- Adding Tests

jasonbahl · jasonbahl · commit 054d6b74da66 · 2018-01-19T11:06:46.000-07:00
diff --git a/src/Auth.php b/src/Auth.php
@@ -24,7 +24,7 @@ public static function get_secret_key() {
 
 		// Use the defined secret key, if it exists, otherwise use the SECURE_AUTH_SALT if it exists
 		// @see: https://api.wordpress.org/secret-key/1.1/salt/
-		$salt       = defined( SECURE_AUTH_SALT ) ? SECURE_AUTH_SALT : null;
+		$salt       = defined( SECURE_AUTH_SALT ) ? SECURE_AUTH_SALT : 'jwt-authentication';
 		$secret_key = defined( 'GRAPHQL_JWT_AUTH_SECRET_KEY' ) ? GRAPHQL_JWT_AUTH_SECRET_KEY : $salt;
 
 		return apply_filters( 'graphql_jwt_auth_secret_key', $secret_key );
@@ -107,7 +107,7 @@ public static function get_token_expiration() {
 			/**
 			 * Set the expiration time, default is 300 seconds.
 			 */
-			$expiration = self::get_token_issued() + ( 300 );
+			$expiration = self::get_token_issued() + 300;
 
 			/**
 			 * Determine the expiration value. Default is 7 days, but is filterable to be configured as needed
@@ -118,7 +118,7 @@ public static function get_token_expiration() {
 
 		}
 
-		return ! empty( self::$expiration ) && is_string( self::$expiration ) ? self::$expiration : null;
+		return ! empty( self::$expiration ) ? self::$expiration : null;
 
 	}
 
@@ -484,6 +484,12 @@ public static function unrevoke_user_secret( int $user_id ) {
 
 	}
 
+	protected static function set_status( $status_code ) {
+		add_filter( 'graphql_response_status_code', function() use ( $status_code ) {
+			return $status_code;
+		});
+	}
+
 	/**
 	 * Main validation function, this function try to get the Authentication
 	 * headers and decoded.
@@ -575,6 +581,7 @@ public static function validate_token( $token = null, $refresh = false ) {
 			 * If any exceptions are caught
 			 */
 		} catch ( \Exception $error ) {
+			self::set_status( 403 );
 			return new \WP_Error( 'invalid_token', __( 'The JWT Token is invalid', 'wp-graphql-jwt-authentication' ) );
 		}
 
diff --git a/src/ManageTokens.php b/src/ManageTokens.php
@@ -275,7 +275,7 @@ public static function add_tokens_to_graphql_response_headers( $headers ) {
 			 * If the tokens can be generated (not revoked, etc), return them
 			 */
 			if ( ! empty( $auth_token ) && ! is_wp_error( $auth_token ) ) {
-				$headers['X-jwt-auth-token'] = $auth_token;
+				$headers['X-JWT-Auth'] = $auth_token;
 			}
 
 		}
@@ -287,7 +287,7 @@ public static function add_tokens_to_graphql_response_headers( $headers ) {
 			$refresh_token = Auth::get_refresh_token( new \WP_User( $validate_auth_header->data->user->id ), false );
 
 			if ( ! empty( $refresh_token ) && ! is_wp_error( $refresh_token ) ) {
-				$headers['X-jwt-refresh-token'] = $refresh_token;
+				$headers['X-JWT-Refresh'] = $refresh_token;
 			}
 
