CsrfRequestHeaderTest.php in Drupal 10
File
core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
View source
<?php
namespace Drupal\Tests\system\Functional;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
class CsrfRequestHeaderTest extends BrowserTestBase {
protected static $modules = [
'system',
'csrf_test',
];
protected $defaultTheme = 'stark';
public function testRouteAccess() {
$client = $this
->getHttpClient();
$csrf_token_path = 'session/token';
$route_name = 'csrf_test.protected';
$user = $this
->drupalCreateUser();
$this
->drupalLogin($user);
$csrf_token = $this
->drupalGet($csrf_token_path);
$url = Url::fromRoute($route_name)
->setAbsolute(TRUE)
->toString();
$post_options = [
'headers' => [
'Accept' => 'text/plain',
],
'http_errors' => FALSE,
];
$result = $client
->post($url, $post_options);
$this
->assertEquals(200, $result
->getStatusCode());
$post_options['cookies'] = $this
->getSessionCookies();
$result = $client
->post($url, $post_options);
$this
->assertEquals(403, $result
->getStatusCode());
$post_options['headers']['X-CSRF-Token'] = $csrf_token;
$result = $client
->post($url, $post_options);
$this
->assertEquals(200, $result
->getStatusCode());
$post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
$result = $client
->post($url, $post_options);
$this
->assertEquals(403, $result
->getStatusCode());
}
}