]> BookStack Code Mirror - bookstack/blobdiff - tests/Auth/AuthTest.php
Replace node-sass with dart-sass
[bookstack] / tests / Auth / AuthTest.php
index eb83faded44edc67d721e595d1a11d3861e12255..f1f47696641ac4978f2dc33c87a93b5b8805a3e6 100644 (file)
@@ -1,10 +1,15 @@
-<?php namespace Tests;
+<?php namespace Tests\Auth;
 
+use BookStack\Auth\Role;
 use BookStack\Auth\User;
 use BookStack\Entities\Page;
 use BookStack\Notifications\ConfirmEmail;
+use BookStack\Notifications\ResetPassword;
 use BookStack\Settings\SettingService;
+use DB;
+use Hash;
 use Illuminate\Support\Facades\Notification;
+use Tests\BrowserKitTest;
 
 class AuthTest extends BrowserKitTest
 {
@@ -128,7 +133,7 @@ class AuthTest extends BrowserKitTest
             ->press('Resend Confirmation Email');
 
         // Get confirmation and confirm notification matches
-        $emailConfirmation = \DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
+        $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
         Notification::assertSentTo($dbUser, ConfirmEmail::class, function($notification, $channels) use ($emailConfirmation) {
             return $notification->token === $emailConfirmation->token;
         });
@@ -256,7 +261,7 @@ class AuthTest extends BrowserKitTest
             ->seePageIs('/settings/users');
 
             $userPassword = User::find($user->id)->password;
-            $this->assertTrue(\Hash::check('newpassword', $userPassword));
+            $this->assertTrue(Hash::check('newpassword', $userPassword));
     }
 
     public function test_user_deletion()
@@ -275,7 +280,7 @@ class AuthTest extends BrowserKitTest
 
     public function test_user_cannot_be_deleted_if_last_admin()
     {
-        $adminRole = \BookStack\Auth\Role::getRole('admin');
+        $adminRole = Role::getRole('admin');
 
         // Delete all but one admin user if there are more than one
         $adminUsers = $adminRole->users;
@@ -308,14 +313,13 @@ class AuthTest extends BrowserKitTest
 
     public function test_reset_password_flow()
     {
-
         Notification::fake();
 
         $this->visit('/login')->click('Forgot Password?')
             ->seePageIs('/password/email')
             ->type('[email protected]', 'email')
             ->press('Send Reset Link')
-            ->see('A password reset link has been sent to [email protected]');
+            ->see('A password reset link will be sent to [email protected] if that email address is found in the system.');
 
         $this->seeInDatabase('password_resets', [
             'email' => '[email protected]'
@@ -323,8 +327,8 @@ class AuthTest extends BrowserKitTest
 
         $user = User::where('email', '=', '[email protected]')->first();
 
-        Notification::assertSentTo($user, \BookStack\Notifications\ResetPassword::class);
-        $n = Notification::sent($user, \BookStack\Notifications\ResetPassword::class);
+        Notification::assertSentTo($user, ResetPassword::class);
+        $n = Notification::sent($user, ResetPassword::class);
 
         $this->visit('/password/reset/' . $n->first()->token)
             ->see('Reset Password')
@@ -336,6 +340,28 @@ class AuthTest extends BrowserKitTest
             ->see('Your password has been successfully reset');
     }
 
+    public function test_reset_password_flow_shows_success_message_even_if_wrong_password_to_prevent_user_discovery()
+    {
+        $this->visit('/login')->click('Forgot Password?')
+            ->seePageIs('/password/email')
+            ->type('[email protected]', 'email')
+            ->press('Send Reset Link')
+            ->see('A password reset link will be sent to [email protected] if that email address is found in the system.')
+            ->dontSee('We can\'t find a user');
+
+
+        $this->visit('/password/reset/arandometokenvalue')
+            ->see('Reset Password')
+            ->submitForm('Reset Password', [
+                'email' => '[email protected]',
+                'password' => 'randompass',
+                'password_confirmation' => 'randompass'
+            ])->followRedirects()
+            ->seePageIs('/password/reset/arandometokenvalue')
+            ->dontSee('We can\'t find a user')
+            ->see('The password reset token is invalid for this email address.');
+    }
+
     public function test_reset_password_page_shows_sign_links()
     {
         $this->setSettings(['registration-enabled' => 'true']);
@@ -355,13 +381,30 @@ class AuthTest extends BrowserKitTest
             ->seePageUrlIs($page->getUrl());
     }
 
+    public function test_login_authenticates_admins_on_all_guards()
+    {
+        $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
+        $this->assertTrue(auth()->check());
+        $this->assertTrue(auth('ldap')->check());
+        $this->assertTrue(auth('saml2')->check());
+    }
+
+    public function test_login_authenticates_nonadmins_on_default_guard_only()
+    {
+        $editor = $this->getEditor();
+        $editor->password = bcrypt('password');
+        $editor->save();
+
+        $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
+        $this->assertTrue(auth()->check());
+        $this->assertFalse(auth('ldap')->check());
+        $this->assertFalse(auth('saml2')->check());
+    }
+
     /**
      * Perform a login
-     * @param string $email
-     * @param string $password
-     * @return $this
      */
-    protected function login($email, $password)
+    protected function login(string $email, string $password): AuthTest
     {
         return $this->visit('/login')
             ->type($email, '#email')