View source
<?php
namespace Drupal\Tests\user\Functional;
use Drupal\Core\Database\Database;
use Drupal\Core\Test\AssertMailTrait;
use Drupal\Core\Url;
use Drupal\language\Entity\ConfigurableLanguage;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\User;
use Drupal\user\UserInterface;
class UserPasswordResetTest extends BrowserTestBase {
use AssertMailTrait {
getMails as drupalGetMails;
}
protected $account;
protected $languageManager;
protected static $modules = [
'block',
'language',
];
protected $defaultTheme = 'stark';
protected function setUp() : void {
parent::setUp();
$config = $this
->config('system.performance');
$config
->set('cache.page.max_age', 3600);
$config
->save();
$this
->drupalPlaceBlock('system_menu_block:account');
$account = $this
->drupalCreateUser();
$this
->drupalLogin($account);
$this->account = User::load($account
->id());
$this->account->passRaw = $account->passRaw;
$this
->drupalLogout();
$account->login = REQUEST_TIME - mt_rand(10, 100000);
Database::getConnection()
->update('users_field_data')
->fields([
'login' => $account
->getLastLoginTime(),
])
->condition('uid', $account
->id())
->execute();
}
public function testUserPasswordReset() {
$this
->drupalGet(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this
->assertSession()
->statusCodeEquals(403);
$this
->drupalGet('user/password');
$long_name = $this
->randomMachineName(UserInterface::USERNAME_MAX_LENGTH + 10);
$edit = [
'name' => $long_name,
];
$this
->submitForm($edit, 'Submit');
$this
->assertCount(0, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'No e-mail was sent when requesting a password for an invalid user name.');
$this
->assertSession()
->pageTextContains("The username or email address is invalid.");
$this
->drupalGet('user/password');
$random_name = $this
->randomMachineName();
$edit = [
'name' => $random_name,
];
$this
->submitForm($edit, 'Submit');
$this
->assertNoValidPasswordReset($random_name);
$this
->drupalGet('user/password');
$long_name = $this
->randomMachineName(UserInterface::USERNAME_MAX_LENGTH) . '@example.com';
$edit = [
'name' => $long_name,
];
$this
->submitForm($edit, 'Submit');
$this
->assertNoValidPasswordReset($long_name);
$this
->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
$resetURL = $this
->getResetURL();
$this
->drupalGet($resetURL);
$this
->assertSession()
->addressEquals(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this
->assertSession()
->responseHeaderDoesNotExist('X-Drupal-Cache');
$this
->drupalGet($resetURL);
$this
->assertSession()
->responseHeaderDoesNotExist('X-Drupal-Cache');
$this
->assertSession()
->pageTextContains($this->account
->getAccountName());
$this
->assertSession()
->pageTextContains('This login can be used only once.');
$this
->assertSession()
->titleEquals('Reset password | Drupal');
$this
->submitForm([], 'Log in');
$this
->assertSession()
->linkExists('Log out');
$this
->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
$password = \Drupal::service('password_generator')
->generate();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this
->submitForm($edit, 'Save');
$this
->assertSession()
->pageTextContains('The changes have been saved.');
$this
->submitForm($edit, 'Save');
$this
->assertSession()
->pageTextContains("Your current password is missing or incorrect; it's required to change the Password.");
$this
->drupalLogout();
$this
->drupalGet($resetURL);
$this
->submitForm([], 'Log in');
$this
->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
$before = count($this
->drupalGetMails([
'id' => 'user_password_reset',
]));
$this
->drupalGet('user/password');
$edit = [
'name' => $this->account
->getEmail(),
];
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
$this
->assertCount($before + 1, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'Email sent when requesting password reset using email address.');
$resetURL = $this
->getResetURL();
$this
->drupalGet($resetURL);
$this
->submitForm([], 'Log in');
$this
->drupalGet('user/' . $this->account
->id() . '/edit');
$this
->assertSession()
->pageTextNotContains('Expected user_string to be a string, NULL given');
$this
->drupalLogout();
$timeout = $this
->config('user.settings')
->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
$_uid = $this->account
->id();
$this
->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
$this
->submitForm([], 'Log in');
$this
->assertSession()
->pageTextContains('You have tried to use a one-time login link that has expired. Please request a new one using the form below.');
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this
->drupalCreateUser()
->block();
$blocked_account
->save();
$this
->drupalGet("user/reset/" . $blocked_account
->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
$this
->assertSession()
->statusCodeEquals(403);
$this
->drupalGet('user/password');
$before = count($this
->drupalGetMails([
'id' => 'user_password_reset',
]));
$edit = [
'name' => $blocked_account
->getAccountName(),
];
$this
->submitForm($edit, 'Submit');
$this
->assertCount($before, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'No email was sent when requesting password reset for a blocked account');
$this
