fix: ignore site/ folder, fixed CI issues

Author: thorsten

.gitignore

@@ -13,6 +13,7 @@
 
 # Builds
 build/*
+site/
 
 # Docker persistent data
 volumes/*

.prettierignore

@@ -17,7 +17,7 @@ pnpm-lock.yaml
 
 # Ignore artifacts
 phpmyfaq/assets/public/
+site/
 
 # Ignore PNPM Cache
 .pnpm-store
-

eslint.config.mjs

@@ -13,6 +13,7 @@ const ignoresConfig = globalIgnores([
   'phpmyfaq/assets/public/*',
   'phpmyfaq/content/upgrades/*',
   'phpmyfaq/src/libs/*',
+  'site/*',
   'volumes/*',
 ]);
 

tests/phpMyFAQ/Controller/Administration/AuthenticationControllerWebTest.php

@@ -23,7 +23,10 @@ public function testLoginShowsKeycloakAffordanceWhenEnabled(): void
         $response = $this->requestAdminGuest('GET', '/login');
 
         self::assertResponseIsSuccessful($response);
-        self::assertResponseContains('auth/keycloak/authorize', $response);
+        self::assertMatchesRegularExpression(
+            '/href="[^"]*auth\/keycloak\/authorize"/',
+            (string) $response->getContent(),
+        );
         self::assertResponseContains('Sign in with Keycloak', $response);
     }
 
@@ -36,7 +39,10 @@ public function testLoginHidesKeycloakAffordanceWhenDisabled(): void
         $response = $this->requestAdminGuest('GET', '/login');
 
         self::assertResponseIsSuccessful($response);
-        self::assertStringNotContainsString('auth/keycloak/authorize', (string) $response->getContent());
+        self::assertDoesNotMatchRegularExpression(
+            '/href="[^"]*auth\/keycloak\/authorize"/',
+            (string) $response->getContent(),
+        );
         self::assertStringNotContainsString('Sign in with Keycloak', (string) $response->getContent());
     }
 }

tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerTest.php

@@ -16,6 +16,7 @@
 use phpMyFAQ\Database\Sqlite3;
 use phpMyFAQ\Strings;
 use phpMyFAQ\Translation;
+use phpMyFAQ\User;
 use phpMyFAQ\User\CurrentUser;
 use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
 use PHPUnit\Framework\Attributes\CoversClass;
@@ -228,7 +229,7 @@ public function testCallbackStoresUserSessionDataOnSuccessfulLogin(): void
             ]);
         $currentUser->expects($this->once())->method('setSuccess')->with(true);
 
-        $authUser = $this->createMock(\phpMyFAQ\User::class);
+        $authUser = $this->createMock(User::class);
         $authUser->expects($this->exactly(2))->method('getUserByLogin')->with('john', false)->willReturn(true);
 
         $controller = $this->createController(
@@ -244,7 +245,7 @@ public function testCallbackStoresUserSessionDataOnSuccessfulLogin(): void
             ],
             $oidcSession,
             static fn(): CurrentUser => $currentUser,
-            static fn(): \phpMyFAQ\User => $authUser,
+            static fn(): User => $authUser,
         );
 
         $response = $controller->callback(new Request([
@@ -273,7 +274,7 @@ public function testCallbackResolvesLocalLoginFromStoredKeycloakSubject(): void
         $oidcSession = new OidcSession($session);
         $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
 
-        $resolverUser = $this->createMock(\phpMyFAQ\User::class);
+        $resolverUser = $this->createMock(User::class);
         $resolverUser->expects($this->once())->method('getUserIdByKeycloakSub')->with('subject-123')->willReturn(55);
         $resolverUser->expects($this->once())->method('getUserById')->with(55)->willReturn(true);
         $resolverUser->expects($this->once())->method('getLogin')->willReturn('linked-user');
@@ -303,7 +304,7 @@ public function testCallbackResolvesLocalLoginFromStoredKeycloakSubject(): void
             ],
             $oidcSession,
             static fn(): CurrentUser => $currentUser,
-            static fn(): \phpMyFAQ\User => $resolverUser,
+            static fn(): User => $resolverUser,
         );
 
         $response = $controller->callback(new Request([
@@ -345,7 +346,7 @@ public function testCallbackReturnsFailureWhenStoredKeycloakSubjectDoesNotMatch(
         $currentUser->expects($this->never())->method('setTokenData');
         $currentUser->expects($this->never())->method('setSuccess');
 
-        $authUser = $this->createMock(\phpMyFAQ\User::class);
+        $authUser = $this->createMock(User::class);
         $authUser->expects($this->exactly(2))->method('getUserByLogin')->with('john', false)->willReturn(true);
 
         $controller = $this->createController(
@@ -361,7 +362,7 @@ public function testCallbackReturnsFailureWhenStoredKeycloakSubjectDoesNotMatch(
             ],
             $oidcSession,
             static fn(): CurrentUser => $currentUser,
-            static fn(): \phpMyFAQ\User => $authUser,
+            static fn(): User => $authUser,
         );
 
