Refactoring: Throw HttpAuthExpired on csrf token mismatch

4 files changed, 69 insertions, 34 deletions

diff --git a/src/Http/Exceptions/HttpAuthExpired.php b/src/Http/Exceptions/HttpAuthExpired.php
new file mode 100644
index 00000000..83ca240f
--- /dev/null
+++ b/src/Http/Exceptions/HttpAuthExpired.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Engelsystem\Http\Exceptions;
+
+use Throwable;
+
+class HttpAuthExpired extends HttpException
+{
+    /**
+     * @param string         $message
+     * @param array          $headers
+     * @param int            $code
+     * @param Throwable|null $previous
+     */
+    public function __construct(
+        string $message = 'Authentication Expired',
+        array $headers = [],
+        int $code = 0,
+        Throwable $previous = null
+    ) {
+        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
+        parent::__construct(419, $message, $headers, $code, $previous);
+    }
+}
diff --git a/src/Middleware/VerifyCsrfToken.php b/src/Middleware/VerifyCsrfToken.php
index cc0c1fbc..0623fa72 100644
--- a/src/Middleware/VerifyCsrfToken.php
+++ b/src/Middleware/VerifyCsrfToken.php
@@ -2,6 +2,7 @@
 
 namespace Engelsystem\Middleware;
 
+use Engelsystem\Http\Exceptions\HttpAuthExpired;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -37,7 +38,7 @@ class VerifyCsrfToken implements MiddlewareInterface
             return $handler->handle($request);
         }
 
-        return $this->notAuthorizedResponse();
+        throw new HttpAuthExpired('Authentication Token Mismatch');
     }
 
     /**
@@ -77,14 +78,4 @@ class VerifyCsrfToken implements MiddlewareInterface
             && is_string($sessionToken)
             && hash_equals($sessionToken, $token);
     }
-
-    /**
-     * @return ResponseInterface
-     * @codeCoverageIgnore
-     */
-    protected function notAuthorizedResponse(): ResponseInterface
-    {
-        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
-        return response()->withStatus(419, 'Authentication Token Mismatch');
-    }
 }
diff --git a/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php b/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php
new file mode 100644
index 00000000..4eaee032
--- /dev/null
+++ b/tests/Unit/Http/Exceptions/HttpAuthExpiredTest.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Http\Exceptions;
+
+use Engelsystem\Http\Exceptions\HttpAuthExpired;
+use PHPUnit\Framework\TestCase;
+
+class HttpAuthExpiredTest extends TestCase
+{
+    /**
+     * @covers \Engelsystem\Http\Exceptions\HttpAuthExpired::__construct
+     */
+    public function testConstruct()
+    {
+        $exception = new HttpAuthExpired();
+        $this->assertEquals(419, $exception->getStatusCode());
+        $this->assertEquals('Authentication Expired', $exception->getMessage());
+
+        $exception = new HttpAuthExpired('Oops!');
+        $this->assertEquals('Oops!', $exception->getMessage());
+    }
+}
diff --git a/tests/Unit/Middleware/VerifyCsrfTokenTest.php b/tests/Unit/Middleware/VerifyCsrfTokenTest.php
index 60280c5b..636e1f81 100644
--- a/tests/Unit/Middleware/VerifyCsrfTokenTest.php
+++ b/tests/Unit/Middleware/VerifyCsrfTokenTest.php
@@ -2,6 +2,7 @@
 
 namespace Engelsystem\Test\Unit\Middleware;
 
+use Engelsystem\Http\Exceptions\HttpAuthExpired;
 use Engelsystem\Middleware\VerifyCsrfToken;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -33,13 +34,9 @@ class VerifyCsrfTokenTest extends TestCase
         /** @var VerifyCsrfToken|MockObject $middleware */
         $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
             ->disableOriginalConstructor()
-            ->setMethods(['notAuthorizedResponse', 'tokensMatch'])
+            ->setMethods(['tokensMatch'])
             ->getMock();
 
-        $middleware->expects($this->exactly(1))
-            ->method('notAuthorizedResponse')
-            ->willReturn($response);
-
         $middleware->expects($this->exactly(2))
             ->method('tokensMatch')
             ->willReturnOnConsecutiveCalls(true, false);
@@ -47,10 +44,15 @@ class VerifyCsrfTokenTest extends TestCase
         // Results in true, false, false
         $request->expects($this->exactly(3))
             ->method('getMethod')
-            ->willReturnOnConsecutiveCalls('GET', 'POST', 'DELETE');
+            ->willReturnOnConsecutiveCalls('GET', 'DELETE', 'POST');
 
+        // Is reading
         $middleware->process($request, $handler);
+        // Tokens match
         $middleware->process($request, $handler);
+
+        // No match
+        $this->expectException(HttpAuthExpired::class);
         $middleware->process($request, $handler);
     }
 
@@ -66,23 +68,18 @@ class VerifyCsrfTokenTest extends TestCase
         $handler = $this->getMockForAbstractClass(RequestHandlerInterface::class);
         /** @var ResponseInterface|MockObject $response */
         $response = $this->getMockForAbstractClass(ResponseInterface::class);
-        /** @var ResponseInterface|MockObject $noAuthResponse */
-        $noAuthResponse = $this->getMockForAbstractClass(ResponseInterface::class);
         /** @var SessionInterface|MockObject $session */
         $session = $this->getMockForAbstractClass(SessionInterface::class);
 
         /** @var VerifyCsrfToken|MockObject $middleware */
         $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
             ->setConstructorArgs([$session])
-            ->setMethods(['isReading', 'notAuthorizedResponse'])
+            ->setMethods(['isReading'])
             ->getMock();
 
         $middleware->expects($this->atLeastOnce())
             ->method('isReading')
             ->willReturn(false);
-        $middleware->expects($this->exactly(1))
-            ->method('notAuthorizedResponse')
-            ->willReturn($noAuthResponse);
 
         $handler->expects($this->exactly(3))
             ->method('handle')
@@ -92,37 +89,38 @@ class VerifyCsrfTokenTest extends TestCase
             ->method('getParsedBody')
             ->willReturnOnConsecutiveCalls(
                 null,
-                null,
                 ['_token' => 'PostFooToken'],
-                ['_token' => 'PostBarToken']
+                ['_token' => 'PostBarToken'],
+                null
             );
         $request->expects($this->exactly(4))
             ->method('getHeader')
             ->with('X-CSRF-TOKEN')
             ->willReturnOnConsecutiveCalls(
-                [],
                 ['HeaderFooToken'],
                 [],
-                ['HeaderBarToken']
+                ['HeaderBarToken'],
+                []
             );
 
         $session->expects($this->exactly(4))
             ->method('get')
             ->with('_token')
             ->willReturnOnConsecutiveCalls(
-                'NotAvailableToken',
                 'HeaderFooToken',
                 'PostFooToken',
-                'PostBarToken'
+                'PostBarToken',
+                'NotAvailableToken'
             );
 
-        // Not tokens
-        $this->assertEquals($noAuthResponse, $middleware->process($request, $handler));
         // Header token
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
         // POST token
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
         // Header and POST tokens
-        $this->assertEquals($response, $middleware->process($request, $handler));
+        $middleware->process($request, $handler);
+        // No tokens
+        $this->expectException(HttpAuthExpired::class);
+        $middleware->process($request, $handler);
     }
 }