WebhooksTest.php

<?php

declare(strict_types=1);

namespace Rapttor\WhopSdk\Tests\Unit\Resources;

use Rapttor\WhopSdk\Resources\Webhooks;
use Rapttor\WhopSdk\Tests\SdkTestCase;

/**
 * @covers \Rapttor\WhopSdk\Resources\Webhooks
 */
final class WebhooksTest extends SdkTestCase
{
    private const SECRET  = 'super_secret_key';
    private const PAYLOAD = '{"event":"payment.completed","data":{"id":"pay_123"}}';

    // ── verifySignature ────────────────────────────────────────────────────────

    public function testVerifySignatureReturnsTrueForValidHmac(): void
    {
        $sig = hash_hmac('sha256', self::PAYLOAD, self::SECRET);

        $this->assertTrue(Webhooks::verifySignature(self::PAYLOAD, $sig, self::SECRET));
    }

    public function testVerifySignatureReturnsTrueWhenSha256PrefixPresent(): void
    {
        $sig = 'sha256=' . hash_hmac('sha256', self::PAYLOAD, self::SECRET);

        $this->assertTrue(Webhooks::verifySignature(self::PAYLOAD, $sig, self::SECRET));
    }

    public function testVerifySignatureReturnsFalseForWrongSecret(): void
    {
        $sig = hash_hmac('sha256', self::PAYLOAD, 'wrong_secret');

        $this->assertFalse(Webhooks::verifySignature(self::PAYLOAD, $sig, self::SECRET));
    }

    public function testVerifySignatureReturnsFalseForTamperedPayload(): void
    {
        $sig = hash_hmac('sha256', self::PAYLOAD, self::SECRET);

        $this->assertFalse(
            Webhooks::verifySignature('{"event":"payment.completed","data":{"id":"pay_999"}}', $sig, self::SECRET)
        );
    }

    public function testVerifySignatureReturnsFalseForEmptySignature(): void
    {
        $this->assertFalse(Webhooks::verifySignature(self::PAYLOAD, '', self::SECRET));
    }

    public function testVerifySignatureReturnsFalseForGarbageSignature(): void
    {
        $this->assertFalse(Webhooks::verifySignature(self::PAYLOAD, 'not_a_real_sig', self::SECRET));
    }
}