jonny/jonnybarnes.uk
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases 5 Packages Wiki Activity Actions

Auth endpoint

Browse source 
The IndieAuth endpoint should be added, currently adding the unt tests
This commit is contained in:
Jonny Barnes 2024-06-02 10:16:16 +01:00
parent 7ad5d56f1b
commit 5b2bfd5270
Signed by: jonny
SSH key fingerprint: SHA256:CTuSlns5U7qlD9jqHvtnVmfYV3Zwl2Z7WnJ4/dqOaL8
18 changed files with 1282 additions and 475 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
app/Http/Controllers/Admin/PasskeysController.php
View file

@ -19,7 +19,6 @@ use Illuminate\Support\Facades\Auth;
use Illuminate\View\View;
use ParagonIE\ConstantTime\Base64UrlSafe;
use Throwable;
use Webauthn\AttestationStatement\AttestationObjectLoader;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
@ -28,9 +27,11 @@ use Webauthn\AuthenticatorAssertionResponseValidator;
use Webauthn\AuthenticatorAttestationResponse;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\CeremonyStep\CeremonyStepManagerFactory;
use Webauthn\Denormalizer\WebauthnSerializerFactory;
use Webauthn\Exception\WebauthnException;
use Webauthn\PublicKeyCredential;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialLoader;
use Webauthn\PublicKeyCredentialParameters;
use Webauthn\PublicKeyCredentialRequestOptions;
use Webauthn\PublicKeyCredentialRpEntity;
@ -109,39 +110,57 @@ class PasskeysController extends Controller
$user = auth()->user();
$publicKeyCredentialCreationOptionsData = session('create_options');
// Unset session data to mitigate replay attacks
session()->forget('create_options');
if (empty($publicKeyCredentialCreationOptionsData)) {
throw new WebAuthnException('No public key credential request options found');
}
$publicKeyCredentialCreationOptions = PublicKeyCredentialCreationOptions::createFromString($publicKeyCredentialCreationOptionsData);
// Unset session data to mitigate replay attacks
session()->forget('create_options');
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
$attestationSupportManager = AttestationStatementSupportManager::create();
$attestationSupportManager->add(NoneAttestationStatementSupport::create());
$attestationObjectLoader = AttestationObjectLoader::create($attestationSupportManager);
$publicKeyCredentialLoader = PublicKeyCredentialLoader::create($attestationObjectLoader);
$webauthnSerializer = (new WebauthnSerializerFactory(
$attestationStatementSupportManager
))->create();
$publicKeyCredential = $publicKeyCredentialLoader->load(json_encode($request->all(), JSON_THROW_ON_ERROR));
$publicKeyCredential = $webauthnSerializer->deserialize(
json_encode($request->all(), JSON_THROW_ON_ERROR),
PublicKeyCredential::class,
'json'
);
if (! $publicKeyCredential->response instanceof AuthenticatorAttestationResponse) {
throw new WebAuthnException('Invalid response type');
}
$attestationStatementSupportManager = AttestationStatementSupportManager::create();
$attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());
$algorithmManager = new Manager();
$algorithmManager->add(new Ed25519());
$algorithmManager->add(new ES256());
$algorithmManager->add(new RS256());
$authenticatorAttestationResponseValidator = AuthenticatorAttestationResponseValidator::create(
attestationStatementSupportManager: $attestationStatementSupportManager,
publicKeyCredentialSourceRepository: null,
tokenBindingHandler: null,
extensionOutputCheckerHandler: ExtensionOutputCheckerHandler::create(),
$ceremonyStepManagerFactory = new CeremonyStepManagerFactory();
$ceremonyStepManagerFactory->setAlgorithmManager($algorithmManager);
$ceremonyStepManagerFactory->setAttestationStatementSupportManager(
$attestationStatementSupportManager
);
