BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php

   1 <?php namespace Tests\Auth;
   2
   3 use BookStack\Auth\Role;
   4 use BookStack\Auth\User;
   5 use BookStack\Entities\Page;
   6 use BookStack\Notifications\ConfirmEmail;
   7 use BookStack\Notifications\ResetPassword;
   8 use BookStack\Settings\SettingService;
   9 use DB;
  10 use Hash;
  11 use Illuminate\Support\Facades\Notification;
  12 use Tests\BrowserKitTest;
  13
  14 class AuthTest extends BrowserKitTest
  15 {
  16
  17     public function test_auth_working()
  18     {
  19         $this->visit('/')
  20             ->seePageIs('/login');
  21     }
  22
  23     public function test_login()
  24     {
  25         $this->login('[email protected]', 'password')
  26             ->seePageIs('/');
  27     }
  28
  29     public function test_public_viewing()
  30     {
  31         $settings = app(SettingService::class);
  32         $settings->put('app-public', 'true');
  33         $this->visit('/')
  34             ->seePageIs('/')
  35             ->see('Log In');
  36     }
  37
  38     public function test_registration_showing()
  39     {
  40         // Ensure registration form is showing
  41         $this->setSettings(['registration-enabled' => 'true']);
  42         $this->visit('/login')
  43             ->see('Sign up')
  44             ->click('Sign up')
  45             ->seePageIs('/register');
  46     }
  47
  48     public function test_normal_registration()
  49     {
  50         // Set settings and get user instance
  51         $this->setSettings(['registration-enabled' => 'true']);
  52         $user = factory(User::class)->make();
  53
  54         // Test form and ensure user is created
  55         $this->visit('/register')
  56             ->see('Sign Up')
  57             ->type($user->name, '#name')
  58             ->type($user->email, '#email')
  59             ->type($user->password, '#password')
  60             ->press('Create Account')
  61             ->seePageIs('/')
  62             ->see($user->name)
  63             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email]);
  64     }
  65
  66     public function test_empty_registration_redirects_back_with_errors()
  67     {
  68         // Set settings and get user instance
  69         $this->setSettings(['registration-enabled' => 'true']);
  70
  71         // Test form and ensure user is created
  72         $this->visit('/register')
  73             ->press('Create Account')
  74             ->see('The name field is required')
  75             ->seePageIs('/register');
  76     }
  77
  78     public function test_registration_validation()
  79     {
  80         $this->setSettings(['registration-enabled' => 'true']);
  81
  82         $this->visit('/register')
  83             ->type('1', '#name')
  84             ->type('1', '#email')
  85             ->type('1', '#password')
  86             ->press('Create Account')
  87             ->see('The name must be at least 2 characters.')
  88             ->see('The email must be a valid email address.')
  89             ->see('The password must be at least 8 characters.')
  90             ->seePageIs('/register');
  91     }
  92
  93     public function test_sign_up_link_on_login()
  94     {
  95         $this->visit('/login')
  96             ->dontSee('Sign up');
  97
  98         $this->setSettings(['registration-enabled' => 'true']);
  99
 100         $this->visit('/login')
 101             ->see('Sign up');
 102     }
 103
 104     public function test_confirmed_registration()
 105     {
 106         // Fake notifications
 107         Notification::fake();
 108
 109         // Set settings and get user instance
 110         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
 111         $user = factory(User::class)->make();
 112
 113         // Go through registration process
 114         $this->visit('/register')
 115             ->see('Sign Up')
 116             ->type($user->name, '#name')
 117             ->type($user->email, '#email')
 118             ->type($user->password, '#password')
 119             ->press('Create Account')
 120             ->seePageIs('/register/confirm')
 121             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
 122
 123         // Ensure notification sent
 124         $dbUser = User::where('email', '=', $user->email)->first();
 125         Notification::assertSentTo($dbUser, ConfirmEmail::class);
 126
 127         // Test access and resend confirmation email
 128         $this->login($user->email, $user->password)
 129             ->seePageIs('/register/confirm/awaiting')
 130             ->see('Resend')
 131             ->visit('/books')
 132             ->seePageIs('/register/confirm/awaiting')
 133             ->press('Resend Confirmation Email');
 134
 135         // Get confirmation and confirm notification matches
 136         $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
 137         Notification::assertSentTo($dbUser, ConfirmEmail::class, function($notification, $channels) use ($emailConfirmation) {
 138             return $notification->token === $emailConfirmation->token;
 139         });
 140
 141         // Check confirmation email confirmation activation.
