references/coolify
1
0
Fork 0
mirror of https://github.com/coollabsio/coolify.git synced 2026-06-14 03:19:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4f509c02be77ec13d75f5bb90e8069e8b1fbfec5
coolify/tests/Feature/InvitationLinkHandlingTest.php
T
Andras Bacsai 4f509c02be fix(auth): validate invitation magic link tokens 
Accept invitation links across configured public origins while still
rejecting stored invitations whose token no longer matches.
2026-06-12 16:17:45 +02:00

160 lines
5.4 KiB
PHP
Raw Blame History

<?php
use App\Http\Middleware\CheckForcePasswordReset;
use App\Http\Middleware\DecideWhatToDoWithUser;
use App\Models\InstanceSettings;
use App\Models\Team;
use App\Models\TeamInvitation;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Config;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Once;
use Visus\Cuid2\Cuid2;
uses(RefreshDatabase::class);
beforeEach(function () {
$this->withoutMiddleware([DecideWhatToDoWithUser::class, CheckForcePasswordReset::class]);
Once::flush();
Config::set('app.maintenance.driver', 'file');
Config::set('cache.default', 'array');
Config::set('session.driver', 'array');
if (! InstanceSettings::find(0)) {
$settings = new InstanceSettings;
$settings->id = 0;
$settings->saveQuietly();
}
});
function createInvitationLinkFixture(array $invitationAttributes = []): array
{
$team = Team::factory()->create();
$password = 'temporary-password-123';
$user = User::factory()->create([
'email' => $invitationAttributes['email'] ?? 'invitee@example.com',
'password' => Hash::make($password),
'force_password_reset' => true,
'email_verified_at' => null,
]);
$uuid = (string) new Cuid2(32);
$token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
$link = route('auth.link', ['token' => $token]);
$invitation = TeamInvitation::create(array_merge([
'team_id' => $team->id,
'uuid' => $uuid,
'email' => $user->email,
'role' => 'member',
'link' => $link,
'via' => 'link',
], $invitationAttributes));
return [$team, $user, $password, $token, $invitation];
}
it('accepts a valid magic link invitation only once and rotates the temporary password', function () {
[$team, $user, $password, $token] = createInvitationLinkFixture();
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('dashboard'));
$this->assertAuthenticatedAs($user);
$this->assertDatabaseMissing('team_invitations', ['email' => $user->email]);
expect($user->teams()->where('team_id', $team->id)->exists())->toBeTrue();
$user->refresh();
expect(Hash::check($password, $user->password))->toBeFalse();
auth()->logout();
session()->flush();
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('login'));
$this->assertGuest();
});
it('accepts a magic link when opened from a different public origin', function () {
[$team, $user, $password, $token] = createInvitationLinkFixture();
$this->get('https://coolify.example.com/auth/link?token='.urlencode($token))
->assertRedirect(route('dashboard'));
$this->assertAuthenticatedAs($user);
$this->assertDatabaseMissing('team_invitations', ['email' => $user->email]);
expect($user->teams()->where('team_id', $team->id)->exists())->toBeTrue();
$user->refresh();
expect(Hash::check($password, $user->password))->toBeFalse();
});
it('rejects a magic link when the stored invitation token differs', function () {
[, $user, , $token, $invitation] = createInvitationLinkFixture();
$differentToken = Crypt::encryptString("{$user->email}@@@{$invitation->uuid}@@@different-password");
$invitation->forceFill([
'link' => route('auth.link', ['token' => $differentToken]),
])->save();
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('login'));
$this->assertGuest();
});
it('rejects a magic link when the invitation was revoked', function () {
[, $user, , $token, $invitation] = createInvitationLinkFixture();
$invitation->delete();
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('login'));
$this->assertGuest();
expect($user->teams()->where('personal_team', false)->exists())->toBeFalse();
});
it('rejects a magic link when another invitation exists for the same email', function () {
[, $user, , $token, $invitation] = createInvitationLinkFixture();
$invitation->delete();
$otherTeam = Team::factory()->create();
TeamInvitation::create([
'team_id' => $otherTeam->id,
'uuid' => (string) new Cuid2(32),
'email' => $user->email,
'role' => 'admin',
'link' => url('/invitations/other-invitation'),
'via' => 'link',
]);
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('login'));
$this->assertGuest();
expect($user->teams()->where('team_id', $otherTeam->id)->exists())->toBeFalse();
});
it('rejects a magic link when the invitation expired', function () {
[, $user, , $token, $invitation] = createInvitationLinkFixture();
$invitation->forceFill([
'created_at' => now()->subDays(config('constants.invitation.link.expiration_days') + 1),
'updated_at' => now()->subDays(config('constants.invitation.link.expiration_days') + 1),
])->save();
$this->get(route('auth.link', ['token' => $token]))
->assertRedirect(route('login'));
$this->assertGuest();
$this->assertDatabaseMissing('team_invitations', ['id' => $invitation->id]);
});
it('rejects a malformed magic link token', function () {
$this->get(route('auth.link', ['token' => 'not-a-valid-token']))
->assertRedirect(route('login'));
$this->assertGuest();
});
Reference in New Issue View Git Blame Copy Permalink