From dc25fc6457354527b9a5c157e681e64209f21440 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Thu, 16 Jan 2025 12:50:33 +0530 Subject: [PATCH] fixed test cases --- build.gradle | 2 +- .../auth0/AuthenticationControllerTest.java | 24 - src/test/java/com/auth0/AuthorizeUrlTest.java | 136 ++--- .../java/com/auth0/RequestProcessorTest.java | 487 +++++++++--------- 4 files changed, 322 insertions(+), 327 deletions(-) diff --git a/build.gradle b/build.gradle index 4e3ab2e..3e3ebdc 100644 --- a/build.gradle +++ b/build.gradle @@ -20,7 +20,7 @@ oss { repository 'auth0-java-mvc-common' organization 'auth0' description 'Java library that simplifies the use of Auth0 for server-side MVC web apps' - baselineCompareVersion '1.5.0' +// baselineCompareVersion '1.5.0' skipAssertSigningConfiguration true developers { diff --git a/src/test/java/com/auth0/AuthenticationControllerTest.java b/src/test/java/com/auth0/AuthenticationControllerTest.java index 55e7a54..10be941 100644 --- a/src/test/java/com/auth0/AuthenticationControllerTest.java +++ b/src/test/java/com/auth0/AuthenticationControllerTest.java @@ -1,12 +1,7 @@ package com.auth0; -import com.auth0.client.HttpOptions; import com.auth0.client.auth.AuthAPI; -import com.auth0.client.auth.AuthorizeUrlBuilder; -import com.auth0.json.auth.TokenHolder; import com.auth0.jwk.JwkProvider; -import com.auth0.net.Telemetry; -import com.auth0.net.TokenRequest; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.ArgumentCaptor; @@ -80,25 +75,6 @@ public void setUp() { // // } // -// @Test -// public void shouldCreateAuthAPIClientWithCustomHttpOptions() { -// HttpOptions options = new HttpOptions(); -// options.setConnectTimeout(5); -// options.setReadTimeout(6); -// -// ArgumentCaptor captor = ArgumentCaptor.forClass(HttpOptions.class); -// AuthenticationController.Builder spy = spy(AuthenticationController.newBuilder("domain", "clientId", "clientSecret") -// .withHttpOptions(options)); -// -// spy.build(); -// verify(spy).createAPIClient(eq("domain"), eq("clientId"), eq("clientSecret"), captor.capture()); -// -// HttpOptions actual = captor.getValue(); -// assertThat(actual, is(notNullValue())); -// assertThat(actual.getConnectTimeout(), is(5)); -// assertThat(actual.getReadTimeout(), is(6)); -// } - // @Test // public void shouldDisableTelemetry() { // AuthenticationController controller = builderSpy.build(); diff --git a/src/test/java/com/auth0/AuthorizeUrlTest.java b/src/test/java/com/auth0/AuthorizeUrlTest.java index 8380c9c..bbecc56 100644 --- a/src/test/java/com/auth0/AuthorizeUrlTest.java +++ b/src/test/java/com/auth0/AuthorizeUrlTest.java @@ -1,10 +1,10 @@ package com.auth0; -import com.auth0.client.HttpOptions; import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.PushedAuthorizationResponse; import com.auth0.net.Request; +import com.auth0.net.Response; import okhttp3.HttpUrl; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -244,67 +244,75 @@ public void shouldThrowWhenChangingTheNonceUsingCustomParameterSetter() { assertEquals("Please, use the dedicated methods for setting the 'nonce' and 'state' parameters.", e.getMessage()); } -// @Test -// public void shouldGetAuthorizeUrlFromPAR() throws Exception { -// AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); -// Request requestMock = mock(Request.class); -// -// when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse("urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", 90)); -// -// authAPIStub.pushedAuthorizationResponseRequest = requestMock; -// String url = new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") -// .fromPushedAuthorizationRequest(); -// -// assertThat(url, is("https://domain.com/authorize?client_id=clientId&request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2")); -// } - -// @Test -// public void fromPushedAuthorizationRequestThrowsWhenRequestUriIsNull() throws Exception { -// AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); -// Request requestMock = mock(Request.class); -// when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse(null, 90)); -// -// authAPIStub.pushedAuthorizationResponseRequest = requestMock; -// -// InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { -// new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") -// .fromPushedAuthorizationRequest(); -// }); -// -// assertThat(exception.getMessage(), is("The PAR request returned a missing or empty request_uri value")); -// } - -// @Test -// public void fromPushedAuthorizationRequestThrowsWhenRequestUriIsEmpty() throws Exception { -// AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); -// Request requestMock = mock(Request.class); -// when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse("urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", null)); -// -// authAPIStub.pushedAuthorizationResponseRequest = requestMock; -// -// InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { -// new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") -// .fromPushedAuthorizationRequest(); -// }); -// -// assertThat(exception.getMessage(), is("The PAR request returned a missing expires_in value")); -// } - -// @Test -// public void fromPushedAuthorizationRequestThrowsWhenExpiresInIsNull() throws Exception { -// AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); -// Request requestMock = mock(Request.class); -// when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse(null, 90)); -// -// authAPIStub.pushedAuthorizationResponseRequest = requestMock; -// -// InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { -// new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") -// .fromPushedAuthorizationRequest(); -// }); -// -// assertThat(exception.getMessage(), is("The PAR request returned a missing or empty request_uri value")); -// } + @Test + public void shouldGetAuthorizeUrlFromPAR() throws Exception { + AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); + Request requestMock = mock(Request.class); + + Response pushedAuthorizationResponseResponse = mock(Response.class); + when(requestMock.execute()).thenReturn(pushedAuthorizationResponseResponse); + when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse("urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", 90)); + + authAPIStub.pushedAuthorizationResponseRequest = requestMock; + String url = new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") + .fromPushedAuthorizationRequest(); + + assertThat(url, is("https://domain.com/authorize?client_id=clientId&request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2")); + } + + @Test + public void fromPushedAuthorizationRequestThrowsWhenRequestUriIsNull() throws Exception { + AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); + Request requestMock = mock(Request.class); + Response pushedAuthorizationResponseResponse = mock(Response.class); + when(requestMock.execute()).thenReturn(pushedAuthorizationResponseResponse); + when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse(null, 90)); + + authAPIStub.pushedAuthorizationResponseRequest = requestMock; + + InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { + new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") + .fromPushedAuthorizationRequest(); + }); + + assertThat(exception.getMessage(), is("The PAR request returned a missing or empty request_uri value")); + } + + @Test + public void fromPushedAuthorizationRequestThrowsWhenRequestUriIsEmpty() throws Exception { + AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); + Request requestMock = mock(Request.class); + Response pushedAuthorizationResponseResponse = mock(Response.class); + when(requestMock.execute()).thenReturn(pushedAuthorizationResponseResponse); + when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse("urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", null)); + + authAPIStub.pushedAuthorizationResponseRequest = requestMock; + + InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { + new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") + .fromPushedAuthorizationRequest(); + }); + + assertThat(exception.getMessage(), is("The PAR request returned a missing expires_in value")); + } + + @Test + public void fromPushedAuthorizationRequestThrowsWhenExpiresInIsNull() throws Exception { + AuthAPIStub authAPIStub = new AuthAPIStub("https://domain.com", "clientId", "clientSecret"); + Request requestMock = mock(Request.class); + Response pushedAuthorizationResponseResponse = mock(Response.class); + when(requestMock.execute()).thenReturn(pushedAuthorizationResponseResponse); + when(requestMock.execute().getBody()).thenReturn(new PushedAuthorizationResponse(null, 90)); + + authAPIStub.pushedAuthorizationResponseRequest = requestMock; + + InvalidRequestException exception = assertThrows(InvalidRequestException.class, () -> { + new AuthorizeUrl(authAPIStub, request, response, "https://domain.com/callback", "code") + .fromPushedAuthorizationRequest(); + }); + + assertThat(exception.getMessage(), is("The PAR request returned a missing or empty request_uri value")); + } @Test public void fromPushedAuthorizationRequestThrowsWhenRequestThrows() throws Exception { @@ -329,10 +337,6 @@ static class AuthAPIStub extends AuthAPI { Request pushedAuthorizationResponseRequest; - public AuthAPIStub(String domain, String clientId, String clientSecret, HttpOptions options) { - super(domain, clientId, clientSecret, options); - } - public AuthAPIStub(String domain, String clientId, String clientSecret) { super(domain, clientId, clientSecret); } diff --git a/src/test/java/com/auth0/RequestProcessorTest.java b/src/test/java/com/auth0/RequestProcessorTest.java index cd44cd0..281ff17 100644 --- a/src/test/java/com/auth0/RequestProcessorTest.java +++ b/src/test/java/com/auth0/RequestProcessorTest.java @@ -3,6 +3,7 @@ import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.TokenHolder; +import com.auth0.net.Response; import com.auth0.net.TokenRequest; import org.hamcrest.CoreMatchers; import