
protected function CookieResourceTestTrait::assertAuthenticationEdgeCases in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php \Drupal\Tests\rest\Functional\CookieResourceTestTrait::assertAuthenticationEdgeCases()

File

core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php, line 126

Class

CookieResourceTestTrait
Trait for ResourceTestBase subclasses testing $auth=cookie.

Namespace

Drupal\Tests\rest\Functional

Code

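/**
 * Asserts that unsafe requests are rejected without a valid X-CSRF-Token.
 *
 * For every method other than HEAD, GET, OPTIONS and TRACE the request is
 * sent twice: once with the X-CSRF-Token header removed and once with a
 * bogus value. Both must produce a 403 whose message tells the developer
 * which of the two problems occurred.
 *
 * @param string $method
 *   The HTTP method under test, matched against upper-case method names.
 * @param Url $url
 *   The URL the requests are sent to.
 * @param array $request_options
 *   Request options passed through to $this->request(). Received by value,
 *   so the header changes made here never reach the caller's array.
 */
protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {
  // X-CSRF-Token request header is unnecessary for safe and side effect-free
  // HTTP methods. No need for additional assertions.
  // @see https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
  // (RFC 2616 has since been superseded; RFC 9110 keeps the same four safe
  // methods.)
  $safe_methods = ['HEAD', 'GET', 'OPTIONS', 'TRACE'];

  // Strict comparison on purpose: with a loose in_array() a non-string
  // $method such as TRUE compares equal to 'HEAD', and the CSRF assertions
  // below would be skipped without any test failure.
  if (in_array($method, $safe_methods, TRUE)) {
    return;
  }

  // DX: 403 when missing X-CSRF-Token request header.
  unset($request_options[RequestOptions::HEADERS]['X-CSRF-Token']);
  $response = $this->request($method, $url, $request_options);
  $this->assertResourceErrorResponse(403, 'X-CSRF-Token request header is missing', $response);

  // DX: 403 when invalid X-CSRF-Token request header.
  $request_options[RequestOptions::HEADERS]['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
  $response = $this->request($method, $url, $request_options);
  $this->assertResourceErrorResponse(403, 'X-CSRF-Token request header is invalid', $response);

  // The original ended by writing $this->csrfToken back into
  // $request_options. Because the array is passed by value that store was
  // never observable, so it is dropped; the caller's options still hold
  // whatever token it set.
}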