22 15:15:52 +01:00
'VALID_RESOURCE_STRUCTURE_WITH_SECRET' => [
'?withSecret=1',
2022-11-22 15:15:52 +01:00
self::VALID_RESOURCE_STRUCTURE_WITH_SECRET,
],
'VALID_COLLECTION_RESOURCE_STRUCTURE_WITH_OTP' => [
'?withOtp=1',
self::VALID_COLLECTION_RESOURCE_STRUCTURE_WITH_OTP,
],
];
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_index_returns_user_accounts_with_given_ids()
{
$response = $this->actingAs($this->anotherUser, 'api-guard')
->json('GET', '/api/v1/twofaccounts?ids=' . $this->twofaccountC->id . ',' . $this->twofaccountE->id)
->assertOk()
->assertJsonCount(2, $key = null)
->assertJsonStructure([
'*' => self::VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET,
])
->assertJsonFragment([
'id' => $this->twofaccountC->id,
])
->assertJsonFragment([
'id' => $this->twofaccountE->id,
]);
}
#[Test]
public function test_index_returns_only_user_accounts_in_given_ids()
{
$response = $this->actingAs($this->anotherUser, 'api-guard')
->json('GET', '/api/v1/twofaccounts?ids=' . $this->twofaccountA->id . ',' . $this->twofaccountE->id)
->assertOk()
->assertJsonCount(1, $key = null)
->assertJsonStructure([
'*' => self::VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET,
])
->assertJsonMissing([
'id' => $this->twofaccountA->id,
])
->assertJsonFragment([
'id' => $this->twofaccountE->id,
]);
}
#[Test]
public function test_orphan_accounts_are_reassign_to_the_only_user()
{
config(['auth.defaults.guard' => 'reverse-proxy-guard']);
$this->anotherUser->delete();
$this->twofaccountA->user_id = null;
$this->twofaccountA->save();
$this->assertCount(1, User::all());
$this->assertNull($this->twofaccountA->user_id);
$this->assertCount(1, TwoFAccount::orphans()->get());
$this->actingAs($this->user, 'reverse-proxy-guard')
->json('GET', '/api/v1/twofaccounts')
->assertOk();
$this->twofaccountA->refresh();
$this->assertNotNull($this->twofaccountA->user_id);
}
#[Test]
public function test_show_returns_twofaccount_resource_with_secret()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountA->id)
2021-11-14 01:52:46 +01:00
->assertOk()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITH_SECRET);
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_show_returns_twofaccount_resource_without_secret()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountA->id . '?withSecret=0')
2021-11-14 01:52:46 +01:00
->assertOk()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET);
}
//#[Test]
2021-11-30 17:39:33 +01:00
// public function test_show_twofaccount_with_indeciphered_data_returns_replaced_data()
// {
// $dbEncryptionService = resolve('App\Services\DbEncryptionService');
// $dbEncryptionService->setTo(true);
2021-12-02 13:15:53 +01:00
// $twofaccount = TwoFAccount::factory()->create();
2021-11-30 17:39:33 +01:00
// DB::table('twofaccounts')
// ->where('id', $twofaccount->id)
// ->update([
// 'secret' => '**encrypted**',
// 'account' => '**encrypted**',
// ]);
2022-03-31 08:38:35 +02:00
// $response = $this->actingAs($this->user, 'api-guard')
2021-11-30 17:39:33 +01:00
// ->json('GET', '/api/v1/twofaccounts/' . $twofaccount->id)
// ->assertJsonFragment([
// 'secret' => '*indecipherable*',
// 'account' => '*indecipherable*',
// ]);
// }
2021-11-14 01:52:46 +01:00
#[Test]
public function test_show_returns_twofaccount_resource_with_otp()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountA->id . '?withOtp=1')
->assertOk()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITH_OTP);
}
#[Test]
public function test_show_returns_twofaccount_resource_without_otp()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountA->id . '?withOtp=0')
->assertOk()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITHOUT_SECRET);
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_show_missing_twofaccount_returns_not_found()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-14 01:52:46 +01:00
->json('GET', '/api/v1/twofaccounts/1000')
->assertNotFound()
->assertJsonStructure([
2022-11-22 15:15:52 +01:00
'message',
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_show_twofaccount_of_another_user_is_forbidden()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountC->id)
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
#[Test]
2023-08-01 11:28:27 +02:00
#[DataProvider('accountCreationProvider')]
public function test_store_without_encryption_returns_success_with_consistent_resource_structure($payload, $expected)
2021-11-14 01:52:46 +01:00
{
Settings::set('useEncryption', false);
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', $payload)
2021-11-14 01:52:46 +01:00
