BookStack Code Mirror - bookstack/blob - tests/Auth/RegistrationTest.php

   1 <?php
   2
   3 namespace Tests\Auth;
   4
   5 use BookStack\Access\Notifications\ConfirmEmailNotification;
   6 use BookStack\Users\Models\Role;
   7 use BookStack\Users\Models\User;
   8 use Illuminate\Support\Facades\DB;
   9 use Illuminate\Support\Facades\Notification;
  10 use Tests\TestCase;
  11
  12 class RegistrationTest extends TestCase
  13 {
  14     public function test_confirmed_registration()
  15     {
  16         // Fake notifications
  17         Notification::fake();
  18
  19         // Set settings and get user instance
  20         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
  21         $user = User::factory()->make();
  22
  23         // Go through registration process
  24         $resp = $this->post('/register', $user->only('name', 'email', 'password'));
  25         $resp->assertRedirect('/register/confirm');
  26         $this->assertDatabaseHas('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
  27
  28         $resp = $this->get('/register/confirm');
  29         $resp->assertSee('Thanks for registering!');
  30
  31         // Ensure notification sent
  32         /** @var User $dbUser */
  33         $dbUser = User::query()->where('email', '=', $user->email)->first();
  34         Notification::assertSentTo($dbUser, ConfirmEmailNotification::class);
  35
  36         // Test access and resend confirmation email
  37         $resp = $this->post('/login', ['email' => $user->email, 'password' => $user->password]);
  38         $resp->assertRedirect('/register/confirm/awaiting');
  39
  40         $resp = $this->get('/register/confirm/awaiting');
  41         $this->withHtml($resp)->assertElementContains('form[action="' . url('/register/confirm/resend') . '"]', 'Resend');
  42
  43         $this->get('/books')->assertRedirect('/login');
  44         $this->post('/register/confirm/resend', $user->only('email'));
  45
  46         // Get confirmation and confirm notification matches
  47         $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
  48         Notification::assertSentTo($dbUser, ConfirmEmailNotification::class, function ($notification, $channels) use ($emailConfirmation) {
  49             return $notification->token === $emailConfirmation->token;
  50         });
  51
  52         // Check confirmation email confirmation accept page.
  53         $resp = $this->get('/register/confirm/' . $emailConfirmation->token);
  54         $acceptPage = $this->withHtml($resp);
  55         $resp->assertOk();
  56         $resp->assertSee('Thanks for confirming!');
  57         $acceptPage->assertElementExists('form[method="post"][action$="/register/confirm/accept"][component="auto-submit"] button');
  58         $acceptPage->assertFieldHasValue('token', $emailConfirmation->token);
  59
  60         // Check acceptance confirm
  61         $this->post('/register/confirm/accept', ['token' => $emailConfirmation->token])->assertRedirect('/login');
  62
  63         // Check state on login redirect
  64         $this->get('/login')->assertSee('Your email has been confirmed! You should now be able to login using this email address.');
  65         $this->assertDatabaseMissing('email_confirmations', ['token' => $emailConfirmation->token]);
  66         $this->assertDatabaseHas('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
  67     }
  68
  69     public function test_restricted_registration()
  70     {
  71         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true', 'registration-restrict' => 'example.com']);
  72         $user = User::factory()->make();
  73
  74         // Go through registration process
  75         $this->post('/register', $user->only('name', 'email', 'password'))
  76             ->assertRedirect('/register');
  77         $resp = $this->get('/register');
  78         $resp->assertSee('That email domain does not have access to this application');
  79         $this->assertDatabaseMissing('users', $user->only('email'));
  80
  81         $user->email = '[email protected]';
  82
  83         $this->post('/register', $user->only('name', 'email', 'password'))
  84             ->assertRedirect('/register/confirm');
  85         $this->assertDatabaseHas('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
  86
  87         $this->assertNull(auth()->user());
  88
  89         $this->get('/')->assertRedirect('/login');