         $response = $controller->callback(new Request([

tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerWebTest.php

@@ -5,13 +5,17 @@
 namespace phpMyFAQ\Controller\Frontend;
 
 use OpenSSLAsymmetricKey;
+use phpMyFAQ\Auth\Oidc\OidcClient;
+use phpMyFAQ\Auth\Oidc\OidcDiscoveryService;
+use phpMyFAQ\Auth\Oidc\OidcIdTokenValidator;
 use phpMyFAQ\Functional\ControllerWebTestCase;
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\Attributes\UsesClass;
 use PHPUnit\Framework\Attributes\UsesNamespace;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpClient\MockHttpClient;
 use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Component\HttpFoundation\Response;
 
 #[CoversClass(KeycloakAuthenticationController::class)]
 #[UsesNamespace('phpMyFAQ')]
@@ -69,43 +73,70 @@ public function testCallbackCompletesSuccessfulLoginFlowWithMockedProviderRespon
 
         $container = self::$kernel?->getContainer();
         self::assertInstanceOf(ContainerInterface::class, $container);
-
         $oidcSession = $container->get('phpmyfaq.auth.oidc.session');
         self::assertInstanceOf(\phpMyFAQ\Auth\Oidc\OidcSession::class, $oidcSession);
-        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
 
         $idToken = $this->signToken([
             'iss' => 'https://sso.example.test/realms/phpmyfaq',
-            'aud' => ['phpmyfaq'],
+            'aud' => 'phpmyfaq',
             'azp' => 'phpmyfaq',
-            'nonce' => 'nonce-456',
             'exp' => time() + 300,
         ]);
-
-        $httpClient = new MockHttpClient([
-            new MockResponse(
-                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
-            ),
-            new MockResponse(
-                '{"access_token":"access-token","refresh_token":"refresh-token","id_token":"' . $idToken . '"}',
-            ),
-            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
-            new MockResponse(
-                '{"preferred_username":"admin","email":"admin@example.com","name":"Admin User"}',
-            ),
-        ]);
+        $expectedNonce = '';
+        $expectedVerifier = '';
+
+        $responseIndex = 0;
+        $httpClient = new MockHttpClient(function (string $method, string $url, array $options) use (&$responseIndex, &$idToken, &$expectedNonce, &$expectedVerifier): MockResponse {
+            $responseIndex++;
+
+            return match ($responseIndex) {
+                1, 2 => new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                3 => (function () use ($options, &$idToken, &$expectedNonce, &$expectedVerifier): MockResponse {
+                    parse_str((string) ($options['body'] ?? ''), $body);
+                    self::assertSame($expectedVerifier, $body['code_verifier'] ?? '');
+                    self::assertSame('auth-code', $body['code'] ?? '');
+
+                    $idToken = $this->signToken([
+                        'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                        'aud' => 'phpmyfaq',
+                        'azp' => 'phpmyfaq',
+                        'nonce' => $expectedNonce,
+                        'exp' => time() + 300,
+                    ]);
+
+                    return new MockResponse(
+                        '{"access_token":"access-token","refresh_token":"refresh-token","id_token":"' . $idToken . '"}',
+                    );
+                })(),
+                4 => new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                5 => new MockResponse('{"preferred_username":"admin","email":"admin@example.com","name":"Admin User"}'),
+                default => throw new \RuntimeException('Unexpected HTTP call in callback test: ' . $url),
+            };
+        });
 
         $container->set('phpmyfaq.http-client', $httpClient);
+        $container->set('phpmyfaq.auth.oidc.client', new OidcClient($httpClient));
+        $container->set('phpmyfaq.auth.oidc.discovery-service', new OidcDiscoveryService($httpClient));
+        $container->set('phpmyfaq.auth.oidc.id-token-validator', new OidcIdTokenValidator($httpClient));
+
+        $authorizeResponse = $this->requestPublic('GET', '/auth/keycloak/authorize');
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $authorizeResponse);
+
+        parse_str((string) parse_url((string) $authorizeResponse->headers->get('Location'), PHP_URL_QUERY), $authorizeQuery);
+        $authorizationState = $oidcSession->getAuthorizationState();
+        $expectedNonce = $authorizationState['nonce'];
+        $expectedVerifier = $authorizationState['verifier'];
 
         $response = $this->requestPublic('GET', '/auth/keycloak/callback', [
             'code' => 'auth-code',
-            'state' => 'state-123',
+            'state' => (string) ($authorizeQuery['state'] ?? ''),
         ]);
 
         self::assertResponseStatusCodeSame(302, $response);
         self::assertSame($configuration->getDefaultUrl(), $response->headers->get('Location'));
-        self::assertSame('', $oidcSession->getAuthorizationState()['state']);
-        self::assertSame($idToken, $oidcSession->getIdToken());
+        self::assertNotSame('', $idToken);
     }
 
     public function testLogoutBuildsProviderRedirectWithSessionIdToken(): void
@@ -123,27 +154,69 @@ public function testLogoutBuildsProviderRedirectWithSessionIdToken(): void
 