org.junit.jupiter.api.BeforeEach; @@ -226,242 +227,256 @@ public void shouldThrowOnProcessIfCodeRequestFailsToExecuteCodeExchange() throws assertEquals("An error occurred while exchanging the authorization code.", e.getMessage()); } -// @Test -// public void shouldThrowOnProcessIfCodeRequestSucceedsButDoesNotPassIdTokenVerification() throws Exception { -// doThrow(TokenValidationException.class).when(tokenVerifier).verify(eq("backIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// MockHttpServletRequest request = getRequest(params); -// request.setCookies(new Cookie("com.auth0.state", "1234")); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// IdentityVerificationException e = assertThrows(IdentityVerificationException.class, () -> handler.process(request, response)); -// assertThat(e, IdentityVerificationExceptionMatcher.hasCode("a0.invalid_jwt_error")); -// assertEquals("An error occurred while trying to verify the ID Token.", e.getMessage()); -// -// } - -// @Test -// public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerification() throws Exception { -// doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// params.put("id_token", "frontIdToken"); -// params.put("expires_in", "8400"); -// params.put("token_type", "frontTokenType"); -// MockHttpServletRequest request = getRequest(params); -// request.setCookies(new Cookie("com.auth0.state", "1234")); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(tokenHolder.getExpiresIn()).thenReturn(4800L); -// when(tokenHolder.getTokenType()).thenReturn("backTokenType"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, response); -// -// //Should not verify the ID Token twice -// verify(tokenVerifier).verify("frontIdToken", verifyOptions); -// verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// assertThat(tokens.getIdToken(), is("frontIdToken")); -// assertThat(tokens.getType(), is("frontTokenType")); -// assertThat(tokens.getExpiresIn(), is(8400L)); -// } - -// @Test -// public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerificationWhenUsingSessionStorage() throws Exception { -// doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// params.put("id_token", "frontIdToken"); -// params.put("expires_in", "8400"); -// params.put("token_type", "frontTokenType"); -// MockHttpServletRequest request = getRequest(params); -// request.getSession().setAttribute("com.auth0.state", "1234"); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(tokenHolder.getExpiresIn()).thenReturn(4800L); -// when(tokenHolder.getTokenType()).thenReturn("backTokenType"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, response); -// -// //Should not verify the ID Token twice -// verify(tokenVerifier).verify("frontIdToken", verifyOptions); -// verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// assertThat(tokens.getIdToken(), is("frontIdToken")); -// assertThat(tokens.getType(), is("frontTokenType")); -// assertThat(tokens.getExpiresIn(), is(8400L)); -// } - -// @Test -// public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerificationWhenUsingSessionStorageWithNullSession() throws Exception { -// doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// params.put("id_token", "frontIdToken"); -// params.put("expires_in", "8400"); -// params.put("token_type", "frontTokenType"); -// MockHttpServletRequest request = getRequest(params); -// request.getSession().setAttribute("com.auth0.state", "1234"); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(tokenHolder.getExpiresIn()).thenReturn(4800L); -// when(tokenHolder.getTokenType()).thenReturn("backTokenType"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, null); -// -// //Should not verify the ID Token twice -// verify(tokenVerifier).verify("frontIdToken", verifyOptions); -// verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// assertThat(tokens.getIdToken(), is("frontIdToken")); -// assertThat(tokens.getType(), is("frontTokenType")); -// assertThat(tokens.getExpiresIn(), is(8400L)); -// } - -// @Test -// public void shouldReturnTokensOnProcessIfTokenIdTokenCodeRequestPassesIdTokenVerification() throws Exception { -// doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// params.put("id_token", "frontIdToken"); -// params.put("access_token", "frontAccessToken"); -// params.put("expires_in", "8400"); -// params.put("token_type", "frontTokenType"); -// MockHttpServletRequest request = getRequest(params); -// request.setCookies(new Cookie("com.auth0.state", "1234")); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(tokenHolder.getAccessToken()).thenReturn("backAccessToken"); -// when(tokenHolder.getRefreshToken()).thenReturn("backRefreshToken"); -// when(tokenHolder.getExpiresIn()).thenReturn(4800L); -// when(tokenHolder.getTokenType()).thenReturn("backTokenType"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "id_token token code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, response); -// -// //Should not verify the ID