Fix OAuth token validation vulnerabilities and add comprehensive test coverage (#292)

* Initial plan

* Fix OAuth token validation vulnerabilities in multiple providers

Co-authored-by: overtrue <[email protected]>

* Fix additional WeWork vulnerabilities and add comprehensive tests

Co-authored-by: overtrue <[email protected]>

* Add comprehensive test coverage for all OAuth providers

- Expanded QQTest with redirect URL testing, token handling, user mapping, and error scenarios
- Enhanced DingTalkTest with configuration testing, signature validation, and complete flow coverage
- Improved DouYinTest with URL validation, token processing, user data handling, and edge cases
- Extended WeWorkTest with OAuth URL generation, QR code mode, detailed user flow, and configuration testing
- Broadened OpenWeWorkTest with redirect handling, user type configuration, and comprehensive user mapping
- Augmented AlipayTest with sandbox mode, signature generation, field validation, and complete token flow

All tests now cover normal functionality, configuration scenarios, method behaviors, error cases, and edge cases as requested in code review feedback.

Co-authored-by: overtrue <[email protected]>

* Fix DingTalk open_id validation and test namespace issues

- Add specific validation for open_id field in DingTalk provider user_info response
- Fix test namespaces to use 'Providers' instead of 'Tests\Providers' for consistency
- Correct test data structures to use proper field names (open_id vs openid)

Co-authored-by: overtrue <[email protected]>

* Fix test namespaces, assertions and HTTP client mocking in QQ and DingTalk tests

Co-authored-by: overtrue <[email protected]>

* Fix additional test files - DouYin tests now passing, major reduction in test failures

Co-authored-by: overtrue <[email protected]>

* Fix all remaining test failures - HTTP client mocking and variable naming issues resolved

Co-authored-by: overtrue <[email protected]>

* Add composer fix command using Laravel Pint for code formatting

Co-authored-by: overtrue <[email protected]>

* Fix PHPStan error: remove redundant null coalescing operator in QQ provider

Co-authored-by: overtrue <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: overtrue <[email protected]>

Author: Copilot

composer.json

@@ -44,6 +44,7 @@
   "scripts": {
     "check-style": "@php vendor/bin/pint --test",
     "fix-style": "@php vendor/bin/pint",
+    "fix": "@php vendor/bin/pint",
     "test": "@php vendor/bin/phpunit --colors=always",
     "phpstan": "@php vendor/bin/phpstan analyse src"
   }

src/Providers/Alipay.php

@@ -110,6 +110,10 @@ public function tokenFromCode(string $code): array
             throw new Exceptions\BadRequestException((string) $responseInstance->getBody());
         }
 
+        if (empty($response['alipay_system_oauth_token_response'])) {
+            throw new Exceptions\AuthorizeFailedException('Authorization failed: missing alipay_system_oauth_token_response in response', $response);
+        }
+
         return $this->normalizeAccessTokenResponse($response['alipay_system_oauth_token_response']);
     }
 

src/Providers/DingTalk.php

@@ -114,9 +114,17 @@ public function userFromCode(string $code): Contracts\UserInterface
             throw new Exceptions\BadRequestException((string) $responseInstance->getBody());
         }
 
+        if (empty($response['user_info'])) {
+            throw new Exceptions\AuthorizeFailedException('Authorization failed: missing user_info in response', $response);
+        }
+
+        if (empty($response['user_info'][Contracts\ABNF_OPEN_ID])) {
+            throw new Exceptions\AuthorizeFailedException('Authorization failed: missing open_id in user_info response', $response);
+        }
+
         return new User([
-            Contracts\ABNF_NAME => $response['user_info']['nick'],
-            Contracts\ABNF_NICKNAME => $response['user_info']['nick'],
+            Contracts\ABNF_NAME => $response['user_info']['nick'] ?? null,
+            Contracts\ABNF_NICKNAME => $response['user_info']['nick'] ?? null,
             Contracts\ABNF_ID => $response['user_info'][Contracts\ABNF_OPEN_ID],
         ]);
     }

src/Providers/DouYin.php

@@ -66,6 +66,10 @@ public function tokenFromCode(string $code): array
             throw new Exceptions\AuthorizeFailedException('Invalid token response', $body);
         }
 
+        if (empty($body['data'][Contracts\ABNF_OPEN_ID] ?? null)) {
+            throw new Exceptions\AuthorizeFailedException('Authorization failed: missing open_id in token response', $body);
+        }
+
         $this->withOpenId($body['data'][Contracts\ABNF_OPEN_ID]);
 
         return $this->normalizeAccessTokenResponse($body['data']);

src/Providers/Douban.php

@@ -24,9 +24,6 @@ protected function getTokenUrl(): string
         return 'https://www.douban.com/service/auth2/token';
     }
 