 		}
diff --git a/tests/_data/config.php b/tests/_data/config.php
@@ -5,3 +5,4 @@
  * fatal errors when the autoloader is loaded twice
  */
 define( 'WPGRAPHQL_JWT_AUTHENTICATION_AUTOLOAD', false );
+define( 'GRAPHQL_JWT_AUTH_SECRET_KEY', 'codeception_tests' );
diff --git a/tests/functional.suite.dist.yml b/tests/functional.suite.dist.yml
@@ -24,7 +24,7 @@ modules:
       WPDb:
         dsn: 'mysql:host=127.0.0.1;dbname=wpgraphql_jwt_auth_serve'
         user: 'root'
-        password: 'jbutt#123'
+        password: ''
         dump: 'tests/_data/dump.sql'
         populate: true
         cleanup: true
@@ -37,5 +37,5 @@ modules:
         dbName: wpgraphql_jwt_auth_serve
         dbHost: 127.0.0.1
         dbUser: root
-        dbPassword: jbutt#123
+        dbPassword: ''
         configFile: "tests/_data/config.php"
diff --git a/tests/functional/AuthCept.php b/tests/functional/AuthCept.php
@@ -1,17 +1,32 @@
 <?php
-
 $I = new FunctionalTester($scenario);
-$I->wantTo('Get Posts with GraphQL');
-$I->sendPost( 'https://denverpost.com/graphql', json_encode([
-'query' => '{ posts{ edges{ node{ id, title } } } }'
+$I->wantTo('Get public data without passing authentication headers');
+
+$I->sendPOST( 'http://wp.localhost/graphql', json_encode([
+	'query' => '
+	{ 
+		posts { 
+			edges { 
+				node { 
+					id
+					title
+					link
+					date 
+				} 
+			} 
+		} 
+	}'
 ]) );
-$I->seeResponseCodeIs( 403 );
-$I->seeResponseIsJson();
 
+$I->seeResponseCodeIs( 200 );
+$I->seeResponseIsJson();
+$response = $I->grabResponse();
 
+$response_array = json_decode( $response, true );
 
