Added test coverage (#756)

### Changes Added test coverage for previous added issuer claim validation with custom domain. - Added expecting failure scenario with invalid `domain` not matching token issuer - Added expecting failure scenario with invalid `domain` AND invalid `custom domain` not matching token issuer - Added scenario with custom domain matching token issuer, should validate. - Added scenario with custom domain not matching token issuer, should validate with tenant domain ### References Ref: #755 ### Contributor Checklist - [x] I agree to adhere to the [Auth0 General Contribution Guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md). - [x] I agree to uphold the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). --------- Signed-off-by: ramonschriks <[email protected]> Co-authored-by: Ramon <[email protected]>
auth0 · Jan 11, 2024 · a6adf46 · a6adf46
1 parent 347bea6
commit a6adf46
Showing 1 changed file with 76 additions and 0 deletions.
diff --git a/tests/Unit/TokenTest.php b/tests/Unit/TokenTest.php
@@ -272,6 +272,42 @@ function(): SdkConfiguration {
     fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256, ['events' => null])
 ]])->throws(InvalidTokenException::class, InvalidTokenException::MSG_MISSING_EVENTS_CLAIM);
 
+it('fails validating a Logout Token with a mismatch `issuer` claim', function(
+    SdkConfiguration $configuration,
+    TokenGeneratorResponse $jwt
+): void {
+    $token = new Token($configuration, $jwt->token, Token::TYPE_LOGOUT_TOKEN);
+    $token->validate();
+})->with(['mocked hs256 access token' => [
+    function(): SdkConfiguration {
+        $this->configuration->setDomain('invalid-domain.test');
+        $this->configuration->setClientId('__test_client_id__');
+        $this->configuration->setTokenAlgorithm('HS256');
+        $this->configuration->setClientSecret('__test_client_secret__');
+        return $this->configuration;
+    },
+    fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256)
+]])->throws(InvalidTokenException::class, sprintf(InvalidTokenException::MSG_MISMATCHED_ISS_CLAIM, "https://invalid-domain.test/", "https://domain.test/"));
+
+it('fails validating a Logout Token with a mismatch `issuer` claim with custom domain', function(
+    SdkConfiguration $configuration,
+    TokenGeneratorResponse $jwt
+): void {
+    $token = new Token($configuration, $jwt->token, Token::TYPE_LOGOUT_TOKEN);
+    $token->validate();
+})->with(['mocked hs256 access token' => [
+    function(): SdkConfiguration {
+        $this->configuration->setDomain('invalid-domain.test');
+        $this->configuration->setCustomDomain('invalid-custom-domain.test');
+        $this->configuration->setClientId('__test_client_id__');
+        $this->configuration->setTokenAlgorithm('HS256');
+        $this->configuration->setClientSecret('__test_client_secret__');
+        return $this->configuration;
+    },
+    fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256)
+]])->throws(InvalidTokenException::class, sprintf(InvalidTokenException::MSG_MISMATCHED_ISS_CLAIM, "https://invalid-domain.test/", "https://domain.test/"));
+
+
 it('fails validating a Logout Token with a malformed `events` claim', function(
     SdkConfiguration $configuration,
     TokenGeneratorResponse $jwt
@@ -338,6 +374,46 @@ function(): SdkConfiguration {
     fn() => ['nonce' => '__test_nonce__']
 ]]);
 
+test('validate() with custom domain as token issuer fails, but succeeds with tenant domain', function(
+    SdkConfiguration $configuration,
+    TokenGeneratorResponse $jwt,
+    array $claims
+): void {
+    $token = new Token($configuration, $jwt->token, Token::TYPE_ID_TOKEN);
+    expect($token->validate(null, null, ['org_123'], $claims['nonce'], 100))->toEqual($token);
+})->with(['mocked data' => [
+    function(): SdkConfiguration {
+        $this->configuration->setDomain('domain.test');
+        $this->configuration->setCustomDomain('not-the-issuer.domain');
+        $this->configuration->setClientId('__test_client_id__');
+        $this->configuration->setTokenAlgorithm('HS256');
+        $this->configuration->setClientSecret('__test_client_secret__');
+        return $this->configuration;
+    },
+    fn() => TokenGenerator::create(TokenGenerator::TOKEN_ID, TokenGenerator::ALG_HS256, ['org_id' => 'org_123']),
+    fn() => ['nonce' => '__test_nonce__']
+]]);
+
+test('validate() with custom domain as token issuer succeeds, tenant domain is thereby irrelevant', function(
+    SdkConfiguration $configuration,
+    TokenGeneratorResponse $jwt,
+    array $claims
+): void {
+    $token = new Token($configuration, $jwt->token, Token::TYPE_ID_TOKEN);
+    expect($token->validate(null, null, ['org_123'], $claims['nonce'], 100))->toEqual($token);
+})->with(['mocked data' => [
+    function(): SdkConfiguration {
+        $this->configuration->setDomain('invalid-domain.test');
+        $this->configuration->setCustomDomain('domain.test');
+        $this->configuration->setClientId('__test_client_id__');
+        $this->configuration->setTokenAlgorithm('HS256');
+        $this->configuration->setClientSecret('__test_client_secret__');
+        return $this->configuration;
+    },
+    fn() => TokenGenerator::create(TokenGenerator::TOKEN_ID, TokenGenerator::ALG_HS256, ['org_id' => 'org_123']),
+    fn() => ['nonce' => '__test_nonce__']
+]]);
+
 test('validate() overrides globally configured algorithm', function(
     SdkConfiguration $configuration,
     TokenGeneratorResponse $jwt,