$ceremonyStepManagerFactory->setExtensionOutputCheckerHandler(
ExtensionOutputCheckerHandler::create()
);
$securedRelyingPartyId = [];
if (App::environment('local', 'development')) {
$securedRelyingPartyId = [config('url.longurl')];
}
$ceremonyStepManagerFactory->setSecuredRelyingPartyId($securedRelyingPartyId);
$authenticatorAttestationResponseValidator = AuthenticatorAttestationResponseValidator::create(
ceremonyStepManager: $ceremonyStepManagerFactory->creationCeremony()
);
$publicKeyCredentialCreationOptions = $webauthnSerializer->deserialize(
$publicKeyCredentialCreationOptionsData,
PublicKeyCredentialCreationOptions::class,
'json'
);
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
authenticatorAttestationResponse: $publicKeyCredential->response,
@ -187,14 +206,18 @@ class PasskeysController extends Controller
], 400);
}
$publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString($requestOptions);
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
$attestationSupportManager = AttestationStatementSupportManager::create();
$attestationSupportManager->add(NoneAttestationStatementSupport::create());
$attestationObjectLoader = AttestationObjectLoader::create($attestationSupportManager);
$publicKeyCredentialLoader = PublicKeyCredentialLoader::create($attestationObjectLoader);
$webauthnSerializer = (new WebauthnSerializerFactory(
$attestationStatementSupportManager
))->create();
$publicKeyCredential = $publicKeyCredentialLoader->load(json_encode($request->all(), JSON_THROW_ON_ERROR));
$publicKeyCredential = $webauthnSerializer->deserialize(
json_encode($request->all(), JSON_THROW_ON_ERROR),
PublicKeyCredential::class,
'json'
);
if (! $publicKeyCredential->response instanceof AuthenticatorAssertionResponse) {
return response()->json([
@ -211,28 +234,47 @@ class PasskeysController extends Controller
], 404);
}
$credential = PublicKeyCredentialSource::createFromArray(json_decode($passkey->passkey, true, 512, JSON_THROW_ON_ERROR));
$publicKeyCredentialSource = $webauthnSerializer->deserialize(
$passkey->passkey,
PublicKeyCredentialSource::class,
'json'
);
$algorithmManager = Manager::create();
$algorithmManager = new Manager();
$algorithmManager->add(new Ed25519());
$algorithmManager->add(new ES256());
$algorithmManager->add(new RS256());
$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
publicKeyCredentialSourceRepository: null,
tokenBindingHandler: null,
extensionOutputCheckerHandler: ExtensionOutputCheckerHandler::create(),
algorithmManager: $algorithmManager,
);
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
$ceremonyStepManagerFactory = new CeremonyStepManagerFactory();
$ceremonyStepManagerFactory->setAlgorithmManager($algorithmManager);
$ceremonyStepManagerFactory->setAttestationStatementSupportManager(
$attestationStatementSupportManager
);
$ceremonyStepManagerFactory->setExtensionOutputCheckerHandler(
ExtensionOutputCheckerHandler::create()
);
$securedRelyingPartyId = [];
if (App::environment('local', 'development')) {
$securedRelyingPartyId = [config('url.longurl')];
}
$ceremonyStepManagerFactory->setSecuredRelyingPartyId($securedRelyingPartyId);
$authenticatorAssertionResponseValidator = AuthenticatorAssertionResponseValidator::create(
ceremonyStepManager: $ceremonyStepManagerFactory->requestCeremony()
);
$publicKeyCredentialRequestOptions = $webauthnSerializer->deserialize(
$requestOptions,
PublicKeyCredentialRequestOptions::class,
'json'
);
try {
$authenticatorAssertionResponseValidator->check(
credentialId: $credential,
credentialId: $publicKeyCredentialSource,
authenticatorAssertionResponse: $publicKeyCredential->response,
publicKeyCredentialRequestOptions: $publicKeyCredentialRequestOptions,
request: config('url.longurl'),