->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this
->submitForm($edit, 'Submit');
$old_email_reset_link = $this
->getResetURL();
$this->account
->setEmail("1" . $this->account
->getEmail());
$this->account
->save();
$this
->drupalGet($old_email_reset_link);
$this
->submitForm([], 'Log in');
$this
->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
$this
->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this
->submitForm($edit, 'Submit');
$reset_url = $this
->getResetURL();
$this
->drupalGet($reset_url . '/login');
$this
->assertSession()
->linkExists('Log out');
$this
->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
$this
->drupalLogout();
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this
->drupalCreateUser()
->block();
$blocked_account
->save();
$this
->drupalGet("user/reset/" . $blocked_account
->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this
->assertSession()
->statusCodeEquals(403);
$blocked_account
->delete();
$this
->drupalGet("user/reset/" . $blocked_account
->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this
->assertSession()
->statusCodeEquals(403);
}
public function testUserPasswordResetPreferredLanguage($setPreferredLangcode, $activeLangcode, $prefix, $visitingUrl, $expectedResetUrl, $unexpectedResetUrl) {
ConfigurableLanguage::createFromLangcode('fr')
->save();
ConfigurableLanguage::createFromLangcode('zh-hant')
->save();
$this->languageManager = \Drupal::languageManager();
$config = $this
->config('language.negotiation');
$config
->set('url.prefixes', [
'en' => '',
'fr' => 'fr',
'zh-hant' => 'zh',
])
->save();
$this
->rebuildContainer();
$this->account->preferred_langcode = $setPreferredLangcode;
$this->account
->save();
$this
->assertSame($setPreferredLangcode, $this->account
->getPreferredLangcode(FALSE));
if ($setPreferredLangcode !== 'en') {
$this
->drupalGet($prefix . '/user/password');
$this
->assertSame($activeLangcode, $this
->getSession()
->getResponseHeader('Content-language'));
$this
->assertSame('en', $this->languageManager
->getDefaultLanguage()
->getId());
}
$this
->drupalGet($visitingUrl);
$edit = [
'name' => $this->account
->getAccountName(),
];
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
$resetURL = $this
->getResetURL();
$this
->assertStringContainsString($expectedResetUrl, $resetURL);
$this
->assertStringNotContainsString($unexpectedResetUrl, $resetURL);
}
public function languagePrefixTestProvider() {
return [
'Test language prefix set as \'\', visiting default with preferred language as en' => [
'setPreferredLangcode' => 'en',
'activeLangcode' => 'en',
'prefix' => '',
'visitingUrl' => 'user/password',
'expectedResetUrl' => 'user/reset',
'unexpectedResetUrl' => 'en/user/reset',
],
'Test language prefix set as fr, visiting zh with preferred language as fr' => [
'setPreferredLangcode' => 'fr',
'activeLangcode' => 'fr',
'prefix' => 'fr',
'visitingUrl' => 'zh/user/password',
'expectedResetUrl' => 'fr/user/reset',
'unexpectedResetUrl' => 'zh/user/reset',
],
'Test language prefix set as zh, visiting zh with preferred language as \'\'' => [
'setPreferredLangcode' => '',
'activeLangcode' => 'zh-hant',
'prefix' => 'zh',
'visitingUrl' => 'zh/user/password',
'expectedResetUrl' => 'user/reset',
'unexpectedResetUrl' => 'zh/user/reset',
],
];
}
public function getResetURL() {
$_emails = $this
->drupalGetMails();
$email = end($_emails);
$urls = [];
preg_match('#.+user/reset/.+#', $email['body'], $urls);
return $urls[0];
}
public function testUserPasswordResetLoggedIn() {
$another_account = $this
->drupalCreateUser();
$this
->drupalLogin($another_account);
$this
->drupalGet('user/password');
$this
->submitForm([], 'Submit');
$resetURL = $this
->getResetURL();
$this
->drupalLogin($this->account);
$this
->drupalGet($resetURL);
$this
->assertSession()
->pageTextContains("Another user ({$this->account->getAccountName()}) is already logged into the site on this computer, but you tried to use a one-time link for user {$another_account->getAccountName()}. Please log out and try using the link again.");
$this
->assertSession()
->linkExists('log out');
$this
->assertSession()
->linkByHrefExists(Url::fromRoute('user.logout')
->toString());
$another_account
->delete();
$this
->drupalGet($resetURL);
$this
->assertSession()
->pageTextContains('The one-time login link you clicked is invalid.');
$this
->drupalLogin($this->account);
$this
->drupalGet('user/password');
$this
->submitForm([], 'Submit');
$resetURL = $this
->getResetURL();
$this
->drupalGet($resetURL);
$this
->submitForm([], 'Log in');
$password = \Drupal::service('password_generator')
->generate();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this
->submitForm($edit, 'Save');
$this
->assertSession()
->pageTextContains('The changes have been saved.');
$timestamp = REQUEST_TIME - 1;
$this
->drupalGet("user/reset/" . $this->account
->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
$this
->assertSession()
->statusCodeEquals(403);
$this
->drupalGet("user/reset/" . $this->account
->id());
$this
->assertSession()
->statusCodeEquals(403);
}
public function testUserResetPasswordTextboxFilled() {
$this
->drupalGet('user/login');
$edit = [
'name' => $this
->randomMachineName(),
'pass' => $this
->randomMachineName(),
