<?php
-use BookStack\EmailConfirmation;
+namespace Tests\Auth;
+
+use BookStack\Access\Mfa\MfaSession;
+use Illuminate\Testing\TestResponse;
+use Tests\TestCase;
class AuthTest extends TestCase
{
-
public function test_auth_working()
{
- $this->visit('/')
- ->seePageIs('/login');
+ $this->get('/')->assertRedirect('/login');
}
public function test_login()
{
- ->seePageIs('/');
}
public function test_public_viewing()
{
- $settings = app('BookStack\Services\SettingService');
- $settings->put('app-public', 'true');
- $this->visit('/')
- ->seePageIs('/')
- ->see('Sign In');
+ $this->setSettings(['app-public' => 'true']);
+ $this->get('/')
+ ->assertOk()
+ ->assertSee('Log in');
}
- public function test_registration_showing()
+ public function test_sign_up_link_on_login()
{
- // Ensure registration form is showing
+ $this->get('/login')->assertDontSee('Sign up');
+
$this->setSettings(['registration-enabled' => 'true']);
- $this->visit('/login')
- ->see('Sign up')
- ->click('Sign up')
- ->seePageIs('/register');
+
+ $this->get('/login')->assertSee('Sign up');
}
- public function test_normal_registration()
+ public function test_logout()
{
- // Set settings and get user instance
- $this->setSettings(['registration-enabled' => 'true']);
- $user = factory(\BookStack\User::class)->make();
-
- // Test form and ensure user is created
- $this->visit('/register')
- ->see('Sign Up')
- ->type($user->name, '#name')
- ->type($user->email, '#email')
- ->type($user->password, '#password')
- ->press('Create Account')
- ->seePageIs('/')
- ->see($user->name)
- ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email]);
+ $this->asAdmin()->get('/')->assertOk();
+ $this->post('/logout')->assertRedirect('/');
+ $this->get('/')->assertRedirect('/login');
}
+ public function test_mfa_session_cleared_on_logout()
+ {
+ $user = $this->users->editor();
+ $mfaSession = $this->app->make(MfaSession::class);
+
+ $mfaSession->markVerifiedForUser($user);
+ $this->assertTrue($mfaSession->isVerifiedForUser($user));
+
+ $this->asAdmin()->post('/logout');
+ $this->assertFalse($mfaSession->isVerifiedForUser($user));
+ }
- public function test_confirmed_registration()
+ public function test_login_redirects_to_initially_requested_url_correctly()
{
- // Set settings and get user instance
- $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
- $user = factory(\BookStack\User::class)->make();
-
- // Mock Mailer to ensure mail is being sent
- $mockMailer = Mockery::mock('Illuminate\Contracts\Mail\Mailer');
- $mockMailer->shouldReceive('send')->with('emails/email-confirmation', Mockery::type('array'), Mockery::type('callable'))->twice();
- $this->app->instance('mailer', $mockMailer);
-
- // Go through registration process
- $this->visit('/register')
- ->see('Sign Up')
- ->type($user->name, '#name')
- ->type($user->email, '#email')
- ->type($user->password, '#password')
- ->press('Create Account')
- ->seePageIs('/register/confirm')
- ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
-
- // Test access and resend confirmation email
- $this->login($user->email, $user->password)
- ->seePageIs('/register/confirm/awaiting')
- ->see('Resend')
- ->visit('/books')
- ->seePageIs('/register/confirm/awaiting')
- ->press('Resend Confirmation Email');
-
- // Get confirmation
- $user = $user->where('email', '=', $user->email)->first();
- $emailConfirmation = EmailConfirmation::where('user_id', '=', $user->id)->first();
-
-
- // Check confirmation email button and confirmation activation.
- $this->visit('/register/confirm/' . $emailConfirmation->token . '/email')
- ->see('Email Confirmation')
- ->click('Confirm Email')
- ->seePageIs('/')
- ->see($user->name)
- ->notSeeInDatabase('email_confirmations', ['token' => $emailConfirmation->token])
- ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => true]);
+ config()->set('app.url', 'http://localhost');
+ $page = $this->entities->page();
+
+ $this->get($page->getUrl())->assertRedirect(url('/login'));
+ ->assertRedirect($page->getUrl());
}
- public function test_restricted_registration()
+ public function test_login_intended_redirect_does_not_redirect_to_external_pages()
{
- $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true', 'registration-restrict' => 'example.com']);
- $user = factory(\BookStack\User::class)->make();
- // Go through registration process
- $this->visit('/register')
- ->type($user->name, '#name')
- ->type($user->email, '#email')
- ->type($user->password, '#password')
- ->press('Create Account')
- ->seePageIs('/register')
- ->dontSeeInDatabase('users', ['email' => $user->email])
- ->see('That email domain does not have access to this application');
-
-
- $this->visit('/register')
- ->type($user->name, '#name')
- ->type($user->email, '#email')
- ->type($user->password, '#password')
- ->press('Create Account')
- ->seePageIs('/register/confirm')
- ->seeInDatabase('users', ['name' => $user->name, 'email' => $user->email, 'email_confirmed' => false]);
+ config()->set('app.url', 'http://localhost');
+ $this->setSettings(['app-public' => true]);
+
+ $this->get('/login', ['referer' => 'https://example.com']);