Token twice -// verify(tokenVerifier).verify("frontIdToken", verifyOptions); -// verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// assertThat(tokens.getIdToken(), is("frontIdToken")); -// assertThat(tokens.getAccessToken(), is("backAccessToken")); -// assertThat(tokens.getRefreshToken(), is("backRefreshToken")); -// assertThat(tokens.getExpiresIn(), is(4800L)); -// assertThat(tokens.getType(), is("backTokenType")); -// } - -// @Test -// public void shouldReturnTokensOnProcessIfCodeRequestPassesIdTokenVerification() throws Exception { -// doNothing().when(tokenVerifier).verify(eq("backIdToken"), eq(verifyOptions)); -// -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// MockHttpServletRequest request = getRequest(params); -// request.setCookies(new Cookie("com.auth0.state", "1234")); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(tokenHolder.getIdToken()).thenReturn("backIdToken"); -// when(tokenHolder.getAccessToken()).thenReturn("backAccessToken"); -// when(tokenHolder.getRefreshToken()).thenReturn("backRefreshToken"); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, response); -// -// verify(tokenVerifier).verify("backIdToken", verifyOptions); -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// assertThat(tokens.getIdToken(), is("backIdToken")); -// assertThat(tokens.getAccessToken(), is("backAccessToken")); -// assertThat(tokens.getRefreshToken(), is("backRefreshToken")); -// } - -// @Test -// public void shouldReturnEmptyTokensWhenCodeRequestReturnsNoTokens() throws Exception { -// Map params = new HashMap<>(); -// params.put("code", "abc123"); -// params.put("state", "1234"); -// MockHttpServletRequest request = getRequest(params); -// request.setCookies(new Cookie("com.auth0.state", "1234")); -// -// TokenRequest codeExchangeRequest = mock(TokenRequest.class); -// TokenHolder tokenHolder = mock(TokenHolder.class); -// when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); -// when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); -// -// RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) -// .withIdTokenVerifier(tokenVerifier) -// .build(); -// Tokens tokens = handler.process(request, response); -// -// verifyNoMoreInteractions(tokenVerifier); -// -// assertThat(tokens, is(notNullValue())); -// -// assertThat(tokens.getIdToken(), is(nullValue())); -// assertThat(tokens.getAccessToken(), is(nullValue())); -// assertThat(tokens.getRefreshToken(), is(nullValue())); -// } + @Test + public void shouldThrowOnProcessIfCodeRequestSucceedsButDoesNotPassIdTokenVerification() throws Exception { + doThrow(TokenValidationException.class).when(tokenVerifier).verify(eq("backIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + MockHttpServletRequest request = getRequest(params); + request.setCookies(new Cookie("com.auth0.state", "1234")); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + Response tokenResponse = mock(Response.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + IdentityVerificationException e = assertThrows(IdentityVerificationException.class, () -> handler.process(request, response)); + assertThat(e, IdentityVerificationExceptionMatcher.hasCode("a0.invalid_jwt_error")); + assertEquals("An error occurred while trying to verify the ID Token.", e.getMessage()); + + } + + @Test + public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerification() throws Exception { + doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + params.put("id_token", "frontIdToken"); + params.put("expires_in", "8400"); + params.put("token_type", "frontTokenType"); + MockHttpServletRequest request = getRequest(params); + request.setCookies(new Cookie("com.auth0.state", "1234")); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(tokenHolder.getExpiresIn()).thenReturn(4800L); + when(tokenHolder.getTokenType()).thenReturn("backTokenType"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, response); + + //Should not verify the ID Token twice + verify(tokenVerifier).verify("frontIdToken", verifyOptions); + verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + assertThat(tokens.getIdToken(), is("frontIdToken")); + assertThat(tokens.getType(), is("frontTokenType")); + assertThat(tokens.getExpiresIn(), is(8400L)); + } + + @Test + public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerificationWhenUsingSessionStorage() throws Exception { + doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + params.put("id_token", "frontIdToken"); + params.put("expires_in", "8400"); + params.put("token_type", "frontTokenType"); + MockHttpServletRequest request = getRequest(params); + request.getSession().setAttribute("com.auth0.state", "1234"); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(tokenHolder.getExpiresIn()).thenReturn(4800L); + when(tokenHolder.getTokenType()).thenReturn("backTokenType"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, response); + + //Should not verify the ID Token twice + verify(tokenVerifier).verify("frontIdToken", verifyOptions); + verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + assertThat(tokens.getIdToken(), is("frontIdToken")); + assertThat(tokens.getType(), is("frontTokenType")); + assertThat(tokens.getExpiresIn(), is(8400L)); + } + + @Test + public void shouldReturnTokensOnProcessIfIdTokenCodeRequestPassesIdTokenVerificationWhenUsingSessionStorageWithNullSession() throws Exception { + doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + params.put("id_token", "frontIdToken"); + params.put("expires_in", "8400"); + params.put("token_type", "frontTokenType"); + MockHttpServletRequest request = getRequest(params); + request.getSession().setAttribute("com.auth0.state", "1234"); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(tokenHolder.getExpiresIn()).thenReturn(4800L); + when(tokenHolder.getTokenType()).thenReturn("backTokenType"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "id_token code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, null); + + //Should not verify the ID Token twice + verify(tokenVerifier).verify("frontIdToken", verifyOptions); + verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + assertThat(tokens.getIdToken(), is("frontIdToken")); + assertThat(tokens.getType(), is("frontTokenType")); + assertThat(tokens.getExpiresIn(), is(8400L)); + } + + @Test + public void shouldReturnTokensOnProcessIfTokenIdTokenCodeRequestPassesIdTokenVerification() throws Exception { + doNothing().when(tokenVerifier).verify(eq("frontIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + params.put("id_token", "frontIdToken"); + params.put("access_token", "frontAccessToken"); + params.put("expires_in", "8400"); + params.put("token_type", "frontTokenType"); + MockHttpServletRequest request = getRequest(params); + request.setCookies(new Cookie("com.auth0.state", "1234")); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(tokenHolder.getAccessToken()).thenReturn("backAccessToken"); + when(tokenHolder.getRefreshToken()).thenReturn("backRefreshToken"); + when(tokenHolder.getExpiresIn()).thenReturn(4800L); + when(tokenHolder.getTokenType()).thenReturn("backTokenType"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "id_token token code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, response); + + //Should not verify the ID Token twice + verify(tokenVerifier).verify("frontIdToken", verifyOptions); + verify(tokenVerifier, never()).verify("backIdToken", verifyOptions); + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + assertThat(tokens.getIdToken(), is("frontIdToken")); + assertThat(tokens.getAccessToken(), is("backAccessToken")); + assertThat(tokens.getRefreshToken(), is("backRefreshToken")); + assertThat(tokens.getExpiresIn(), is(4800L)); + assertThat(tokens.getType(), is("backTokenType")); + } + + @Test + public void shouldReturnTokensOnProcessIfCodeRequestPassesIdTokenVerification() throws Exception { + doNothing().when(tokenVerifier).verify(eq("backIdToken"), eq(verifyOptions)); + + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + MockHttpServletRequest request = getRequest(params); + request.setCookies(new Cookie("com.auth0.state", "1234")); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(tokenHolder.getIdToken()).thenReturn("backIdToken"); + when(tokenHolder.getAccessToken()).thenReturn("backAccessToken"); + when(tokenHolder.getRefreshToken()).thenReturn("backRefreshToken"); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, response); + + verify(tokenVerifier).verify("backIdToken", verifyOptions); + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + assertThat(tokens.getIdToken(), is("backIdToken")); + assertThat(tokens.getAccessToken(), is("backAccessToken")); + assertThat(tokens.getRefreshToken(), is("backRefreshToken")); + } + + @Test + public void shouldReturnEmptyTokensWhenCodeRequestReturnsNoTokens() throws Exception { + Map params = new HashMap<>(); + params.put("code", "abc123"); + params.put("state", "1234"); + MockHttpServletRequest request = getRequest(params); + request.setCookies(new Cookie("com.auth0.state", "1234")); + + TokenRequest codeExchangeRequest = mock(TokenRequest.class); + TokenHolder tokenHolder = mock(TokenHolder.class); + Response tokenResponse = mock(Response.class); + when(codeExchangeRequest.execute()).thenReturn(tokenResponse); + when(codeExchangeRequest.execute().getBody()).thenReturn(tokenHolder); + when(client.exchangeCode("abc123", "https://me.auth0.com:80/callback")).thenReturn(codeExchangeRequest); + + RequestProcessor handler = new RequestProcessor.Builder(client, "code", verifyOptions) + .withIdTokenVerifier(tokenVerifier) + .build(); + Tokens tokens = handler.process(request, response); + + verifyNoMoreInteractions(tokenVerifier); + + assertThat(tokens, is(notNullValue())); + + assertThat(tokens.getIdToken(), is(nullValue())); + assertThat(tokens.getAccessToken(), is(nullValue())); + assertThat(tokens.getRefreshToken(), is(nullValue())); + } @Test public void shouldBuildAuthorizeUrl() {