What am i doing wrong when trying to use withActor() in a test?

[JeremyM1985]

I have a controller that has AuthContextInterface injected into it. The user accessing the route may or may not be authenticated.

I call $this->authContext->getActor();, if a user is authenticated, the actor is returned, else null.

In a test i use $fakeHttp->withActor($user)...

During the test $this->authContext->getActor(); is always null because no authentication context has been started.

https://spiral.dev/docs/testing-http/current/en#sessionauthentication

is says

This is why Spiral provides a withActor method that makes it easy to authenticate a given user as the current user during testing.

This method allows you to quickly and easily set the authenticated user for a test, by passing an instance of a user object to the method.

Does withActor() not create an authentication context? is it just for quickly switching actors?

Also to note that i have the UserRepository implement the ActorProviderInterface if that makes a difference.

[roxblnfk]

I think it was fixed there #1176
but it was not released yet

[JeremyM1985]

Nice. Thanks. Will look out for the release.

[JeremyM1985]

@roxblnfk

Looks like it's still the same.. also is it not meant to work with AuthMiddleware?

Also the withoutMiddleware() seems like it's also not working?

$fakeHttp->withoutMiddleware(CsrfMiddleware::class, CsrfFirewall::class)

// Received response status code [412 : Bad CSRF Token] but expected 201.

I can get around the auth issue though by creating a token and creating the session data:

$token = $tokenStorage->create(['userID' => $this->user->getUuid()]);
$fakeHttp-->withSession(
    data: [
        'auth' => [
            'token' => [
                'id'        => $token->getID(),
                'payload'   => $token->getPayload(),
                'expiresAt' => $token->getExpiresAt(),
            ]
        ]
    ],
)

[JeremyM1985]

Sorry if i am using it wrong.

I am calling it like this:

Using the AuthContextInterface:

I expected getActor() to return the authenticated user, but it's always null.

class SomeController {
    public function __construct(
        protected AuthContextInterface $auth
    ) {
        //
    }

    #[Route(route: '/some-method', methods: 'POST')]
    public function someMethod(): ResponseInterface
    {
        if ($this->auth->getActor()) {
            ...
        }
    }
}

class Test extends TestCase
{
    public function testSomeMethodHasActor(): void
    {
        $user = UserFactory::new()->createOne();

        $response = $this
            ->fakeHttp
            ->withActor($user)
            ->postJson('/some-method', ...);

        ...
    }
}

Using ExceptionFirewall:

I thought this might have worked similar to Laravel's ->actingAs()

This always returns 401, i thought it might have authenticated the user

class ProtectedByFirewallController
{

    #[Route(route: '/you-must-be-authed-to-get-here', group: 'auth')]
    public function someGuardedMethod(): ResponseInterface
    {
        ///
    }
}

class Test extends TestCase
{
    public function testSomeGuardedMethodReturnsOk(): void
    {
        $user = UserFactory::new()->createOne();

        $response = $this
            ->fakeHttp
            ->withActor($user)
            ->postJson('/you-must-be-authed-to-get-here', ...);

        ...
    }
}

And lastly, little off topic but:

withoutMiddleware() methods i can't get to work.

When calling withoutMiddleware(CsrfMiddleware::class, CsrfFirewall::class), the request still fails with 412 Bad CSRF Token. Hoping it would bypass CSRF checks and return a 201 status

class CSRFProtectedController
{

    #[Route(route: '/protected-by-csrf', group: 'auth')]
    public function someMethod(): ResponseInterface
    {
        ///
    }
}

class Test extends TestCase
{
    public function testMethod(): void
    {
        $response = $this
            ->fakeHttp
            ->withoutMiddleware(CsrfMiddleware::class, CsrfFirewall::class)
            ->postJson('/protected-by-csrf', ...);

        ...
    }
}

[roxblnfk]

About SomeController. Will it work if AuthContextInterface is resolved as a someMethod parameter?

class SomeController {
    #[Route(route: '/some-method', methods: 'POST')]
    public function someMethod(AuthContextInterface $auth): ResponseInterface
    {
        if (auth->getActor()) {
            ...
        }
    }
}

[JeremyM1985]

Resolving in the method parameter is still null.

In the case of calling getActor() on AuthContextInterface, the actorProvider is never called because the token is never set because start() is never called

// AuthContext.php

public function getActor(): ?object
{
    if ($this->closed) {
        return null;
    }

    if ($this->actor === null && $this->token !== null) {
        $this->actor = $this->actorProvider->getActor($this->token);
    }

    return $this->actor;
}

Unless withActor() isn't intended to work with AuthContextInterface ?

[roxblnfk]

What implementation do you get as an AuthContextInterface? AuthContext or AuthScope?
Do you have AuthMiddleware in the pipeline?

[roxblnfk]

$fakeHttp->withoutMiddleware() fixed in spiral/testing#78