Merge pull request #25 from picqer/access-token-scope-casing

Accept lower case token type and scopes when validating access tokens (version 5)
picqer · Jan 26, 2022 · 308fb9e · 308fb9e
2 parents 2774a9b + 357e003
commit 308fb9e
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 4 deletions.
diff --git a/src/BaseClient.php b/src/BaseClient.php
@@ -147,13 +147,13 @@ protected function validateToken($token): void
             throw new ResponseException('Missing expires_in');
         }
 
-        if ($token['token_type'] != 'Bearer') {
+        if (strtolower($token['token_type']) !== 'bearer') {
             throw new ResponseException(
                 sprintf('Unexpected token_type \'%s\', expected \'Bearer\'', $token['token_type'])
             );
         }
 
-        if ($token['scope'] != 'RETAILER') {
+        if (strtolower($token['scope']) !== 'retailer') {
             throw new ResponseException(
                 sprintf('Unexpected token_type \'%s\', expected \'RETAILER\'', $token['scope'])
             );

diff --git a/tests/BaseClientTest.php b/tests/BaseClientTest.php
@@ -17,6 +17,7 @@
 use Prophecy\Argument;
 use Prophecy\PhpUnit\ProphecyTrait;
 use Prophecy\Prophecy\ObjectProphecy;
+use Psr\Http\Message\ResponseInterface;
 
 class BaseClientTest extends TestCase
 {
@@ -54,9 +55,9 @@ public function testClientIsInitiallyNotAuthenticated()
         $this->assertFalse($this->client->isAuthenticated());
     }
 
-    protected function authenticate()
+    protected function authenticate(?ResponseInterface $response = null)
     {
-        $response = Message::parseResponse(file_get_contents(__DIR__ . '/Fixtures/http/200-token'));
+        $response = $response ?? Message::parseResponse(file_get_contents(__DIR__ . '/Fixtures/http/200-token'));
 
         $credentials = base64_encode('secret_id' . ':' . 'somesupersecretvaluethatshouldnotbeshared');
         $this->httpProphecy->request('POST', 'https://login.bol.com/token', [
@@ -79,6 +80,20 @@ public function testClientIsAuthenticatedAfterSuccessfulAuthentication()
         $this->assertTrue($this->client->isAuthenticated());
     }
 
+    public function testClientAcceptsLowercaseScopeInAccessToken()
+    {
+        $this->authenticate(Message::parseResponse(file_get_contents(__DIR__ . '/Fixtures/http/200-token-lowercase-scope')));
+
+        $this->assertTrue($this->client->isAuthenticated());
+    }
+
+    public function testClientAcceptsLowercaseTokenTypeInAccessToken()
+    {
+        $this->authenticate(Message::parseResponse(file_get_contents(__DIR__ . '/Fixtures/http/200-token-lowercase-type')));
+
+        $this->assertTrue($this->client->isAuthenticated());
+    }
+
     public function testAuthenticateThrowsUnauthorizedExceptionWhenAuthenticatingWithBadCredentials()
     {
         $response = Message::parseResponse(file_get_contents(__DIR__ . '/Fixtures/http/401-unauthorized'));

diff --git a/tests/Fixtures/http/200-token-lowercase-scope b/tests/Fixtures/http/200-token-lowercase-scope
@@ -0,0 +1,9 @@
+HTTP/1.1 200 OK
+Content-Type: application/json;charset=UTF-8
+
+{
+  "access_token": "sometoken",
+  "token_type": "Bearer",
+  "expires_in": 299,
+  "scope": "retailer"
+}
diff --git a/tests/Fixtures/http/200-token-lowercase-type b/tests/Fixtures/http/200-token-lowercase-type
@@ -0,0 +1,9 @@
+HTTP/1.1 200 OK
+Content-Type: application/json;charset=UTF-8
+
+{
+  "access_token": "sometoken",
+  "token_type": "bearer",
+  "expires_in": 299,
+  "scope": "RETAILER"
+}