->assertCreated()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITH_SECRET)
->assertJsonFragment($expected);
2021-11-14 01:52:46 +01:00
}
#[Test]
2023-08-01 11:28:27 +02:00
#[DataProvider('accountCreationProvider')]
public function test_store_with_encryption_returns_success_with_consistent_resource_structure($payload, $expected)
2021-11-14 01:52:46 +01:00
{
Settings::set('useEncryption', true);
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', $payload)
->assertCreated()
->assertJsonStructure(self::VALID_RESOURCE_STRUCTURE_WITH_SECRET)
->assertJsonFragment($expected);
2021-11-14 01:52:46 +01:00
}
/**
* Provide data for TwoFAccount store tests
2021-11-14 01:52:46 +01:00
*/
2023-08-01 11:28:27 +02:00
public static function accountCreationProvider()
2021-11-14 01:52:46 +01:00
{
return [
2022-11-22 15:15:52 +01:00
'TOTP_FULL_CUSTOM_URI' => [
[
'uri' => OtpTestData::TOTP_FULL_CUSTOM_URI,
],
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP,
],
2022-11-22 15:15:52 +01:00
'TOTP_SHORT_URI' => [
[
'uri' => OtpTestData::TOTP_SHORT_URI,
],
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP,
],
2022-11-22 15:15:52 +01:00
'ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP' => [
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP,
],
2022-11-22 15:15:52 +01:00
'ARRAY_OF_MINIMUM_VALID_PARAMETERS_FOR_TOTP' => [
OtpTestData::ARRAY_OF_MINIMUM_VALID_PARAMETERS_FOR_TOTP,
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP,
],
2022-11-22 15:15:52 +01:00
'HOTP_FULL_CUSTOM_URI' => [
[
'uri' => OtpTestData::HOTP_FULL_CUSTOM_URI,
],
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_CUSTOM_HOTP,
],
2022-11-22 15:15:52 +01:00
'HOTP_SHORT_URI' => [
[
'uri' => OtpTestData::HOTP_SHORT_URI,
],
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP,
],
2022-11-22 15:15:52 +01:00
'ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_HOTP' => [
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_HOTP,
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_CUSTOM_HOTP,
],
2022-11-22 15:15:52 +01:00
'ARRAY_OF_MINIMUM_VALID_PARAMETERS_FOR_HOTP' => [
OtpTestData::ARRAY_OF_MINIMUM_VALID_PARAMETERS_FOR_HOTP,
2022-11-22 15:15:52 +01:00
self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP,
],
];
2021-11-14 01:52:46 +01:00
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_store_with_invalid_uri_returns_validation_error()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-14 01:52:46 +01:00
->json('POST', '/api/v1/twofaccounts', [
'uri' => OtpTestData::INVALID_OTPAUTH_URI,
])
2021-11-14 01:52:46 +01:00
->assertStatus(422);
}
#[Test]
public function test_store_assigns_created_account_to_provided_groupid()
{
// Set the default group to No group
$this->user['preferences->defaultGroup'] = 0;
$this->user->save();
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => $this->userGroupA->id]
))
->assertJsonFragment([
'group_id' => $this->userGroupA->id,
]);
}
#[Test]
public function test_store_with_assignement_to_missing_groupid_returns_validation_error()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => 9999999]
))
->assertJsonValidationErrorFor('group_id');
}
#[Test]
public function test_store_with_assignement_to_null_groupid_does_not_assign_account_to_group()
{
// Set the default group to No group
$this->user['preferences->defaultGroup'] = 0;
$this->user->save();
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => null]
))
->assertJsonFragment([
'group_id' => null,
]);
}
#[Test]
public function test_store_with_assignement_to_null_groupid_is_overriden_by_specific_default_group()
{
// Set the default group to a specific group
$this->user['preferences->defaultGroup'] = $this->userGroupA->id;
$this->user->save();
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => null]
))
->assertJsonFragment([
'group_id' => $this->user->preferences['defaultGroup'],
]);
}
#[Test]
public function test_store_with_assignement_to_zero_groupid_overrides_specific_default_group()
{
// Set the default group to a specific group
$this->user['preferences->defaultGroup'] = $this->userGroupA->id;
$this->user->save();
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => 0]
))
->assertJsonFragment([
'group_id' => null,
]);
}
#[Test]
public function test_store_with_assignement_to_provided_groupid_overrides_specific_default_group()
{
// Set the default group to a specific group
$this->user['preferences->defaultGroup'] = $this->userGroupA->id;
$this->user->save();
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts', array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => $this->userGroupB->id]
))
->assertJsonFragment([
'group_id' => $this->userGroupB->id,
