BookStack Code Mirror - bookstack/blobdiff

index f1f47696641ac4978f2dc33c87a93b5b8805a3e6..657728c175e712e8d075ed2436483b1e6c2dacd9 100644 (file)

--- a/tests/Auth/AuthTest.php

+++ b/tests/Auth/AuthTest.php

@@ -1,19 +1,22 @@

-<?php namespace Tests\Auth;

+<?php

+namespace Tests\Auth;

+use BookStack\Auth\Access\Mfa\MfaSession;

use BookStack\Auth\Role;

use BookStack\Auth\User;

-use BookStack\Entities\Page;

+use BookStack\Entities\Models\Page;

use BookStack\Notifications\ConfirmEmail;

use BookStack\Notifications\ResetPassword;

use BookStack\Settings\SettingService;

use DB;

use Hash;

use Illuminate\Support\Facades\Notification;

+use Illuminate\Support\Str;

use Tests\BrowserKitTest;

class AuthTest extends BrowserKitTest

{

public function test_auth_working()

{

$this->visit('/')

@@ -129,15 +132,16 @@ class AuthTest extends BrowserKitTest

->seePageIs('/register/confirm/awaiting')

->see('Resend')

->visit('/books')

- ->seePageIs('/register/confirm/awaiting')

+ ->seePageIs('/login')

+ ->visit('/register/confirm/awaiting')

->press('Resend Confirmation Email');

// Get confirmation and confirm notification matches

$emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();

- Notification::assertSentTo($dbUser, ConfirmEmail::class, function($notification, $channels) use ($emailConfirmation) {

+ Notification::assertSentTo($dbUser, ConfirmEmail::class, function ($notification, $channels) use ($emailConfirmation) {

return $notification->token === $emailConfirmation->token;

});

// Check confirmation email confirmation activation.

$this->visit('/register/confirm/' . $emailConfirmation->token)

->seePageIs('/')

@@ -170,6 +174,8 @@ class AuthTest extends BrowserKitTest

->seePageIs('/register/confirm')

->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);

+ $this->assertNull(auth()->user());

$this->visit('/')->seePageIs('/login')

->type($user->email, '#email')

->type($user->password, '#password')

@@ -202,6 +208,8 @@ class AuthTest extends BrowserKitTest

->seePageIs('/register/confirm')

->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);

+ $this->assertNull(auth()->user());

$this->visit('/')->seePageIs('/login')

->type($user->email, '#email')

->type($user->password, '#password')

@@ -212,20 +220,25 @@ class AuthTest extends BrowserKitTest

public function test_user_creation()

{

+ /** @var User $user */

$user = factory(User::class)->make();

+ $adminRole = Role::getRole('admin');

$this->asAdmin()

->visit('/settings/users')

->click('Add New User')

->type($user->name, '#name')

->type($user->email, '#email')

- ->check('roles[admin]')

+ ->check("roles[{$adminRole->id}]")

->type($user->password, '#password')

->type($user->password, '#password-confirm')

->press('Save')

->seePageIs('/settings/users')

- ->seeInDatabase('users', $user->toArray())

+ ->seeInDatabase('users', $user->only(['name', 'email']))

->see($user->name);

+ $user->refresh();

+ $this->assertStringStartsWith(Str::slug($user->name), $user->slug);

}

public function test_user_updating()

@@ -242,6 +255,9 @@ class AuthTest extends BrowserKitTest

->seePageIs('/settings/users')

->seeInDatabase('users', ['id' => $user->id, 'name' => 'Barry Scott', 'password' => $password])

->notSeeInDatabase('users', ['name' => $user->name]);

+ $user->refresh();

+ $this->assertStringStartsWith(Str::slug($user->name), $user->slug);

}

public function test_user_password_update()

@@ -260,8 +276,8 @@ class AuthTest extends BrowserKitTest

->press('Save')

->seePageIs('/settings/users');

- $userPassword = User::find($user->id)->password;

