thegrind/authentikate
4
0
Fork 0
generated from thegrind/laravel-dockerized
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity

Update dockerfile
Some checks failed
linter / quality (push) Successful in 6m36s
Details
tests / ci (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Javier Feliz 2025-08-02 19:28:34 -04:00
parent 22ad5f4747
commit 6a3971257a
8 changed files with 322 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@ -1,4 +1,8 @@
FROM gitgud.foo/thegrind/laravel-base:latest FROM gitgud.foo/thegrind/laravel-base:latest
COPY ./hook.sh /app/hook.sh
# Get the app in there # Get the app in there
COPY . /app COPY . /app
ENV ENABLE_QUEUE_WORKER=true
ENV ENABLE_SCHEDULER=true

4
app/Http/Controllers/OIDCController.php
View File

@ -135,7 +135,7 @@ class OIDCController extends Controller
$builder = $builder $builder = $builder
->issuedBy(config('app.url')) ->issuedBy(config('app.url'))
->permittedFor($client->client_id) ->permittedFor($client->client_id)
->relatedTo((string) $user->id) ->relatedTo((string) $user->uuid)
->issuedAt($issuedAt) ->issuedAt($issuedAt)
->expiresAt($issuedAt->modify('+5 minutes')) ->expiresAt($issuedAt->modify('+5 minutes'))
->withClaim('email', $user->email); ->withClaim('email', $user->email);
@ -195,7 +195,7 @@ class OIDCController extends Controller
return response()->json([ return response()->json([
'sub' => (string) $user->id, 'sub' => (string) $user->uuid,
'email' => $user->email, 'email' => $user->email,
'name' => $user->name, 'name' => $user->name,
'preferred_username' => $user->preferred_username, 'preferred_username' => $user->preferred_username,

14
app/Models/User.php
View File

@ -14,6 +14,17 @@ class User extends Authenticatable
/** @use HasFactory<\Database\Factories\UserFactory> */ /** @use HasFactory<\Database\Factories\UserFactory> */
use HasFactory, Notifiable; use HasFactory, Notifiable;
protected static function boot()
{
parent::boot();
static::creating(function ($user) {
if (empty($user->uuid)) {
$user->uuid = Str::uuid();
}
});
}
/** /**
* The attributes that are mass assignable. * The attributes that are mass assignable.
* *
@ -26,7 +37,8 @@ class User extends Authenticatable
'avatar', 'avatar',
'preferred_username', 'preferred_username',
'is_admin', 'is_admin',
'auto_approve_apps' 'auto_approve_apps',
'uuid'
]; ];
/** /**

43
database/migrations/2025_08_02_231720_add_uuid_to_users_table.php Normal file
View File

@ -0,0 +1,43 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
return new class extends Migration
{
/**
* Run the migrations.
*/
public function up(): void
{
Schema::table('users', function (Blueprint $table) {
$table->uuid('uuid')->nullable()->after('id');
});
// Generate UUIDs for existing users
DB::table('users')->whereNull('uuid')->get()->each(function ($user) {
DB::table('users')
->where('id', $user->id)
->update(['uuid' => (string) Str::uuid()]);
});
// Add unique index
Schema::table('users', function (Blueprint $table) {
$table->unique('uuid');
});
}
/**
* Reverse the migrations.
*/
public function down(): void
{
Schema::table('users', function (Blueprint $table) {
$table->dropUnique(['uuid']);
$table->dropColumn('uuid');
});
}
};

0
hooks.sh → hook.sh
View File

4
tests/Feature/OIDCControllerTest.php
View File

@ -263,7 +263,7 @@ describe('OIDC Token Endpoint', function () {
// Verify ID token is valid JWT // Verify ID token is valid JWT
$parser = new Parser(new JoseEncoder()); $parser = new Parser(new JoseEncoder());
$idToken = $parser->parse($data['id_token']); $idToken = $parser->parse($data['id_token']);
expect($idToken->claims()->get('sub'))->toBe((string) $user->id); expect($idToken->claims()->get('sub'))->toBe((string) $user->uuid);
expect($idToken->claims()->get('email'))->toBe($user->email); expect($idToken->claims()->get('email'))->toBe($user->email);
}); });
@ -424,7 +424,7 @@ describe('OIDC UserInfo Endpoint', function () {
$response->assertStatus(200) $response->assertStatus(200)
->assertJson([ ->assertJson([
'sub' => (string) $user->id, 'sub' => (string) $user->uuid,
'email' => $user->email, 'email' => $user->email,
'name' => $user->name, 'name' => $user->name,
'preferred_username' => $user->preferred_username, 'preferred_username' => $user->preferred_username,