]);
}
#[Test]
2021-11-22 01:09:54 +01:00
public function test_store_assigns_created_account_when_default_group_is_a_specific_one()
{
// Set the default group to a specific one
$this->user['preferences->defaultGroup'] = $this->userGroupA->id;
$this->user->save();
2021-11-22 01:09:54 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-22 01:09:54 +01:00
->json('POST', '/api/v1/twofaccounts', [
'uri' => OtpTestData::TOTP_SHORT_URI,
2021-11-22 01:09:54 +01:00
])
->assertJsonFragment([
'group_id' => $this->user->preferences['defaultGroup'],
2021-11-22 01:09:54 +01:00
]);
}
#[Test]
2021-11-22 01:09:54 +01:00
public function test_store_assigns_created_account_when_default_group_is_the_active_one()
{
// Set the default group to be the active one
$this->user['preferences->defaultGroup'] = -1;
2021-11-22 01:09:54 +01:00
// Set the active group
$this->user['preferences->activeGroup'] = $this->userGroupA->id;
$this->user->save();
2021-11-22 01:09:54 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-22 01:09:54 +01:00
->json('POST', '/api/v1/twofaccounts', [
'uri' => OtpTestData::TOTP_SHORT_URI,
2021-11-22 01:09:54 +01:00
])
->assertJsonFragment([
'group_id' => $this->user->preferences['activeGroup'],
2021-11-22 01:09:54 +01:00
]);
}
#[Test]
2021-11-22 01:09:54 +01:00
public function test_store_assigns_created_account_when_default_group_is_no_group()
{
// Set the default group to No group
$this->user['preferences->defaultGroup'] = 0;
$this->user->save();
2021-11-22 01:09:54 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-22 01:09:54 +01:00
->json('POST', '/api/v1/twofaccounts', [
'uri' => OtpTestData::TOTP_SHORT_URI,
2021-11-22 01:09:54 +01:00
])
->assertJsonFragment([
2022-11-22 15:15:52 +01:00
'group_id' => null,
2021-11-22 01:09:54 +01:00
]);
}
#[Test]
2021-11-22 01:09:54 +01:00
public function test_store_assigns_created_account_when_default_group_does_not_exist()
{
// Set the default group to a non-existing one
$this->user['preferences->defaultGroup'] = 1000;
$this->user->save();
2021-11-22 01:09:54 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
2021-11-22 01:09:54 +01:00
->json('POST', '/api/v1/twofaccounts', [
'uri' => OtpTestData::TOTP_SHORT_URI,
2021-11-22 01:09:54 +01:00
])
->assertJsonFragment([
2022-11-22 15:15:52 +01:00
'group_id' => null,
2021-11-22 01:09:54 +01:00
]);
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_update_totp_returns_success_with_updated_resource()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP)
2021-11-14 01:52:46 +01:00
->assertOk()
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP);
2021-11-14 01:52:46 +01:00
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_update_hotp_returns_success_with_updated_resource()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_HOTP)
2021-11-14 01:52:46 +01:00
->assertOk()
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_HOTP);
2021-11-14 01:52:46 +01:00
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_update_missing_twofaccount_returns_not_found()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/1000', OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP)
2021-11-14 01:52:46 +01:00
->assertNotFound();
}
#[Test]
public function test_update_with_assignement_to_null_group_returns_success_with_updated_resource()
{
$this->assertNotEquals(null, $this->twofaccountA->group_id);
2024-09-26 23:50:01 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => null]
))
->assertOk()
->assertJsonFragment([
2024-09-26 23:50:01 +02:00
'group_id' => null,
])
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP);
}
#[Test]
public function test_update_with_assignement_to_zero_group_returns_success_with_updated_resource()
{
$this->assertNotEquals(null, $this->twofaccountA->group_id);
2024-09-26 23:50:01 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => 0]
))
->assertOk()
->assertJsonFragment([
2024-09-26 23:50:01 +02:00
'group_id' => null,
])
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP);
}
#[Test]
public function test_update_with_assignement_to_new_groupid_returns_success_with_updated_resource()
{
$this->assertEquals($this->userGroupA->id, $this->twofaccountA->group_id);
2024-09-26 23:50:01 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => $this->userGroupB->id]
))
->assertOk()
->assertJsonFragment([
2024-09-26 23:50:01 +02:00
'group_id' => $this->userGroupB->id,
])
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP);
}
#[Test]
public function test_update_with_assignement_to_missing_groupid_returns_validation_error()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, array_merge(
OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP,
2024-09-26 23:50:01 +02:00
['group_id' => 9999999]
))
->assertJsonValidationErrorFor('group_id');
}
#[Test]
2021-11-14 01:52:46 +01:00
public function test_update_twofaccount_with_invalid_data_returns_validation_error()
{
2021-12-02 13:15:53 +01:00
$twofaccount = TwoFAccount::factory()->create();
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountA->id, self::ARRAY_OF_INVALID_PARAMETERS)
2021-11-14 01:52:46 +01:00
->assertStatus(422);
}
#[Test]
public function test_update_twofaccount_of_another_user_is_forbidden()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('PUT', '/api/v1/twofaccounts/' . $this->twofaccountC->id, OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_HOTP)
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
#[Test]
public function test_migrate_valid_gauth_payload_returns_success_with_consistent_resources()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
2022-12-09 10:52:17 +01:00
'payload' => MigrationTestData::GOOGLE_AUTH_MIGRATION_URI,
'withSecret' => 1,
])
->assertOk()
->assertJsonCount(2, $key = null)
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
2022-11-22 15:15:52 +01:00
'counter' => null,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE . '_bis',
'account' => OtpTestData::ACCOUNT . '_bis',
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
2022-11-22 15:15:52 +01:00
'counter' => null,
]);
}
#[Test]
public function test_migrate_with_invalid_gauth_payload_returns_validation_error()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
2022-12-09 10:52:17 +01:00
'uri' => MigrationTestData::INVALID_GOOGLE_AUTH_MIGRATION_URI,
])
->assertStatus(422);
}
#[Test]
public function test_migrate_payload_with_duplicates_returns_negative_ids()
{
$twofaccount = TwoFAccount::factory()->for($this->user)->create([
2022-11-22 15:15:52 +01:00
'otp_type' => 'totp',
'account' => OtpTestData::ACCOUNT,
'service' => OtpTestData::SERVICE,
'secret' => OtpTestData::SECRET,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'digits' => OtpTestData::DIGITS_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'legacy_uri' => OtpTestData::TOTP_SHORT_URI,
2022-11-22 15:15:52 +01:00
'icon' => '',
]);
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration?withSecret=1', [
'payload' => MigrationTestData::GOOGLE_AUTH_MIGRATION_URI,
])
->assertOk()
->assertJsonFragment([
'id' => -1,
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'counter' => null,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE . '_bis',
'account' => OtpTestData::ACCOUNT . '_bis',
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'counter' => null,
]);
}
#[Test]
public function test_migrate_identify_duplicates_in_authenticated_user_twofaccounts_only()
{
$twofaccount = TwoFAccount::factory()->for($this->anotherUser)->create([
'otp_type' => 'totp',
'account' => OtpTestData::ACCOUNT,
'service' => OtpTestData::SERVICE,
'secret' => OtpTestData::SECRET,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'digits' => OtpTestData::DIGITS_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'legacy_uri' => OtpTestData::TOTP_SHORT_URI,
'icon' => '',
]);
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration?withSecret=1', [
2022-12-09 10:52:17 +01:00
'payload' => MigrationTestData::GOOGLE_AUTH_MIGRATION_URI,
])
->assertOk()
->assertJsonFragment([
2023-03-26 17:13:32 +02:00
'id' => 0,
'account' => OtpTestData::ACCOUNT,
'service' => OtpTestData::SERVICE,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'digits' => OtpTestData::DIGITS_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'icon' => null,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE . '_bis',
'account' => OtpTestData::ACCOUNT . '_bis',
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_DEFAULT,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'counter' => null,
]);
}
#[Test]
public function test_migrate_invalid_gauth_payload_returns_bad_request()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
2022-12-09 10:52:17 +01:00
'payload' => MigrationTestData::GOOGLE_AUTH_MIGRATION_URI_WITH_INVALID_DATA,
])
->assertStatus(400)
->assertJsonStructure([
2022-11-22 15:15:52 +01:00
'message',
]);
}
#[Test]
public function test_migrate_valid_aegis_json_file_returns_success()
{
$file = LocalFile::fake()->validAegisJsonFile();
$response = $this->withHeaders(['Content-Type' => 'multipart/form-data'])
->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
2022-11-22 15:15:52 +01:00
'file' => $file,
'withSecret' => 1,
])
->assertOk()
2022-12-09 10:52:17 +01:00
