X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/90b4257889a5f9a63ee5d9934e90557e67ebca56..refs/pull/5676/head:/tests/Auth/AuthTest.php

diff --git a/tests/Auth/AuthTest.php b/tests/Auth/AuthTest.php
index f0b473472..bffd8bbdb 100644
--- a/tests/Auth/AuthTest.php
+++ b/tests/Auth/AuthTest.php
@@ -2,8 +2,8 @@
 
 namespace Tests\Auth;
 
-use BookStack\Auth\Access\Mfa\MfaSession;
-use BookStack\Entities\Models\Page;
+use BookStack\Access\Mfa\MfaSession;
+use Illuminate\Support\Facades\Hash;
 use Illuminate\Testing\TestResponse;
 use Tests\TestCase;
 
@@ -45,7 +45,7 @@ class AuthTest extends TestCase
 
     public function test_mfa_session_cleared_on_logout()
     {
-        $user = $this->getEditor();
+        $user = $this->users->editor();
         $mfaSession = $this->app->make(MfaSession::class);
 
         $mfaSession->markVerifiedForUser($user);
@@ -58,8 +58,7 @@ class AuthTest extends TestCase
     public function test_login_redirects_to_initially_requested_url_correctly()
     {
         config()->set('app.url', 'http://localhost');
-        /** @var Page $page */
-        $page = Page::query()->first();
+        $page = $this->entities->page();
 
         $this->get($page->getUrl())->assertRedirect(url('/login'));
         $this->login('admin@admin.com', 'password')
@@ -96,7 +95,7 @@ class AuthTest extends TestCase
 
     public function test_login_authenticates_nonadmins_on_default_guard_only()
     {
-        $editor = $this->getEditor();
+        $editor = $this->users->editor();
         $editor->password = bcrypt('password');
         $editor->save();
 
@@ -122,7 +121,7 @@ class AuthTest extends TestCase
     public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
     {
         $this->setSettings(['registration-confirmation' => 'true']);
-        $user = $this->getEditor();
+        $user = $this->users->editor();
         $user->email_confirmed = false;
         $user->save();
 
@@ -133,6 +132,38 @@ class AuthTest extends TestCase
         $this->assertFalse(auth()->check());
     }
 
+    public function test_login_attempts_are_rate_limited()
+    {
+        for ($i = 0; $i < 5; $i++) {
+            $resp = $this->login('bennynotexisting@example.com', 'pw123');
+        }
+        $resp = $this->followRedirects($resp);
+        $resp->assertSee('These credentials do not match our records.');
+
+        // Check the fifth attempt provides a lockout response
+        $resp = $this->followRedirects($this->login('bennynotexisting@example.com', 'pw123'));
+        $resp->assertSee('Too many login attempts. Please try again in');
+    }
+
+    public function test_login_specifically_disabled_for_guest_account()
+    {
+        $guest = $this->users->guest();
+
+        $resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);
+        $resp->assertRedirect('/login');
+        $resp = $this->followRedirects($resp);
+        $resp->assertSee('These credentials do not match our records.');
+
+        // Test login even with password somehow set
+        $guest->password = Hash::make('password');
+        $guest->save();
+
+        $resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);
+        $resp->assertRedirect('/login');
+        $resp = $this->followRedirects($resp);
+        $resp->assertSee('These credentials do not match our records.');
+    }
+
     /**
      * Perform a login.
      */