/**
 * Introspecting the fixture token "bar" yields an "active" response that
 * carries the token's scope, client_id and subject; the expected body has
 * no entitlement field.
 *
 * The body is matched with a regex because "exp" and "iat" are timestamps
 * that differ between runs; only their presence and numeric form are pinned.
 */
public function testPostTokenIntrospectionNoEntitlement()
{
    $request = new HttpRequest("https://auth.example.org/introspect", "POST");
    $request->setPostParameters(["token" => "bar"]);

    $endpoint = new TokenIntrospection($this->_config, null);
    $response = $endpoint->handleRequest($request);

    $expectedBody = '|{"active":true,"exp":[0-9]+,"iat":[0-9]+,"scope":"a b c","client_id":"testclient","sub":"frko","token_type":"bearer"}|';

    $this->assertEquals(200, $response->getStatusCode());
    $this->assertRegexp($expectedBody, $response->getContent());
}
/**
 * A cross-site POST to the authorization endpoint must be refused.
 *
 * The request approves the grant for scope "read" but carries a Referer
 * from another origin (https://evil.site.org/xyz). The endpoint is expected
 * to answer 400 and name the referrer/request-URI mismatch in its body.
 * NOTE(review): only the mismatching-Referer case is exercised here; a
 * request with no Referer header at all is not covered by this test.
 */
public function testCSRFAttack()
{
    $authorizeUri = "https://auth.example.org?client_id=testclient&response_type=token&scope=read&state=xyz";

    $request = new HttpRequest($authorizeUri, "POST");
    $request->setHeader("HTTP_REFERER", "https://evil.site.org/xyz");
    $request->setPostParameters([
        "approval" => "approve",
        "scope" => ["read"],
    ]);

    $endpoint = new Authorize($this->_config);
    $response = $endpoint->handleRequest($request);

    $this->assertEquals(400, $response->getStatusCode());
    $this->assertRegexp(
        "|.*csrf protection triggered, referrer does not match request uri.*|",
        $response->getContent()
    );
}
/**
 * A refresh_token grant whose requested scope is not a subset of the
 * original grant.
 *
 * The client authenticates with HTTP Basic and asks for the scope
 * "we want no sub scope". The expected response is still 200, but its
 * "scope" is "read write foo" (presumably the originally granted scope),
 * i.e. the out-of-grant request is not honoured rather than rejected.
 * RFC 6749 §6 also permits answering such a request with invalid_scope —
 * confirm the lenient behaviour pinned here is intentional.
 */
public function testRefreshTokenNoSubScope()
{
    $request = new HttpRequest("https://auth.example.org/token", "POST");
    $request->setBasicAuthUser("testcodeclient");
    $request->setBasicAuthPass("abcdef");
    $request->setPostParameters([
        "refresh_token" => "r3fr3sh",
        "scope" => "we want no sub scope",
        "grant_type" => "refresh_token",
    ]);

    $endpoint = new Token($this->_config, null);
    $response = $endpoint->handleRequest($request);

    // Anchored: the whole body must be exactly this token document.
    $expectedBody = '|^{"access_token":"[a-zA-Z0-9]+","expires_in":5,"scope":"read write foo","token_type":"bearer"}$|';

    $this->assertEquals(200, $response->getStatusCode());
    $this->assertRegexp($expectedBody, $response->getContent());
}
/**
 * Setting POST parameters on a GET request is a programming error and
 * must raise HttpRequestException instead of being silently accepted.
 *
 * @expectedException \RestService\Http\HttpRequestException
 */
public function testTrySetPostParametersOnGetRequest()
{
    $getRequest = new HttpRequest("http://www.example.com/request", "GET");

    // Expected to throw; there is nothing to assert after this call.
    $getRequest->setPostParameters(["action" => "test"]);
}