->assertJsonCount(3, $key = null)
->assertJsonFragment([
'id' => 0,
2022-12-09 10:52:17 +01:00
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => OtpTestData::PERIOD_CUSTOM,
2022-11-22 15:15:52 +01:00
'counter' => null,
])
->assertJsonFragment([
'id' => 0,
2022-12-09 10:52:17 +01:00
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'hotp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => null,
'counter' => OtpTestData::COUNTER_CUSTOM,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::STEAM,
2022-12-09 10:52:17 +01:00
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'steamtotp',
'secret' => OtpTestData::STEAM_SECRET,
'digits' => OtpTestData::DIGITS_STEAM,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
2022-11-22 15:15:52 +01:00
'counter' => null,
]);
}
#[Test]
2023-08-01 11:28:27 +02:00
#[DataProvider('invalidAegisJsonFileProvider')]
public function test_migrate_invalid_aegis_json_file_returns_bad_request($file)
{
$response = $this->withHeaders(['Content-Type' => 'multipart/form-data'])
->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
'file' => $file,
])
->assertStatus(400);
}
/**
* Provide invalid Aegis JSON files for import tests
*/
2023-08-01 11:28:27 +02:00
public static function invalidAegisJsonFileProvider()
{
return [
2022-12-09 10:52:17 +01:00
'encryptedAegisJsonFile' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->encryptedAegisJsonFile(),
],
2022-12-09 10:52:17 +01:00
'invalidAegisJsonFile' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->invalidAegisJsonFile(),
],
];
}
#[Test]
2023-08-01 11:28:27 +02:00
#[DataProvider('validPlainTextFileProvider')]
public function test_migrate_valid_plain_text_file_returns_success($file)
{
$response = $this->withHeaders(['Content-Type' => 'multipart/form-data'])
->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
2022-11-22 15:15:52 +01:00
'file' => $file,
'withSecret' => 1,
])
->assertOk()
->assertJsonCount(3, $key = null)
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'totp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => OtpTestData::PERIOD_CUSTOM,
2022-11-22 15:15:52 +01:00
'counter' => null,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::SERVICE,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'hotp',
'secret' => OtpTestData::SECRET,
'digits' => OtpTestData::DIGITS_CUSTOM,
'algorithm' => OtpTestData::ALGORITHM_CUSTOM,
'period' => null,
2022-11-22 15:15:52 +01:00
'counter' => OtpTestData::COUNTER_CUSTOM,
])
->assertJsonFragment([
'id' => 0,
'service' => OtpTestData::STEAM,
'account' => OtpTestData::ACCOUNT,
'otp_type' => 'steamtotp',
'secret' => OtpTestData::STEAM_SECRET,
'digits' => OtpTestData::DIGITS_STEAM,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
2022-11-22 15:15:52 +01:00
'counter' => null,
]);
}
/**
* Provide valid Plain Text files for import tests
*/
2023-08-01 11:28:27 +02:00
public static function validPlainTextFileProvider()
{
return [
'validPlainTextFile' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->validPlainTextFile(),
],
'validPlainTextFileWithNewLines' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->validPlainTextFileWithNewLines(),
],
];
}
#[Test]
2023-08-01 11:28:27 +02:00
#[DataProvider('invalidPlainTextFileProvider')]
public function test_migrate_invalid_plain_text_file_returns_bad_request($file)
{
$response = $this->withHeaders(['Content-Type' => 'multipart/form-data'])
->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/migration', [
'file' => $file,
])
->assertStatus(400);
}
/**
* Provide invalid Plain Text files for import tests
*/
2023-08-01 11:28:27 +02:00
public static function invalidPlainTextFileProvider()
{
return [
2022-12-09 10:52:17 +01:00
'invalidPlainTextFileEmpty' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->invalidPlainTextFileEmpty(),
],
2022-12-09 10:52:17 +01:00
'invalidPlainTextFileNoUri' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->invalidPlainTextFileNoUri(),
],
2022-12-09 10:52:17 +01:00
'invalidPlainTextFileWithInvalidUri' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->invalidPlainTextFileWithInvalidUri(),
],
2022-12-09 10:52:17 +01:00
'invalidPlainTextFileWithInvalidLine' => [
2022-11-22 15:15:52 +01:00
LocalFile::fake()->invalidPlainTextFileWithInvalidLine(),
],
];
}
#[Test]
public function test_reorder_returns_success()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/reorder', [
'orderedIds' => [$this->twofaccountB->id, $this->twofaccountA->id],
2022-12-09 10:52:17 +01:00
])
->assertStatus(200)
->assertJsonStructure([
2022-11-22 15:15:52 +01:00
'message',
]);
}
