public function FloodTest::testUserResetPasswordIpFloodControl in Username Enumeration Prevention 8
Tests password reset flood control for one IP.
File
- tests/src/Functional/FloodTest.php, line 35
Class
- FloodTest
- Ensure flood protection works, despite lack of end-user feedback.
Namespace
Drupal\Tests\username_enumeration_prevention\Functional
Code
/**
 * Tests password reset flood control for one IP.
 *
 * Lowers the per-IP limit in user.flood to 3, submits the password reset
 * form three times for an existing account, then submits it a fourth time
 * with a random name. The flood error text must not be shown to the visitor,
 * and at least one password reset mail must have been collected.
 */
public function testUserResetPasswordIpFloodControl() {
  // Cap the per-IP limit at 3 so the threshold is reached within the test.
  $flood_config = \Drupal::configFactory()->getEditable('user.flood');
  $flood_config->set('ip_limit', 3)->save();

  // Existing account that the first three reset requests are made for.
  $account_name = 'foo';
  $this->createUser([], $account_name, FALSE, ['mail' => 'foo@bar']);

  // Try 3 requests that should not trigger flood control.
  $attempt = 0;
  while ($attempt < 3) {
    $this->drupalGet('user/password');
    $this->drupalPostForm(NULL, ['name' => $account_name], $this->t('Submit'));
    $attempt++;
  }

  // The next request should trigger flood control. It uses a random name
  // rather than the existing account.
  $this->drupalGet('user/password');
  $this->drupalPostForm(NULL, ['name' => $this->randomMachineName()], $this->t('Submit'));

  // Error should not be displayed to the end user: a visible "blocked"
  // message would give the requester feedback the module is meant to
  // withhold.
  $flood_message = $this->t('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
  $this->assertNoText($flood_message);

  // But mail should be.
  // NOTE(review): this only checks that the mail collector is non-empty. The
  // three earlier submissions used an existing account name and presumably
  // each produced a mail, so the check would hold whether or not the fourth
  // request was throttled. Consider asserting the exact mail count so the
  // result is tied to flood control. Confirm against the module's behaviour.
  $collected_mails = $this->drupalGetMails();
  $this->assert(!empty($collected_mails), "password reset mails were sent");
}