cms/tests/Feature/GraphQL/AuthenticationTest.php at 87f8dfdf275285eb4f75ac73ca1a2def34906f13 · statamic/cms · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<?php

namespace Tests\Feature\GraphQL;

use PHPUnit\Framework\Attributes\Group;
use PHPUnit\Framework\Attributes\Test;
use Statamic\Facades\Config;
use Tests\PreventSavingStacheItemsToDisk;
use Tests\TestCase;

#[Group('graphql')]
class AuthenticationTest extends TestCase
{
    use PreventSavingStacheItemsToDisk;

    #[Test]
    public function it_can_authenticate_using_auth_token()
    {
        Config::set('statamic.graphql.auth_token', 'foobar');

        $this
            ->withToken('foobar')
            ->postJson('/graphql', ['query' => '{ping}'])
            ->assertOk();
    }

    #[Test]
    public function it_cant_authenticate_with_invalid_auth_token()
    {
        Config::set('statamic.graphql.auth_token', 'foobar');

        $this
            ->withToken($token = 'invalid')
            ->postJson($url = '/graphql', ['query' => '{ping}'])
            ->assertUnauthorized();

        $this
            ->withToken($token)
            ->post($url, ['query' => '{ping}'])
            ->assertUnauthorized();
    }

    #[Test]
    public function it_cant_authenticate_without_auth_token()
    {
        Config::set('statamic.graphql.auth_token', 'foobar');

        $this
            ->postJson($url = '/graphql', ['query' => '{ping}'])
            ->assertUnauthorized();

        $this
            ->post($url, ['query' => '{ping}'])
            ->assertUnauthorized();
    }

    #[Test]
    public function authentication_only_required_when_auth_token_is_set()
    {
        Config::set('statamic.graphql.auth_token', null);

        $this
            ->postJson($url = '/graphql', ['query' => '{ping}'])
            ->assertOk();

        $this
            ->post($url, ['query' => '{ping}'])
            ->assertOk();
    }

    #[Test]
    public function authenticated_responses_are_not_served_to_unauthenticated_requests()
    {
        Config::set('statamic.graphql.auth_token', 'foobar');
        Config::set('statamic.graphql.cache', ['expiry' => 60]);

        // First, make an authenticated request that gets cached
        $this
            ->withToken('foobar')
            ->postJson('/graphql', ['query' => '{ping}'])
            ->assertOk()
            ->assertJsonPath('data.ping', 'pong');

        // Now make an unauthenticated request - should get 401, not cached response
        // This verifies auth happens before caching
        $this
            ->withoutToken()
            ->postJson('/graphql', ['query' => '{ping}'])
            ->assertUnauthorized();
    }
}