ahmido
c5fbcaa692
Key changes Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there). Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens. Blocks disabled / soft-deleted users with a generic error and safe logging. Membership-based post-login routing: 0 memberships → /admin/no-access 1 membership → tenant dashboard (via Filament URL helpers) >1 memberships → /admin/choose-tenant Adds Filament pages: /admin/choose-tenant (tenant selection + redirect) /admin/no-access (tenantless-safe) Both use simple layout to avoid tenant-required UI. Guards / tests Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for: /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests() Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa. Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #76
80 lines
2.7 KiB
PHP
80 lines
2.7 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Http;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
if (! function_exists('entra_build_jwt')) {
|
|
function entra_build_jwt(array $claims): string
|
|
{
|
|
$encode = static fn (array $data): string => rtrim(
|
|
strtr(base64_encode(json_encode($data, JSON_UNESCAPED_SLASHES) ?: ''), '+/', '-_'),
|
|
'='
|
|
);
|
|
|
|
return $encode(['alg' => 'none', 'typ' => 'JWT']).'.'.$encode($claims).'.';
|
|
}
|
|
}
|
|
|
|
it('redirects back to /admin/login if state is invalid without making HTTP requests', function () {
|
|
$expectedState = 'expected-state';
|
|
|
|
Http::preventStrayRequests();
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $expectedState])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => 'wrong-state']));
|
|
|
|
$response->assertRedirect('/admin/login');
|
|
$response->assertSessionHas('error');
|
|
});
|
|
|
|
it('redirects back to /admin/login if the token exchange fails', function () {
|
|
config()->set('services.microsoft.client_id', 'test-client');
|
|
config()->set('services.microsoft.client_secret', 'test-secret');
|
|
config()->set('services.microsoft.redirect', 'http://localhost/auth/entra/callback');
|
|
config()->set('services.microsoft.tenant', 'organizations');
|
|
|
|
$state = 'state-123';
|
|
|
|
Http::fake([
|
|
'https://login.microsoftonline.com/*/oauth2/v2.0/token' => Http::response([], 500),
|
|
]);
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $state])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));
|
|
|
|
$response->assertRedirect('/admin/login');
|
|
$response->assertSessionHas('error');
|
|
});
|
|
|
|
it('redirects back to /admin/login if tid/oid claims are missing', function () {
|
|
config()->set('services.microsoft.client_id', 'test-client');
|
|
config()->set('services.microsoft.client_secret', 'test-secret');
|
|
config()->set('services.microsoft.redirect', 'http://localhost/auth/entra/callback');
|
|
config()->set('services.microsoft.tenant', 'organizations');
|
|
|
|
$state = 'state-123';
|
|
|
|
Http::fake([
|
|
'https://login.microsoftonline.com/*/oauth2/v2.0/token' => Http::response([
|
|
'id_token' => entra_build_jwt([
|
|
'tid' => 'tenant-1',
|
|
// oid intentionally missing
|
|
'preferred_username' => 'user@example.com',
|
|
]),
|
|
]),
|
|
]);
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $state])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));
|
|
|
|
$response->assertRedirect('/admin/login');
|
|
$response->assertSessionHas('error');
|
|
});
|