]> BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'jb-l10n-fix-czech' of git://github.com/jakubboucek/BookStack into jakub...
[bookstack] / tests / Auth / AuthTest.php
1 <?php namespace Tests\Auth;
2
3 use BookStack\Auth\Role;
4 use BookStack\Auth\User;
5 use BookStack\Entities\Page;
6 use BookStack\Notifications\ConfirmEmail;
7 use BookStack\Notifications\ResetPassword;
8 use BookStack\Settings\SettingService;
9 use DB;
10 use Hash;
11 use Illuminate\Support\Facades\Notification;
12 use Tests\BrowserKitTest;
13
14 class AuthTest extends BrowserKitTest
15 {
16
17     public function test_auth_working()
18     {
19         $this->visit('/')
20             ->seePageIs('/login');
21     }
22
23     public function test_login()
24     {
25         $this->login('[email protected]', 'password')
26             ->seePageIs('/');
27     }
28
29     public function test_public_viewing()
30     {
31         $settings = app(SettingService::class);
32         $settings->put('app-public', 'true');
33         $this->visit('/')
34             ->seePageIs('/')
35             ->see('Log In');
36     }
37
38     public function test_registration_showing()
39     {
40         // Ensure registration form is showing
41         $this->setSettings(['registration-enabled' => 'true']);
42         $this->visit('/login')
43             ->see('Sign up')
44             ->click('Sign up')
45             ->seePageIs('/register');
46     }
47
48     public function test_normal_registration()
49     {
50         // Set settings and get user instance
51         $this->setSettings(['registration-enabled' => 'true']);
52         $user = factory(User::class)->make();
53
54         // Test form and ensure user is created
55         $this->visit('/register')
56             ->see('Sign Up')
57             ->type($user->name, '#name')
58             ->type($user->email, '#email')
59             ->type($user->password, '#password')
60             ->press('Create Account')
61             ->seePageIs('/')
62             ->see($user->name)
63             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email]);
64     }
65
66     public function test_empty_registration_redirects_back_with_errors()
67     {
68         // Set settings and get user instance
69         $this->setSettings(['registration-enabled' => 'true']);
70
71         // Test form and ensure user is created
72         $this->visit('/register')
73             ->press('Create Account')
74             ->see('The name field is required')
75             ->seePageIs('/register');
76     }
77
78     public function test_registration_validation()
79     {
80         $this->setSettings(['registration-enabled' => 'true']);
81
82         $this->visit('/register')
83             ->type('1', '#name')
84             ->type('1', '#email')
85             ->type('1', '#password')
86             ->press('Create Account')
87             ->see('The name must be at least 2 characters.')
88             ->see('The email must be a valid email address.')
89             ->see('The password must be at least 8 characters.')
90             ->seePageIs('/register');
91     }
92
93     public function test_sign_up_link_on_login()
94     {
95         $this->visit('/login')
96             ->dontSee('Sign up');
97
98         $this->setSettings(['registration-enabled' => 'true']);
99
100         $this->visit('/login')
101             ->see('Sign up');
102     }
103
104     public function test_confirmed_registration()
105     {
106         // Fake notifications
107         Notification::fake();
108
109         // Set settings and get user instance
110         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
111         $user = factory(User::class)->make();
112
113         // Go through registration process
114         $this->visit('/register')
115             ->see('Sign Up')
116             ->type($user->name, '#name')
117             ->type($user->email, '#email')
118             ->type($user->password, '#password')
119             ->press('Create Account')
120             ->seePageIs('/register/confirm')
121             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
122
123         // Ensure notification sent
124         $dbUser = User::where('email', '=', $user->email)->first();
125         Notification::assertSentTo($dbUser, ConfirmEmail::class);
126
127         // Test access and resend confirmation email
128         $this->login($user->email, $user->password)
129             ->seePageIs('/register/confirm/awaiting')
130             ->see('Resend')
131             ->visit('/books')
132             ->seePageIs('/register/confirm/awaiting')
133             ->press('Resend Confirmation Email');
134
135         // Get confirmation and confirm notification matches
136         $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
137         Notification::assertSentTo($dbUser, ConfirmEmail::class, function($notification, $channels) use ($emailConfirmation) {
138             return $notification->token === $emailConfirmation->token;
139         });
140         
141         // Check confirmation email confirmation activation.