];
$this
->drupalGet('user/login');
$this
->submitForm($edit, 'Log in');
$this
->assertSession()
->pageTextContains("Unrecognized username or password. Forgot your password?");
$this
->assertSession()
->linkExists("Forgot your password?");
$this
->assertSession()
->linkByHrefExists(Url::fromRoute('user.pass', [], [
'query' => [
'name' => $edit['name'],
],
])
->toString());
unset($edit['pass']);
$this
->drupalGet('user/password', [
'query' => [
'name' => $edit['name'],
],
]);
$this
->assertSession()
->fieldValueEquals('name', $edit['name']);
$this
->drupalGet('user/password');
$this
->assertSession()
->fieldValueNotEquals('name', $edit['name']);
}
public function testUserResetPasswordUserFloodControl() {
\Drupal::configFactory()
->getEditable('user.flood')
->set('user_limit', 3)
->save();
$edit = [
'name' => $this->account
->getAccountName(),
];
$before = count($this
->drupalGetMails([
'id' => 'user_password_reset',
]));
for ($i = 0; $i < 3; $i++) {
$this
->drupalGet('user/password');
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
}
$this
->assertCount($before + 3, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), '3 emails sent without triggering flood control.');
$this
->drupalGet('user/password');
$this
->submitForm($edit, 'Submit');
$this
->assertCount($before + 3, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'No further email was sent after triggering flood control.');
}
public function testUserResetPasswordIpFloodControl() {
\Drupal::configFactory()
->getEditable('user.flood')
->set('ip_limit', 3)
->save();
for ($i = 0; $i < 3; $i++) {
$this
->drupalGet('user/password');
$random_name = $this
->randomMachineName();
$edit = [
'name' => $random_name,
];
$this
->submitForm($edit, 'Submit');
$this
->assertNoValidPasswordReset($random_name);
$this
->assertNoPasswordIpFlood();
}
$this
->drupalGet('user/password');
$edit = [
'name' => $this
->randomMachineName(),
];
$this
->submitForm($edit, 'Submit');
$this
->assertPasswordIpFlood();
}
public function testUserResetPasswordUserFloodControlIsCleared() {
\Drupal::configFactory()
->getEditable('user.flood')
->set('user_limit', 3)
->save();
$edit = [
'name' => $this->account
->getAccountName(),
];
$before = count($this
->drupalGetMails([
'id' => 'user_password_reset',
]));
for ($i = 0; $i < 3; $i++) {
$this
->drupalGet('user/password');
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
}
$this
->assertCount($before + 3, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), '3 emails sent without triggering flood control.');
$reset_url = $this
->getResetURL();
$this
->drupalGet($reset_url . '/login');
$this
->assertSession()
->linkExists('Log out');
$this
->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
$this
->drupalLogout();
$this
->drupalGet('user/password');
$this
->submitForm($edit, 'Submit');
$this
->assertValidPasswordReset($edit['name']);
$this
->assertCount($before + 4, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'Another email was sent after clearing flood control.');
}
public function assertValidPasswordReset($name) {
$this
->assertSession()
->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
$this
->assertMail('to', $this->account
->getEmail(), 'Password e-mail sent to user.');
$subject = t('Replacement login information for @username at @site', [
'@username' => $this->account
->getAccountName(),
'@site' => \Drupal::config('system.site')
->get('name'),
]);
$this
->assertMail('subject', $subject, 'Password reset e-mail subject is correct.');
}
public function assertNoValidPasswordReset($name) {
$this
->assertSession()
->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
$this
->assertCount(0, $this
->drupalGetMails([
'id' => 'user_password_reset',
]), 'No e-mail was sent when requesting a password for an invalid account.');
}
public function assertPasswordIpFlood() {
$this
->assertSession()
->pageTextContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
}
public function assertNoPasswordIpFlood() {
$this
->assertSession()
->pageTextNotContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
}
public function testResetImpersonation() {
$edit = [];
$edit['name'] = $this
->randomMachineName();
$edit['mail'] = $edit['name'] . '@example.com';
$edit['status'] = 1;
$user1 = User::create($edit);
$user1
->save();
$edit['name'] = $this
->randomMachineName();
$user2 = User::create($edit);
$user2
->save();
Database::getConnection()
->update('users_field_data')
->fields([
'pass' => NULL,
])
->condition('uid', [
$user1
->id(),
$user2
->id(),
], 'IN')
->execute();
\Drupal::entityTypeManager()
->getStorage('user')
->resetCache();
$user1 = User::load($user1
->id());
$user2 = User::load($user2
->id());
$this
->assertEquals($user2
->getPassword(), $user1
->getPassword(), 'Both users have the same password hash.');
$reset_url = user_pass_reset_url($user1);
$attack_reset_url = str_replace("user/reset/{$user1->id()}", "user/reset/{$user2->id()}", $reset_url);
$this
->drupalGet($attack_reset_url);
$this
->submitForm([], 'Log in');
$this
->assertSession()
->pageTextNotContains($user2
->getAccountName());
$this
->assertSession()
->addressEquals('user/password');
$this
->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
}
}