|
| 1 | +<?php |
| 2 | + |
| 3 | +/** |
| 4 | + * This file is part of CodeIgniter 4 framework. |
| 5 | + * |
| 6 | + * (c) CodeIgniter Foundation <admin@codeigniter.com> |
| 7 | + * |
| 8 | + * For the full copyright and license information, please view |
| 9 | + * the LICENSE file that was distributed with this source code. |
| 10 | + */ |
| 11 | + |
| 12 | +namespace CodeIgniter\Security; |
| 13 | + |
| 14 | +use CodeIgniter\Config\Factories; |
| 15 | +use CodeIgniter\Cookie\Cookie; |
| 16 | +use CodeIgniter\HTTP\IncomingRequest; |
| 17 | +use CodeIgniter\HTTP\URI; |
| 18 | +use CodeIgniter\HTTP\UserAgent; |
| 19 | +use CodeIgniter\Test\CIUnitTestCase; |
| 20 | +use CodeIgniter\Test\Mock\MockAppConfig; |
| 21 | +use CodeIgniter\Test\Mock\MockSecurity; |
| 22 | +use Config\Security as SecurityConfig; |
| 23 | + |
| 24 | +/** |
| 25 | + * @internal |
| 26 | + */ |
| 27 | +final class SecurityCSRFCookieRandomizeTokenTest extends CIUnitTestCase |
| 28 | +{ |
| 29 | + /** |
| 30 | + * @var string CSRF protection hash |
| 31 | + */ |
| 32 | + private string $hash = '8b9218a55906f9dcc1dc263dce7f005a'; |
| 33 | + |
| 34 | + /** |
| 35 | + * @var string CSRF randomized token |
| 36 | + */ |
| 37 | + private string $randomizedToken = '8bc70b67c91494e815c7d2219c1ae0ab005513c290126d34d41bf41c5265e0f1'; |
| 38 | + |
| 39 | + protected function setUp(): void |
| 40 | + { |
| 41 | + parent::setUp(); |
| 42 | + |
| 43 | + $_COOKIE = []; |
| 44 | + |
| 45 | + $config = new SecurityConfig(); |
| 46 | + $config->csrfProtection = Security::CSRF_PROTECTION_COOKIE; |
| 47 | + $config->tokenRandomize = true; |
| 48 | + Factories::injectMock('config', 'Security', $config); |
| 49 | + |
| 50 | + // Set Cookie value |
| 51 | + $security = new MockSecurity(new MockAppConfig()); |
| 52 | + $_COOKIE[$security->getCookieName()] = $this->hash; |
| 53 | + |
| 54 | + $this->resetServices(); |
| 55 | + } |
| 56 | + |
| 57 | + public function testTokenIsReadFromCookie() |
| 58 | + { |
| 59 | + $security = new MockSecurity(new MockAppConfig()); |
| 60 | + |
| 61 | + $this->assertSame( |
| 62 | + $this->randomizedToken, |
| 63 | + $security->getHash() |
| 64 | + ); |
| 65 | + } |
| 66 | + |
| 67 | + public function testCSRFVerifySetNewCookie() |
| 68 | + { |
| 69 | + $_SERVER['REQUEST_METHOD'] = 'POST'; |
| 70 | + $_POST['foo'] = 'bar'; |
| 71 | + $_POST['csrf_test_name'] = $this->randomizedToken; |
| 72 | + |
| 73 | + $request = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent()); |
| 74 | + |
| 75 | + $security = new Security(new MockAppConfig()); |
| 76 | + |
| 77 | + $this->assertInstanceOf(Security::class, $security->verify($request)); |
| 78 | + $this->assertLogged('info', 'CSRF token verified.'); |
| 79 | + $this->assertCount(1, $_POST); |
| 80 | + |
| 81 | + /** @var Cookie $cookie */ |
| 82 | + $cookie = $this->getPrivateProperty($security, 'cookie'); |
| 83 | + $newHash = $cookie->getValue(); |
| 84 | + |
| 85 | + $this->assertNotSame($this->hash, $newHash); |
| 86 | + $this->assertSame(32, strlen($newHash)); |
| 87 | + } |
| 88 | +} |
0 commit comments