Reviewed the quickstart and improved the READMEs. Updated the token binding check to make the pay claim mandatory to be in line with the latest changes in Approov.

Signed-off-by: Exadra37 <exadra37@gmail.com>

Author: Exadra37

docs/APPROOV_TOKEN_BINDING_QUICKSTART.md

@@ -194,14 +194,10 @@ class Approov
      * @return bool
      */
     private function verifyApproovTokenBinding(HeaderBag $headers, \stdClass $approov_token_claims): bool {
-        // Note that the `pay` claim will, under normal circumstances, be present,
-        // but if the Approov failover system is enabled, then no claim will be
-        // present, and in this case you want to return true, otherwise you will not
-        // be able to benefit from the redundancy afforded by the failover system.
         if (empty($approov_token_claims->pay)) {
             // You may want to add some logging here
             // \Log::debug("MISSIG APPROOV TOKEN BINDING CLAIM");
-            return true;
+            return false;
         }
 
         // We use the Authorization token, but feel free to use another header in

src/approov-protected-server/token-binding-check/hello/README.md

@@ -58,6 +58,29 @@ php artisan serve --port 8002
 
 > **NOTE:** If running the server inside a docker container add `--host 0.0.0.0.`, otherwise the Laravel server will not answer requests from outside the container, like the ones you may want to do from cURL or Postman to test the API.
 
+Next, you can test that it works with:
+
+```bash
+curl -iX GET 'http://localhost:8002'
+```
+
+The response will be a `401` unauthorized request:
+
+```text
+HTTP/1.1 401 Unauthorized
+Host: localhost:8002
+Date: Wed, 23 Mar 2022 12:24:03 GMT
+Connection: close
+X-Powered-By: PHP/8.1.4
+Cache-Control: no-cache, private
+Date: Wed, 23 Mar 2022 12:24:03 GMT
+Content-Type: application/json
+
+{}
+```
+
+The reason you got a `401` is because no Approoov token isn't provided in the headers of the request.
+
 Finally, you can test that the Approov integration example works as expected with this [Postman collection](/README.md#testing-with-postman) or with some cURL requests [examples](/README.md#testing-with-curl).
 
 

src/approov-protected-server/token-binding-check/hello/app/Http/Middleware/Approov.php

@@ -89,14 +89,10 @@ private function verifyApproovToken(HeaderBag $headers): ?\stdClass {
      * @return bool
      */
     private function verifyApproovTokenBinding(HeaderBag $headers, \stdClass $approov_token_claims): bool {
-        // Note that the `pay` claim will, under normal circumstances, be present,
-        // but if the Approov failover system is enabled, then no claim will be
-        // present, and in this case you want to return true, otherwise you will not
-        // be able to benefit from the redundancy afforded by the failover system.
         if (empty($approov_token_claims->pay)) {
             // You may want to add some logging here
             // \Log::debug("MISSIG APPROOV TOKEN BINDING CLAIM");
-            return true;
+            return false;
         }
 
         // We use the Authorization token, but feel free to use another header in

src/approov-protected-server/token-check/hello/README.md

@@ -57,6 +57,29 @@ php artisan serve --port 8002
 
 > **NOTE:** If running the server inside a docker container add `--host 0.0.0.0.`, otherwise the Laravel server will not answer requests from outside the container, like the ones you may want to do from cURL or Postman to test the API.
 
+Next, you can test that it works with:
+
+```bash
+curl -iX GET 'http://localhost:8002'
+```
+
+The response will be a `401` unauthorized request:
+
+```text
+HTTP/1.1 401 Unauthorized
+Host: localhost:8002
+Date: Wed, 23 Mar 2022 12:24:03 GMT
+Connection: close
+X-Powered-By: PHP/8.1.4
+Cache-Control: no-cache, private
+Date: Wed, 23 Mar 2022 12:24:03 GMT
+Content-Type: application/json
+
+{}
+```
+
+The reason you got a `401` is because no Approoov token isn't provided in the headers of the request.
+
 Finally, you can test that the Approov integration example works as expected with this [Postman collection](/README.md#testing-with-postman) or with some cURL requests [examples](/README.md#testing-with-curl).
 
 [TOC](#toc---table-of-contents)