public function UserLoginHttpTest::doTestLogoutCsrfProtection in Drupal 10
Tests csrf protection of User Logout route for given serialization format.
File
- core/
modules/ user/ tests/ src/ Functional/ UserLoginHttpTest.php, line 465
Class
- UserLoginHttpTest
- Tests login and password reset via direct HTTP.
Namespace
Drupal\Tests\user\FunctionalCode
public function doTestLogoutCsrfProtection(string $format) : void {
$client = \Drupal::httpClient();
$login_status_url = $this
->getLoginStatusUrlString();
$account = $this
->drupalCreateUser();
$name = $account
->getAccountName();
$pass = $account->passRaw;
$response = $this
->loginRequest($name, $pass, $format);
$this
->assertEquals(200, $response
->getStatusCode());
$result_data = $this->serializer
->decode($response
->getBody(), $format);
$logout_token = $result_data['logout_token'];
// Test third party site posting to current site with logout request.
// This should not logout the current user because it lacks the CSRF
// token.
$response = $this
->logoutRequest($format);
$this
->assertEquals(403, $response
->getStatusCode());
// Ensure still logged in.
$response = $client
->get($login_status_url, [
'cookies' => $this->cookies,
]);
$this
->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
// Try with an incorrect token.
$response = $this
->logoutRequest($format, 'not-the-correct-token');
$this
->assertEquals(403, $response
->getStatusCode());
// Ensure still logged in.
$response = $client
->get($login_status_url, [
'cookies' => $this->cookies,
]);
$this
->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
// Try a logout request with correct token.
$response = $this
->logoutRequest($format, $logout_token);
$this
->assertEquals(204, $response
->getStatusCode());
// Ensure actually logged out.
$response = $client
->get($login_status_url, [
'cookies' => $this->cookies,
]);
$this
->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_OUT);
}