 142         $this->visit('/register/confirm/' . $emailConfirmation->token)
 143             ->seePageIs('/')
 144             ->see($user->name)
 145             ->notSeeInDatabase('email_confirmations', ['token' => $emailConfirmation->token])
 146             ->seeInDatabase('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
 147     }
 148
 149     public function test_restricted_registration()
 150     {
 151         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true', 'registration-restrict' => 'example.com']);
 152         $user = factory(User::class)->make();
 153         // Go through registration process
 154         $this->visit('/register')
 155             ->type($user->name, '#name')
 156             ->type($user->email, '#email')
 157             ->type($user->password, '#password')
 158             ->press('Create Account')
 159             ->seePageIs('/register')
 160             ->dontSeeInDatabase('users', ['email' => $user->email])
 161             ->see('That email domain does not have access to this application');
 162
 163         $user->email = '[email protected]';
 164
 165         $this->visit('/register')
 166             ->type($user->name, '#name')
 167             ->type($user->email, '#email')
 168             ->type($user->password, '#password')
 169             ->press('Create Account')
 170             ->seePageIs('/register/confirm')
 171             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
 172
 173         $this->visit('/')->seePageIs('/login')
 174             ->type($user->email, '#email')
 175             ->type($user->password, '#password')
 176             ->press('Log In')
 177             ->seePageIs('/register/confirm/awaiting')
 178             ->seeText('Email Address Not Confirmed');
 179     }
 180
 181     public function test_restricted_registration_with_confirmation_disabled()
 182     {
 183         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'false', 'registration-restrict' => 'example.com']);
 184         $user = factory(User::class)->make();
 185         // Go through registration process
 186         $this->visit('/register')
 187             ->type($user->name, '#name')
 188             ->type($user->email, '#email')
 189             ->type($user->password, '#password')
 190             ->press('Create Account')
 191             ->seePageIs('/register')
 192             ->dontSeeInDatabase('users', ['email' => $user->email])
 193             ->see('That email domain does not have access to this application');
 194
 195         $user->email = '[email protected]';
 196
 197         $this->visit('/register')
 198             ->type($user->name, '#name')
 199             ->type($user->email, '#email')
 200             ->type($user->password, '#password')
 201             ->press('Create Account')
 202             ->seePageIs('/register/confirm')
 203             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
 204
 205         $this->visit('/')->seePageIs('/login')
 206             ->type($user->email, '#email')
 207             ->type($user->password, '#password')
 208             ->press('Log In')
 209             ->seePageIs('/register/confirm/awaiting')
 210             ->seeText('Email Address Not Confirmed');
 211     }
 212
 213     public function test_user_creation()
 214     {
 215         $user = factory(User::class)->make();
 216
 217         $this->asAdmin()
 218             ->visit('/settings/users')
 219             ->click('Add New User')
 220             ->type($user->name, '#name')
 221             ->type($user->email, '#email')
 222             ->check('roles[admin]')
 223             ->type($user->password, '#password')
 224             ->type($user->password, '#password-confirm')
 225             ->press('Save')
 226             ->seePageIs('/settings/users')
 227             ->seeInDatabase('users', $user->toArray())
 228             ->see($user->name);
 229     }
 230
 231     public function test_user_updating()
 232     {
 233         $user = $this->getNormalUser();
 234         $password = $user->password;
 235         $this->asAdmin()
 236             ->visit('/settings/users')
 237             ->click($user->name)
 238             ->seePageIs('/settings/users/' . $user->id)
 239             ->see($user->email)
 240             ->type('Barry Scott', '#name')
 241             ->press('Save')
 242             ->seePageIs('/settings/users')
 243             ->seeInDatabase('users', ['id' => $user->id, 'name' => 'Barry Scott', 'password' => $password])
 244             ->notSeeInDatabase('users', ['name' => $user->name]);
 245     }
 246
 247     public function test_user_password_update()
 248     {
 249         $user = $this->getNormalUser();
 250         $userProfilePage = '/settings/users/' . $user->id;
 251         $this->asAdmin()
 252             ->visit($userProfilePage)
 253             ->type('newpassword', '#password')
 254             ->press('Save')
 255             ->seePageIs($userProfilePage)
 256             ->see('Password confirmation required')
 257
 258             ->type('newpassword', '#password')
 259             ->type('newpassword', '#password-confirm')
 260             ->press('Save')
 261             ->seePageIs('/settings/users');
 262
 263             $userPassword = User::find($user->id)->password;
 264             $this->assertTrue(Hash::check('newpassword', $userPassword));
 265     }
 266
 267     public function test_user_deletion()
 268     {
 269         $userDetails = factory(User::class)->make();
 270         $user = $this->getEditor($userDetails->toArray());
 271
 272         $this->asAdmin()
 273             ->visit('/settings/users/' . $user->id)
 274             ->click('Delete User')
 275             ->see($user->name)
 276             ->press('Confirm')
 277             ->seePageIs('/settings/users')
 278             ->notSeeInDatabase('users', ['name' => $user->name]);
 279     }
 280
 281     public function test_user_cannot_be_deleted_if_last_admin()
 282     {
 283         $adminRole = Role::getRole('admin');
 284
 285         // Delete all but one admin user if there are more than one
 286         $adminUsers = $adminRole->users;
 287         if (count($adminUsers) > 1) {
 288             foreach ($adminUsers->splice(1) as $user) {
 289                 $user->delete();
 290             }
 291         }
 292
 293         // Ensure we currently only have 1 admin user
 294         $this->assertEquals(1, $adminRole->users()->count());
 295         $user = $adminRole->users->first();
 296
 297         $this->asAdmin()->visit('/settings/users/' . $user->id)
 298             ->click('Delete User')
 299             ->press('Confirm')
 300             ->seePageIs('/settings/users/' . $user->id)
 301             ->see('You cannot delete the only admin');
 302     }
 303
 304     public function test_logout()
 305     {
 306         $this->asAdmin()
 307             ->visit('/')
 308             ->seePageIs('/')
 309             ->visit('/logout')
 310             ->visit('/')
 311             ->seePageIs('/login');
 312     }
 313
 314     public function test_reset_password_flow()
 315     {
 316         Notification::fake();
 317
 318         $this->visit('/login')->click('Forgot Password?')