202
app/Http/Controllers/IndieAuthController.php Normal file
View file

@ -0,0 +1,202 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers;
use Exception;
use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Validator;
use Illuminate\View\View;
use Random\RandomException;
use SodiumException;
class IndieAuthController extends Controller
{
/**
* Process a GET request to the IndieAuth endpoint.
*
* This is the first step in the IndieAuth flow, where the client app sends the user to the IndieAuth endpoint.
*/
public function start(Request $request): View
{
// First check all required params are present
$validator = Validator::make($request->all(), [
'response_type' => 'required:string',
'client_id' => 'required',
'redirect_uri' => 'required',
'state' => 'required',
'code_challenge' => 'required:string',
'code_challenge_method' => 'required:string',
], [
'response_type' => 'response_type is required',
'client_id.required' => 'client_id is required to display which app is asking for authentication',
'redirect_uri.required' => 'redirect_uri is required so we can progress successful requests',
'state.required' => 'state is required',
'code_challenge.required' => 'code_challenge is required',
'code_challenge_method.required' => 'code_challenge_method is required',
]);
if ($validator->fails()) {
return view('indieauth.error')->withErrors($validator);
}
if ($request->get('response_type') !== 'code') {
return view('indieauth.error')->withErrors(['response_type' => 'only a response_type of "code" is supported']);
}
if (mb_strtoupper($request->get('code_challenge_method')) !== 'S256') {
return view('indieauth.error')->withErrors(['code_challenge_method' => 'only a code_challenge_method of "S256" is supported']);
}
if (! $this->isValidRedirectUri($request->get('client_id'), $request->get('redirect_uri'))) {
return view('indieauth.error')->withErrors(['redirect_uri' => 'redirect_uri is not valid for this client_id']);
}
$scopes = $request->get('scopes', '');
$scopes = explode(' ', $scopes);
return view('indieauth.start', [
'me' => $request->get('me'),
'client_id' => $request->get('client_id'),
'redirect_uri' => $request->get('redirect_uri'),
'state' => $request->get('state'),
'scopes' => $scopes,
'code_challenge' => $request->get('code_challenge'),
'code_challenge_method' => $request->get('code_challenge_method'),
]);
}
/**
* Confirm an IndieAuth approval request.
*
* Generates an auth code and redirects the user back to the client app.
*
* @throws RandomException
*/
public function confirm(Request $request): JsonResponse
{
$authCode = bin2hex(random_bytes(16));
$cacheKey = hash('xxh3', $request->get('client_id'));
$indieAuthRequestData = [
'code_challenge' => $request->get('code_challenge'),
'code_challenge_method' => $request->get('code_challenge_method'),
'client_id' => $request->get('client_id'),
'auth_code' => $authCode,
];
Cache::put($cacheKey, $indieAuthRequestData, now()->addMinutes(10));
$redirectUri = new Uri($request->get('redirect_uri'));
$redirectUri = Uri::withQueryValues($redirectUri, [
'code' => $authCode,
'me' => $request->get('me'),
'state' => $request->get('state'),
]);
// For now just dump URL scheme
return response()->json([
'redirect_uri' => $redirectUri,
]);
}
/**
* Process a POST request to the IndieAuth endpoint.
*
* This is the second step in the IndieAuth flow, where the client app sends the auth code to the IndieAuth endpoint.
* @throws SodiumException
*/
public function processCodeExchange(Request $request): JsonResponse
{
// First check all the data is present
$validator = Validator::make($request->all(), [
'grant_type' => 'required:string',
'code' => 'required:string',
'client_id' => 'required',
'redirect_uri' => 'required',
'code_verifier' => 'required',
]);
if ($validator->fails()) {
return response()->json($validator->errors(), 400);
}
if ($request->get('grant_type') !== 'authorization_code') {
return response()->json(['error' => 'only a grant_type of "authorization_code" is supported'], 400);
}
// Check cache for auth code
$cacheKey = hash('xxh3', $request->get('client_id'));
$indieAuthRequestData = Cache::pull($cacheKey);
if ($indieAuthRequestData === null) {
return response()->json(['error' => 'code is invalid'], 404);
}
if ($indieAuthRequestData['auth_code'] !== $request->get('code')) {
return response()->json(['error' => 'code is invalid'], 400);
}
// Check code verifier
if (! hash_equals(
$indieAuthRequestData['code_challenge'],
sodium_bin2base64(
hash('sha256', $request->get('code_verifier'), true),
SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING
)
)) {
return response()->json(['error' => 'code_verifier is invalid'], 400);
}
return response()->json([
'me' => config('app.url'),
]);
}
protected function isValidRedirectUri(string $clientId, string $redirectUri): bool
{
// If client_id is not a valid URL, then it's not valid
$clientIdParsed = \Mf2\parseUriToComponents($clientId);
if (! isset($clientIdParsed['authority'])) {
ray($clientIdParsed);
return false;
}
// If redirect_uri is not a valid URL, then it's not valid
$redirectUriParsed = \Mf2\parseUriToComponents($redirectUri);
if (! isset($redirectUriParsed['authority'])) {
ray($redirectUriParsed);
return false;
}
// If client_id and redirect_uri are the same host, then it's valid
if ($clientIdParsed['authority'] === $redirectUriParsed['authority']) {
return true;
}
// Otherwise we need to check the redirect_uri is in the client_id's redirect_uris
$guzzle = resolve(Client::class);
try {
$clientInfo = $guzzle->get($clientId);
} catch (Exception $e) {
ray('Failed to fetch client info', $e->getMessage());
return false;
}
$clientInfoParsed = \Mf2\parse($clientInfo->getBody()->getContents(), $clientId);
$redirectUris = $clientInfoParsed['rels']['redirect_uri'] ?? [];
return in_array($redirectUri, $redirectUris);
}
}

