From 771679b6cbf5b5c892536e07c976db76669f9978 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Thu, 22 Dec 2022 13:37:58 -0800
Subject: [PATCH 1/7] fix: cache issue when token is explicit

---
 src/AuthHandler/Guzzle6AuthHandler.php       | 11 ++-
 tests/Google/AuthHandler/AuthHandlerTest.php | 85 ++++++++++++++++++++
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 tests/Google/AuthHandler/AuthHandlerTest.php

diff --git a/src/AuthHandler/Guzzle6AuthHandler.php b/src/AuthHandler/Guzzle6AuthHandler.php
index 7e8a815c2..16aa3b019 100644
--- a/src/AuthHandler/Guzzle6AuthHandler.php
+++ b/src/AuthHandler/Guzzle6AuthHandler.php
@@ -74,10 +74,19 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
             return $token['access_token'];
         };
 
+        // Set the cache prefix to the token, to ensure setting a new token
+        // results in a cache-miss. Note: Supplying a custom "cache_prefix" will
+        // bust this behavior.
+        $cacheConfig = $this->cacheConfig;
+        if (!isset($cacheConfig['cache_prefix']) && isset($token['access_token'])) {
+            $b64Token = base64_encode($token['access_token']);
+            $cacheConfig['prefix'] = substr($b64Token, -10);
+        }
+
         $middleware = new ScopedAccessTokenMiddleware(
             $tokenFunc,
             $scopes,
-            $this->cacheConfig,
+            $cacheConfig,
             $this->cache
         );
 
diff --git a/tests/Google/AuthHandler/AuthHandlerTest.php b/tests/Google/AuthHandler/AuthHandlerTest.php
new file mode 100644
index 000000000..ae86b7d2d
--- /dev/null
+++ b/tests/Google/AuthHandler/AuthHandlerTest.php
@@ -0,0 +1,85 @@
+<?php
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+namespace Google\Tests\AuthHandler;
+
+use Google\AuthHandler\AuthHandlerFactory;
+use Google\Auth\Cache\MemoryCacheItemPool;
+use GuzzleHttp\Client;
+use GuzzleHttp\Psr7\Request;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UriInterface;
+use Google\Tests\BaseTest;
+
+class AuthHandlerTest extends BaseTest
+{
+    public function testSetAccessTokenResultsInAuthCacheMiss()
+    {
+        $this->onlyGuzzle6Or7();
+
+        $cache = new MemoryCacheItemPool();
+        $authHandler = AuthHandlerFactory::build($cache);
+        $scopes = ['scope1', 'scope2'];
+        $token1 = ['access_token' => '1234'];
+        $token2 = ['access_token' => '5678'];
+
+        $http1 = $authHandler->attachToken(
+            new Client(),
+            $token1,
+            $scopes
+        );
+
+        // Call our middleware
+        $scopedMiddleware = $this->getGoogleAuthMiddleware($http1);
+        $callable = $scopedMiddleware(function ($request) { return $request; });
+        $request = $callable(new Request('GET', '/'), ['auth' => 'scoped']);
+        $this->assertEquals(['Bearer 1234'], $request->getHeader('Authorization'));
+
+        // try with a new token
+        $http2 = $authHandler->attachToken(
+            new Client(),
+            $token2,
+            $scopes
+        );
+
+        // Call our middleware
+        $scopedMiddleware = $this->getGoogleAuthMiddleware($http2);
+        $callable = $scopedMiddleware(function ($request) { return $request; });
+        $request = $callable(new Request('GET', '/'), ['auth' => 'scoped']);
+        $this->assertEquals(['Bearer 5678'], $request->getHeader('Authorization'));
+
+    }
+
+    private function getGoogleAuthMiddleware(Client $http)
+    {
+        // All sorts of horrible reflection to get at our middleware
+        $handler = $http->getConfig()['handler'];
+        $reflectionMethod = new \ReflectionMethod($handler, 'findByName');
+        $reflectionMethod->setAccessible(true);
+        $authMiddlewareIdx = $reflectionMethod->invoke($handler, 'google_auth');
+        $reflectionProperty = new \ReflectionProperty($handler, 'stack');
+        $reflectionProperty->setAccessible(true);
+        $stack = $reflectionProperty->getValue($handler);
+        return $stack[$authMiddlewareIdx][0];
+    }
+}
\ No newline at end of file

From 579a012ee970d2b2ce5ccb1964ce61d57d132349 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Thu, 22 Dec 2022 13:44:08 -0800
Subject: [PATCH 2/7] use crc instead of b64

