tempest-framework/tests/Integration/Route/ValidSignatureMiddlewareTest.php at 1c8d0edf5dddb56cd1dc02e44d5767ca891622fe · Tresor-Kasenda/tempest-framework · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
<?php

declare(strict_types=1);

namespace Tests\Tempest\Integration\Route;

use PHPUnit\Framework\Attributes\Test;
use Tempest\DateTime\Duration;
use Tempest\Http\Status;
use Tempest\Router\UriGenerator;
use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
use Tests\Tempest\Integration\Route\Fixtures\SignedUrlController;

final class ValidSignatureMiddlewareTest extends FrameworkIntegrationTestCase
{
    private UriGenerator $generator {
        get => $this->container->get(UriGenerator::class);
    }

    protected function setUp(): void
    {
        parent::setUp();

        $this->http->registerRoute([SignedUrlController::class, 'signedAction']);
        $this->http->registerRoute([SignedUrlController::class, 'unsignedAction']);
    }

    #[Test]
    public function valid_signature_allows_request(): void
    {
        $uri = $this->generator->createSignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            token: 'abc123',
        );

        $response = $this->http->get($uri);

        $this->assertSame(Status::OK, $response->status);
        $body = is_array($response->body) ? $response->body : json_decode($response->body, true);
        $this->assertSame('abc123', $body['token']);
        $this->assertSame('Signature valid', $body['message']);
    }

    #[Test]
    public function missing_signature_returns_forbidden(): void
    {
        $response = $this->http->get('/signed-action/abc123');

        $this->assertSame(Status::FORBIDDEN, $response->status);
    }

    #[Test]
    public function invalid_signature_returns_forbidden(): void
    {
        $uri = $this->generator->createSignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            token: 'abc123',
        );

        // Tamper with the signature
        $tamperedUri = str_replace('signature=', 'signature=tampered', $uri);

        $response = $this->http->get($tamperedUri);

        $this->assertSame(Status::FORBIDDEN, $response->status);
    }

    #[Test]
    public function tampered_parameter_returns_forbidden(): void
    {
        $uri = $this->generator->createSignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            token: 'abc123',
        );

        // Tamper with the token parameter
        $tamperedUri = str_replace('abc123', 'tampered', $uri);

        $response = $this->http->get($tamperedUri);

        $this->assertSame(Status::FORBIDDEN, $response->status);
    }

    #[Test]
    public function expired_signature_returns_forbidden(): void
    {
        $clock = $this->clock();

        $uri = $this->generator->createTemporarySignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            duration: Duration::minutes(10),
            token: 'abc123',
        );

        // Advance time past expiration
        $clock->plus(Duration::minutes(15));

        $response = $this->http->get($uri);

        $this->assertSame(Status::FORBIDDEN, $response->status);
    }

    #[Test]
    public function temporary_signature_valid_before_expiration(): void
    {
        $clock = $this->clock();

        $uri = $this->generator->createTemporarySignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            duration: Duration::minutes(10),
            token: 'abc123',
        );

        // Advance time but stay within expiration
        $clock->plus(Duration::minutes(5));

        $response = $this->http->get($uri);

        $this->assertSame(Status::OK, $response->status);
    }

    #[Test]
    public function unsigned_route_works_without_signature(): void
    {
        // Routes without #[ValidSignature] should work normally
        $response = $this->http->get('/unsigned-action/abc123');

        $this->assertSame(Status::OK, $response->status);
    }

    #[Test]
    public function tampered_expiration_returns_forbidden(): void
    {
        $clock = $this->clock();

        $uri = $this->generator->createTemporarySignedUri(
            action: [SignedUrlController::class, 'signedAction'],
            duration: Duration::minutes(10),
            token: 'abc123',
        );

        // Get the current timestamp and extend it in the URL
        $timestamp = $clock->now()->plusMinutes(10)->getTimestamp()->getSeconds();
        $tamperedUri = str_replace(
            'expires_at=' . $timestamp,
            'expires_at=' . ($timestamp + 3600),
            $uri
        );

        $response = $this->http->get($tamperedUri);

        $this->assertSame(Status::FORBIDDEN, $response->status);
    }
}