2
app/Http/Middleware/MyAuthMiddleware.php
View file

@ -20,6 +20,8 @@ class MyAuthMiddleware
{
if (Auth::check() === false) {
// theyre not logged in, so send them to login form
redirect()->setIntendedUrl($request->url());
return redirect()->route('login');
}

4
composer.json
View file

@ -10,6 +10,7 @@
"ext-intl": "*",
"ext-json": "*",
"ext-pgsql": "*",
"ext-sodium": "*",
"cviebrock/eloquent-sluggable": "^11.0",
"guzzlehttp/guzzle": "^7.2",
"indieauth/client": "^1.1",
@ -26,9 +27,12 @@
"league/commonmark": "^2.0",
"league/flysystem-aws-s3-v3": "^3.0",
"mf2/mf2": "~0.3",
"phpdocumentor/reflection-docblock": "^5.3",
"spatie/commonmark-highlighter": "^3.0",
"spatie/laravel-ignition": "^2.1",
"symfony/html-sanitizer": "^7.0",
"symfony/property-access": "^7.0",
"symfony/serializer": "^7.0",
"web-auth/webauthn-lib": "^4.7"
},
"require-dev": {

1146
composer.lock generated
View file

File diff suppressed because it is too large Load diff

2
docker-compose.yml
View file

@ -1,5 +1,4 @@
# For more information: https://laravel.com/docs/sail
version: '3'
services:
laravel.test:
build:
@ -18,6 +17,7 @@ services:
LARAVEL_SAIL: 1
XDEBUG_MODE: '${SAIL_XDEBUG_MODE:-off}'
XDEBUG_CONFIG: '${SAIL_XDEBUG_CONFIG:-client_host=host.docker.internal}'
IGNITION_LOCAL_SITES_PATH: '${PWD}'
volumes:
- '.:/var/www/html'
networks:

1
public/assets/css/app.css
View file

@ -5,3 +5,4 @@
@import url('code.css');
@import url('content.css');
@import url('notes.css');
@import url('indieauth.css');

BIN
public/assets/css/app.css.br
View file

Binary file not shown.

15
public/assets/css/indieauth.css Normal file
View file

@ -0,0 +1,15 @@
.indieauth {
.error {
color: var(--color-danger);
background-color: var(--color-danger-shadow);
border: 1px solid var(--color-danger);
border-radius: .5rem;
display: flex;
padding-inline: 1rem;
padding-block: .5rem;
width: fit-content;
margin-block-end: 1rem;
}
}

BIN
public/assets/css/indieauth.css.br Normal file
View file

Binary file not shown.

2
public/assets/css/variables.css
View file

@ -20,4 +20,6 @@
--color-link-visited: oklch(70.44% 0.21 304.41deg);
--color-primary-shadow: oklch(19.56% 0.054 125.505deg / 40%);
--rss-color-link: oklch(67.59% 0.189 42.04deg);
--color-danger: oklch(64.41% 0.281 23.29deg);
--color-danger-shadow: oklch(64.41% 0.281 23.29deg / 10%);
}

BIN
public/assets/css/variables.css.br
View file

Binary file not shown.

BIN
public/assets/js/app.js.br
View file

Binary file not shown.

BIN
public/assets/js/auth.js.br
View file

Binary file not shown.