---
 src/AuthHandler/Guzzle6AuthHandler.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/AuthHandler/Guzzle6AuthHandler.php b/src/AuthHandler/Guzzle6AuthHandler.php
index 16aa3b019..7dfbb7388 100644
--- a/src/AuthHandler/Guzzle6AuthHandler.php
+++ b/src/AuthHandler/Guzzle6AuthHandler.php
@@ -79,8 +79,8 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
         // bust this behavior.
         $cacheConfig = $this->cacheConfig;
         if (!isset($cacheConfig['cache_prefix']) && isset($token['access_token'])) {
-            $b64Token = base64_encode($token['access_token']);
-            $cacheConfig['prefix'] = substr($b64Token, -10);
+            $tokenPart = substr($token['access_token'], -10);
+            $cacheConfig['prefix'] = crc32($tokenPart);
         }
 
         $middleware = new ScopedAccessTokenMiddleware(

From 4b8ec04a94638d7e731baef2dd7150953e960804 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Thu, 22 Dec 2022 13:45:45 -0800
Subject: [PATCH 3/7] fix cs

---
 tests/Google/AuthHandler/AuthHandlerTest.php | 37 ++++++++++----------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/tests/Google/AuthHandler/AuthHandlerTest.php b/tests/Google/AuthHandler/AuthHandlerTest.php
index ae86b7d2d..b72437014 100644
--- a/tests/Google/AuthHandler/AuthHandlerTest.php
+++ b/tests/Google/AuthHandler/AuthHandlerTest.php
@@ -26,9 +26,6 @@
 use Google\Auth\Cache\MemoryCacheItemPool;
 use GuzzleHttp\Client;
 use GuzzleHttp\Psr7\Request;
-use Psr\Http\Message\RequestInterface;
-use Psr\Http\Message\StreamInterface;
-use Psr\Http\Message\UriInterface;
 use Google\Tests\BaseTest;
 
 class AuthHandlerTest extends BaseTest
@@ -37,37 +34,34 @@ public function testSetAccessTokenResultsInAuthCacheMiss()
     {
         $this->onlyGuzzle6Or7();
 
+        $client = new Client();
         $cache = new MemoryCacheItemPool();
         $authHandler = AuthHandlerFactory::build($cache);
         $scopes = ['scope1', 'scope2'];
-        $token1 = ['access_token' => '1234'];
-        $token2 = ['access_token' => '5678'];
 
+        // Attach the first token to the HTTP client
         $http1 = $authHandler->attachToken(
-            new Client(),
-            $token1,
+            $client,
+            ['access_token' => '1234'],
             $scopes
         );
 
-        // Call our middleware
+        // Call our middleware and verify the token is set
         $scopedMiddleware = $this->getGoogleAuthMiddleware($http1);
-        $callable = $scopedMiddleware(function ($request) { return $request; });
-        $request = $callable(new Request('GET', '/'), ['auth' => 'scoped']);
+        $request = $scopedMiddleware(new Request('GET', '/'), ['auth' => 'scoped']);
         $this->assertEquals(['Bearer 1234'], $request->getHeader('Authorization'));
 
-        // try with a new token
+        // Attach a new token to the HTTP client
         $http2 = $authHandler->attachToken(
-            new Client(),
-            $token2,
+            $client,
+            ['access_token' => '5678'],
             $scopes
         );
 
-        // Call our middleware
+        // Call our middleware and verify the NEW token is set
         $scopedMiddleware = $this->getGoogleAuthMiddleware($http2);
-        $callable = $scopedMiddleware(function ($request) { return $request; });
-        $request = $callable(new Request('GET', '/'), ['auth' => 'scoped']);
+        $request = $scopedMiddleware(new Request('GET', '/'), ['auth' => 'scoped']);
         $this->assertEquals(['Bearer 5678'], $request->getHeader('Authorization'));
-
     }
 
     private function getGoogleAuthMiddleware(Client $http)
@@ -77,9 +71,14 @@ private function getGoogleAuthMiddleware(Client $http)
         $reflectionMethod = new \ReflectionMethod($handler, 'findByName');
         $reflectionMethod->setAccessible(true);
         $authMiddlewareIdx = $reflectionMethod->invoke($handler, 'google_auth');
+
         $reflectionProperty = new \ReflectionProperty($handler, 'stack');
         $reflectionProperty->setAccessible(true);
         $stack = $reflectionProperty->getValue($handler);
-        return $stack[$authMiddlewareIdx][0];
+
+        $callable = $stack[$authMiddlewareIdx][0];
+        return $callable(function ($request) {
+            return $request;
+        });
     }
-}
\ No newline at end of file
+}

