Fix scope enforcement: fail-closed + inject stub token in tests [gh-967]

Restore the 403 deny path in requireScope() when apiCurrentToken is null —
the previous fail-open was a security regression (if the token row is ever
missing during a real request, scope enforcement silently vanished).

Fix the test infrastructure instead: loginAs() now also injects a synthetic
token row with scopes=null (all scopes allowed) onto Container::apiCurrentToken,
so handler-level integration tests that bypass TokenAuthentication satisfy the
fail-closed gate. A companion injectTokenScopes() helper lets scope-restriction
tests set an explicit allow-list.

Signed-off-by: Nicholas K. Dionysopoulos <nicholas@akeeba.com>

Author: nikosdion

src/Controller/Api/AbstractApiHandler.php

@@ -141,12 +141,12 @@ protected function requireScope(ApiScope $scope): void
 	{
 		$tokenRow = $this->container->apiCurrentToken;
 
-		// No token row on the container: authentication was either bypassed (e.g. in test
-		// infrastructure that calls handlers directly) or the token has no scope column yet
-		// (pre-scope-feature rows). Treat as "all scopes allowed" in both cases — the same
-		// semantics as a token whose scopes column is NULL.
+		// No token row: this should never happen in production (TokenAuthentication always
+		// sets apiCurrentToken before any handler runs). Fail closed.
 		if ($tokenRow === null)
 		{
+			$this->sendJsonError(403, 'Access denied: missing token context.', 'auth.forbidden');
+
 			return;
 		}
 

tests/Integration/Api/AbstractApiIntegrationTestCase.php

@@ -239,6 +239,12 @@ protected function forceUnknownCmsType(int $siteId): void
 	/**
 	 * Set an authenticated user on the container's userManager directly (skip token round-trip)
 	 * for tests that only care about the post-auth behaviour of a handler.
+	 *
+	 * Also injects a synthetic token row with scopes = null (all scopes allowed) so that
+	 * {@see \Akeeba\Panopticon\Controller\Api\AbstractApiHandler::requireScope()} does not
+	 * reject the request with a "missing token context" 403. This keeps scope enforcement
+	 * fail-closed in production while allowing handler-level integration tests to run
+	 * without a real token round-trip.
 	 */
 	protected function loginAs(int $userId): void
 	{
@@ -249,5 +255,29 @@ protected function loginAs(int $userId): void
 		$property = $ref->getProperty('currentUser');
 		$property->setAccessible(true);
 		$property->setValue($manager, $user);
+
+		// Inject a synthetic token row with null scopes so requireScope() treats this
+		// request as having all scopes. Real scope-restriction tests should call
+		// injectTokenScopes() instead to set a restricted scope list.
+		$this->container->apiCurrentToken = (object) [
+			'id'      => 0,
+			'user_id' => $userId,
+			'scopes'  => null,
+		];
+	}
+
+	/**
+	 * Override the synthetic token row's scopes for tests that specifically exercise
+	 * scope-restricted behaviour. Pass null to restore the "all scopes allowed" default.
+	 *
+	 * @param   string[]|null  $scopes  Scope value strings (e.g. ['sites:read']), or null for all.
+	 */
+	protected function injectTokenScopes(?array $scopes): void
+	{
+		$existing = $this->container->apiCurrentToken ?? (object) ['id' => 0, 'user_id' => 0, 'scopes' => null];
+
+		$existing->scopes = $scopes === null ? null : json_encode($scopes);
+
+		$this->container->apiCurrentToken = $existing;
 	}
 }