
public function CaptchaSessionReuseAttackTestCase::testCaptchaSessionReuseAttackDetectionOnCommentPreview in CAPTCHA 8

Tests CAPTCHA session reuse attack detection on the comment form's Preview submission.

File

tests/src/Functional/CaptchaSessionReuseAttackTestCase.php, line 26

Class

CaptchaSessionReuseAttackTestCase
Tests CAPTCHA session reusing.

Namespace

Drupal\Tests\captcha\Functional

Code

/**
 * Verifies that a solved CAPTCHA session cannot be replayed on comment preview.
 *
 * Flow: solve the Test CAPTCHA once through the comment form's 'Preview'
 * button, reload the form, overwrite the hidden captcha_sid and captcha_token
 * fields with the values captured from the first form, and submit again with
 * the same answer. The second submission must be reported as session reuse
 * and the form must still present a CAPTCHA.
 */
public function testCaptchaSessionReuseAttackDetectionOnCommentPreview() {
  // Node whose comment form is the form under test.
  $commentable = $this->drupalCreateNode();

  // Protect the comment form with the Test challenge. The persistence mode
  // (judging by the constant's name) skips the challenge once it has been
  // solved for a form instance, so a replayed sid/token pair must not inherit
  // that solved state.
  captcha_set_form_id_setting(self::COMMENT_FORM_ID, 'captcha/Test');
  $settings = $this->config('captcha.settings');
  $settings->set('persistence', CAPTCHA_PERSISTENCE_SKIP_ONCE_SUCCESSFUL_PER_FORM_INSTANCE)->save();

  // Act as an ordinary authenticated user.
  $this->drupalLogin($this->normalUser);

  // First visit: the comment form must carry a challenge.
  $reply_path = 'comment/reply/node/' . $commentable->id() . '/comment';
  $this->drupalGet($reply_path);
  $this->assertCaptchaPresence(TRUE);

  // Capture the identifiers of this CAPTCHA session before it is consumed.
  $solved_sid = $this->getCaptchaSidFromForm();
  $solved_token = $this->getCaptchaTokenFromForm();
  // Presumably the fixed answer of the 'captcha/Test' challenge; confirm
  // against the challenge definition.
  $answer = 'Test 123';

  // Legitimate submission: preview the comment with the correct answer.
  $first_post = $this->getCommentFormValues();
  $first_post['captcha_response'] = $answer;
  $this->submitForm($first_post, 'Preview');

  // The answer is accepted and the preview no longer shows a challenge.
  $this->assertCaptchaResponseAccepted();
  $this->assertCaptchaPresence(FALSE);

  // Second visit: load a fresh comment form for the same node.
  $this->drupalGet($reply_path);

  // Replace the fresh form's hidden CAPTCHA fields with the values of the
  // already-solved session, then submit the same answer again.
  // NOTE(review): only the case where sid and token are replayed together is
  // exercised here; a stale sid combined with the fresh token is not covered
  // by this method.
  $replay_post = $this->getCommentFormValues();
  $sid_field = $this->assertSession()->hiddenFieldExists('captcha_sid');
  $sid_field->setValue((string) $solved_sid);
  $token_field = $this->assertSession()->hiddenFieldExists('captcha_token');
  $token_field->setValue((string) $solved_token);
  $replay_post['captcha_response'] = $answer;
  $this->submitForm($replay_post, 'Preview');

  // The replay must be reported as a CAPTCHA session reuse attack ...
  $this->assertCaptchaSessionIdReuseAttackDetection();

  // ... and the user must be challenged again instead of being let through.
  $this->assertCaptchaPresence(TRUE);
}