You are here

Home » API reference » Simple OAuth (OAuth2) & OpenID Connect 5.x » RolesNegotiationFunctionalTest.php » RolesNegotiationFunctionalTest

public function RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromClient in Simple OAuth (OAuth2) & OpenID Connect 5.x

Same name and namespace in other branches
  1. 8.4 tests/src/Functional/RolesNegotiationFunctionalTest.php \Drupal\Tests\simple_oauth\Functional\RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromClient()

Test access to own unpublished node but with the role removed from client.

File

tests/src/Functional/RolesNegotiationFunctionalTest.php, line 206

Class

RolesNegotiationFunctionalTest
Tests for the roles negotiation.

Namespace

Drupal\Tests\simple_oauth\Functional

Code

public function testRequestWithRoleRemovedFromClient() {
  $access_token = $this
    ->getAccessToken([
    'oof',
  ]);

  // Get detailed information about the authenticated user.
  $response = $this
    ->get($this->tokenTestUrl, [
    'query' => [
      '_format' => 'json',
    ],
    'headers' => [
      'Authorization' => 'Bearer ' . $access_token,
    ],
  ]);
  $parsed_response = Json::decode((string) $response
    ->getBody());
  $this
    ->assertEquals($this->user
    ->id(), $parsed_response['id']);
  $this
    ->assertEquals([
    'authenticated',
    'oof',
  ], $parsed_response['roles']);
  $this
    ->assertTrue($parsed_response['permissions']['delete own simple_oauth entities']['access']);
  $this->client
    ->set('roles', []);

  // After saving the client entity, the token should be deleted.
  $this->client
    ->save();

  // User should NOT have access to view own simple_oauth entities,
  // because the scope is indicated in the token request, but
  // missing from the client content entity.
  $response = $this
    ->get($this->tokenTestUrl, [
    'query' => [
      '_format' => 'json',
    ],
    'headers' => [
      'Authorization' => 'Bearer ' . $access_token,
    ],
  ]);

  // The token was successfully removed and we were denied access.
  $this
    ->assertEquals(401, $response
    ->getStatusCode());
  $access_token = $this
    ->getAccessToken([
    'oof',
  ]);

  // Get detailed information about the authenticated user.
  $response = $this
    ->get($this->tokenTestUrl, [
    'query' => [
      '_format' => 'json',
    ],
    'headers' => [
      'Authorization' => 'Bearer ' . $access_token,
    ],
  ]);
  $parsed_response = Json::decode((string) $response
    ->getBody());
  $this
    ->assertEquals($this->user
    ->id(), $parsed_response['id']);
  $this
    ->assertEquals([
    'authenticated',
  ], $parsed_response['roles']);
  $this
    ->assertFalse($parsed_response['permissions']['delete own simple_oauth entities']['access']);
}