  90         $resp = $this->followingRedirects()->post('/login', $user->only('email', 'password'));
  91         $resp->assertSee('Email Address Not Confirmed');
  92         $this->assertNull(auth()->user());
  93     }
  94
  95     public function test_restricted_registration_with_confirmation_disabled()
  96     {
  97         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'false', 'registration-restrict' => 'example.com']);
  98         $user = User::factory()->make();
  99
 100         // Go through registration process
 101         $this->post('/register', $user->only('name', 'email', 'password'))
 102             ->assertRedirect('/register');
 103         $this->assertDatabaseMissing('users', $user->only('email'));
 104         $this->get('/register')->assertSee('That email domain does not have access to this application');
 105
 106         $user->email = '[email protected]';
 107
 108         $this->post('/register', $user->only('name', 'email', 'password'))
 109             ->assertRedirect('/register/confirm');
 110         $this->assertDatabaseHas('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
 111
 112         $this->assertNull(auth()->user());
 113
 114         $this->get('/')->assertRedirect('/login');
 115         $resp = $this->post('/login', $user->only('email', 'password'));
 116         $resp->assertRedirect('/register/confirm/awaiting');
 117         $this->get('/register/confirm/awaiting')->assertSee('Email Address Not Confirmed');
 118         $this->assertNull(auth()->user());
 119     }
 120
 121     public function test_registration_role_unset_by_default()
 122     {
 123         $this->assertFalse(setting('registration-role'));
 124
 125         $resp = $this->asAdmin()->get('/settings/registration');
 126         $this->withHtml($resp)->assertElementContains('select[name="setting-registration-role"] option[value="0"][selected]', '-- None --');
 127     }
 128
 129     public function test_registration_showing()
 130     {
 131         // Ensure registration form is showing
 132         $this->setSettings(['registration-enabled' => 'true']);
 133         $resp = $this->get('/login');
 134         $this->withHtml($resp)->assertElementContains('a[href="' . url('/register') . '"]', 'Sign up');
 135     }
 136
 137     public function test_normal_registration()
 138     {
 139         // Set settings and get user instance
 140         /** @var Role $registrationRole */
 141         $registrationRole = Role::query()->first();
 142         $this->setSettings(['registration-enabled' => 'true', 'registration-role' => $registrationRole->id]);
 143         /** @var User $user */
 144         $user = User::factory()->make();
 145
 146         // Test form and ensure user is created
 147         $resp = $this->get('/register')
 148             ->assertSee('Sign Up');
 149         $this->withHtml($resp)->assertElementContains('form[action="' . url('/register') . '"]', 'Create Account');
 150
 151         $resp = $this->post('/register', $user->only('password', 'name', 'email'));
 152         $resp->assertRedirect('/');
 153
 154         $resp = $this->get('/');
 155         $resp->assertOk();
 156         $resp->assertSee($user->name);
 157
 158         $this->assertDatabaseHas('users', ['name' => $user->name, 'email' => $user->email]);
 159
 160         $user = User::query()->where('email', '=', $user->email)->first();
 161         $this->assertEquals(1, $user->roles()->count());
 162         $this->assertEquals($registrationRole->id, $user->roles()->first()->id);
 163     }
 164
 165     public function test_empty_registration_redirects_back_with_errors()
 166     {
 167         // Set settings and get user instance
 168         $this->setSettings(['registration-enabled' => 'true']);
 169
 170         // Test form and ensure user is created
 171         $this->get('/register');
 172         $this->post('/register', [])->assertRedirect('/register');
 173         $this->get('/register')->assertSee('The name field is required');
 174     }
 175
 176     public function test_registration_validation()
 177     {
 178         $this->setSettings(['registration-enabled' => 'true']);
 179
 180         $this->get('/register');
 181         $resp = $this->followingRedirects()->post('/register', [
 182             'name'     => '1',
 183             'email'    => '1',
 184             'password' => '1',
 185         ]);
 186         $resp->assertSee('The name must be at least 2 characters.');