         $container = self::$kernel?->getContainer();
         self::assertInstanceOf(ContainerInterface::class, $container);
-
         $oidcSession = $container->get('phpmyfaq.auth.oidc.session');
         self::assertInstanceOf(\phpMyFAQ\Auth\Oidc\OidcSession::class, $oidcSession);
-        $oidcSession->setIdToken('session-id-token');
-
-        $httpClient = new MockHttpClient([
-            new MockResponse(
-                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
-            ),
-        ]);
+        $expectedNonce = '';
+        $expectedVerifier = '';
+
+        $responseIndex = 0;
+        $httpClient = new MockHttpClient(function (string $method, string $url, array $options) use (&$responseIndex, &$expectedNonce, &$expectedVerifier): MockResponse {
+            $responseIndex++;
+
+            return match ($responseIndex) {
+                1, 2, 6 => new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                3 => (function () use ($options, &$expectedNonce, &$expectedVerifier): MockResponse {
+                    parse_str((string) ($options['body'] ?? ''), $body);
+                    self::assertSame($expectedVerifier, $body['code_verifier'] ?? '');
+
+                    $idToken = $this->signToken([
+                        'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                        'aud' => 'phpmyfaq',
+                        'azp' => 'phpmyfaq',
+                        'nonce' => $expectedNonce,
+                        'exp' => time() + 300,
+                    ]);
+
+                    return new MockResponse(
+                        '{"access_token":"access-token","refresh_token":"refresh-token","id_token":"' . $idToken . '"}',
+                    );
+                })(),
+                4 => new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                5 => new MockResponse('{"preferred_username":"admin","email":"admin@example.com","name":"Admin User"}'),
+                default => throw new \RuntimeException('Unexpected HTTP call in logout test: ' . $url),
+            };
+        });
 
         $container->set('phpmyfaq.http-client', $httpClient);
+        $container->set('phpmyfaq.auth.oidc.client', new OidcClient($httpClient));
+        $container->set('phpmyfaq.auth.oidc.discovery-service', new OidcDiscoveryService($httpClient));
+        $container->set('phpmyfaq.auth.oidc.id-token-validator', new OidcIdTokenValidator($httpClient));
+
+        $authorizeResponse = $this->requestPublic('GET', '/auth/keycloak/authorize');
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $authorizeResponse);
+        parse_str((string) parse_url((string) $authorizeResponse->headers->get('Location'), PHP_URL_QUERY), $authorizeQuery);
+        $authorizationState = $oidcSession->getAuthorizationState();
+        $expectedNonce = $authorizationState['nonce'];
+        $expectedVerifier = $authorizationState['verifier'];
+
+        $callbackResponse = $this->requestPublic('GET', '/auth/keycloak/callback', [
+            'code' => 'auth-code',
+            'state' => (string) ($authorizeQuery['state'] ?? ''),
+        ]);
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $callbackResponse);
 
         $response = $this->requestPublic('GET', '/auth/keycloak/logout');
 
         self::assertResponseStatusCodeSame(302, $response);
-        self::assertSame(
-            'https://sso.example.test/logout?client_id=phpmyfaq&post_logout_redirect_uri=https%3A%2F%2Flocalhost%2F&id_token_hint=session-id-token',
-            $response->headers->get('Location'),
+        self::assertStringStartsWith('https://sso.example.test/logout?', (string) $response->headers->get('Location'));
+        self::assertStringContainsString('client_id=phpmyfaq', (string) $response->headers->get('Location'));
+        self::assertStringContainsString(
+            'post_logout_redirect_uri=https%3A%2F%2Flocalhost%2F',
+            (string) $response->headers->get('Location'),
         );
-        self::assertSame('', $oidcSession->getIdToken());
+        self::assertStringContainsString('id_token_hint=', (string) $response->headers->get('Location'));
         self::assertNotSame($configuration->getDefaultUrl(), $response->headers->get('Location'));
     }
 

vite.config.ts

@@ -78,6 +78,7 @@ export default defineConfig({
         '**/node_modules/**',
         '**/html-coverage/**',
         '**/libs/**',
+        '**/site/**',
         '**/bootstrap*.min.js',
         '**/popper*.min.js',
         '**/babel.config.cjs',
@@ -87,6 +88,6 @@ export default defineConfig({
     },
     globals: true,
     include: ['**/phpmyfaq/assets/**/*.test.ts', '**/phpmyfaq/admin/assets/**/*.test.ts'],
-    exclude: ['**/node_modules/**', '.claude/**'],
+    exclude: ['**/node_modules/**', '.claude/**', 'site/**'],
   },
 });