mirror of
https://github.com/flarum/framework.git
synced 2024-12-03 07:33:36 +08:00
0c95774333
- Split DispatchRoute. This allows us to run middleware after we figure out which route we're on, but before we actually execute the controller for that route. - By making the route name explicitly available to middlewares, applications like CSRF and floodgate can set patterns based on route names instead of the path, which is an implementation detail. - Support using route name match for CSRF extender, deprecate path match
134 lines
3.2 KiB
PHP
134 lines
3.2 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of Flarum.
|
|
*
|
|
* For detailed copyright and license information, please view the
|
|
* LICENSE file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Flarum\Tests\integration\extenders;
|
|
|
|
use Flarum\Extend;
|
|
use Flarum\Tests\integration\TestCase;
|
|
use Flarum\User\User;
|
|
|
|
class CsrfTest extends TestCase
|
|
{
|
|
protected $testUser = [
|
|
'username' => 'test',
|
|
'password' => 'too-obscure',
|
|
'email' => 'test@machine.local',
|
|
];
|
|
|
|
protected function prepDb()
|
|
{
|
|
$this->prepareDatabase([
|
|
'users' => [],
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
*/
|
|
public function create_user_post_needs_csrf_token_by_default()
|
|
{
|
|
$this->prepDb();
|
|
|
|
$response = $this->send(
|
|
$this->request('POST', '/api/users', [
|
|
'json' => [
|
|
'data' => [
|
|
'attributes' => $this->testUser
|
|
]
|
|
],
|
|
])
|
|
);
|
|
|
|
$this->assertEquals(400, $response->getStatusCode());
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
* @deprecated
|
|
*/
|
|
public function create_user_post_doesnt_need_csrf_token_if_whitelisted()
|
|
{
|
|
$this->extend(
|
|
(new Extend\Csrf)
|
|
->exemptPath('/api/users')
|
|
);
|
|
|
|
$this->prepDb();
|
|
|
|
$response = $this->send(
|
|
$this->request('POST', '/api/users', [
|
|
'json' => [
|
|
'data' => [
|
|
'attributes' => $this->testUser
|
|
]
|
|
],
|
|
])
|
|
);
|
|
|
|
$this->assertEquals(201, $response->getStatusCode());
|
|
|
|
$user = User::where('username', $this->testUser['username'])->firstOrFail();
|
|
|
|
$this->assertEquals(0, $user->is_email_confirmed);
|
|
$this->assertEquals($this->testUser['username'], $user->username);
|
|
$this->assertEquals($this->testUser['email'], $user->email);
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
*/
|
|
public function create_user_post_doesnt_need_csrf_token_if_whitelisted_via_routename()
|
|
{
|
|
$this->extend(
|
|
(new Extend\Csrf)
|
|
->exemptRoute('users.create')
|
|
);
|
|
|
|
$this->prepDb();
|
|
|
|
$response = $this->send(
|
|
$this->request('POST', '/api/users', [
|
|
'json' => [
|
|
'data' => [
|
|
'attributes' => $this->testUser
|
|
]
|
|
],
|
|
])
|
|
);
|
|
|
|
$this->assertEquals(201, $response->getStatusCode());
|
|
|
|
$user = User::where('username', $this->testUser['username'])->firstOrFail();
|
|
|
|
$this->assertEquals(0, $user->is_email_confirmed);
|
|
$this->assertEquals($this->testUser['username'], $user->username);
|
|
$this->assertEquals($this->testUser['email'], $user->email);
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
* @deprecated
|
|
*/
|
|
public function csrf_matches_wildcards_properly()
|
|
{
|
|
$this->extend(
|
|
(new Extend\Csrf)
|
|
->exemptPath('/api/fake/*/up')
|
|
);
|
|
|
|
$this->prepDb();
|
|
|
|
$response = $this->send(
|
|
$this->request('POST', '/api/fake/route/i/made/up')
|
|
);
|
|
|
|
$this->assertEquals(404, $response->getStatusCode());
|
|
}
|
|
}
|