Merge pull request #5 from k2tzumi/fix-spoof-authentication

Fix spoof authentication
kirschbaum-development · Jul 11, 2022 · 83bbb02 · 83bbb02
2 parents 5b64d45 + da5b44c
commit 83bbb02
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 2 deletions.
diff --git a/src/ValidatesOpenApiSpec.php b/src/ValidatesOpenApiSpec.php
@@ -226,9 +226,14 @@ protected function getSpecFileType(): string
      */
     protected function getAuthenticatedRequest(SymfonyRequest $request): SymfonyRequest
     {
+        if ($request->headers->has('Authorization')) {
+            return $request;
+        }
+
+        // Spoofing when authentication headers are not present.
         $authenticatedRequest = clone $request;
         $authenticatedRequest->headers->set('Authorization', 'Bearer token');
-
+        
         return $authenticatedRequest;
     }
 

diff --git a/tests/ValidatesRequestsTest.php b/tests/ValidatesRequestsTest.php
@@ -115,6 +115,15 @@ public function provideValidationScenarios()
             ],
             true,
         ];
+
+        yield 'Authentication required' => [
+            [
+                'method' => 'GET',
+                'uri' => 'private',
+                'server' => ['HTTP_Authorization' => 'Basic MTIzNDU2Nzg5MDo='],
+            ],
+            true,
+        ];
     }
 
     private function makeRequest($method, $uri, $parameters = [], $cookies = [], $files = [], $server = [], $content = null)

diff --git a/tests/ValidatorBuildAndSetupTest.php b/tests/ValidatorBuildAndSetupTest.php
@@ -150,7 +150,23 @@ function ($faker) {
      */
     public function testBypassesAuthenticationInRequests()
     {
-        $request = $this->getAuthenticatedRequest(new SymfonyRequest());
+        $originRequest = new SymfonyRequest();
+        $request = $this->getAuthenticatedRequest($originRequest);
         $this->assertTrue($request->headers->has('Authorization'));
+        $this->assertNotSame($originRequest, $request);
+    }
+
+    /**
+     * @test
+     */
+    public function testDontSpoofAuthenticationInRequests()
+    {
+        $originRequest = new SymfonyRequest();
+        $authenticationHeaderValue = 'Basic MTIzNDU2Nzg5MDo=';
+        $originRequest->headers->set('Authorization', $authenticationHeaderValue);
+        $request = $this->getAuthenticatedRequest($originRequest);
+        $this->assertTrue($request->headers->has('Authorization'));
+        $this->assertEquals($authenticationHeaderValue, $request->headers->get('Authorization'));
+        $this->assertSame($originRequest, $request);
     }
 }
diff --git a/tests/fixtures/OpenAPI.yaml b/tests/fixtures/OpenAPI.yaml
@@ -72,3 +72,15 @@ paths:
       responses:
         '200':
           description: OK
+  /private:
+    get:
+      responses:
+        '200':
+          description: OK
+      security:
+        - Basic: []
+components:
+  securitySchemes:
+    Basic:
+      type: http
+      scheme: basic