- Composer-Package, PSR-4-Autoload - Client mit Sync, Async (mit Polling), Webhook, Verify, Download - PHP 8.1+ mit readonly-Properties - Webhook-Signatur-Verifikation (hash_equals) - PHPUnit-Tests
<?php
declare(strict_types=1);
namespace Hightrusted\Capture\Tests;
use Hightrusted\Capture\Webhook;
use PHPUnit\Framework\TestCase;
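/**
 * Tests for Webhook::verifySignature.
 *
 * The client itself is covered by integration tests against real HTTP mocks
 * (in PHP typically a mock server or Guzzle's MockHandler). This unit suite
 * concentrates on the webhook logic because it is the cryptographic component
 * and deserves deterministic tests.
 *
 * Every signature used here has the form "sha256=" followed by the hex
 * HMAC-SHA256 of the raw body, which is the format the accepted-case test
 * establishes.
 */
final class WebhookTest extends TestCase
{
    /** Payload shared by the tests; it only has to be a stable byte string. */
    private const BODY = '{"event":"capture.ready"}';

    /**
     * Builds the signature value for $body under $secret.
     */
    private static function sign(string $body, string $secret): string
    {
        return 'sha256=' . hash_hmac('sha256', $body, $secret);
    }

    /**
     * A signature computed over the exact body with the shared secret verifies.
     */
    public function testValidSignatureIsAccepted(): void
    {
        $secret = 'wh_secret_test';

        self::assertTrue(
            Webhook::verifySignature(self::BODY, self::sign(self::BODY, $secret), $secret),
        );
    }

    /**
     * A signature made with one secret must not verify under a different one.
     */
    public function testWrongSecretIsRejected(): void
    {
        $signature = self::sign(self::BODY, 'right_secret');

        self::assertFalse(Webhook::verifySignature(self::BODY, $signature, 'wrong_secret'));
    }

    /**
     * An empty body, signature or secret is rejected.
     */
    public function testEmptyInputsAreRejected(): void
    {
        // Original checks: one argument empty, paired with a placeholder signature.
        self::assertFalse(Webhook::verifySignature('', 'sha256=x', 'secret'));
        self::assertFalse(Webhook::verifySignature('x', '', 'secret'));
        self::assertFalse(Webhook::verifySignature('x', 'sha256=x', ''));

        // 'sha256=x' is not a well-formed HMAC-SHA256 hex digest, so the first
        // and third checks above presumably fail on the comparison alone and
        // would pass even without any empty-input handling. Repeat them with a
        // correctly computed HMAC so that emptiness is the only possible reason
        // for rejection.
        // NOTE(review): assumes verifySignature rejects on emptiness itself, as
        // the test name states; confirm against the implementation.
        self::assertFalse(Webhook::verifySignature('', self::sign('', 'secret'), 'secret'));

        // An unset or misconfigured secret must never verify, even when the
        // signature is the correct HMAC under the empty key.
        self::assertFalse(Webhook::verifySignature('x', self::sign('x', ''), ''));
    }

    /**
     * A signature over the original body must not verify a modified body.
     */
    public function testTamperedBodyIsRejected(): void
    {
        $tampered = '{"event":"capture.failed"}';
        $secret = 'wh_secret';
        $signature = self::sign(self::BODY, $secret);

        self::assertFalse(Webhook::verifySignature($tampered, $signature, $secret));
    }
}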