178
tests/Feature/OIDCUuidSubClaimTest.php Normal file
View File

@ -0,0 +1,178 @@
<?php
use App\Models\Application;
use App\Models\AuthenticationToken;
use App\Models\User;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Str;
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
test('JWT sub claim uses user UUID instead of ID', function () {
$user = User::factory()->create();
$app = Application::factory()->create();
// Store authorization code
$code = 'test-auth-code';
Cache::put("auth_code:$code", [
'user_id' => $user->id,
'client_id' => $app->id,
'scope' => 'openid profile email',
], now()->addMinutes(5));
$this->actingAs($user);
$response = $this->post(route('auth.token'), [
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $app->redirect_uri,
'client_id' => $app->client_id,
'client_secret' => $app->client_secret,
]);
$response->assertStatus(200);
$data = $response->json();
// Parse the JWT ID token
$parser = new Parser(new JoseEncoder());
$idToken = $parser->parse($data['id_token']);
// Verify that the 'sub' claim contains the user's UUID, not the ID
expect($idToken->claims()->get('sub'))->toBe((string) $user->uuid);
expect($idToken->claims()->get('sub'))->not->toBe((string) $user->id);
expect(Str::isUuid($idToken->claims()->get('sub')))->toBeTrue();
});
test('userinfo endpoint sub claim uses user UUID', function () {
$user = User::factory()->create([
'name' => 'Test User',
'email' => 'test@example.com',
'preferred_username' => 'testuser',
'avatar' => 'avatar.jpg'
]);
$app = Application::factory()->create();
// Create a valid access token
$accessToken = 'valid-access-token';
AuthenticationToken::create([
'user_id' => $user->id,
'application_id' => $app->id,
'token' => $accessToken,
'issued_at' => now(),
'expires_at' => now()->addHour(),
'ip' => '127.0.0.1',
'user_agent' => 'Test Agent'
]);
$response = $this->get(route('auth.userinfo'), [
'Authorization' => 'Bearer ' . $accessToken
]);
$response->assertStatus(200);
$data = $response->json();
// Verify that the 'sub' field contains the user's UUID, not the ID
expect($data['sub'])->toBe((string) $user->uuid);
expect($data['sub'])->not->toBe((string) $user->id);
expect(Str::isUuid($data['sub']))->toBeTrue();
// Verify other fields are still correct
expect($data['email'])->toBe($user->email);
expect($data['name'])->toBe($user->name);
expect($data['preferred_username'])->toBe($user->preferred_username);
});
test('JWT sub claim is consistent across multiple tokens for same user', function () {
$user = User::factory()->create();
$app = Application::factory()->create();
// Generate first token
$code1 = 'test-auth-code-1';
Cache::put("auth_code:$code1", [
'user_id' => $user->id,
'client_id' => $app->id,
'scope' => 'openid profile email',
], now()->addMinutes(5));
$response1 = $this->post(route('auth.token'), [
'grant_type' => 'authorization_code',
'code' => $code1,
'redirect_uri' => $app->redirect_uri,
'client_id' => $app->client_id,
'client_secret' => $app->client_secret,
]);
// Generate second token
$code2 = 'test-auth-code-2';
Cache::put("auth_code:$code2", [
'user_id' => $user->id,
'client_id' => $app->id,
'scope' => 'openid profile email',
], now()->addMinutes(5));
$response2 = $this->post(route('auth.token'), [
'grant_type' => 'authorization_code',
'code' => $code2,
'redirect_uri' => $app->redirect_uri,
'client_id' => $app->client_id,
'client_secret' => $app->client_secret,
]);
$parser = new Parser(new JoseEncoder());
$idToken1 = $parser->parse($response1->json()['id_token']);
$idToken2 = $parser->parse($response2->json()['id_token']);
// Both tokens should have the same 'sub' claim (user's UUID)
expect($idToken1->claims()->get('sub'))->toBe($idToken2->claims()->get('sub'));
expect($idToken1->claims()->get('sub'))->toBe((string) $user->uuid);
});
test('different users have different UUID sub claims', function () {
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$app = Application::factory()->create();
// Generate token for user 1
$code1 = 'test-auth-code-1';
Cache::put("auth_code:$code1", [
'user_id' => $user1->id,
'client_id' => $app->id,
'scope' => 'openid profile email',
], now()->addMinutes(5));
$response1 = $this->post(route('auth.token'), [
'grant_type' => 'authorization_code',
'code' => $code1,
'redirect_uri' => $app->redirect_uri,
'client_id' => $app->client_id,
'client_secret' => $app->client_secret,
]);
// Generate token for user 2
$code2 = 'test-auth-code-2';
Cache::put("auth_code:$code2", [
'user_id' => $user2->id,
'client_id' => $app->id,
'scope' => 'openid profile email',
], now()->addMinutes(5));
$response2 = $this->post(route('auth.token'), [
'grant_type' => 'authorization_code',
'code' => $code2,
'redirect_uri' => $app->redirect_uri,
'client_id' => $app->client_id,
'client_secret' => $app->client_secret,
]);
$parser = new Parser(new JoseEncoder());
$idToken1 = $parser->parse($response1->json()['id_token']);
$idToken2 = $parser->parse($response2->json()['id_token']);
// Each user should have different 'sub' claims
expect($idToken1->claims()->get('sub'))->not->toBe($idToken2->claims()->get('sub'));
expect($idToken1->claims()->get('sub'))->toBe((string) $user1->uuid);
expect($idToken2->claims()->get('sub'))->toBe((string) $user2->uuid);
});

