Refactor: merge Authenticator into AuthUri class

Author: Greg Bowler

src/AuthUri.php

@@ -9,11 +9,20 @@ class AuthUri extends Uri {
 	const QUERY_STRING_INIT_VECTOR = "iv";
 	const QUERY_STRING_RETURN_PATH = "return";
 
+	/**
+	 * @param Token $token This must be the same instance of the Token when
+	 * creating Authenticator for the first time as it is when checking the
+	 * response from the Authwave provider (store in a session).
+	 * @param string $baseUri The base URI of the application. This is the
+	 * URI authority with optional scheme, as localhost allows http://
+	 */
 	public function __construct(
-		UriInterface $baseUri,
 		Token $token,
-		string $returnPath
+		string $baseUri,
+		string $returnPath = "/"
 	) {
+		$baseUri = $this->normaliseBaseUri($baseUri);
+
 		parent::__construct($baseUri);
 
 		$this->query = http_build_query([
@@ -22,4 +31,22 @@ public function __construct(
 			self::QUERY_STRING_RETURN_PATH => base64_encode($returnPath),
 		]);
 	}
+
+	private function normaliseBaseUri(string $baseUri):Uri {
+		$scheme = parse_url($baseUri, PHP_URL_SCHEME)
+			?? "https";
+		$host = parse_url($baseUri, PHP_URL_HOST)
+			?? parse_url($baseUri, PHP_URL_PATH);
+
+		$uri = (new Uri())
+			->withScheme($scheme)
+			->withHost($host);
+
+		if($uri->getHost() !== "localhost"
+		&& $uri->getScheme() !== "https") {
+			throw new InsecureProtocolException($uri->getScheme());
+		}
+
+		return $uri;
+	}
 }

src/Authenticator.php

@@ -3,6 +3,7 @@
 
 use Authwave\AuthUri;
 use Authwave\InitVector;
+use Authwave\InsecureProtocolException;
 use Authwave\Token;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\UriInterface;
@@ -14,7 +15,49 @@ public function testAuthUriHttps() {
 			->willReturn("https://example.com");
 		$token = self::createMock(Token::class);
 
-		$sut = new AuthUri($baseUri, $token, "");
+		$sut = new AuthUri($token, $baseUri, "");
+		self::assertEquals(
+			"https",
+			$sut->getScheme()
+		);
+	}
+
+	// All AuthUris MUST be served over HTTPS, with the one exception of localhost.
+// But it should still default to HTTPS on localhost.
+	public function testGetAuthUriHostnameLocalhostHttpsByDefault() {
+		$token = self::createMock(Token::class);
+		$sut = new AuthUri($token, "localhost");
+		self::assertStringStartsWith(
+			"https://localhost",
+			$sut
+		);
+	}
+
+// We should be able to set the scheme to HTTP for localhost hostname only.
+	public function testGetAuthUriHostnameLocalhostHttpAllowed() {
+		$token = self::createMock(Token::class);
+		$sut = new AuthUri($token, "http://localhost");
+		self::assertStringStartsWith(
+			"http://localhost",
+			$sut
+		);
+	}
+
+// We should NOT be able to set the scheme to HTTP for other hostnames.
+	public function testGetAuthUriHostnameNotLocalhostHttpNotAllowed() {
+		$token = self::createMock(Token::class);
+		self::expectException(InsecureProtocolException::class);
+		new AuthUri($token, "http://localhost.com");
+	}
+
+	public function testAuthUriHttpsInferred() {
+		$baseUri = self::createMock(UriInterface::class);
+		$baseUri->method("__toString")
+			->willReturn("example.com");
+// Note on the line above, no scheme is passed in - we must assume https.
+		$token = self::createMock(Token::class);
+
+		$sut = new AuthUri($token, $baseUri, "");
 		self::assertEquals(
 			"https",
 			$sut->getScheme()
@@ -36,7 +79,7 @@ public function testQueryString() {
 			->willReturn($iv);
 
 		$returnPath = "/examplePage";
-		$sut = new AuthUri($baseUri, $token, $returnPath);
+		$sut = new AuthUri($token, $baseUri, $returnPath);
 		parse_str($sut->getQuery(), $queryParts);
 
 		self::assertEquals(