]> BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix English translations
[bookstack] / tests / Auth / AuthTest.php
1 <?php namespace Tests\Auth;
2
3 use BookStack\Auth\Role;
4 use BookStack\Auth\User;
5 use BookStack\Entities\Page;
6 use BookStack\Notifications\ConfirmEmail;
7 use BookStack\Notifications\ResetPassword;
8 use BookStack\Settings\SettingService;
9 use DB;
10 use Hash;
11 use Illuminate\Support\Facades\Notification;
12 use Tests\BrowserKitTest;
13
14 class AuthTest extends BrowserKitTest
15 {
16
17     public function test_auth_working()
18     {
19         $this->visit('/')
20             ->seePageIs('/login');
21     }
22
23     public function test_login()
24     {
25         $this->login('[email protected]', 'password')
26             ->seePageIs('/');
27     }
28
29     public function test_public_viewing()
30     {
31         $settings = app(SettingService::class);
32         $settings->put('app-public', 'true');
33         $this->visit('/')
34             ->seePageIs('/')
35             ->see('Log In');
36     }
37
38     public function test_registration_showing()
39     {
40         // Ensure registration form is showing
41         $this->setSettings(['registration-enabled' => 'true']);
42         $this->visit('/login')
43             ->see('Sign up')
44             ->click('Sign up')
45             ->seePageIs('/register');
46     }
47
48     public function test_normal_registration()
49     {
50         // Set settings and get user instance
51         $this->setSettings(['registration-enabled' => 'true']);
52         $user = factory(User::class)->make();
53
54         // Test form and ensure user is created
55         $this->visit('/register')
56             ->see('Sign Up')
57             ->type($user->name, '#name')
58             ->type($user->email, '#email')
59             ->type($user->password, '#password')
60             ->press('Create Account')
61             ->seePageIs('/')
62             ->see($user->name)
63             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email]);
64     }
65
66     public function test_empty_registration_redirects_back_with_errors()
67     {
68         // Set settings and get user instance
69         $this->setSettings(['registration-enabled' => 'true']);
70
71         // Test form and ensure user is created
72         $this->visit('/register')
73             ->press('Create Account')
74             ->see('The name field is required')
75             ->seePageIs('/register');
76     }
77
78     public function test_registration_validation()
79     {
80         $this->setSettings(['registration-enabled' => 'true']);
81
82         $this->visit('/register')
83             ->type('1', '#name')
84             ->type('1', '#email')
85             ->type('1', '#password')
86             ->press('Create Account')
87             ->see('The name must be at least 2 characters.')
88             ->see('The email must be a valid email address.')
89             ->see('The password must be at least 8 characters.')
90             ->seePageIs('/register');
91     }
92
93     public function test_sign_up_link_on_login()
94     {
95         $this->visit('/login')
96             ->dontSee('Sign up');
97
98         $this->setSettings(['registration-enabled' => 'true']);
99
100         $this->visit('/login')
101             ->see('Sign up');
102     }
103
104     public function test_confirmed_registration()
105     {
106         // Fake notifications
107         Notification::fake();
108
109         // Set settings and get user instance
110         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
111         $user = factory(User::class)->make();
112
113         // Go through registration process
114         $this->visit('/register')
115             ->see('Sign Up')
116             ->type($user->name, '#name')
117             ->type($user->email, '#email')
118             ->type($user->password, '#password')
119             ->press('Create Account')
120             ->seePageIs('/register/confirm')
121             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
122
123         // Ensure notification sent
124         $dbUser = User::where('email', '=', $user->email)->first();
125         Notification::assertSentTo($dbUser, ConfirmEmail::class);
126
127         // Test access and resend confirmation email
128         $this->login($user->email, $user->password)
129             ->seePageIs('/register/confirm/awaiting')
130             ->see('Resend')
131             ->visit('/books')
132             ->seePageIs('/register/confirm/awaiting')
133             ->press('Resend Confirmation Email');
134
135         // Get confirmation and confirm notification matches
136         $emailConfirmation = DB::table('email_confirmations')->where('user_id', '=', $dbUser->id)->first();
137         Notification::assertSentTo($dbUser, ConfirmEmail::class, function($notification, $channels) use ($emailConfirmation) {
138             return $notification->token === $emailConfirmation->token;
139         });
140         
141         // Check confirmation email confirmation activation.
