feat: throw separate exception type for bad request

oat-sa · Nov 20, 2024 · d2af7e4 · d2af7e4
1 parent e464bdd
commit d2af7e4
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 4 deletions.
diff --git a/src/Exception/LtiBadRequestException.php b/src/Exception/LtiBadRequestException.php
@@ -0,0 +1,29 @@
+<?php
+
+/**
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; under version 2
+ * of the License (non-upgradable).
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * Copyright (c) 2024 (original work) Open Assessment Technologies SA;
+ */
+
+declare(strict_types=1);
+
+namespace OAT\Library\Lti1p3Core\Exception;
+
+use Exception;
+
+class LtiBadRequestException extends Exception implements LtiExceptionInterface
+{
+}
diff --git a/src/Security/Oidc/OidcAuthenticator.php b/src/Security/Oidc/OidcAuthenticator.php
@@ -23,6 +23,7 @@
 namespace OAT\Library\Lti1p3Core\Security\Oidc;
 
 use OAT\Library\Lti1p3Core\Exception\LtiException;
+use OAT\Library\Lti1p3Core\Exception\LtiBadRequestException;
 use OAT\Library\Lti1p3Core\Exception\LtiExceptionInterface;
 use OAT\Library\Lti1p3Core\Message\LtiMessage;
 use OAT\Library\Lti1p3Core\Message\LtiMessageInterface;
@@ -80,18 +81,22 @@ public function authenticate(ServerRequestInterface $request): LtiMessageInterfa
         try {
             $oidcRequest = LtiMessage::fromServerRequest($request);
 
+            if (!$oidcRequest->getParameters()->has('lti_message_hint')) {
+                throw new LtiBadRequestException('Missing LTI message hint in request');
+            }
+
             $originalToken = $this->parser->parse($oidcRequest->getParameters()->get('lti_message_hint'));
 
             $registration = $this->repository->find(
                 $originalToken->getClaims()->getMandatory(LtiMessagePayloadInterface::CLAIM_REGISTRATION_ID)
             );
 
             if (null === $registration) {
-                throw new LtiException('Invalid message hint registration id claim');
+                throw new LtiBadRequestException('Invalid message hint registration id claim');
             }
 
             if (!$this->validator->validate($originalToken, $registration->getPlatformKeyChain()->getPublicKey())) {
-                throw new LtiException('Invalid message hint');
+                throw new LtiBadRequestException('Invalid message hint');
             }
 
             $authenticationResult = $this->authenticator->authenticate(

diff --git a/tests/Unit/Security/Oidc/OidcAuthenticatorTest.php b/tests/Unit/Security/Oidc/OidcAuthenticatorTest.php
@@ -24,6 +24,7 @@
 
 use Carbon\Carbon;
 use Exception;
+use OAT\Library\Lti1p3Core\Exception\LtiBadRequestException;
 use OAT\Library\Lti1p3Core\Exception\LtiException;
 use OAT\Library\Lti1p3Core\Message\LtiMessageInterface;
 use OAT\Library\Lti1p3Core\Message\Payload\LtiMessagePayloadInterface;
@@ -165,7 +166,7 @@ public function testAuthenticationSuccessWithUserIdentityClaimsSanitization(): v
 
     public function testAuthenticationFailureOnExpiredMessageHint(): void
     {
-        $this->expectException(LtiException::class);
+        $this->expectException(LtiBadRequestException::class);
         $this->expectExceptionMessage('Invalid message hint');
 
         $registration = $this->createTestRegistration();
@@ -198,9 +199,19 @@ public function testAuthenticationFailureOnExpiredMessageHint(): void
         $this->subject->authenticate($request);
     }
 
+    public function testAuthenticationFailureOnMissingMessageHint(): void
+    {
+        $this->expectException(LtiBadRequestException::class);
+        $this->expectExceptionMessage('Missing LTI message hint in request');
+
+        $request = $this->createServerRequest('GET','http://platform.com/init');
+
+        $this->subject->authenticate($request);
+    }
+
     public function testAuthenticationFailureOnRegistrationNotFound(): void
     {
-        $this->expectException(LtiException::class);
+        $this->expectException(LtiBadRequestException::class);
         $this->expectExceptionMessage('Invalid message hint registration id claim');
 
         $registration = $this->createTestRegistration();