-$res = $I->sendPOST( 'http://wp.localhost/graphql', json_encode([
-	'query' => '{ posts{ edges{ node{ id, title } } } }'
-]) );
-$I->seeResponseCodeIs( 200 );
-$I->seeResponseIsJson();
+$I->assertArrayNotHasKey( 'errors', $response_array  );
+$I->assertArrayHasKey( 'data', $response_array );
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['id'] );
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['title'] );
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['link'] );
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['date'] );
diff --git a/tests/functional/AuthenticatedRequestCept.php b/tests/functional/AuthenticatedRequestCept.php
@@ -0,0 +1,132 @@
+<?php
+$I = new FunctionalTester($scenario);
+$I->wantTo('Make an authenticated request to generate a Refresh token');
+
+$username = uniqid();
+$user = $I->haveUserInDatabase( $username, 'administrator', [ 'user_pass' => 'password' ] );
+
+/**
+ * Login with username and password to get the authToken for use in the subsequent Authenticated request
+ */
+$I->sendPOST( 'http://wp.localhost/graphql', json_encode([
+	'query' => '
+		mutation Login($input: LoginInput!) {
+			login( input: $input ) {
+				authToken
+				refreshToken
+				user {
+				  username
+				}
+			}
+		}
+	',
+	'variables' => [
+		'input' => [
+			'username' => $username,
+			'password' => 'password',
+			'clientMutationId' => uniqid(),
+		]
+	],
+], true));
+
+$I->seeResponseCodeIs( 200 );
+$I->seeResponseIsJson();
+
+$response = $I->grabResponse();
+$response_array = json_decode( $response, true );
+$I->assertArrayNotHasKey( 'errors', $response_array  );
+$I->assertArrayHasKey( 'data', $response_array );
+
+$authToken = $response_array['data']['login']['authToken'];
+$refreshToken = $response_array['data']['login']['refreshToken'];
+
+/**
+ * Set the Authorization header using the authToken retrieved in the previous request.
+ * The authToken can be used to access resources (or mutate data) on behalf of the user it was issued for.
+ * Here we will make a request to get data about the user, using the authToken as the mechanism for setting
+ * the current user.
+ */
+$I->setHeader( 'Authorization', 'Bearer ' . $authToken );
+$I->sendPOST( 'http://wp.localhost/graphql', json_encode([
+	'query' => '
+		{
+		  viewer {
+		    username
+		    jwtAuthToken
+		    jwtUserSecret
+		    jwtRefreshToken
+		    jwtAuthExpiration
+		    isJwtAuthSecretRevoked
+		  }
+		}
+	',
+], true));
+
+/**
+ * The repsonse code should be 200
+ */
+$I->seeResponseCodeIs( 200 );
+
+/**
+ * Grab the Refresh header. Because the request was properly authenticated, there should
+ * be a valid refresh header in the response
+ */
+$refreshTokenHeader = $I->grabHttpHeader('X-JWT-Refresh' );
+$I->assertNotEmpty( $refreshTokenHeader );
+
+/**
+ * The response should be JSON
+ */
+$I->seeResponseIsJson();
+
+/**
+ * Get the JSON response
+ */
+$response = $I->grabResponse();
+
+/**
+ * Convert the response to JSON for making assertions
+ */
+$response_array = json_decode( $response, true );
+
+/**
+ * The request should be valid, so we expect no errors
+ */
+$I->assertArrayNotHasKey( 'errors', $response_array  );
+
+/**
+ * A valid request should contain the data in the response
+ */
+$I->assertArrayHasKey( 'data', $response_array );
+
+/**
+ * The username of the viewer should match the username for the Token we retrieved and sent a request with
+ */
+$I->assertEquals( $username, $response_array['data']['viewer']['username'] );
+
+/**
+ * The request should provide a new jwtAuthToken that we can use for future requests
+ */
+$I->assertNotEmpty( $response_array['data']['viewer']['jwtAuthToken'] );
+
+/**
+ * The request should provide the secret for the user, because the user has access to see their own JWT secret
+ */
+$I->assertNotEmpty( $response_array['data']['viewer']['jwtUserSecret'] );
+
+/**
+ * The request should provide a new JWT Refresh Token that can be used for future requests to get a new AccessToken
+ */
+$I->assertNotEmpty( $response_array['data']['viewer']['jwtRefreshToken'] );
+
+/**
+ * The request should provide info on the auth expiration for the user. This field is useful for building an interface
+ * where the user can see how long their expiration is and can then mutate the expiration timeframe, should there be
+ * per-user customization of expiration settings.
+ */
+$I->assertNotEmpty( $response_array['data']['viewer']['jwtAuthExpiration'] );
+
+/**
+ * The JWT should not be revoked for this user, so this assertion should be false
+ */
+$I->assertFalse( $response_array['data']['viewer']['isJwtAuthSecretRevoked'] );
diff --git a/tests/functional/InvalidAuthenticatedRequestCept.php b/tests/functional/InvalidAuthenticatedRequestCept.php