2021-11-14 01:52:46 +01:00
#[Test]
public function test_reorder_with_invalid_data_returns_validation_error()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/reorder', [
2022-12-09 10:52:17 +01:00
'orderedIds' => '3,2,1',
])
->assertStatus(422);
}
2021-11-14 01:52:46 +01:00
#[Test]
public function test_reorder_twofaccounts_of_another_user_is_forbidden()
{
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/reorder', [
'orderedIds' => [$this->twofaccountB->id, $this->twofaccountD->id],
])
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
#[Test]
public function test_preview_returns_success_with_resource()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/preview', [
'uri' => OtpTestData::TOTP_FULL_CUSTOM_URI,
])
->assertOk()
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_CUSTOM_TOTP);
}
2021-11-14 01:52:46 +01:00
#[Test]
public function test_preview_with_invalid_data_returns_validation_error()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/preview', [
'uri' => OtpTestData::INVALID_OTPAUTH_URI,
])
->assertStatus(422);
}
2021-11-14 01:52:46 +01:00
#[Test]
2024-10-18 14:28:45 +02:00
public function test_preview_with_unreachable_image_but_official_logo_returns_success()
{
$this->user['preferences->getOfficialIcons'] = true;
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/preview', [
'uri' => OtpTestData::TOTP_URI_WITH_UNREACHABLE_IMAGE,
])
->assertOk();
$this->assertNotNull($response->json('icon'));
}
#[Test]
public function test_preview_with_unreachable_image_returns_success_with_no_icon()
{
2024-10-18 14:28:45 +02:00
$this->user['preferences->getOfficialIcons'] = false;
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/preview', [
'uri' => OtpTestData::TOTP_URI_WITH_UNREACHABLE_IMAGE,
])
->assertOk()
->assertJsonFragment([
2022-11-22 15:15:52 +01:00
'icon' => null,
]);
}
2021-11-14 01:52:46 +01:00
2024-11-15 10:39:29 +01:00
#[Test]
public function test_preview_with_infected_svg_image_stores_sanitized_image()
{
$this->user['preferences->getOfficialIcons'] = true;
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/preview', [
'uri' => OtpTestData::TOTP_URI_WITH_INFECTED_SVG_IMAGE,
])
->assertOk();
$svgContent = IconStore::get($response->getData()->icon);
$this->assertStringNotContainsString(OtpTestData::ICON_SVG_MALICIOUS_CODE, $svgContent);
}
#[Test]
2023-03-18 17:33:43 +01:00
public function test_export_returns_json_migration_resource()
{
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP);
$this->twofaccountB = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP);
$this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountA->id . ',' . $this->twofaccountB->id)
->assertOk()
->assertJsonStructure(self::VALID_EXPORT_STRUTURE)
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP)
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP);
}
#[Test]
public function test_export_returns_plain_text_with_otpauth_uris()
{
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP);
$this->twofaccountB = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP);
$this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountA->id . ',' . $this->twofaccountB->id . '&otpauth=1')
->assertOk()
->assertJsonStructure(self::VALID_EXPORT_AS_URIS_STRUTURE)
->assertJsonFragment(['uri' => $this->twofaccountA->getURI()])
->assertJsonFragment(['uri' => $this->twofaccountB->getURI()]);
}
#[Test]
public function test_export_returns_json_migration_resource_when_otpauth_param_is_off()
{
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP);
$this->twofaccountB = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP);
$this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountA->id . ',' . $this->twofaccountB->id . '&otpauth=0')
->assertOk()
->assertJsonStructure(self::VALID_EXPORT_STRUTURE)
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP)
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP);
2023-03-18 17:33:43 +01:00
}
#[Test]
2023-03-18 17:33:43 +01:00
public function test_export_too_many_ids_returns_bad_request()
{
TwoFAccount::factory()->count(102)->for($this->user)->create();
$ids = DB::table('twofaccounts')->where('user_id', $this->user->id)->pluck('id')->implode(',');
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $ids)
->assertStatus(400)
->assertJsonStructure([
'message',
'reason',
]);
}
#[Test]
2023-03-18 17:33:43 +01:00
public function test_export_missing_twofaccount_returns_existing_ones_only()
{
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP);
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountA->id . ',1000')
->assertJsonFragment(self::JSON_FRAGMENTS_FOR_DEFAULT_TOTP);
