BookStack Code Mirror - bookstack/blob - tests/Auth/ResetPasswordTest.php

   1 <?php
   2
   3 namespace Tests\Auth;
   4
   5 use BookStack\Access\Notifications\ResetPasswordNotification;
   6 use BookStack\Users\Models\User;
   7 use Carbon\CarbonInterval;
   8 use Illuminate\Support\Facades\Notification;
   9 use Illuminate\Support\Sleep;
  10 use Tests\TestCase;
  11
  12 class ResetPasswordTest extends TestCase
  13 {
  14     protected function setUp(): void
  15     {
  16         parent::setUp();
  17         Sleep::fake();
  18     }
  19
  20     public function test_reset_flow()
  21     {
  22         Notification::fake();
  23
  24         $resp = $this->get('/login');
  25         $this->withHtml($resp)->assertElementContains('a[href="' . url('/password/email') . '"]', 'Forgot Password?');
  26
  27         $resp = $this->get('/password/email');
  28         $this->withHtml($resp)->assertElementContains('form[action="' . url('/password/email') . '"]', 'Send Reset Link');
  29
  30         $resp = $this->post('/password/email', [
  31             'email' => '[email protected]',
  32         ]);
  33         $resp->assertRedirect('/password/email');
  34
  35         $resp = $this->get('/password/email');
  36         $resp->assertSee('A password reset link will be sent to [email protected] if that email address is found in the system.');
  37
  38         $this->assertDatabaseHas('password_resets', [
  39             'email' => '[email protected]',
  40         ]);
  41
  42         /** @var User $user */
  43         $user = User::query()->where('email', '=', '[email protected]')->first();
  44
  45         Notification::assertSentTo($user, ResetPasswordNotification::class);
  46         $n = Notification::sent($user, ResetPasswordNotification::class);
  47
  48         $this->get('/password/reset/' . $n->first()->token)
  49             ->assertOk()
  50             ->assertSee('Reset Password');
  51
  52         $resp = $this->post('/password/reset', [
  53             'email'                 => '[email protected]',
  54             'password'              => 'randompass',
  55             'password_confirmation' => 'randompass',
  56             'token'                 => $n->first()->token,
  57         ]);
  58         $resp->assertRedirect('/');
  59
  60         $this->get('/')->assertSee('Your password has been successfully reset');
  61     }
  62
  63     public function test_reset_flow_shows_success_message_even_if_wrong_password_to_prevent_user_discovery()
  64     {
  65         $this->get('/password/email');
  66         $resp = $this->followingRedirects()->post('/password/email', [
  67             'email' => '[email protected]',
  68         ]);
  69         $resp->assertSee('A password reset link will be sent to [email protected] if that email address is found in the system.');
  70         $resp->assertDontSee('We can\'t find a user');
  71
  72         $this->get('/password/reset/arandometokenvalue')->assertSee('Reset Password');
  73         $resp = $this->post('/password/reset', [
  74             'email'                 => '[email protected]',
  75             'password'              => 'randompass',
  76             'password_confirmation' => 'randompass',
  77             'token'                 => 'arandometokenvalue',
  78         ]);
  79         $resp->assertRedirect('/password/reset/arandometokenvalue');
  80
  81         $this->get('/password/reset/arandometokenvalue')
  82             ->assertDontSee('We can\'t find a user')
  83             ->assertSee('The password reset token is invalid for this email address.');
  84     }
  85
  86     public function test_reset_request_with_not_found_user_still_has_delay()
  87     {
  88         $this->followingRedirects()->post('/password/email', [
  89             'email' => '[email protected]',
  90         ]);
  91
  92         Sleep::assertSlept(function (CarbonInterval $duration): bool {
  93             return $duration->totalMilliseconds > 999;
  94         }, 1);
  95     }
  96
  97     public function test_reset_page_shows_sign_links()
  98     {
  99         $this->setSettings(['registration-enabled' => 'true']);
 100         $resp = $this->get('/password/email');
 101         $this->withHtml($resp)->assertElementContains('a', 'Log in')
 102             ->assertElementContains('a', 'Sign up');
 103     }
 104
 105     public function test_reset_request_is_throttled()
 106     {
 107         $editor = $this->users->editor();
 108         Notification::fake();
 109         $this->get('/password/email');
 110         $this->followingRedirects()->post('/password/email', [
 111             'email' => $editor->email,
 112         ]);
 113
 114         $resp = $this->followingRedirects()->post('/password/email', [
 115             'email' => $editor->email,
 116         ]);
 117         Notification::assertSentTimes(ResetPasswordNotification::class, 1);
 118         $resp->assertSee('A password reset link will be sent to ' . $editor->email . ' if that email address is found in the system.');
 119     }
 120
 121     public function test_reset_request_with_not_found_user_is_throttled()
 122     {
 123         for ($i = 0; $i < 11; $i++) {
 124             $response = $this->post('/password/email', [
 125                 'email' => '[email protected]',
 126             ]);
 127         }
 128
 129         $response->assertStatus(429);
 130     }
 131
 132     public function test_reset_call_is_throttled()
 133     {
 134         for ($i = 0; $i < 11; $i++) {
 135             $response = $this->post('/password/reset', [
 136                 'email' => "arandomuser{$i}@example.com",
 137                 'token' => "randomtoken{$i}",
 138             ]);
 139         }
 140
 141         $response->assertStatus(429);
 142     }
 143 }