TenantAtlas/tests/Feature/Auth/OidcFailureRedirectsSafelyTest.php

<?php

declare(strict_types=1);

use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Http;

uses(RefreshDatabase::class);

if (! function_exists('entra_build_jwt')) {
    function entra_build_jwt(array $claims): string
    {
        $encode = static fn (array $data): string => rtrim(
            strtr(base64_encode(json_encode($data, JSON_UNESCAPED_SLASHES) ?: ''), '+/', '-_'),
            '='
        );

        return $encode(['alg' => 'none', 'typ' => 'JWT']).'.'.$encode($claims).'.';
    }
}

it('redirects back to /admin/login if state is invalid without making HTTP requests', function () {
    $expectedState = 'expected-state';

    Http::preventStrayRequests();

    $response = $this
        ->withSession(['entra_state' => $expectedState])
        ->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => 'wrong-state']));

    $response->assertRedirect('/admin/login');
    $response->assertSessionHas('error');
});

it('redirects back to /admin/login if the token exchange fails', function () {
    config()->set('services.microsoft.client_id', 'test-client');
    config()->set('services.microsoft.client_secret', 'test-secret');
    config()->set('services.microsoft.redirect', 'http://localhost/auth/entra/callback');
    config()->set('services.microsoft.tenant', 'organizations');

    $state = 'state-123';

    Http::fake([
        'https://login.microsoftonline.com/*/oauth2/v2.0/token' => Http::response([], 500),
    ]);

    $response = $this
        ->withSession(['entra_state' => $state])
        ->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));

    $response->assertRedirect('/admin/login');
    $response->assertSessionHas('error');
});

it('redirects back to /admin/login if tid/oid claims are missing', function () {
    config()->set('services.microsoft.client_id', 'test-client');
    config()->set('services.microsoft.client_secret', 'test-secret');
    config()->set('services.microsoft.redirect', 'http://localhost/auth/entra/callback');
    config()->set('services.microsoft.tenant', 'organizations');

    $state = 'state-123';

    Http::fake([
        'https://login.microsoftonline.com/*/oauth2/v2.0/token' => Http::response([
            'id_token' => entra_build_jwt([
                'tid' => 'tenant-1',
                // oid intentionally missing
                'preferred_username' => 'user@example.com',
            ]),
        ]),
    ]);

    $response = $this
        ->withSession(['entra_state' => $state])
        ->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));

    $response->assertRedirect('/admin/login');
    $response->assertSessionHas('error');
});