- $this->assertTrue(Hash::check('newpassword', $userPassword));

+ $userPassword = User::find($user->id)->password;

+ $this->assertTrue(Hash::check('newpassword', $userPassword));

}

public function test_user_deletion()

@@ -311,6 +327,18 @@ class AuthTest extends BrowserKitTest

->seePageIs('/login');

}

+ public function test_mfa_session_cleared_on_logout()

+ {

+ $user = $this->getEditor();

+ $mfaSession = $this->app->make(MfaSession::class);

+ $mfaSession->markVerifiedForUser($user);

+ $this->assertTrue($mfaSession->isVerifiedForUser($user));

+ $this->asAdmin()->visit('/logout');

+ $this->assertFalse($mfaSession->isVerifiedForUser($user));

+ }

public function test_reset_password_flow()

{

Notification::fake();

@@ -322,7 +350,7 @@ class AuthTest extends BrowserKitTest

->see('A password reset link will be sent to [email protected] if that email address is found in the system.');

$this->seeInDatabase('password_resets', [

- 'email' => '[email protected]'

+ 'email' => '[email protected]',

]);

$user = User::where('email', '=', '[email protected]')->first();

@@ -333,9 +361,9 @@ class AuthTest extends BrowserKitTest

$this->visit('/password/reset/' . $n->first()->token)

->see('Reset Password')

->submitForm('Reset Password', [

- 'email' => '[email protected]',

- 'password' => 'randompass',

- 'password_confirmation' => 'randompass'

+ 'email' => '[email protected]',

+ 'password' => 'randompass',

+ 'password_confirmation' => 'randompass',

])->seePageIs('/')

->see('Your password has been successfully reset');

}

@@ -349,13 +377,12 @@ class AuthTest extends BrowserKitTest

->see('A password reset link will be sent to [email protected] if that email address is found in the system.')

->dontSee('We can\'t find a user');

$this->visit('/password/reset/arandometokenvalue')

->see('Reset Password')

->submitForm('Reset Password', [

- 'email' => '[email protected]',

- 'password' => 'randompass',

- 'password_confirmation' => 'randompass'

+ 'email' => '[email protected]',

+ 'password' => 'randompass',

+ 'password_confirmation' => 'randompass',

])->followRedirects()

->seePageIs('/password/reset/arandometokenvalue')

->dontSee('We can\'t find a user')

@@ -381,6 +408,25 @@ class AuthTest extends BrowserKitTest

->seePageUrlIs($page->getUrl());

}

+ public function test_login_intended_redirect_does_not_redirect_to_external_pages()

+ {

+ config()->set('app.url', 'http://localhost');

+ $this->setSettings(['app-public' => true]);

+ $this->get('/login', ['referer' => 'https://example.com']);

+ $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);

+ $login->assertRedirectedTo('http://localhost');

+ }

+ public function test_login_intended_redirect_does_not_factor_mfa_routes()

+ {

+ $this->get('/books')->assertRedirectedTo('/login');

+ $this->get('/mfa/setup')->assertRedirectedTo('/login');

+ $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);

+ $login->assertRedirectedTo('/books');

+ }

public function test_login_authenticates_admins_on_all_guards()

{

$this->post('/login', ['email' => '[email protected]', 'password' => 'password']);

@@ -401,8 +447,20 @@ class AuthTest extends BrowserKitTest

$this->assertFalse(auth('saml2')->check());

}

+ public function test_failed_logins_are_logged_when_message_configured()

+ {

+ $log = $this->withTestLogger();

+ config()->set(['logging.failed_login.message' => 'Failed login for %u']);

+ $this->post('/login', ['email' => '[email protected]', 'password' => 'cattreedog']);

+ $this->assertTrue($log->hasWarningThatContains('Failed login for [email protected]'));

+ $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);

+ $this->assertFalse($log->hasWarningThatContains('Failed login for [email protected]'));

+ }

/**

- * Perform a login

+ * Perform a login.

protected function login(string $email, string $password): AuthTest

{