@@ -0,0 +1,82 @@
+<?php
+$I = new FunctionalTester($scenario);
+$I->wantTo('Make an invalid authenticated request and verify I get a 403 response and cannot access private data, but can still access public data');
+
+$invalidAuthToken = 'invalidAuthToken';
+
+/**
+ * Set the Authorization token with an invalid token, and try to request private data.
+ *
+ * This should return a 403, and should not return any private data for the user, but should still return public data
+ */
+$I->setHeader( 'Authorization', 'Bearer ' . $invalidAuthToken );
+$I->sendPOST( 'http://wp.localhost/graphql', json_encode([
+	'query' => '
+		{
+		  posts(first: 1) {
+		   edges { 
+		     node {
+		       id
+		       title
+		     }
+		   }
+		  }
+		  viewer {
+		    username
+		    jwtAuthToken
+		    jwtUserSecret
+		    jwtRefreshToken
+		    jwtAuthExpiration
+		    isJwtAuthSecretRevoked
+		  }
+		}
+	',
+], true));
+
+/**
+ * The repsonse code should be 403, because auth was invalid
+ */
+$I->seeResponseCodeIs( 403 );
+
+/**
+ * Since this is an invalid request, the JWT Auth and JWT Refresh token should not be returned in the response headers
+ */
+$I->dontSeeHttpHeader( 'X-JWT-Refresh' );
+$I->dontSeeHttpHeader( 'X-JWT-Auth' );
+
+
+/**
+ * The response should be JSON
+ */
+$I->seeResponseIsJson();
+
+/**
+ * Get the JSON response
+ */
+$response = $I->grabResponse();
+
+/**
+ * Convert the response to JSON for making assertions
+ */
+$response_array = json_decode( $response, true );
+
+/**
+ * The request should have errors, because it attempted to query data for a user without providing Auth data
+ */
+$I->assertArrayHasKey( 'errors', $response_array  );
+
+/**
+ * A valid request should contain the data in the response
+ */
+$I->assertArrayHasKey( 'data', $response_array );
+
+/**
+ * The viewer should be null in the response, because an unauthenticated request should not be able to access viewer data
+ */
+$I->assertNull( $response_array['data']['viewer'] );
+
+/**
+ * An unauthenticated request should still be able to access public data though, so let's make sure there's a post returned
+ */
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['id'] );
+$I->assertNotEmpty( $response_array['data']['posts']['edges'][0]['node']['title'] );
diff --git a/tests/functional/LoginAndRetrieveTokensCept.php b/tests/functional/LoginAndRetrieveTokensCept.php
@@ -0,0 +1,41 @@
+<?php
+$I = new FunctionalTester($scenario);
+$I->wantTo('Login with valid username and password and retrieve accessToken and refreshToken');
+
+$username = uniqid();
+$user = $I->haveUserInDatabase( $username, 'administrator', [ 'user_pass' => 'password' ] );
+
+/**
+ * Login with username and password
+ */
+$I->sendPOST( 'http://wp.localhost/graphql', json_encode([
+	'query' => '
+		mutation Login($input: LoginInput!) {
+			login( input: $input ) {
+				authToken
+				refreshToken
+				user {
+				  username
+				}
+			}
+		}',
+	'variables' => [
+		'input' => [
+			'username' => $username,
+			'password' => 'password',
+			'clientMutationId' => uniqid(),
+		]
+	],
+], true));
+
+$I->seeResponseCodeIs( 200 );
+$I->seeResponseIsJson();
+
+$response = $I->grabResponse();
+$response_array = json_decode( $response, true );
+$I->assertArrayNotHasKey( 'errors', $response_array  );
+$I->assertArrayHasKey( 'data', $response_array );
+$I->assertNotEmpty( $response_array['data']['login']['authToken'] );
+$I->assertNotEmpty( $response_array['data']['login']['refreshToken'] );
+$I->assertNotEmpty( $response_array['data']['login']['user']['username'] );
+$I->assertEquals( $username, $response_array['data']['login']['user']['username'] );
diff --git a/tests/wpunit.suite.dist.yml b/tests/wpunit.suite.dist.yml

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,7 @@ public static function add_tokens_to_graphql_response_headers( $headers ) {`
`275`	`275`	`* If the tokens can be generated (not revoked, etc), return them`
`276`	`276`	`*/`
`277`	`277`	`if ( ! empty( $auth_token ) && ! is_wp_error( $auth_token ) ) {`
`278`		`- $headers['X-jwt-auth-token'] = $auth_token;`
	`278`	`+ $headers['X-JWT-Auth'] = $auth_token;`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`}`
`@@ -287,7 +287,7 @@ public static function add_tokens_to_graphql_response_headers( $headers ) {`
`287`	`287`	`$refresh_token = Auth::get_refresh_token( new \WP_User( $validate_auth_header->data->user->id ), false );`
`288`	`288`
`289`	`289`	`if ( ! empty( $refresh_token ) && ! is_wp_error( $refresh_token ) ) {`
`290`		`- $headers['X-jwt-refresh-token'] = $refresh_token;`
	`290`	`+ $headers['X-JWT-Refresh'] = $refresh_token;`
`291`	`291`	`}`
`292`	`292`
`293`	`293`	`}`