test: verify provider key lookup, claims contract and redirect route args #48
Merged
…args

Mutation testing exposed argument-blind stubs across the Security tests: the router stub ignored the redirect_route_parameters when building a provider redirect URI, the provider manager stub matched any key (so a mangled session provider key went unnoticed), the claims returned by validateClaims were never asserted to include the open_id_connect_provider key, and a request with no loginToken at all was untested (only the empty-string case was). Kills all 4 escaped mutants in src/Security.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## develop #48 +/- ##
===========================================
Coverage 100.00% 100.00%
Complexity 62 62
===========================================
Files 9 9
Lines 282 282
===========================================
Hits 282 282
…rity

# Conflicts:
# CHANGELOG.md
Summary
Last of four scoped follow-ups to #44 killing surviving mutants to push the mutation score above 90%. This PR covers src/Security (4 escaped mutants).

Features Added
- OpenIdConfigurationProviderManagerTest: the redirect-route test now mocks the router with exact argument expectations (route, redirect_route_parameters, ABSOLUTE_URL) — previously a stub ignored its arguments, so the parameters could be dropped undetected
- OpenIdLoginAuthenticatorTest: the success path now expects getProvider() to be called with the exact provider key from the session, and asserts the returned claims contain both the IdP claims and open_id_connect_provider (the documented claims contract)
- TestAuthenticator fixture exposes the last validated claims so tests can assert on the full array (validateClaims is protected)
- CliLoginTokenAuthenticatorTest: new test for a request with no loginToken parameter at all — the null must be coerced and rejected as unauthorized, not passed to the login helper (only the empty-string case was covered)

Files Changed
- tests/Security/OpenIdConfigurationProviderManagerTest.php - router argument expectations
- tests/Security/OpenIdLoginAuthenticatorTest.php - provider key + claims contract assertions
- tests/Security/TestAuthenticator.php - expose last claims for assertions
- tests/Security/CliLoginTokenAuthenticatorTest.php - missing-token test
- CHANGELOG.md - Unreleased bullet

Test Plan
- vendor/bin/phpunit — 80 tests, 177 assertions, green
- vendor/bin/infection --filter=src/Security — 48/48 mutants killed (was 44/48)

🤖 Generated with Claude Code
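The argument-blind stub problem this PR describes, as an added example that is not code from the PR or the project: a stub that ignores its arguments cannot tell the real redirect-URI builder from a mutant that drops `redirect_route_parameters`, while a double with exact argument expectations rejects the mutant. The `Router` interface, both functions, the route name and the URL are hypothetical; it uses no PHPUnit and assumes PHP 8.0 or later.

```php
<?php
// Hypothetical stand-in for the router; not the project's real interface.
interface Router
{
    public const ABSOLUTE_URL = 0;
    public function generate(string $route, array $params, int $type): string;
}
// Constructed code under test, and a mutant that drops the route parameters.
function redirectUri(Router $r, array $o): string
{
    return $r->generate($o['redirect_route'], $o['redirect_route_parameters'], Router::ABSOLUTE_URL);
}
function redirectUriMutant(Router $r, array $o): string
{
    return $r->generate($o['redirect_route'], [], Router::ABSOLUTE_URL);
}

// Argument-blind stub: returns the same URL whatever it is given.
final class BlindRouter implements Router
{
    public function generate(string $route, array $params, int $type): string
    {
        return 'https://app.example/callback?tenant=acme';
    }
}

// Strict double: throws unless called with exactly the expected arguments.
final class StrictRouter implements Router
{
    public function __construct(private array $expected) {}
    public function generate(string $route, array $params, int $type): string
    {
        if ([$route, $params, $type] !== $this->expected) {
            throw new LogicException('router called with unexpected arguments');
        }
        return 'https://app.example/callback?tenant=acme';
    }
}

// 'pass' when the double accepts the call, 'FAIL' when it rejects it.
function verdict(callable $fn, Router $router, array $o): string
{
    try { $fn($router, $o); return 'pass'; } catch (LogicException) { return 'FAIL'; }
}
$o = ['redirect_route' => 'oidc_callback', 'redirect_route_parameters' => ['tenant' => 'acme']]; // constructed
$strict = new StrictRouter(['oidc_callback', ['tenant' => 'acme'], Router::ABSOLUTE_URL]);
foreach (['redirectUri', 'redirectUriMutant'] as $fn) {
    printf("%-17s blind=%s strict=%s\n", $fn, verdict($fn, new BlindRouter(), $o), verdict($fn, $strict, $o));
}
```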