BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php

   1 <?php
   2
   3 namespace Tests\Auth;
   4
   5 use BookStack\Access\Mfa\MfaSession;
   6 use Illuminate\Testing\TestResponse;
   7 use Tests\TestCase;
   8
   9 class AuthTest extends TestCase
  10 {
  11     public function test_auth_working()
  12     {
  13         $this->get('/')->assertRedirect('/login');
  14     }
  15
  16     public function test_login()
  17     {
  18         $this->login('[email protected]', 'password')->assertRedirect('/');
  19     }
  20
  21     public function test_public_viewing()
  22     {
  23         $this->setSettings(['app-public' => 'true']);
  24         $this->get('/')
  25             ->assertOk()
  26             ->assertSee('Log in');
  27     }
  28
  29     public function test_sign_up_link_on_login()
  30     {
  31         $this->get('/login')->assertDontSee('Sign up');
  32
  33         $this->setSettings(['registration-enabled' => 'true']);
  34
  35         $this->get('/login')->assertSee('Sign up');
  36     }
  37
  38     public function test_logout()
  39     {
  40         $this->asAdmin()->get('/')->assertOk();
  41         $this->post('/logout')->assertRedirect('/');
  42         $this->get('/')->assertRedirect('/login');
  43     }
  44
  45     public function test_mfa_session_cleared_on_logout()
  46     {
  47         $user = $this->users->editor();
  48         $mfaSession = $this->app->make(MfaSession::class);
  49
  50         $mfaSession->markVerifiedForUser($user);
  51         $this->assertTrue($mfaSession->isVerifiedForUser($user));
  52
  53         $this->asAdmin()->post('/logout');
  54         $this->assertFalse($mfaSession->isVerifiedForUser($user));
  55     }
  56
  57     public function test_login_redirects_to_initially_requested_url_correctly()
  58     {
  59         config()->set('app.url', 'http://localhost');
  60         $page = $this->entities->page();
  61
  62         $this->get($page->getUrl())->assertRedirect(url('/login'));
  63         $this->login('[email protected]', 'password')
  64             ->assertRedirect($page->getUrl());
  65     }
  66
  67     public function test_login_intended_redirect_does_not_redirect_to_external_pages()
  68     {
  69         config()->set('app.url', 'http://localhost');
  70         $this->setSettings(['app-public' => true]);
  71
  72         $this->get('/login', ['referer' => 'https://example.com']);
  73         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
  74
  75         $login->assertRedirect('http://localhost');
  76     }
  77
  78     public function test_login_intended_redirect_does_not_factor_mfa_routes()
  79     {
  80         $this->get('/books')->assertRedirect('/login');
  81         $this->get('/mfa/setup')->assertRedirect('/login');
  82         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
  83         $login->assertRedirect('/books');
  84     }
  85
  86     public function test_login_authenticates_admins_on_all_guards()
  87     {
  88         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
  89         $this->assertTrue(auth()->check());
  90         $this->assertTrue(auth('ldap')->check());
  91         $this->assertTrue(auth('saml2')->check());
  92         $this->assertTrue(auth('oidc')->check());
  93     }
  94
  95     public function test_login_authenticates_nonadmins_on_default_guard_only()
  96     {
  97         $editor = $this->users->editor();
  98         $editor->password = bcrypt('password');
  99         $editor->save();
 100
 101         $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
 102         $this->assertTrue(auth()->check());
 103         $this->assertFalse(auth('ldap')->check());
 104         $this->assertFalse(auth('saml2')->check());
 105         $this->assertFalse(auth('oidc')->check());
 106     }
 107
 108     public function test_failed_logins_are_logged_when_message_configured()
 109     {
 110         $log = $this->withTestLogger();
 111         config()->set(['logging.failed_login.message' => 'Failed login for %u']);
 112
 113         $this->post('/login', ['email' => '[email protected]', 'password' => 'cattreedog']);
 114         $this->assertTrue($log->hasWarningThatContains('Failed login for [email protected]'));
 115
 116         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
 117         $this->assertFalse($log->hasWarningThatContains('Failed login for [email protected]'));
 118     }
 119
 120     public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
 121     {
 122         $this->setSettings(['registration-confirmation' => 'true']);
 123         $user = $this->users->editor();
 124         $user->email_confirmed = false;
 125         $user->save();
 126
 127         auth()->login($user);
 128         $this->assertTrue(auth()->check());
 129
 130         $this->get('/books')->assertRedirect('/');
 131         $this->assertFalse(auth()->check());
 132     }
 133
 134     public function test_login_attempts_are_rate_limited()
 135     {
 136         for ($i = 0; $i < 5; $i++) {
 137             $resp = $this->login('[email protected]', 'pw123');
 138         }
 139         $resp = $this->followRedirects($resp);
 140         $resp->assertSee('These credentials do not match our records.');
 141
 142         // Check the fifth attempt provides a lockout response
 143         $resp = $this->followRedirects($this->login('[email protected]', 'pw123'));
 144         $resp->assertSee('Too many login attempts. Please try again in');
 145     }
 146
 147     /**
 148      * Perform a login.
 149      */
 150     protected function login(string $email, string $password): TestResponse
 151     {
 152         return $this->post('/login', compact('email', 'password'));
 153     }
 154 }