magdev
0cceefc890
Three bugs surfaced by the post-v0.1.2 architecture audit: - bridge.qml_path is now actually configurable. BridgeBundle::configure defines the qml_path scalar node (default ../qml/); loadExtension exposes it as the bridge.qml_path container parameter; services.yaml binds it into BridgeResourceMaker + BridgeWindowMaker. Apps override with `config/packages/bridge.yaml`. The existing maker docstrings claimed this worked already — they lied; now they don't. - SessionAuthenticator implements AuthenticationEntryPointInterface and routes the no-token entry-point path through the same problem+json helper as onAuthenticationFailure, so QML's RestClient sees one error shape regardless of which firewall path was taken. Test added. - CorrelationKeyListener::onTerminate guards on isMainRequest() now, matching onRequest's existing guard. No user-visible impact in worker mode (no sub-requests emitted), but the asymmetry was a defensive bug that would corrupt optimistic-update reconciliation. PLAN.md §13 gains a v0.1.3 section + folds the audit's API-surface items (PublisherInterface / ModelPublisherInterface / BridgeOp enum / maker DRY / DTO-shaped scaffold) into v0.2.0. CHANGELOG.md mirrors. PHPStan + cs-fixer + PHPUnit (17/17) + maker snapshot tests all green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
102 lines
4.0 KiB
PHP
102 lines
4.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace PhpQml\Bridge\Tests;
|
|
|
|
use PhpQml\Bridge\SessionAuthenticator;
|
|
use PHPUnit\Framework\Attributes\CoversClass;
|
|
use PHPUnit\Framework\TestCase;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
|
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
|
|
|
|
#[CoversClass(SessionAuthenticator::class)]
|
|
final class SessionAuthenticatorTest extends TestCase
|
|
{
|
|
public function testSupportsOnlyWhenAuthorizationHeaderPresent(): void
|
|
{
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
|
|
self::assertFalse($auth->supports(new Request()));
|
|
|
|
$request = new Request();
|
|
$request->headers->set('Authorization', 'Bearer s3cret');
|
|
self::assertTrue($auth->supports($request));
|
|
}
|
|
|
|
public function testAuthenticateAcceptsMatchingBearerToken(): void
|
|
{
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
$request = new Request();
|
|
$request->headers->set('Authorization', 'Bearer s3cret');
|
|
|
|
$passport = $auth->authenticate($request);
|
|
|
|
self::assertInstanceOf(SelfValidatingPassport::class, $passport);
|
|
self::assertSame('bridge', $passport->getBadge(\Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge::class)->getUserIdentifier());
|
|
}
|
|
|
|
public function testAuthenticateRejectsMissingBearerScheme(): void
|
|
{
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
$request = new Request();
|
|
$request->headers->set('Authorization', 'Basic deadbeef');
|
|
|
|
$this->expectException(AuthenticationException::class);
|
|
$this->expectExceptionMessage('Bearer token missing.');
|
|
$auth->authenticate($request);
|
|
}
|
|
|
|
public function testAuthenticateRejectsWrongToken(): void
|
|
{
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
$request = new Request();
|
|
$request->headers->set('Authorization', 'Bearer wrong');
|
|
|
|
$this->expectException(AuthenticationException::class);
|
|
$this->expectExceptionMessage('Bearer token invalid.');
|
|
$auth->authenticate($request);
|
|
}
|
|
|
|
public function testAuthenticateRejectsEmptyExpectedToken(): void
|
|
{
|
|
// Avoids passing a misconfigured (empty) deployment.
|
|
$auth = new SessionAuthenticator('');
|
|
$request = new Request();
|
|
$request->headers->set('Authorization', 'Bearer ');
|
|
|
|
$this->expectException(AuthenticationException::class);
|
|
$auth->authenticate($request);
|
|
}
|
|
|
|
public function testAuthenticationFailureProducesProblemJson(): void
|
|
{
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
$response = $auth->onAuthenticationFailure(new Request(), new AuthenticationException('Bearer token invalid.'));
|
|
|
|
self::assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
|
|
self::assertSame('application/problem+json', $response->headers->get('Content-Type'));
|
|
$body = json_decode((string) $response->getContent(), true);
|
|
self::assertSame(401, $body['status']);
|
|
self::assertSame('Unauthorized', $body['title']);
|
|
}
|
|
|
|
public function testStartReturnsProblemJsonForAnonymousAccess(): void
|
|
{
|
|
// Entry-point path: no Authorization header → supports() returns false →
|
|
// Symfony invokes start() with no exception. Without our start(), the
|
|
// default would be a Form-flavoured 302/401 — wrong shape for QML.
|
|
$auth = new SessionAuthenticator('s3cret');
|
|
$response = $auth->start(new Request());
|
|
|
|
self::assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
|
|
self::assertSame('application/problem+json', $response->headers->get('Content-Type'));
|
|
$body = json_decode((string) $response->getContent(), true);
|
|
self::assertSame(401, $body['status']);
|
|
self::assertSame('Unauthorized', $body['title']);
|
|
self::assertSame('Bearer token required.', $body['detail']);
|
|
}
|
|
}
|