 187         $resp->assertSee('The email must be a valid email address.');
 188         $resp->assertSee('The password must be at least 8 characters.');
 189     }
 190
 191     public function test_registration_simple_honeypot_active()
 192     {
 193         $this->setSettings(['registration-enabled' => 'true']);
 194
 195         $resp = $this->get('/register');
 196         $this->withHtml($resp)->assertElementExists('form input[name="username"]');
 197
 198         $resp = $this->post('/register', [
 199             'name' => 'Barry',
 200             'email' => '[email protected]',
 201             'password' => 'barryIsTheBestBot',
 202             'username' => 'MyUsername'
 203         ]);
 204         $resp->assertRedirect('/register');
 205
 206         $resp = $this->followRedirects($resp);
 207         $this->withHtml($resp)->assertElementExists('form input[name="username"].text-neg');
 208     }
 209
 210     public function test_registration_endpoint_throttled()
 211     {
 212         $this->setSettings(['registration-enabled' => 'true']);
 213
 214         for ($i = 0; $i < 11; $i++) {
 215             $response = $this->post('/register/', [
 216                 'name' => "Barry{$i}",
 217                 'email' => "barry{$i}@example.com",
 218                 'password' => "barryIsTheBest{$i}",
 219             ]);
 220             auth()->logout();
 221         }
 222
 223         $response->assertStatus(429);
 224     }
 225
 226     public function test_registration_confirmation_throttled()
 227     {
 228         $this->setSettings(['registration-enabled' => 'true']);
 229
 230         for ($i = 0; $i < 11; $i++) {
 231             $response = $this->post('/register/confirm/accept', [
 232                 'token' => "token{$i}",
 233             ]);
 234         }
 235
 236         $response->assertStatus(429);
 237     }
 238
 239     public function test_registration_confirmation_resend()
 240     {
 241         Notification::fake();
 242         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 243         $user = User::factory()->make();
 244
 245         $resp = $this->post('/register', $user->only('name', 'email', 'password'));
 246         $resp->assertRedirect('/register/confirm');
 247         $dbUser = User::query()->where('email', '=', $user->email)->first();
 248
 249         $resp = $this->post('/login', ['email' => $user->email, 'password' => $user->password]);
 250         $resp->assertRedirect('/register/confirm/awaiting');
 251
 252         $resp = $this->post('/register/confirm/resend');
 253         $resp->assertRedirect('/register/confirm');
 254         Notification::assertSentToTimes($dbUser, ConfirmEmailNotification::class, 2);
 255     }
 256
 257     public function test_registration_confirmation_expired_resend()
 258     {
 259         Notification::fake();
 260         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 261         $user = User::factory()->make();
 262
 263         $resp = $this->post('/register', $user->only('name', 'email', 'password'));
 264         $resp->assertRedirect('/register/confirm');
 265         $dbUser = User::query()->where('email', '=', $user->email)->first();
 266
 267         $resp = $this->post('/login', ['email' => $user->email, 'password' => $user->password]);
 268         $resp->assertRedirect('/register/confirm/awaiting');
 269
 270         $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
 271         $this->travel(2)->days();
 272
 273         $resp = $this->post("/register/confirm/accept", [
 274             'token' => $emailConfirmation->token,
 275         ]);
 276         $resp->assertRedirect('/register/confirm');
 277         $this->assertSessionError('The confirmation token has expired, A new confirmation email has been sent.');
 278
 279         Notification::assertSentToTimes($dbUser, ConfirmEmailNotification::class, 2);
 280     }
 281
 282     public function test_registration_confirmation_awaiting_and_resend_returns_to_log_if_no_login_attempt_user_found()
 283     {
 284         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 285
 286         $this->get('/register/confirm/awaiting')->assertRedirect('/login');
 287         $this->assertSessionError('A user for this action could not be found.');
 288         $this->flushSession();
 289
 290         $this->post('/register/confirm/resend')->assertRedirect('/login');
 291         $this->assertSessionError('A user for this action could not be found.');
 292     }
 293 }