 319             ->seePageIs('/password/email')
 320             ->type('[email protected]', 'email')
 321             ->press('Send Reset Link')
 322             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.');
 323
 324         $this->seeInDatabase('password_resets', [
 325             'email' => '[email protected]'
 326         ]);
 327
 328         $user = User::where('email', '=', '[email protected]')->first();
 329
 330         Notification::assertSentTo($user, ResetPassword::class);
 331         $n = Notification::sent($user, ResetPassword::class);
 332
 333         $this->visit('/password/reset/' . $n->first()->token)
 334             ->see('Reset Password')
 335             ->submitForm('Reset Password', [
 336                 'email' => '[email protected]',
 337                 'password' => 'randompass',
 338                 'password_confirmation' => 'randompass'
 339             ])->seePageIs('/')
 340             ->see('Your password has been successfully reset');
 341     }
 342
 343     public function test_reset_password_flow_shows_success_message_even_if_wrong_password_to_prevent_user_discovery()
 344     {
 345         $this->visit('/login')->click('Forgot Password?')
 346             ->seePageIs('/password/email')
 347             ->type('[email protected]', 'email')
 348             ->press('Send Reset Link')
 349             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.')
 350             ->dontSee('We can\'t find a user');
 351
 352
 353         $this->visit('/password/reset/arandometokenvalue')
 354             ->see('Reset Password')
 355             ->submitForm('Reset Password', [
 356                 'email' => '[email protected]',
 357                 'password' => 'randompass',
 358                 'password_confirmation' => 'randompass'
 359             ])->followRedirects()
 360             ->seePageIs('/password/reset/arandometokenvalue')
 361             ->dontSee('We can\'t find a user')
 362             ->see('The password reset token is invalid for this email address.');
 363     }
 364
 365     public function test_reset_password_page_shows_sign_links()
 366     {
 367         $this->setSettings(['registration-enabled' => 'true']);
 368         $this->visit('/password/email')
 369             ->seeLink('Log in')
 370             ->seeLink('Sign up');
 371     }
 372
 373     public function test_login_redirects_to_initially_requested_url_correctly()
 374     {
 375         config()->set('app.url', 'http://localhost');
 376         $page = Page::query()->first();
 377
 378         $this->visit($page->getUrl())
 379             ->seePageUrlIs(url('/login'));
 380         $this->login('[email protected]', 'password')
 381             ->seePageUrlIs($page->getUrl());
 382     }
 383
 384     public function test_login_authenticates_admins_on_all_guards()
 385     {
 386         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
 387         $this->assertTrue(auth()->check());
 388         $this->assertTrue(auth('ldap')->check());
 389         $this->assertTrue(auth('saml2')->check());
 390         $this->assertTrue(auth('openid')->check());
 391     }
 392
 393     public function test_login_authenticates_nonadmins_on_default_guard_only()
 394     {
 395         $editor = $this->getEditor();
 396         $editor->password = bcrypt('password');
 397         $editor->save();
 398
 399         $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
 400         $this->assertTrue(auth()->check());
 401         $this->assertFalse(auth('ldap')->check());
 402         $this->assertFalse(auth('saml2')->check());
 403         $this->assertFalse(auth('openid')->check());
 404     }
 405
 406     /**
 407      * Perform a login
 408      */
 409     protected function login(string $email, string $password): AuthTest
 410     {
 411         return $this->visit('/login')
 412             ->type($email, '#email')
 413             ->type($password, '#password')
 414             ->press('Log In');
 415     }
 416 }