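/**
 * Authenticates a web-service request from the session-token and user-id
 * headers supplied by $server.
 *
 * The session is looked up by token and accepted only when it exists, has not
 * expired, belongs to the user named in the user-id header and, when
 * $requireAdminRole is set, is flagged IsAdmin. An accepted session is
 * extended, written back through the repository and attached to $server.
 * An expired session is deleted from the repository when it is seen.
 *
 * @param IRestServer $server           the request being handled
 * @param bool        $requireAdminRole when true, non-admin sessions are rejected
 * @return bool true when the request is authenticated, false on any failure
 */
public function HandleSecureRequest(IRestServer $server, $requireAdminRole = false)
{
    $sessionToken = $server->GetHeader(WebServiceHeaders::SESSION_TOKEN);
    $userId = $server->GetHeader(WebServiceHeaders::USER_ID);

    // The session token is a credential: anyone who reads it can act as the
    // user. Record only whether one was supplied, never its value, so debug
    // logs cannot be replayed as a session.
    Log::Debug(
        'Handling secure request. url=%s, userId=%s, sessionTokenPresent=%s',
        $_SERVER['REQUEST_URI'],
        $userId,
        empty($sessionToken) ? 'no' : 'yes'
    );

    if (empty($sessionToken) || empty($userId)) {
        Log::Debug('Empty token or userId');
        return false;
    }

    $session = $this->repository->LoadBySessionToken($sessionToken);

    // An expired session is removed so the same token cannot be presented again.
    if ($session != null && $session->IsExpired()) {
        Log::Debug('Session is expired');
        $this->repository->Delete($session);
        return false;
    }

    // NOTE(review): loose comparison kept on purpose — the header arrives as a
    // string while the type of $session->UserId is not visible here; confirm
    // both sides before tightening this to !==.
    if ($session == null || $session->UserId != $userId) {
        Log::Debug('Session token does not match user session token');
        return false;
    }

    if ($requireAdminRole && !$session->IsAdmin) {
        Log::Debug('Route is limited to application administrators and this user is not an admin');
        return false;
    }

    // Every authenticated request renews the session (presumably a sliding
    // expiration — see ExtendSession()) and persists the renewal.
    $session->ExtendSession();
    $this->repository->Update($session);
    $server->SetSession($session);

    Log::Debug('Secure request was authenticated');
    return true;
}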
/**
 * Logout must be a no-op when the user id in the request does not own the
 * session identified by the presented token.
 */
public function testDoesNotLogUserOutIfUserIdAndSessionTokenMismatch()
{
    $requestedUserId = 123;
    $presentedToken = 'token';
    // The stored session belongs to a different user than the one in the request.
    $otherUsersSession = new WebServiceUserSession(999);

    $this->userSessionRepository
        ->expects($this->once())
        ->method('LoadBySessionToken')
        ->with($this->equalTo($presentedToken))
        ->will($this->returnValue($otherUsersSession));

    $this->webAuth->Logout($requestedUserId, $presentedToken);

    $this->assertFalse($this->fakeAuth->_LogoutCalled);
}
/**
 * An admin-only route must reject a valid session whose user is not an
 * admin, and the rejected session must not be extended.
 */
public function testHandlesWhenUserIsNotAdmin()
{
    $this->session->IsAdmin = false;

    $server = $this->server;
    // Headers are read in a fixed order: token first, then user id.
    $server->expects($this->at(0))
        ->method('GetHeader')
        ->with($this->equalTo(WebServiceHeaders::SESSION_TOKEN))
        ->will($this->returnValue($this->sessionToken));
    $server->expects($this->at(1))
        ->method('GetHeader')
        ->with($this->equalTo(WebServiceHeaders::USER_ID))
        ->will($this->returnValue($this->userId));

    $this->userSessionRepository
        ->expects($this->once())
        ->method('LoadBySessionToken')
        ->with($this->equalTo($this->sessionToken))
        ->will($this->returnValue($this->session));

    $requireAdminRole = true;
    $handled = $this->security->HandleSecureRequest($server, $requireAdminRole);

    $this->assertFalse($handled);
    $this->assertFalse($this->session->_SessionExtended);
}