2021-06-26 23:23:15 +08:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace Tests\Auth;
|
2015-09-03 01:26:33 +08:00
|
|
|
|
2023-05-18 00:56:55 +08:00
|
|
|
use BookStack\Access\Mfa\MfaSession;
|
2024-12-11 22:22:48 +08:00
|
|
|
use Illuminate\Support\Facades\Hash;
|
2022-07-23 22:10:18 +08:00
|
|
|
use Illuminate\Testing\TestResponse;
|
2021-09-18 06:44:54 +08:00
|
|
|
use Tests\TestCase;
|
2015-09-22 03:54:11 +08:00
|
|
|
|
2021-09-18 06:44:54 +08:00
|
|
|
class AuthTest extends TestCase
|
2015-09-03 01:26:33 +08:00
|
|
|
{
|
2016-01-16 07:21:47 +08:00
|
|
|
public function test_auth_working()
|
2015-09-03 01:26:33 +08:00
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/')->assertRedirect('/login');
|
2015-09-03 01:26:33 +08:00
|
|
|
}
|
|
|
|
|
2016-01-16 07:21:47 +08:00
|
|
|
public function test_login()
|
2015-09-03 01:26:33 +08:00
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->login('admin@admin.com', 'password')->assertRedirect('/');
|
2015-09-03 01:26:33 +08:00
|
|
|
}
|
|
|
|
|
2016-01-16 07:21:47 +08:00
|
|
|
public function test_public_viewing()
|
2015-09-11 03:28:53 +08:00
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->setSettings(['app-public' => 'true']);
|
|
|
|
$this->get('/')
|
|
|
|
->assertOk()
|
|
|
|
->assertSee('Log in');
|
2015-09-11 03:28:53 +08:00
|
|
|
}
|
|
|
|
|
2019-04-16 19:18:51 +08:00
|
|
|
public function test_sign_up_link_on_login()
|
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/login')->assertDontSee('Sign up');
|
2019-04-16 19:18:51 +08:00
|
|
|
|
|
|
|
$this->setSettings(['registration-enabled' => 'true']);
|
|
|
|
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/login')->assertSee('Sign up');
|
2019-04-16 19:18:51 +08:00
|
|
|
}
|
2016-01-16 07:21:47 +08:00
|
|
|
|
|
|
|
public function test_logout()
|
2015-09-03 01:26:33 +08:00
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->asAdmin()->get('/')->assertOk();
|
2021-11-15 05:13:24 +08:00
|
|
|
$this->post('/logout')->assertRedirect('/');
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/')->assertRedirect('/login');
|
2015-09-03 01:26:33 +08:00
|
|
|
}
|
2015-09-22 03:54:11 +08:00
|
|
|
|
2021-08-08 04:53:13 +08:00
|
|
|
public function test_mfa_session_cleared_on_logout()
|
|
|
|
{
|
2023-01-21 19:08:34 +08:00
|
|
|
$user = $this->users->editor();
|
2021-08-08 04:53:13 +08:00
|
|
|
$mfaSession = $this->app->make(MfaSession::class);
|
|
|
|
|
2021-08-21 22:49:40 +08:00
|
|
|
$mfaSession->markVerifiedForUser($user);
|
2021-08-08 04:53:13 +08:00
|
|
|
$this->assertTrue($mfaSession->isVerifiedForUser($user));
|
|
|
|
|
2021-11-15 05:13:24 +08:00
|
|
|
$this->asAdmin()->post('/logout');
|
2021-08-08 04:53:13 +08:00
|
|
|
$this->assertFalse($mfaSession->isVerifiedForUser($user));
|
|
|
|
}
|
|
|
|
|
2019-05-19 23:25:05 +08:00
|
|
|
public function test_login_redirects_to_initially_requested_url_correctly()
|
|
|
|
{
|
|
|
|
config()->set('app.url', 'http://localhost');
|
2022-09-30 00:31:38 +08:00
|
|
|
$page = $this->entities->page();
|
2019-05-19 23:25:05 +08:00
|
|
|
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get($page->getUrl())->assertRedirect(url('/login'));
|
2019-05-19 23:25:05 +08:00
|
|
|
$this->login('admin@admin.com', 'password')
|
2021-09-18 06:44:54 +08:00
|
|
|
->assertRedirect($page->getUrl());
|
2019-05-19 23:25:05 +08:00
|
|
|
}
|
|
|
|
|
2020-07-28 23:27:16 +08:00
|
|
|
public function test_login_intended_redirect_does_not_redirect_to_external_pages()
|
|
|
|
{
|
|
|
|
config()->set('app.url', 'http://localhost');
|
|
|
|
$this->setSettings(['app-public' => true]);
|
|
|
|
|
|
|
|
$this->get('/login', ['referer' => 'https://example.com']);
|
|
|
|
$login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
|
|
|
|
2021-09-18 06:44:54 +08:00
|
|
|
$login->assertRedirect('http://localhost');
|
2020-07-28 23:27:16 +08:00
|
|
|
}
|
|
|
|
|
2021-08-21 22:14:24 +08:00
|
|
|
public function test_login_intended_redirect_does_not_factor_mfa_routes()
|
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/books')->assertRedirect('/login');
|
|
|
|
$this->get('/mfa/setup')->assertRedirect('/login');
|
2021-08-21 22:14:24 +08:00
|
|
|
$login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