+ $login = $this->post('/login', ['email' => '
[email protected]', 'password' => 'password']);
+
+ $login->assertRedirect('http://localhost');
}
- public function test_user_creation()
+ public function test_login_intended_redirect_does_not_factor_mfa_routes()
{
- $user = factory(\BookStack\User::class)->make();
-
- $this->asAdmin()
- ->visit('/users')
- ->click('Add new user')
- ->type($user->name, '#name')
- ->type($user->email, '#email')
- ->select(2, '#role')
- ->type($user->password, '#password')
- ->type($user->password, '#password-confirm')
- ->press('Save')
- ->seeInDatabase('users', $user->toArray())
- ->seePageIs('/users')
- ->see($user->name);
+ $this->get('/books')->assertRedirect('/login');
+ $this->get('/mfa/setup')->assertRedirect('/login');
+ $login = $this->post('/login', ['email' => '
[email protected]', 'password' => 'password']);
+ $login->assertRedirect('/books');
}
- public function test_user_updating()
+ public function test_login_authenticates_admins_on_all_guards()
{
- $user = \BookStack\User::all()->last();
- $password = $user->password;
- $this->asAdmin()
- ->visit('/users')
- ->click($user->name)
- ->seePageIs('/users/' . $user->id)
- ->see($user->email)
- ->type('Barry Scott', '#name')
- ->press('Save')
- ->seePageIs('/users')
- ->seeInDatabase('users', ['id' => $user->id, 'name' => 'Barry Scott', 'password' => $password])
- ->notSeeInDatabase('users', ['name' => $user->name]);
+ $this->assertTrue(auth()->check());
+ $this->assertTrue(auth('ldap')->check());
+ $this->assertTrue(auth('saml2')->check());
+ $this->assertTrue(auth('oidc')->check());
}
- public function test_user_password_update()
+ public function test_login_authenticates_nonadmins_on_default_guard_only()
{
- $user = \BookStack\User::all()->last();
- $userProfilePage = '/users/' . $user->id;
- $this->asAdmin()
- ->visit($userProfilePage)
- ->type('newpassword', '#password')
- ->press('Save')
- ->seePageIs($userProfilePage)
- ->see('Password confirmation required')
-
- ->type('newpassword', '#password')
- ->type('newpassword', '#password-confirm')
- ->press('Save')
- ->seePageIs('/users');
-
- $userPassword = \BookStack\User::find($user->id)->password;
- $this->assertTrue(Hash::check('newpassword', $userPassword));
+ $editor = $this->users->editor();
+ $editor->password = bcrypt('password');
+ $editor->save();
+
+ $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
+ $this->assertTrue(auth()->check());
+ $this->assertFalse(auth('ldap')->check());
+ $this->assertFalse(auth('saml2')->check());
+ $this->assertFalse(auth('oidc')->check());
}
- public function test_user_deletion()
+ public function test_failed_logins_are_logged_when_message_configured()
{
- $userDetails = factory(\BookStack\User::class)->make();
- $user = $this->getNewUser($userDetails->toArray());
-
- $this->asAdmin()
- ->visit('/users/' . $user->id)
- ->click('Delete User')
- ->see($user->name)
- ->press('Confirm')
- ->seePageIs('/users')
- ->notSeeInDatabase('users', ['name' => $user->name]);
+ $log = $this->withTestLogger();
+ config()->set(['logging.failed_login.message' => 'Failed login for %u']);
+
+ $this->post('/login', ['email' => '
[email protected]', 'password' => 'cattreedog']);
+ $this->assertTrue($log->hasWarningThatContains('Failed login for
[email protected]'));
+
+ $this->assertFalse($log->hasWarningThatContains('Failed login for
[email protected]'));
}
- public function test_user_cannot_be_deleted_if_last_admin()
+ public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
{
- $adminRole = \BookStack\Role::getRole('admin');
- // Ensure we currently only have 1 admin user
- $this->assertEquals(1, $adminRole->users()->count());
- $user = $adminRole->users->first();
-
- $this->asAdmin()->visit('/users/' . $user->id)
- ->click('Delete User')
- ->press('Confirm')
- ->seePageIs('/users/' . $user->id)
- ->see('You cannot delete the only admin');
+ $this->setSettings(['registration-confirmation' => 'true']);
+ $user = $this->users->editor();
+ $user->email_confirmed = false;
+ $user->save();
+
+ auth()->login($user);
+ $this->assertTrue(auth()->check());
+
+ $this->get('/books')->assertRedirect('/');
+ $this->assertFalse(auth()->check());
}
- public function test_logout()
+ public function test_login_attempts_are_rate_limited()
{
- $this->asAdmin()
- ->visit('/')
- ->seePageIs('/')
- ->visit('/logout')
- ->visit('/')
- ->seePageIs('/login');
+ for ($i = 0; $i < 5; $i++) {
+ }
+ $resp = $this->followRedirects($resp);
+ $resp->assertSee('These credentials do not match our records.');
+
+ // Check the fifth attempt provides a lockout response
+ $resp->assertSee('Too many login attempts. Please try again in');
}
/**
- * Perform a login
- * @param string $email
- * @param string $password
- * @return $this
+ * Perform a login.
*/
- protected function login($email, $password)
+ protected function login(string $email, string $password): TestResponse
{
- return $this->visit('/login')
- ->type($email, '#email')
- ->type($password, '#password')
- ->press('Sign In');
+ return $this->post('/login', compact('email', 'password'));
}
}
projects / bookstack / blobdiff