}
#[Test]
2023-03-18 17:33:43 +01:00
public function test_export_twofaccount_of_another_user_is_forbidden()
{
$response = $this->actingAs($this->user, 'api-guard')
2023-12-20 16:55:58 +01:00
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountC->id)
2023-03-18 17:33:43 +01:00
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
2024-10-18 14:28:45 +02:00
#[Test]
public function test_export_returns_nulled_icon_resource_when_icon_file_is_missing()
{
$this->twofaccountA = TwoFAccount::factory()->for($this->user)->create(array_merge(
self::JSON_FRAGMENTS_FOR_DEFAULT_HOTP,
[
'icon' => 'icon_without_file_on_disk.png',
]
));
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/export?ids=' . $this->twofaccountA->id)
->assertJsonFragment([
'icon' => 'icon_without_file_on_disk.png',
'icon_file' => null,
'icon_mime' => null,
]);
}
#[Test]
public function test_get_otp_using_totp_twofaccount_id_returns_consistent_resource()
2021-11-14 01:52:46 +01:00
{
$twofaccount = TwoFAccount::factory()->for($this->user)->create([
2022-11-22 15:15:52 +01:00
'otp_type' => 'totp',
'account' => OtpTestData::ACCOUNT,
'service' => OtpTestData::SERVICE,
'secret' => OtpTestData::SECRET,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'digits' => OtpTestData::DIGITS_DEFAULT,
'period' => OtpTestData::PERIOD_DEFAULT,
'legacy_uri' => OtpTestData::TOTP_SHORT_URI,
2022-11-22 15:15:52 +01:00
'icon' => '',
2021-11-14 01:52:46 +01:00
]);
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $twofaccount->id . '/otp')
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_TOTP)
->assertJsonFragment([
'otp_type' => 'totp',
2022-11-22 15:15:52 +01:00
'period' => OtpTestData::PERIOD_DEFAULT,
]);
}
2021-11-14 01:52:46 +01:00
#[Test]
public function test_get_otp_by_posting_totp_uri_returns_consistent_resource()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', [
'uri' => OtpTestData::TOTP_FULL_CUSTOM_URI,
2021-11-14 01:52:46 +01:00
])
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_TOTP)
->assertJsonFragment([
'otp_type' => 'totp',
2022-11-22 15:15:52 +01:00
'period' => OtpTestData::PERIOD_CUSTOM,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_by_posting_totp_parameters_returns_consistent_resource()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_TOTP)
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_TOTP)
2021-11-14 01:52:46 +01:00
->assertJsonFragment([
'otp_type' => 'totp',
2022-11-22 15:15:52 +01:00
'period' => OtpTestData::PERIOD_CUSTOM,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_using_hotp_twofaccount_id_returns_consistent_resource()
2021-11-14 01:52:46 +01:00
{
$twofaccount = TwoFAccount::factory()->for($this->user)->create([
2022-11-22 15:15:52 +01:00
'otp_type' => 'hotp',
'account' => OtpTestData::ACCOUNT,
'service' => OtpTestData::SERVICE,
'secret' => OtpTestData::SECRET,
'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
'digits' => OtpTestData::DIGITS_DEFAULT,
'period' => null,
'legacy_uri' => OtpTestData::HOTP_SHORT_URI,
2022-11-22 15:15:52 +01:00
'icon' => '',
]);
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $twofaccount->id . '/otp')
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_HOTP)
->assertJsonFragment([
'otp_type' => 'hotp',
2022-11-22 15:15:52 +01:00
'counter' => OtpTestData::COUNTER_DEFAULT + 1,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_by_posting_hotp_uri_returns_consistent_resource()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', [
'uri' => OtpTestData::HOTP_FULL_CUSTOM_URI,
])
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_HOTP)
->assertJsonFragment([
'otp_type' => 'hotp',
2022-11-22 15:15:52 +01:00
'counter' => OtpTestData::COUNTER_CUSTOM + 1,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_by_posting_hotp_parameters_returns_consistent_resource()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', OtpTestData::ARRAY_OF_FULL_VALID_PARAMETERS_FOR_CUSTOM_HOTP)
->assertOk()
->assertJsonStructure(self::VALID_OTP_RESOURCE_STRUCTURE_FOR_HOTP)
2021-11-14 01:52:46 +01:00
->assertJsonFragment([
'otp_type' => 'hotp',
2022-11-22 15:15:52 +01:00
'counter' => OtpTestData::COUNTER_CUSTOM + 1,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_by_posting_multiple_inputs_returns_bad_request()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', [
'uri' => OtpTestData::HOTP_FULL_CUSTOM_URI,
'key' => 'value',
])
->assertStatus(400)
2021-11-14 01:52:46 +01:00
->assertJsonStructure([
'message',
'reason',
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_using_indecipherable_twofaccount_id_returns_bad_request()