142         $this->visit('/register/confirm/' . $emailConfirmation->token)
143             ->seePageIs('/')
144             ->see($user->name)
145             ->notSeeInDatabase('email_confirmations', ['token' => $emailConfirmation->token])
146             ->seeInDatabase('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
147     }
148
149     public function test_restricted_registration()
150     {
151         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true', 'registration-restrict' => 'example.com']);
152         $user = factory(User::class)->make();
153         // Go through registration process
154         $this->visit('/register')
155             ->type($user->name, '#name')
156             ->type($user->email, '#email')
157             ->type($user->password, '#password')
158             ->press('Create Account')
159             ->seePageIs('/register')
160             ->dontSeeInDatabase('users', ['email' => $user->email])
161             ->see('That email domain does not have access to this application');
162
163         $user->email = '[email protected]';
164
165         $this->visit('/register')
166             ->type($user->name, '#name')
167             ->type($user->email, '#email')
168             ->type($user->password, '#password')
169             ->press('Create Account')
170             ->seePageIs('/register/confirm')
171             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
172
173         $this->visit('/')
174             ->seePageIs('/register/confirm/awaiting');
175
176         auth()->logout();
177
178         $this->visit('/')->seePageIs('/login')
179             ->type($user->email, '#email')
180             ->type($user->password, '#password')
181             ->press('Log In')
182             ->seePageIs('/register/confirm/awaiting')
183             ->seeText('Email Address Not Confirmed');
184     }
185
186     public function test_restricted_registration_with_confirmation_disabled()
187     {
188         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'false', 'registration-restrict' => 'example.com']);
189         $user = factory(User::class)->make();
190         // Go through registration process
191         $this->visit('/register')
192             ->type($user->name, '#name')
193             ->type($user->email, '#email')
194             ->type($user->password, '#password')
195             ->press('Create Account')
196             ->seePageIs('/register')
197             ->dontSeeInDatabase('users', ['email' => $user->email])
198             ->see('That email domain does not have access to this application');
199
200         $user->email = '[email protected]';
201
202         $this->visit('/register')
203             ->type($user->name, '#name')
204             ->type($user->email, '#email')
205             ->type($user->password, '#password')
206             ->press('Create Account')
207             ->seePageIs('/register/confirm')
208             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
209
210         $this->visit('/')
211             ->seePageIs('/register/confirm/awaiting');
212
213         auth()->logout();
214         $this->visit('/')->seePageIs('/login')
215             ->type($user->email, '#email')
216             ->type($user->password, '#password')
217             ->press('Log In')
218             ->seePageIs('/register/confirm/awaiting')
219             ->seeText('Email Address Not Confirmed');
220     }
221
222     public function test_user_creation()
223     {
224         $user = factory(User::class)->make();
225         $adminRole = Role::getRole('admin');
226
227         $this->asAdmin()
228             ->visit('/settings/users')
229             ->click('Add New User')
230             ->type($user->name, '#name')
231             ->type($user->email, '#email')
232             ->check("roles[{$adminRole->id}]")
233             ->type($user->password, '#password')
234             ->type($user->password, '#password-confirm')
235             ->press('Save')
236             ->seePageIs('/settings/users')
237             ->seeInDatabase('users', $user->toArray())
238             ->see($user->name);
239     }
240
241     public function test_user_updating()
242     {
243         $user = $this->getNormalUser();
244         $password = $user->password;
245         $this->asAdmin()
246             ->visit('/settings/users')
247             ->click($user->name)
248             ->seePageIs('/settings/users/' . $user->id)
249             ->see($user->email)
250             ->type('Barry Scott', '#name')
251             ->press('Save')
252             ->seePageIs('/settings/users')
253             ->seeInDatabase('users', ['id' => $user->id, 'name' => 'Barry Scott', 'password' => $password])
254             ->notSeeInDatabase('users', ['name' => $user->name]);
255     }
256
257     public function test_user_password_update()
258     {
259         $user = $this->getNormalUser();
260         $userProfilePage = '/settings/users/' . $user->id;
261         $this->asAdmin()
262             ->visit($userProfilePage)
263             ->type('newpassword', '#password')
264             ->press('Save')
265             ->seePageIs($userProfilePage)
266             ->see('Password confirmation required')
267
268             ->type('newpassword', '#password')
269             ->type('newpassword', '#password-confirm')
270             ->press('Save')
271             ->seePageIs('/settings/users');
272
273             $userPassword = User::find($user->id)->password;
274             $this->assertTrue(Hash::check('newpassword', $userPassword));
275     }
276
277     public function test_user_deletion()
278     {
279         $userDetails = factory(User::class)->make();
280         $user = $this->getEditor($userDetails->toArray());
281
282         $this->asAdmin()
283             ->visit('/settings/users/' . $user->id)
284             ->click('Delete User')
285             ->see($user->name)
286             ->press('Confirm')
287             ->seePageIs('/settings/users')
288             ->notSeeInDatabase('users', ['name' => $user->name]);
289     }
290
291     public function test_user_cannot_be_deleted_if_last_admin()
292     {
293         $adminRole = Role::getRole('admin');
294
295         // Delete all but one admin user if there are more than one
296         $adminUsers = $adminRole->users;
297         if (count($adminUsers) > 1) {
298             foreach ($adminUsers->splice(1) as $user) {
299                 $user->delete();
300             }
301         }
302
303         // Ensure we currently only have 1 admin user
304         $this->assertEquals(1, $adminRole->users()->count());
305         $user = $adminRole->users->first();
306
307         $this->asAdmin()->visit('/settings/users/' . $user->id)
308             ->click('Delete User')
309             ->press('Confirm')
310             ->seePageIs('/settings/users/' . $user->id)
311             ->see('You cannot delete the only admin');
312     }
313
314     public function test_logout()
315     {
316         $this->asAdmin()
317             ->visit('/')
318             ->seePageIs('/')
319             ->visit('/logout')
320             ->visit('/')
321             ->seePageIs('/login');
322     }
323
324     public function test_reset_password_flow()
325     {
326         Notification::fake();
327
328         $this->visit('/login')->click('Forgot Password?')
