]> BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added login throttling test, updated reset-pw test method names
[bookstack] / tests / Auth / AuthTest.php
1 <?php
2
3 namespace Tests\Auth;
4
5 use BookStack\Auth\Access\Mfa\MfaSession;
6 use BookStack\Entities\Models\Page;
7 use Illuminate\Testing\TestResponse;
8 use Tests\TestCase;
9
10 class AuthTest extends TestCase
11 {
12     public function test_auth_working()
13     {
14         $this->get('/')->assertRedirect('/login');
15     }
16
17     public function test_login()
18     {
19         $this->login('[email protected]', 'password')->assertRedirect('/');
20     }
21
22     public function test_public_viewing()
23     {
24         $this->setSettings(['app-public' => 'true']);
25         $this->get('/')
26             ->assertOk()
27             ->assertSee('Log in');
28     }
29
30     public function test_sign_up_link_on_login()
31     {
32         $this->get('/login')->assertDontSee('Sign up');
33
34         $this->setSettings(['registration-enabled' => 'true']);
35
36         $this->get('/login')->assertSee('Sign up');
37     }
38
39     public function test_logout()
40     {
41         $this->asAdmin()->get('/')->assertOk();
42         $this->post('/logout')->assertRedirect('/');
43         $this->get('/')->assertRedirect('/login');
44     }
45
46     public function test_mfa_session_cleared_on_logout()
47     {
48         $user = $this->getEditor();
49         $mfaSession = $this->app->make(MfaSession::class);
50
51         $mfaSession->markVerifiedForUser($user);
52         $this->assertTrue($mfaSession->isVerifiedForUser($user));
53
54         $this->asAdmin()->post('/logout');
55         $this->assertFalse($mfaSession->isVerifiedForUser($user));
56     }
57
58     public function test_login_redirects_to_initially_requested_url_correctly()
59     {
60         config()->set('app.url', 'http://localhost');
61         /** @var Page $page */
62         $page = Page::query()->first();
63
64         $this->get($page->getUrl())->assertRedirect(url('/login'));
65         $this->login('[email protected]', 'password')
66             ->assertRedirect($page->getUrl());
67     }
68
69     public function test_login_intended_redirect_does_not_redirect_to_external_pages()
70     {
71         config()->set('app.url', 'http://localhost');
72         $this->setSettings(['app-public' => true]);
73
74         $this->get('/login', ['referer' => 'https://example.com']);
75         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
76
77         $login->assertRedirect('http://localhost');
78     }
79
80     public function test_login_intended_redirect_does_not_factor_mfa_routes()
81     {
82         $this->get('/books')->assertRedirect('/login');
83         $this->get('/mfa/setup')->assertRedirect('/login');
84         $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
85         $login->assertRedirect('/books');
86     }
87
88     public function test_login_authenticates_admins_on_all_guards()
89     {
90         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
91         $this->assertTrue(auth()->check());
92         $this->assertTrue(auth('ldap')->check());
93         $this->assertTrue(auth('saml2')->check());
94         $this->assertTrue(auth('oidc')->check());
95     }
96
97     public function test_login_authenticates_nonadmins_on_default_guard_only()
98     {
99         $editor = $this->getEditor();
100         $editor->password = bcrypt('password');
101         $editor->save();
102
103         $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
104         $this->assertTrue(auth()->check());
105         $this->assertFalse(auth('ldap')->check());
106         $this->assertFalse(auth('saml2')->check());
107         $this->assertFalse(auth('oidc')->check());
108     }
109
110     public function test_failed_logins_are_logged_when_message_configured()
111     {
112         $log = $this->withTestLogger();
113         config()->set(['logging.failed_login.message' => 'Failed login for %u']);
114
115         $this->post('/login', ['email' => '[email protected]', 'password' => 'cattreedog']);
116         $this->assertTrue($log->hasWarningThatContains('Failed login for [email protected]'));
117
118         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
119         $this->assertFalse($log->hasWarningThatContains('Failed login for [email protected]'));
120     }
121
122     public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
123     {
124         $this->setSettings(['registration-confirmation' => 'true']);
125         $user = $this->getEditor();
126         $user->email_confirmed = false;
127         $user->save();
128
129         auth()->login($user);
130         $this->assertTrue(auth()->check());
131
132         $this->get('/books')->assertRedirect('/');
133         $this->assertFalse(auth()->check());
134     }
135
136     public function test_login_attempts_are_rate_limited()
137     {
138         for ($i = 0; $i < 5; $i++) {
139             $resp = $this->login('[email protected]', 'pw123');
140         }
141         $resp = $this->followRedirects($resp);
142         $resp->assertSee('These credentials do not match our records.');
143
144         // Check the fifth attempt provides a lockout response
145         $resp = $this->followRedirects($this->login('[email protected]', 'pw123'));
146         $resp->assertSee('Too many login attempts. Please try again in');
147     }
148
149     /**
150      * Perform a login.
151      */
152     protected function login(string $email, string $password): TestResponse
153     {
154         return $this->post('/login', compact('email', 'password'));
155     }
156 }
The core source code for the BookStack project.