2021-11-14 01:52:46 +01:00
{
2022-07-30 17:51:02 +02:00
Settings::set('useEncryption', true);
$twofaccount = TwoFAccount::factory()->for($this->user)->create();
DB::table('twofaccounts')
->where('id', $twofaccount->id)
->update([
'secret' => '**encrypted**',
]);
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/' . $twofaccount->id . '/otp')
->assertStatus(400)
2021-11-14 01:52:46 +01:00
->assertJsonStructure([
'message',
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_get_otp_using_missing_twofaccount_id_returns_not_found()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/1000/otp')
->assertNotFound();
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_get_otp_by_posting_invalid_uri_returns_validation_error()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', [
'uri' => OtpTestData::INVALID_OTPAUTH_URI,
])
->assertStatus(422);
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_get_otp_by_posting_invalid_parameters_returns_validation_error()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('POST', '/api/v1/twofaccounts/otp', self::ARRAY_OF_INVALID_PARAMETERS)
->assertStatus(422);
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_get_otp_of_another_user_twofaccount_is_forbidden()
2021-11-14 01:52:46 +01:00
{
$response = $this->actingAs($this->user, 'api-guard')
2023-03-10 22:59:46 +01:00
->json('GET', '/api/v1/twofaccounts/' . $this->twofaccountC->id . '/otp')
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
#[Test]
public function test_count_returns_right_number_of_twofaccounts()
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts/count')
->assertStatus(200)
->assertExactJson([
'count' => 2,
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_withdraw_returns_success()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PATCH', '/api/v1/twofaccounts/withdraw?ids=1,2')
->assertOk()
2021-11-14 01:52:46 +01:00
->assertJsonStructure([
'message',
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_withdraw_too_many_ids_returns_bad_request()
2021-11-14 01:52:46 +01:00
{
TwoFAccount::factory()->count(102)->for($this->user)->create();
$ids = DB::table('twofaccounts')->where('user_id', $this->user->id)->pluck('id')->implode(',');
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('PATCH', '/api/v1/twofaccounts/withdraw?ids=' . $ids)
->assertStatus(400)
2021-11-14 01:52:46 +01:00
->assertJsonStructure([
'message',
'reason',
2021-11-14 01:52:46 +01:00
]);
}
#[Test]
public function test_destroy_twofaccount_returns_success()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('DELETE', '/api/v1/twofaccounts/' . $this->twofaccountA->id)
->assertNoContent();
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_destroy_missing_twofaccount_returns_not_found()
2021-11-14 01:52:46 +01:00
{
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('DELETE', '/api/v1/twofaccounts/1000')
->assertNotFound();
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_destroy_twofaccount_of_another_user_is_forbidden()
{
$response = $this->actingAs($this->user, 'api-guard')
2023-12-20 16:55:58 +01:00
->json('DELETE', '/api/v1/twofaccounts/' . $this->twofaccountC->id)
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
#[Test]
public function test_batch_destroy_twofaccount_returns_success()
2021-11-14 01:52:46 +01:00
{
TwoFAccount::factory()->count(3)->for($this->user)->create();
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('DELETE', '/api/v1/twofaccounts?ids=' . $this->twofaccountA->id . ',' . $this->twofaccountB->id)
->assertNoContent();
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_batch_destroy_too_many_twofaccounts_returns_bad_request()
2021-11-14 01:52:46 +01:00
{
TwoFAccount::factory()->count(102)->for($this->user)->create();
$ids = DB::table('twofaccounts')->where('user_id', $this->user->id)->pluck('id')->implode(',');
2021-11-14 01:52:46 +01:00
2022-03-31 08:38:35 +02:00
$response = $this->actingAs($this->user, 'api-guard')
->json('DELETE', '/api/v1/twofaccounts?ids=' . $ids)
->assertStatus(400)
->assertJsonStructure([
'message',
'reason',
]);
2021-11-14 01:52:46 +01:00
}
#[Test]
public function test_batch_destroy_twofaccount_of_another_user_is_forbidden()
{
TwoFAccount::factory()->count(2)->for($this->anotherUser)->create();
$ids = DB::table('twofaccounts')
->where('user_id', $this->anotherUser->id)
->pluck('id')
->implode(',');
$response = $this->actingAs($this->user, 'api-guard')
2023-12-20 16:55:58 +01:00
->json('DELETE', '/api/v1/twofaccounts?ids=' . $ids)
->assertForbidden()
->assertJsonStructure([
'message',
]);
}
2022-11-22 15:15:52 +01:00
}