329             ->seePageIs('/password/email')
330             ->type('[email protected]', 'email')
331             ->press('Send Reset Link')
332             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.');
333
334         $this->seeInDatabase('password_resets', [
335             'email' => '[email protected]'
336         ]);
337
338         $user = User::where('email', '=', '[email protected]')->first();
339
340         Notification::assertSentTo($user, ResetPassword::class);
341         $n = Notification::sent($user, ResetPassword::class);
342
343         $this->visit('/password/reset/' . $n->first()->token)
344             ->see('Reset Password')
345             ->submitForm('Reset Password', [
346                 'email' => '[email protected]',
347                 'password' => 'randompass',
348                 'password_confirmation' => 'randompass'
349             ])->seePageIs('/')
350             ->see('Your password has been successfully reset');
351     }
352
353     public function test_reset_password_flow_shows_success_message_even_if_wrong_password_to_prevent_user_discovery()
354     {
355         $this->visit('/login')->click('Forgot Password?')
356             ->seePageIs('/password/email')
357             ->type('[email protected]', 'email')
358             ->press('Send Reset Link')
359             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.')
360             ->dontSee('We can\'t find a user');
361
362
363         $this->visit('/password/reset/arandometokenvalue')
364             ->see('Reset Password')
365             ->submitForm('Reset Password', [
366                 'email' => '[email protected]',
367                 'password' => 'randompass',
368                 'password_confirmation' => 'randompass'
369             ])->followRedirects()
370             ->seePageIs('/password/reset/arandometokenvalue')
371             ->dontSee('We can\'t find a user')
372             ->see('The password reset token is invalid for this email address.');
373     }
374
375     public function test_reset_password_page_shows_sign_links()
376     {
377         $this->setSettings(['registration-enabled' => 'true']);
378         $this->visit('/password/email')
379             ->seeLink('Log in')
380             ->seeLink('Sign up');
381     }
382
383     public function test_login_redirects_to_initially_requested_url_correctly()
384     {
385         config()->set('app.url', 'http://localhost');
386         $page = Page::query()->first();
387
388         $this->visit($page->getUrl())
389             ->seePageUrlIs(url('/login'));
390         $this->login('[email protected]', 'password')
391             ->seePageUrlIs($page->getUrl());
392     }
393
394     public function test_login_intended_redirect_does_not_redirect_to_external_pages()
395     {
396         config()->set('app.url', 'http://localhost');
397         $this->setSettings(['app-public' => true]);
398
399         $this->get('/login', ['referer' => 'https://example.com']);
400         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
401
402         $login->assertRedirectedTo('http://localhost');
403     }
404
405     public function test_login_authenticates_admins_on_all_guards()
406     {
407         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
408         $this->assertTrue(auth()->check());
409         $this->assertTrue(auth('ldap')->check());
410         $this->assertTrue(auth('saml2')->check());
411     }
412
413     public function test_login_authenticates_nonadmins_on_default_guard_only()
414     {
415         $editor = $this->getEditor();
416         $editor->password = bcrypt('password');
417         $editor->save();
418
419         $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
420         $this->assertTrue(auth()->check());
421         $this->assertFalse(auth('ldap')->check());
422         $this->assertFalse(auth('saml2')->check());
423     }
424
425     public function test_failed_logins_are_logged_when_message_configured()
426     {
427         $log = $this->withTestLogger();
428         config()->set(['logging.failed_login.message' => 'Failed login for %u']);
429
430         $this->post('/login', ['email' => '[email protected]', 'password' => 'cattreedog']);
431         $this->assertTrue($log->hasWarningThatContains('Failed login for [email protected]'));
432
433         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
434         $this->assertFalse($log->hasWarningThatContains('Failed login for [email protected]'));
435     }
436
437     /**
438      * Perform a login
439      */
440     protected function login(string $email, string $password): AuthTest
441     {
442         return $this->visit('/login')
443             ->type($email, '#email')
444             ->type($password, '#password')
445             ->press('Log In');
446     }
447 }
The core source code for the BookStack project.