142         $this->visit('/register/confirm/' . $emailConfirmation->token)
143             ->seePageIs('/')
144             ->see($user->name)
145             ->notSeeInDatabase('email_confirmations', ['token' => $emailConfirmation->token])
146             ->seeInDatabase('users', ['name' => $dbUser->name, 'email' => $dbUser->email, 'email_confirmed' => true]);
147     }
148
149     public function test_restricted_registration()
150     {
151         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true', 'registration-restrict' => 'example.com']);
152         $user = factory(User::class)->make();
153         // Go through registration process
154         $this->visit('/register')
155             ->type($user->name, '#name')
156             ->type($user->email, '#email')
157             ->type($user->password, '#password')
158             ->press('Create Account')
159             ->seePageIs('/register')
160             ->dontSeeInDatabase('users', ['email' => $user->email])
161             ->see('That email domain does not have access to this application');
162
163         $user->email = '[email protected]';
164
165         $this->visit('/register')
166             ->type($user->name, '#name')
167             ->type($user->email, '#email')
168             ->type($user->password, '#password')
169             ->press('Create Account')
170             ->seePageIs('/register/confirm')
171             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
172
173         $this->visit('/')->seePageIs('/login')
174             ->type($user->email, '#email')
175             ->type($user->password, '#password')
176             ->press('Log In')
177             ->seePageIs('/register/confirm/awaiting')
178             ->seeText('Email Address Not Confirmed');
179     }
180
181     public function test_restricted_registration_with_confirmation_disabled()
182     {
183         $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'false', 'registration-restrict' => 'example.com']);
184         $user = factory(User::class)->make();
185         // Go through registration process
186         $this->visit('/register')
187             ->type($user->name, '#name')
188             ->type($user->email, '#email')
189             ->type($user->password, '#password')
190             ->press('Create Account')
191             ->seePageIs('/register')
192             ->dontSeeInDatabase('users', ['email' => $user->email])
193             ->see('That email domain does not have access to this application');
194
195         $user->email = '[email protected]';
196
197         $this->visit('/register')
198             ->type($user->name, '#name')
199             ->type($user->email, '#email')
200             ->type($user->password, '#password')
201             ->press('Create Account')
202             ->seePageIs('/register/confirm')
203             ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
204
205         $this->visit('/')->seePageIs('/login')
206             ->type($user->email, '#email')
207             ->type($user->password, '#password')
208             ->press('Log In')
209             ->seePageIs('/register/confirm/awaiting')
210             ->seeText('Email Address Not Confirmed');
211     }
212
213     public function test_user_creation()
214     {
215         $user = factory(User::class)->make();
216         $adminRole = Role::getRole('admin');
217
218         $this->asAdmin()
219             ->visit('/settings/users')
220             ->click('Add New User')
221             ->type($user->name, '#name')
222             ->type($user->email, '#email')
223             ->check("roles[{$adminRole->id}]")
224             ->type($user->password, '#password')
225             ->type($user->password, '#password-confirm')
226             ->press('Save')
227             ->seePageIs('/settings/users')
228             ->seeInDatabase('users', $user->toArray())
229             ->see($user->name);
230     }
231
232     public function test_user_updating()
233     {
234         $user = $this->getNormalUser();
235         $password = $user->password;
236         $this->asAdmin()
237             ->visit('/settings/users')
238             ->click($user->name)
239             ->seePageIs('/settings/users/' . $user->id)
240             ->see($user->email)
241             ->type('Barry Scott', '#name')
242             ->press('Save')
243             ->seePageIs('/settings/users')
244             ->seeInDatabase('users', ['id' => $user->id, 'name' => 'Barry Scott', 'password' => $password])
245             ->notSeeInDatabase('users', ['name' => $user->name]);
246     }
247
248     public function test_user_password_update()
249     {
250         $user = $this->getNormalUser();
251         $userProfilePage = '/settings/users/' . $user->id;
252         $this->asAdmin()
253             ->visit($userProfilePage)
254             ->type('newpassword', '#password')
255             ->press('Save')
256             ->seePageIs($userProfilePage)
257             ->see('Password confirmation required')
258
259             ->type('newpassword', '#password')
260             ->type('newpassword', '#password-confirm')
261             ->press('Save')
262             ->seePageIs('/settings/users');
263
264             $userPassword = User::find($user->id)->password;
265             $this->assertTrue(Hash::check('newpassword', $userPassword));
266     }
267
268     public function test_user_deletion()
269     {
270         $userDetails = factory(User::class)->make();
271         $user = $this->getEditor($userDetails->toArray());
272
273         $this->asAdmin()
274             ->visit('/settings/users/' . $user->id)
275             ->click('Delete User')
276             ->see($user->name)
277             ->press('Confirm')
278             ->seePageIs('/settings/users')
279             ->notSeeInDatabase('users', ['name' => $user->name]);
280     }
281
282     public function test_user_cannot_be_deleted_if_last_admin()
283     {
284         $adminRole = Role::getRole('admin');
285
286         // Delete all but one admin user if there are more than one
287         $adminUsers = $adminRole->users;
288         if (count($adminUsers) > 1) {
289             foreach ($adminUsers->splice(1) as $user) {
290                 $user->delete();
291             }
292         }
293
294         // Ensure we currently only have 1 admin user
295         $this->assertEquals(1, $adminRole->users()->count());
296         $user = $adminRole->users->first();
297
298         $this->asAdmin()->visit('/settings/users/' . $user->id)
299             ->click('Delete User')
300             ->press('Confirm')
301             ->seePageIs('/settings/users/' . $user->id)
302             ->see('You cannot delete the only admin');
303     }
304
305     public function test_logout()
306     {
307         $this->asAdmin()
308             ->visit('/')
309             ->seePageIs('/')
310             ->visit('/logout')
311             ->visit('/')
312             ->seePageIs('/login');
313     }
314
315     public function test_reset_password_flow()
316     {
317         Notification::fake();
318
319         $this->visit('/login')->click('Forgot Password?')