79
tests/Feature/UserUuidTest.php Normal file
View File

@ -0,0 +1,79 @@
<?php
use App\Models\User;
use Illuminate\Support\Str;
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
test('user gets UUID automatically when created', function () {
$user = User::factory()->create();
expect($user->uuid)->not->toBeNull();
expect(Str::isUuid((string) $user->uuid))->toBeTrue();
});
test('user UUID is unique', function () {
$user1 = User::factory()->create();
$user2 = User::factory()->create();
expect($user1->uuid)->not->toBe($user2->uuid);
});
test('user UUID cannot be duplicated', function () {
$user1 = User::factory()->create();
expect(function () use ($user1) {
User::create([
'name' => 'Test User',
'email' => 'test2@example.com',
'password' => bcrypt('password'),
'uuid' => $user1->uuid
]);
})->toThrow(\Illuminate\Database\QueryException::class);
});
test('user UUID can be manually set during creation', function () {
$customUuid = Str::uuid();
$user = User::create([
'name' => 'Test User',
'email' => 'test@example.com',
'password' => bcrypt('password'),
'uuid' => $customUuid
]);
expect($user->uuid)->toBe($customUuid);
});
test('user UUID is not overwritten if already set', function () {
$customUuid = Str::uuid();
$user = new User([
'name' => 'Test User',
'email' => 'test@example.com',
'password' => bcrypt('password'),
'uuid' => $customUuid
]);
$user->save();
expect($user->uuid)->toBe($customUuid);
});
test('existing users can have UUIDs added via migration', function () {
// This test verifies that the migration properly adds UUIDs to existing users
// We can't easily test the migration directly, but we can test that users
// created without UUIDs in the factory would get them via the boot method
$user = new User([
'name' => 'Test User',
'email' => 'test@example.com',
'password' => bcrypt('password'),
]);
// Don't set UUID, let the boot method handle it
$user->save();
expect($user->uuid)->not->toBeNull();
expect(Str::isUuid((string) $user->uuid))->toBeTrue();
});