2021-09-18 06:44:54 +08:00
|
|
|
$login->assertRedirect('/books');
|
2021-08-21 22:14:24 +08:00
|
|
|
}
|
|
|
|
|
2020-04-26 01:19:22 +08:00
|
|
|
public function test_login_authenticates_admins_on_all_guards()
|
|
|
|
{
|
|
|
|
$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
|
|
|
$this->assertTrue(auth()->check());
|
|
|
|
$this->assertTrue(auth('ldap')->check());
|
|
|
|
$this->assertTrue(auth('saml2')->check());
|
2021-10-13 23:51:27 +08:00
|
|
|
$this->assertTrue(auth('oidc')->check());
|
2020-04-26 01:19:22 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
public function test_login_authenticates_nonadmins_on_default_guard_only()
|
|
|
|
{
|
2023-01-21 19:08:34 +08:00
|
|
|
$editor = $this->users->editor();
|
2020-04-26 01:19:22 +08:00
|
|
|
$editor->password = bcrypt('password');
|
|
|
|
$editor->save();
|
|
|
|
|
|
|
|
$this->post('/login', ['email' => $editor->email, 'password' => 'password']);
|
|
|
|
$this->assertTrue(auth()->check());
|
|
|
|
$this->assertFalse(auth('ldap')->check());
|
|
|
|
$this->assertFalse(auth('saml2')->check());
|
2021-10-13 23:51:27 +08:00
|
|
|
$this->assertFalse(auth('oidc')->check());
|
2020-04-26 01:19:22 +08:00
|
|
|
}
|
|
|
|
|
2020-07-28 19:59:43 +08:00
|
|
|
public function test_failed_logins_are_logged_when_message_configured()
|
|
|
|
{
|
|
|
|
$log = $this->withTestLogger();
|
|
|
|
config()->set(['logging.failed_login.message' => 'Failed login for %u']);
|
|
|
|
|
|
|
|
$this->post('/login', ['email' => 'admin@example.com', 'password' => 'cattreedog']);
|
|
|
|
$this->assertTrue($log->hasWarningThatContains('Failed login for admin@example.com'));
|
|
|
|
|
|
|
|
$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
|
|
|
$this->assertFalse($log->hasWarningThatContains('Failed login for admin@admin.com'));
|
|
|
|
}
|
|
|
|
|
2021-08-31 04:28:17 +08:00
|
|
|
public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
|
|
|
|
{
|
|
|
|
$this->setSettings(['registration-confirmation' => 'true']);
|
2023-01-21 19:08:34 +08:00
|
|
|
$user = $this->users->editor();
|
2021-08-31 04:28:17 +08:00
|
|
|
$user->email_confirmed = false;
|
|
|
|
$user->save();
|
|
|
|
|
|
|
|
auth()->login($user);
|
|
|
|
$this->assertTrue(auth()->check());
|
|
|
|
|
2021-09-18 06:44:54 +08:00
|
|
|
$this->get('/books')->assertRedirect('/');
|
2021-08-31 04:28:17 +08:00
|
|
|
$this->assertFalse(auth()->check());
|
|
|
|
}
|
|
|
|
|
2022-09-23 00:29:38 +08:00
|
|
|
public function test_login_attempts_are_rate_limited()
|
|
|
|
{
|
|
|
|
for ($i = 0; $i < 5; $i++) {
|
|
|
|
$resp = $this->login('bennynotexisting@example.com', 'pw123');
|
|
|
|
}
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('These credentials do not match our records.');
|
|
|
|
|
|
|
|
// Check the fifth attempt provides a lockout response
|
|
|
|
$resp = $this->followRedirects($this->login('bennynotexisting@example.com', 'pw123'));
|
|
|
|
$resp->assertSee('Too many login attempts. Please try again in');
|
|
|
|
}
|
|
|
|
|
2024-12-11 22:22:48 +08:00
|
|
|
public function test_login_specifically_disabled_for_guest_account()
|
|
|
|
{
|
|
|
|
$guest = $this->users->guest();
|
|
|
|
|
|
|
|
$resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);
|
|
|
|
$resp->assertRedirect('/login');
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('These credentials do not match our records.');
|
|
|
|
|
|
|
|
// Test login even with password somehow set
|
|
|
|
$guest->password = Hash::make('password');
|
|
|
|
$guest->save();
|
|
|
|
|
|
|
|
$resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);
|
|
|
|
$resp->assertRedirect('/login');
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('These credentials do not match our records.');
|
|
|
|
}
|
|
|
|
|
2015-09-22 03:54:11 +08:00
|
|
|
/**
|
2021-06-26 23:23:15 +08:00
|
|
|
* Perform a login.
|
2015-09-22 03:54:11 +08:00
|
|
|
*/
|
2021-09-18 06:44:54 +08:00
|
|
|
protected function login(string $email, string $password): TestResponse
|
2015-09-22 03:54:11 +08:00
|
|
|
{
|
2021-09-18 06:44:54 +08:00
|
|
|
return $this->post('/login', compact('email', 'password'));
|
2015-09-22 03:54:11 +08:00
|
|
|
}
|
2015-09-03 01:26:33 +08:00
|
|
|
}
|