320             ->seePageIs('/password/email')
321             ->type('[email protected]', 'email')
322             ->press('Send Reset Link')
323             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.');
324
325         $this->seeInDatabase('password_resets', [
326             'email' => '[email protected]'
327         ]);
328
329         $user = User::where('email', '=', '[email protected]')->first();
330
331         Notification::assertSentTo($user, ResetPassword::class);
332         $n = Notification::sent($user, ResetPassword::class);
333
334         $this->visit('/password/reset/' . $n->first()->token)
335             ->see('Reset Password')
336             ->submitForm('Reset Password', [
337                 'email' => '[email protected]',
338                 'password' => 'randompass',
339                 'password_confirmation' => 'randompass'
340             ])->seePageIs('/')
341             ->see('Your password has been successfully reset');
342     }
343
344     public function test_reset_password_flow_shows_success_message_even_if_wrong_password_to_prevent_user_discovery()
345     {
346         $this->visit('/login')->click('Forgot Password?')
347             ->seePageIs('/password/email')
348             ->type('[email protected]', 'email')
349             ->press('Send Reset Link')
350             ->see('A password reset link will be sent to [email protected] if that email address is found in the system.')
351             ->dontSee('We can\'t find a user');
352
353
354         $this->visit('/password/reset/arandometokenvalue')
355             ->see('Reset Password')
356             ->submitForm('Reset Password', [
357                 'email' => '[email protected]',
358                 'password' => 'randompass',
359                 'password_confirmation' => 'randompass'
360             ])->followRedirects()
361             ->seePageIs('/password/reset/arandometokenvalue')
362             ->dontSee('We can\'t find a user')
363             ->see('The password reset token is invalid for this email address.');
364     }
365
366     public function test_reset_password_page_shows_sign_links()
367     {
368         $this->setSettings(['registration-enabled' => 'true']);
369         $this->visit('/password/email')
370             ->seeLink('Log in')
371             ->seeLink('Sign up');
372     }
373
374     public function test_login_redirects_to_initially_requested_url_correctly()
375     {
376         config()->set('app.url', 'http://localhost');
377         $page = Page::query()->first();
378
379         $this->visit($page->getUrl())
380             ->seePageUrlIs(url('/login'));
381         $this->login('[email protected]', 'password')
382             ->seePageUrlIs($page->getUrl());
383     }
384
385     public function test_login_intended_redirect_does_not_redirect_to_external_pages()
386     {
387         config()->set('app.url', 'http://localhost');
388         $this->setSettings(['app-public' => true]);
389
390         $this->get('/login', ['referer' => 'https://example.com']);
391         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
392
393         $login->assertRedirectedTo('http://localhost');
394     }
395
396     public function test_login_authenticates_admins_on_all_guards()
397     {
398         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
399         $this->assertTrue(auth()->check());
400         $this->assertTrue(auth('ldap')->check());
401         $this->assertTrue(auth('saml2')->check());
402     }
403
404     public function test_login_authenticates_nonadmins_on_default_guard_only()
405     {
406         $editor = $this->getEditor();
407         $editor->password = bcrypt('password');
408         $editor->save();
409
410         $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
411         $this->assertTrue(auth()->check());
412         $this->assertFalse(auth('ldap')->check());
413         $this->assertFalse(auth('saml2')->check());
414     }
415
416     public function test_failed_logins_are_logged_when_message_configured()
417     {
418         $log = $this->withTestLogger();
419         config()->set(['logging.failed_login.message' => 'Failed login for %u']);
420
421         $this->post('/login', ['email' => '[email protected]', 'password' => 'cattreedog']);
422         $this->assertTrue($log->hasWarningThatContains('Failed login for [email protected]'));
423
424         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
425         $this->assertFalse($log->hasWarningThatContains('Failed login for [email protected]'));
426     }
427
428     /**
429      * Perform a login
430      */
431     protected function login(string $email, string $password): AuthTest
432     {
433         return $this->visit('/login')
434             ->type($email, '#email')
435             ->type($password, '#password')
436             ->press('Log In');
437     }
438 }
The core source code for the BookStack project.