From a6adf46e0ecffd7a9540d48bbfa5f6edf3ebd244 Mon Sep 17 00:00:00 2001 From: ramonschriks Date: Thu, 11 Jan 2024 04:19:48 +0100 Subject: [PATCH] Added test coverage (#756) ### Changes Added test coverage for previous added issuer claim validation with custom domain. - Added expecting failure scenario with invalid `domain` not matching token issuer - Added expecting failure scenario with invalid `domain` AND invalid `custom domain` not matching token issuer - Added scenario with custom domain matching token issuer, should validate. - Added scenario with custom domain not matching token issuer, should validate with tenant domain ### References Ref: https://github.com/auth0/auth0-PHP/pull/755 ### Contributor Checklist - [x] I agree to adhere to the [Auth0 General Contribution Guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md). - [x] I agree to uphold the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). --------- Signed-off-by: ramonschriks Co-authored-by: Ramon
---
 tests/Unit/TokenTest.php | 76 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/tests/Unit/TokenTest.php b/tests/Unit/TokenTest.php
index 3c1ba6a0..6442046a 100644
--- a/tests/Unit/TokenTest.php
+++ b/tests/Unit/TokenTest.php
@@ -272,6 +272,42 @@ function(): SdkConfiguration {
 fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256, ['events' => null])
 ]])->throws(InvalidTokenException::class, InvalidTokenException::MSG_MISSING_EVENTS_CLAIM);
+it('fails validating a Logout Token with a mismatch `issuer` claim', function(
+ SdkConfiguration $configuration,
+ TokenGeneratorResponse $jwt
+): void {
+ $token = new Token($configuration, $jwt->token, Token::TYPE_LOGOUT_TOKEN);
+ $token->validate();
+})->with(['mocked hs256 access token' => [
+ function(): SdkConfiguration {
+ $this->configuration->setDomain('invalid-domain.test');
+ $this->configuration->setClientId('__test_client_id__');
+ $this->configuration->setTokenAlgorithm('HS256');
+ $this->configuration->setClientSecret('__test_client_secret__');
+ return $this->configuration;
+ },
+ fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256)
+]])->throws(InvalidTokenException::class, sprintf(InvalidTokenException::MSG_MISMATCHED_ISS_CLAIM, "https://invalid-domain.test/", "https://domain.test/"));
+
+it('fails validating a Logout Token with a mismatch `issuer` claim with custom domain', function(
+ SdkConfiguration $configuration,
+ TokenGeneratorResponse $jwt
+): void {
+ $token = new Token($configuration, $jwt->token, Token::TYPE_LOGOUT_TOKEN);
+ $token->validate();
+})->with(['mocked hs256 access token' => [
+ function(): SdkConfiguration {
+ $this->configuration->setDomain('invalid-domain.test');
+ $this->configuration->setCustomDomain('invalid-custom-domain.test');
+ $this->configuration->setClientId('__test_client_id__');
+ $this->configuration->setTokenAlgorithm('HS256');
+ $this->configuration->setClientSecret('__test_client_secret__');
+ return $this->configuration;
+ },
+ fn() => TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256)
+]])->throws(InvalidTokenException::class, sprintf(InvalidTokenException::MSG_MISMATCHED_ISS_CLAIM, 
"https://invalid-domain.test/", "https://domain.test/"));
+
+
 it('fails validating a Logout Token with a malformed `events` claim', function(
 SdkConfiguration $configuration,
 TokenGeneratorResponse $jwt
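Review bot: The second `it(...)` in this hunk, the `with custom domain` case, differs from the first only by `setCustomDomain('invalid-custom-domain.test')` and asserts the identical message, so it would still pass if the custom domain were never consulted; it pins the error text but does not show that the custom-domain path was exercised. If reporting only the tenant domain in the message when both configured domains mismatch is the intended behaviour, a comment above that `->throws(...)` such as `// the mismatch message names the tenant domain even when a custom domain is configured` would make that explicit rather than leaving it to be inferred from the expected string. The dataset label `'mocked hs256 access token'` used by both new tests does not describe the logout token that `TokenGenerator::TOKEN_LOGOUT` produces; `'mocked hs256 logout token'` would.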
@@ -338,6 +374,46 @@ function(): SdkConfiguration {
 fn() => ['nonce' => '__test_nonce__']
 ]]);
+test('validate() with custom domain as token issuer fails, but succeeds with tenant domain', function(
+ SdkConfiguration $configuration,
+ TokenGeneratorResponse $jwt,
+ array $claims
+): void {
+ $token = new Token($configuration, $jwt->token, Token::TYPE_ID_TOKEN);
+ expect($token->validate(null, null, ['org_123'], $claims['nonce'], 100))->toEqual($token);
+})->with(['mocked data' => [
+ function(): SdkConfiguration {
+ $this->configuration->setDomain('domain.test');
+ $this->configuration->setCustomDomain('not-the-issuer.domain');
+ $this->configuration->setClientId('__test_client_id__');
+ $this->configuration->setTokenAlgorithm('HS256');
+ $this->configuration->setClientSecret('__test_client_secret__');
+ return $this->configuration;
+ },
+ fn() => TokenGenerator::create(TokenGenerator::TOKEN_ID, TokenGenerator::ALG_HS256, ['org_id' => 'org_123']),
+ fn() => ['nonce' => '__test_nonce__']
+]]);
+
+test('validate() with custom domain as token issuer succeeds, tenant domain is thereby irrelevant', function(
+ SdkConfiguration $configuration,
+ TokenGeneratorResponse $jwt,
+ array $claims
+): void {
+ $token = new Token($configuration, $jwt->token, Token::TYPE_ID_TOKEN);
+ expect($token->validate(null, null, ['org_123'], $claims['nonce'], 100))->toEqual($token);
+})->with(['mocked data' => [
+ function(): SdkConfiguration {
+ $this->configuration->setDomain('invalid-domain.test');
+ $this->configuration->setCustomDomain('domain.test');
+ $this->configuration->setClientId('__test_client_id__');
+ $this->configuration->setTokenAlgorithm('HS256');
+ $this->configuration->setClientSecret('__test_client_secret__');
+ return $this->configuration;
+ },
+ fn() => TokenGenerator::create(TokenGenerator::TOKEN_ID, TokenGenerator::ALG_HS256, ['org_id' => 'org_123']),
+ fn() => ['nonce' => '__test_nonce__']
+]]);
+
 test('validate() overrides globally configured algorithm', 
function(
 SdkConfiguration $configuration,
 TokenGeneratorResponse $jwt,
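Review bot: Both new `test(...)` cases in this hunk exercise only the accepting side of issuer validation for ID tokens, one with the tenant domain matching `iss` and one with the custom domain matching, each asserting `->toEqual($token)`. Unless an ID-token mismatch case already exists elsewhere in the file, the rejecting side is missing: a configuration whose `setDomain(...)` and `setCustomDomain(...)` both differ from the token issuer, the ID-token counterpart of the logout-token mismatch cases in the earlier hunk, which would mirror the first test here with `setDomain('invalid-domain.test')`, `setCustomDomain('not-the-issuer.domain')` and a `->throws(InvalidTokenException::class, ...)` expectation in place of the `expect(...)` line. That is the case that shows a misconfigured custom domain cannot widen the set of issuers an ID token is accepted from. The second test's title, `tenant domain is thereby irrelevant`, would read more precisely as `tenant domain is not consulted`.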