From 8edf8d4fac6dd294d0be82269cc00b09af45e6d8 Mon Sep 17 00:00:00 2001
From: Rick Lambrechts <rick@rl-webdiensten.nl>
Date: Mon, 30 Sep 2024 17:04:41 +0200
Subject: [PATCH] Add test for authenticate function

---
 tests/OpenIDConnectClientTest.php | 64 +++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
index 4b46923d..1e15cb8b 100644
--- a/tests/OpenIDConnectClientTest.php
+++ b/tests/OpenIDConnectClientTest.php
@@ -142,6 +142,70 @@ public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce()
         }
     }
 
+    public function testAuthenticateWithCodeThrowsExceptionIfStateDoesNotMatch()
+    {
+        $_REQUEST['code'] = 'some-code';
+        $_REQUEST['state'] = "incorrect-state-from-user";
+        $_SESSION['openid_connect_state'] = "random-generated-state";
+
+        $client = new OpenIDConnectClient();
+
+        try {
+            $client->authenticate();
+        } catch ( OpenIDConnectClientException $e ) {
+            $this->assertEquals('Unable to determine state', $e->getMessage());
+            return;
+        }
+
+        $this->fail('OpenIDConnectClientException was not thrown when it should have been.');
+    }
+
+    public function testAuthenticateWithCodeMockedVerify()
+    {
+        $mockCode = 'some-code';
+
+        $_REQUEST['code'] = $mockCode;
+        $_REQUEST['state'] = "random-generated-state";
+        $_SESSION['openid_connect_state'] = "random-generated-state";
+
+        $mockClaims = (object)['email' => 'test@example.com'];
+        $mockIdToken = implode('.', [base64_encode('{}'), base64_encode(json_encode($mockClaims)), '']);
+        $mockAccessToken = 'some-access-token';
+        $mockRefreshToken = 'some-access-token';
+
+        $mockTokenResponse = (object)[
+            'id_token' => $mockIdToken,
+            'access_token' => $mockAccessToken,
+            'refresh_token' => $mockRefreshToken,
+        ];
+
+        $client = $this->getMockBuilder(OpenIDConnectClient::class)
+            ->onlyMethods(['requestTokens', 'verifySignatures', 'verifyJWTClaims'])
+            ->getMock();
+        $client->method('requestTokens')
+            ->with($mockCode)
+            ->willReturn($mockTokenResponse);
+        $client->method('verifySignatures')
+            ->with($mockIdToken);
+        $client->method('verifyJWTClaims')
+            ->with($mockClaims, $mockAccessToken)
+            ->willReturn(true);
+
+        try {
+            // In this mocked case we should be authenticated
+            // because we are not actually verifying the JWT
+            $authenticated = $client->authenticate();
+            $this->assertTrue($authenticated);
+            $this->assertEquals($mockIdToken, $client->getIdToken());
+            $this->assertEquals($mockAccessToken, $client->getAccessToken());
+            $this->assertEquals($mockTokenResponse, $client->getTokenResponse());
+            $this->assertEquals($mockClaims, $client->getVerifiedClaims());
+            $this->assertEquals($mockRefreshToken, $client->getRefreshToken());
+        } catch ( OpenIDConnectClientException $e ) {
+            $this->fail('OpenIDConnectClientException was thrown when it should not have been.');
+        }
+    }
+
     public function testSerialize()
     {
         $client = new OpenIDConnectClient('https://example.com', 'foo', 'bar', 'baz');