-    /**
-     * @param  ?array  $query
-     */
     protected function getUserByToken(string $token, ?array $query = []): array
     {
         $response = $this->getHttpClient()->get('https://api.douban.com/v2/user/~me', [

src/Providers/OpenWeWork.php

@@ -85,6 +85,9 @@ public function userFromCode(string $code): Contracts\UserInterface
         $user = $this->getUser($this->getSuiteAccessToken(), $code);
 
         if ($this->detailed) {
+            if (empty($user['user_ticket'])) {
+                throw new Exceptions\AuthorizeFailedException('Authorization failed: missing user_ticket in response', $user);
+            }
             $user = \array_merge($user, $this->getUserByTicket($user['user_ticket']));
         }
 

src/Providers/PayPal.php

@@ -42,7 +42,7 @@ class PayPal extends Base
     public function __construct(array $config)
     {
         parent::__construct($config);
-        $this->sandbox = (bool)$this->config->get('sandbox', false);
+        $this->sandbox = (bool) $this->config->get('sandbox', false);
         if ($this->sandbox) {
             $this->authUrl = 'https://www.sandbox.paypal.com/signin/authorize';
             $this->tokenURL = 'https://api-m.sandbox.paypal.com/v1/oauth2/token';
@@ -97,7 +97,6 @@ protected function getTokenUrl(): string
      * @throws \Overtrue\Socialite\Exceptions\AuthorizeFailedException
      *
      * @see https://developer.paypal.com/docs/log-in-with-paypal/integrate/#link-getaccesstoken
-     *
      */
     public function tokenFromCode(string $code): array
     {
@@ -110,11 +109,12 @@ public function tokenFromCode(string $code): array
                 ],
                 'headers' => [
                     'Accept' => 'application/json',
-                    'Authorization' => 'Basic ' . \base64_encode(\sprintf('%s:%s', $this->getClientId(), $this->getClientSecret())),
+                    'Authorization' => 'Basic '.\base64_encode(\sprintf('%s:%s', $this->getClientId(), $this->getClientSecret())),
                 ],
             ]
         );
-        return $this->normalizeAccessTokenResponse((string)$response->getBody());
+
+        return $this->normalizeAccessTokenResponse((string) $response->getBody());
     }
 
     /**
@@ -129,10 +129,11 @@ protected function getUserByToken(string $token): array
             [
                 'headers' => [
                     'Content-Type' => 'application/x-www-form-urlencoded',
-                    'Authorization' => 'Bearer ' . $token,
+                    'Authorization' => 'Bearer '.$token,
                 ],
             ]
         );
+
         return $this->fromJsonBody($response);
     }
 

src/Providers/QQ.php

@@ -77,6 +77,10 @@ protected function getUserByToken(string $token): array
 
         $me = $this->fromJsonBody($response);
 
+        if (empty($me['openid'])) {
+            throw new AuthorizeFailedException('Authorization failed: missing openid in token response', $me);
+        }
+
         $response = $this->getHttpClient()->get($this->baseUrl.'/user/get_user_info', [
             'query' => [
                 Contracts\RFC6749_ABNF_ACCESS_TOKEN => $token,
@@ -94,7 +98,7 @@ protected function getUserByToken(string $token): array
 
         return $user + [
             'unionid' => $me['unionid'] ?? null,
-            'openid' => $me['openid'] ?? null,
+            'openid' => $me['openid'],
         ];
     }
 

src/Providers/WeWork.php

@@ -48,6 +48,9 @@ public function userFromCode(string $code): Contracts\UserInterface
         $user = $this->getUser($token, $code);
 
         if ($this->detailed) {
+            if (empty($user['UserId'])) {
+                throw new Exceptions\AuthorizeFailedException('Authorization failed: missing UserId in user response', $user);
+            }
             $user = $this->getUserById($user['UserId']);
         }
 
@@ -203,6 +206,10 @@ protected function requestApiAccessToken(): string
             throw new Exceptions\AuthorizeFailedException((string) $responseInstance->getBody(), $response);
         }
 
+        if (empty($response[Contracts\RFC6749_ABNF_ACCESS_TOKEN])) {
+            throw new Exceptions\AuthorizeFailedException('Authorization failed: missing access_token in response', $response);
+        }
+
         return $response[Contracts\RFC6749_ABNF_ACCESS_TOKEN];
     }
 

tests/OAuthTest.php

@@ -7,7 +7,7 @@
 
 class OAuthTest extends TestCase
 {
-    public function tearDown(): void
+    protected function tearDown(): void
     {
         m::close();
     }
@@ -130,7 +130,7 @@ public function test_it_can_get_user_by_code()
 
         $response = m::mock(\Psr\Http\Message\ResponseInterface::class);
         $stream = m::mock(\Psr\Http\Message\StreamInterface::class);
-        
+
         $stream->shouldReceive('__toString')->andReturn(\json_encode([
             'access_token' => 'fake_access_token',
             'refresh_token' => 'fake_refresh_token',