12
resources/views/indieauth/error.blade.php Normal file
View file

@ -0,0 +1,12 @@
@extends('master')
@section('title')IndieAuth « @stop
@section('content')
<section class="indieauth">
<h1>IndieAuth</h1>
@foreach ($errors->all() as $message)
<div class="error">{{ $message }}</div>
@endforeach
</section>
@stop

39
resources/views/indieauth/start.blade.php Normal file
View file

@ -0,0 +1,39 @@
@extends('master')
@section('title')IndieAuth « @stop
@section('content')
<form class="indieauth" action="/auth/confirm" method="post">
@csrf
<input type="hidden" name="client_id" value="{{ $client_id }}">
<input type="hidden" name="redirect_uri" value="{{ $redirect_uri }}">
<input type="hidden" name="state" value="{{ $state }}">
<input type="hidden" name="me" value="{{ $me }}">
<input type="hidden" name="code_challenge" value="{{ $code_challenge }}">
<input type="hidden" name="code_challenge_method" value="{{ $code_challenge_method }}">
@if(!empty($scopes))
@foreach($scopes as $scope)
<input type="hidden" name="scope[]" value="{{ $scope }}">
@endforeach
@endif
<h1>IndieAuth</h1>
@if(!empty($error))
<div class="error">{{ $error }}</div>
@endif
<p>You are attempting to log in with the client <code>{{ $client_id }}</code></p>
<p>After approving the request you will be redirected to <code>{{ $redirect_uri }}</code></p>
@if(!empty($scopes))
<p>The client is requesting the following scopes:</p>
<ul>
@foreach($scopes as $scope)
<li>{{ $scope }}</li>
@endforeach
</ul>
@endif
<button type="submit">Approve</button>
</form>
@stop

18
routes/web.php
View file

@ -16,6 +16,7 @@ use App\Http\Controllers\BookmarksController;
use App\Http\Controllers\ContactsController;
use App\Http\Controllers\FeedsController;
use App\Http\Controllers\FrontPageController;
use App\Http\Controllers\IndieAuthController;
use App\Http\Controllers\LikesController;
use App\Http\Controllers\MicropubController;
use App\Http\Controllers\MicropubMediaController;
@ -190,6 +191,23 @@ Route::domain(config('url.longurl'))->group(function () {
Route::get('/tagged/{tag}', [BookmarksController::class, 'tagged']);
});
// IndieAuth
Route::get('auth', [IndieAuthController::class, 'start'])->middleware(MyAuthMiddleware::class);
Route::post('auth/confirm', [IndieAuthController::class, 'confirm'])->middleware(MyAuthMiddleware::class);
Route::post('auth', [IndieAuthController::class, 'processCodeExchange']);
Route::get('/test-auth-cache', function () {
$cacheKey = hash('xxh3', 'http://jonnybarnes.localhost');
dump(Cache::get($cacheKey));
});
Route::get('/test-me', function () {
return response()->json([
'me' => config('app.url'),
]);
});
// Token Endpoint
Route::post('api/token', [TokenEndpointController::class, 'create']);

206
tests/Feature/IndieAuthTest.php Normal file
View file

@ -0,0 +1,206 @@
<?php
declare(strict_types=1);
namespace Tests\Feature;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use PHPUnit\Framework\Attributes\Test;
use Tests\TestCase;
class IndieAuthTest extends TestCase
{
use RefreshDatabase;
#[Test]
public function itShouldReturnApprovalViewWhenTheRequestIsValid(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.start');
}
#[Test]
public function itShouldReturnErrorViewWhenResponeTypeIsWrong(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'invalid_value',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('only a response_type of "code" is supported');
}
#[Test]
public function itShouldReturnErrorViewWhenResponeTypeIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('response_type is required');
}
#[Test]
public function itShouldReturnErrorViewWhenClientIdIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('client_id is required');
}
#[Test]
public function itShouldReturnErrorViewWhenRedirectUriIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('redirect_uri is required');
}
#[Test]
public function itShouldReturnErrorViewWhenStateIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('state is required');
}
#[Test]
public function itShouldReturnErrorViewWhenCodeChallengeIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge_method' => 'S256',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('code_challenge is required');
}
#[Test]
public function itShouldReturnErrorViewWhenCodeChallengeMethodIsMissing(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('code_challenge_method is required');
}
#[Test]
public function itShouldReturnErrorViewWhenCodeChallengeMethodIsUnsupportedValue(): void
{
$user = User::factory()->make();
$url = url()->query('/auth', [
'response_type' => 'code',
'me' => 'https://example.com',
'client_id' => 'https://app.example.com',
'redirect_uri' => 'https://app.example.com/callback',
'state' => '123456',
'scopes' => 'create update delete',
'code_challenge' => '123456',
'code_challenge_method' => 'invalid_value',
]);
$response = $this->actingAs($user)->get($url);
$response->assertStatus(200);
$response->assertViewIs('indieauth.error');
$response->assertSee('only a code_challenge_method of "S256" is supported');
}
}