From eb1435a4c177a59f1992ae0f2b78103a3949caa2 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Thu, 22 Dec 2022 13:57:23 -0800
Subject: [PATCH 4/7] Update Guzzle6AuthHandler.php

---
 src/AuthHandler/Guzzle6AuthHandler.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/AuthHandler/Guzzle6AuthHandler.php b/src/AuthHandler/Guzzle6AuthHandler.php
index 7dfbb7388..50e653a1a 100644
--- a/src/AuthHandler/Guzzle6AuthHandler.php
+++ b/src/AuthHandler/Guzzle6AuthHandler.php
@@ -74,9 +74,9 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
             return $token['access_token'];
         };
 
-        // Set the cache prefix to the token, to ensure setting a new token
-        // results in a cache-miss. Note: Supplying a custom "cache_prefix" will
-        // bust this behavior.
+        // Derive a cache prefix from the token, to ensure setting a new token
+        // results in a cache-miss.
+        // Note: Supplying a custom "cache_prefix" will bust this behavior.
         $cacheConfig = $this->cacheConfig;
         if (!isset($cacheConfig['cache_prefix']) && isset($token['access_token'])) {
             $tokenPart = substr($token['access_token'], -10);

From 12a1c5cef58146579ad727291c4b65a028e92f07 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Fri, 23 Dec 2022 07:08:57 -0800
Subject: [PATCH 5/7] Update Guzzle6AuthHandler.php

---
 src/AuthHandler/Guzzle6AuthHandler.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/AuthHandler/Guzzle6AuthHandler.php b/src/AuthHandler/Guzzle6AuthHandler.php
index 50e653a1a..29053002f 100644
--- a/src/AuthHandler/Guzzle6AuthHandler.php
+++ b/src/AuthHandler/Guzzle6AuthHandler.php
@@ -76,9 +76,9 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
 
         // Derive a cache prefix from the token, to ensure setting a new token
         // results in a cache-miss.
-        // Note: Supplying a custom "cache_prefix" will bust this behavior.
+        // Note: Supplying a custom "prefix" will bust this behavior.
         $cacheConfig = $this->cacheConfig;
-        if (!isset($cacheConfig['cache_prefix']) && isset($token['access_token'])) {
+        if (!isset($cacheConfig['prefix']) && isset($token['access_token'])) {
             $tokenPart = substr($token['access_token'], -10);
             $cacheConfig['prefix'] = crc32($tokenPart);
         }

From cbcca296834390925e3d1fc05a498bd6e53b1680 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Wed, 28 Dec 2022 09:41:20 -0800
Subject: [PATCH 6/7] Update Guzzle6AuthHandler.php

---
 src/AuthHandler/Guzzle6AuthHandler.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/AuthHandler/Guzzle6AuthHandler.php b/src/AuthHandler/Guzzle6AuthHandler.php
index 29053002f..0c4d12852 100644
--- a/src/AuthHandler/Guzzle6AuthHandler.php
+++ b/src/AuthHandler/Guzzle6AuthHandler.php
@@ -79,8 +79,7 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
         // Note: Supplying a custom "prefix" will bust this behavior.
         $cacheConfig = $this->cacheConfig;
         if (!isset($cacheConfig['prefix']) && isset($token['access_token'])) {
-            $tokenPart = substr($token['access_token'], -10);
-            $cacheConfig['prefix'] = crc32($tokenPart);
+            $cacheConfig['prefix'] = substr(sha1($token['access_token']), -10);
         }
 
         $middleware = new ScopedAccessTokenMiddleware(

From 7edb0f4023fa4333cf509329ecde996140023134 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Mon, 4 Sep 2023 21:51:09 -0700
Subject: [PATCH 7/7] Update AuthHandlerTest.php

---
 tests/Google/AuthHandler/AuthHandlerTest.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tests/Google/AuthHandler/AuthHandlerTest.php b/tests/Google/AuthHandler/AuthHandlerTest.php
index b72437014..0bc34aa82 100644
--- a/tests/Google/AuthHandler/AuthHandlerTest.php
+++ b/tests/Google/AuthHandler/AuthHandlerTest.php
@@ -32,8 +32,6 @@ class AuthHandlerTest extends BaseTest
 {
     public function testSetAccessTokenResultsInAuthCacheMiss()
     {
-        $this->onlyGuzzle6Or7();
-
         $client = new Client();
         $cache = new MemoryCacheItemPool();
         $authHandler = AuthHandlerFactory::build($cache);