SignUrl: Add tests for failings case

jakubboucek · jakubboucek · commit dac4d7c8cde6 · 2021-09-17T11:09:34.000+02:00
diff --git a/src/Plugin/SignedUrl.php b/src/Plugin/SignedUrl.php
@@ -190,11 +190,7 @@ public function verifyUrl(string $url, bool $allowRedirect = false): array
             }
 
             $canonicalUrl = $this->buildUrl(['query' => substr($query, 0, $remainingOffset)] + $url);
-            header('Cache-Control: s-maxage=0, max-age=0, must-revalidate', true, 302);
-            header('Expires: Mon, 23 Jan 1978 10:00:00 GMT', true);
-            header('Location: ' . $canonicalUrl);
-            $escapedUrl = htmlspecialchars($canonicalUrl, ENT_IGNORE | ENT_QUOTES, 'UTF-8');
-            echo "<h1>Redirect</h1>\n\n<p><a href=\"{$escapedUrl}\">Please click here to continue</a>.</p>";
+            $this->sendRedirectResponse($canonicalUrl);
         }
 
         $signedUrl = $this->buildUrl(['query' => substr($query, 0, $tokenOffset)] + $url);
@@ -221,7 +217,6 @@ public function verifyToken(string $token): array
         // Check mandatory claims presence
         if (isset(
                 $payload->iss,
-                $payload->aud,
                 $payload->iat,
                 $payload->exp,
                 $payload->sub,
@@ -235,7 +230,7 @@ public function verifyToken(string $token): array
         // Check mandatory claims
         if (
             $payload->iss !== self::ISSUER_ID
-            || $payload->aud !== $this->audience
+            || ($payload->aud ?? null) !== $this->audience
         ) {
             throw new SignedUrlVerificationException('JWT Token mandatory Claims doesn\'t match');
         }
@@ -263,7 +258,7 @@ public function verifyToken(string $token): array
     /**
      * @param ParsedUrl $parsedUrl
      */
-    private function buildUrl(array $parsedUrl): string
+    protected function buildUrl(array $parsedUrl): string
     {
         return (isset($parsedUrl['scheme']) ? "{$parsedUrl['scheme']}:" : '')
             . ((isset($parsedUrl['user']) || isset($parsedUrl['host'])) ? '//' : '')
@@ -277,7 +272,7 @@ private function buildUrl(array $parsedUrl): string
             . (isset($parsedUrl['fragment']) ? "#{$parsedUrl['fragment']}" : '');
     }
 
-    private function urlFromGlobal(): string
+    protected function urlFromGlobal(): string
     {
         $urlSegments = [];
         $urlSegments['scheme'] = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http';
@@ -302,4 +297,14 @@ public function setTimestamp(?int $timestamp): void
     {
         $this->timestamp = $timestamp;
     }
+
+    protected function sendRedirectResponse(string $canonicalUrl): void
+    {
+        header('Cache-Control: s-maxage=0, max-age=0, must-revalidate', true, 302);
+        header('Expires: Mon, 23 Jan 1978 10:00:00 GMT', true);
+        header('Location: ' . $canonicalUrl);
+        $escapedUrl = htmlspecialchars($canonicalUrl, ENT_IGNORE | ENT_QUOTES, 'UTF-8');
+        echo "<h1>Redirect</h1>\n\n<p><a href=\"{$escapedUrl}\">Please click here to continue</a>.</p>";
+        die();
+    }
 }
diff --git a/tests/Plugin/SignUrlTest.php b/tests/Plugin/SignUrlTest.php
@@ -5,7 +5,9 @@
 namespace Redbitcz\DebugModeTests\Plugin;
 
 use Firebase\JWT\JWT;
+use LogicException;
 use Redbitcz\DebugMode\Plugin\SignedUrl;
+use Redbitcz\DebugMode\Plugin\SignedUrlVerificationException;
 use Tester\Assert;
 
 require __DIR__ . '/../bootstrap.php';
@@ -89,6 +91,103 @@ public function testVerifyRequest(): void
         $expected = [0, 1, 1600000600];
         Assert::equal($expected, $parsed);
     }
+
+    public function testSignInvalidUrl()
+    {
+        Assert::exception(function () {
+            $url = (string)base64_decode('Ly8Eijrg+qawZw==');
+            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin->signUrl($url, 1600000600);
+        }, LogicException::class);
+    }
+
+    public function testSignRelativeUrl()
+    {
+        Assert::exception(function () {
+            $url = '/login?email=foo@bar.cz';
+            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin->signUrl($url, 1600000600);
+        }, LogicException::class);
+    }
+
+    public function testVerifyPostRequest(): void
+    {
+        $audience = 'test.' . __FUNCTION__;
+        $timestamp = 1600000000;
+        $url = 'https://host.tld/path?query=value';
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin->setTimestamp($timestamp);
+        $tokenUrl = $plugin->signUrl($url, 1600000600);
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin->setTimestamp($timestamp);
+        JWT::$timestamp = $timestamp;
+        Assert::exception(function () use ($plugin, $tokenUrl) {
+            $plugin->verifyRequest(false, $tokenUrl, 'POST');
+        }, SignedUrlVerificationException::class, 'HTTP method doesn\'t match signed HTTP method');
+    }
+
+    public function testVerifyInvalidRequest(): void
+    {
+        Assert::exception(function () {
+            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $url = (string)base64_decode('Ly8Eijrg+qawZw==');
+            $plugin->verifyRequest(false, $url, 'GET');
+        }, SignedUrlVerificationException::class, 'Url is invalid');
+    }
+
+    public function testVerifyInvalidUrl()
+    {
+        Assert::exception(function () {
+            $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+            $plugin->verifyUrl('https://host.tld/path?query=value');
+        }, SignedUrlVerificationException::class, 'No token in URL');
+    }
+
+    public function testVerifyUrlWithSuffix(): void
+    {
+        $timestamp = 1600000000;
+        $url = 'https://host.tld/path?query=value';
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+        $plugin->setTimestamp($timestamp);
+        $tokenUrl = $plugin->signUrl($url, 1600000600);
+
+        $tokenUrl .= '&fbclid=123456789';
+
+        Assert::exception(
+            function () use ($timestamp, $tokenUrl) {
+                $plugin = new SignedUrl(self::KEY_HS256, 'HS256');
+                $plugin->setTimestamp($timestamp);
+                JWT::$timestamp = $timestamp;
+                $plugin->verifyUrl($tokenUrl);
+            },
+            SignedUrlVerificationException::class,
+            'URL contains unallowed queries after Signing Token'
+        );
+    }
+
+    public function testVerifyUrlWithSuffixRedirect(): void
+    {
+        $timestamp = 1600000000;
+        $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c';
+
+        $tokenUrl = $expected . '&fbclid=123456789';
+
+        // Mock plugin without redirect
+        $plugin = new class(self::KEY_HS256, 'HS256', 'test.testSign') extends SignedUrl {
+            protected function sendRedirectResponse(string $canonicalUrl): void
+            {
+                $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c';
+                Assert::equal($canonicalUrl, $expected);
+            }
+        };
+
+        $plugin->setTimestamp($timestamp);
+        JWT::$timestamp = $timestamp;
+        $plugin->verifyUrl($tokenUrl, true);
+    }
 }
 
 (new SignUrlTest())->run();
