You are here

public function UserPasswordResetTest::testUserPasswordReset in Drupal 8

Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()

Tests password reset functionality.

File

core/modules/user/tests/src/Functional/UserPasswordResetTest.php, line 76

Class

UserPasswordResetTest
Ensure that password reset methods work as expected.

Namespace

Drupal\Tests\user\Functional

Code

public function testUserPasswordReset() {

  // Verify that accessing the password reset form without having the session
  // variables set results in an access denied message.
  $this
    ->drupalGet(Url::fromRoute('user.reset.form', [
    'uid' => $this->account
      ->id(),
  ]));
  $this
    ->assertSession()
    ->statusCodeEquals(403);

  // Try to reset the password for an invalid account.
  $this
    ->drupalGet('user/password');
  $edit = [
    'name' => $this
      ->randomMachineName(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $this
    ->assertNoValidPasswordReset($edit['name']);

  // Reset the password by username via the password reset page.
  $this
    ->drupalGet('user/password');
  $edit = [
    'name' => $this->account
      ->getAccountName(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $this
    ->assertValidPasswordReset($edit['name']);
  $resetURL = $this
    ->getResetURL();
  $this
    ->drupalGet($resetURL);

  // Ensure that the current url does not contain the hash and timestamp.
  $this
    ->assertUrl(Url::fromRoute('user.reset.form', [
    'uid' => $this->account
      ->id(),
  ]));
  $this
    ->assertNull($this
    ->drupalGetHeader('X-Drupal-Cache'));

  // Ensure the password reset URL is not cached.
  $this
    ->drupalGet($resetURL);
  $this
    ->assertNull($this
    ->drupalGetHeader('X-Drupal-Cache'));

  // Check the one-time login page.
  $this
    ->assertText($this->account
    ->getAccountName(), 'One-time login page contains the correct username.');
  $this
    ->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
  $this
    ->assertTitle('Reset password | Drupal');

  // Check successful login.
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));
  $this
    ->assertSession()
    ->linkExists(t('Log out'));
  $this
    ->assertTitle($this->account
    ->getAccountName() . ' | Drupal');

  // Change the forgotten password.
  $password = user_password();
  $edit = [
    'pass[pass1]' => $password,
    'pass[pass2]' => $password,
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Save'));
  $this
    ->assertText(t('The changes have been saved.'), 'Forgotten password changed.');

  // Verify that the password reset session has been destroyed.
  $this
    ->drupalPostForm(NULL, $edit, t('Save'));
  $this
    ->assertText(t("Your current password is missing or incorrect; it's required to change the Password."), 'Password needed to make profile changes.');

  // Log out, and try to log in again using the same one-time link.
  $this
    ->drupalLogout();
  $this
    ->drupalGet($resetURL);
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));
  $this
    ->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');

  // Request a new password again, this time using the email address.
  // Count email messages before to compare with after.
  $before = count($this
    ->drupalGetMails([
    'id' => 'user_password_reset',
  ]));
  $this
    ->drupalGet('user/password');
  $edit = [
    'name' => $this->account
      ->getEmail(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $this
    ->assertValidPasswordReset($edit['name']);
  $this
    ->assertCount($before + 1, $this
    ->drupalGetMails([
    'id' => 'user_password_reset',
  ]), 'Email sent when requesting password reset using email address.');

  // Visit the user edit page without pass-reset-token and make sure it does
  // not cause an error.
  $resetURL = $this
    ->getResetURL();
  $this
    ->drupalGet($resetURL);
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));
  $this
    ->drupalGet('user/' . $this->account
    ->id() . '/edit');
  $this
    ->assertNoText('Expected user_string to be a string, NULL given');
  $this
    ->drupalLogout();

  // Create a password reset link as if the request time was 60 seconds older than the allowed limit.
  $timeout = $this
    ->config('user.settings')
    ->get('password_reset_timeout');
  $bogus_timestamp = REQUEST_TIME - $timeout - 60;
  $_uid = $this->account
    ->id();
  $this
    ->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));
  $this
    ->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');

  // Create a user, block the account, and verify that a login link is denied.
  $timestamp = REQUEST_TIME - 1;
  $blocked_account = $this
    ->drupalCreateUser()
    ->block();
  $blocked_account
    ->save();
  $this
    ->drupalGet("user/reset/" . $blocked_account
    ->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
  $this
    ->assertSession()
    ->statusCodeEquals(403);

  // Verify a blocked user can not request a new password.
  $this
    ->drupalGet('user/password');

  // Count email messages before to compare with after.
  $before = count($this
    ->drupalGetMails([
    'id' => 'user_password_reset',
  ]));
  $edit = [
    'name' => $blocked_account
      ->getAccountName(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $this
    ->assertRaw(t('%name is blocked or has not been activated yet.', [
    '%name' => $blocked_account
      ->getAccountName(),
  ]), 'Notified user blocked accounts can not request a new password');
  $this
    ->assertCount($before, $this
    ->drupalGetMails([
    'id' => 'user_password_reset',
  ]), 'No email was sent when requesting password reset for a blocked account');

  // Verify a password reset link is invalidated when the user's email address changes.
  $this
    ->drupalGet('user/password');
  $edit = [
    'name' => $this->account
      ->getAccountName(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $old_email_reset_link = $this
    ->getResetURL();
  $this->account
    ->setEmail("1" . $this->account
    ->getEmail());
  $this->account
    ->save();
  $this
    ->drupalGet($old_email_reset_link);
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));
  $this
    ->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');

  // Verify a password reset link will automatically log a user when /login is
  // appended.
  $this
    ->drupalGet('user/password');
  $edit = [
    'name' => $this->account
      ->getAccountName(),
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Submit'));
  $reset_url = $this
    ->getResetURL();
  $this
    ->drupalGet($reset_url . '/login');
  $this
    ->assertSession()
    ->linkExists(t('Log out'));
  $this
    ->assertTitle($this->account
    ->getAccountName() . ' | Drupal');

  // Ensure blocked and deleted accounts can't access the user.reset.login
  // route.
  $this
    ->drupalLogout();
  $timestamp = REQUEST_TIME - 1;
  $blocked_account = $this
    ->drupalCreateUser()
    ->block();
  $blocked_account
    ->save();
  $this
    ->drupalGet("user/reset/" . $blocked_account
    ->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
  $this
    ->assertSession()
    ->statusCodeEquals(403);
  $blocked_account
    ->delete();
  $this
    ->drupalGet("user/reset/" . $blocked_account
    ->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
  $this
    ->assertSession()
    ->statusCodeEquals(403);
}