You are here

public function CsrfTest::testCookieAuth in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/rest/src/Tests/CsrfTest.php \Drupal\rest\Tests\CsrfTest::testCookieAuth()

Tests that CSRF check is triggered for Cookie Auth requests.

File

core/modules/rest/src/Tests/CsrfTest.php, line 78
Contains \Drupal\rest\Tests\CsrfTest.

Class

CsrfTest
Tests the CSRF protection.

Namespace

Drupal\rest\Tests

Code

public function testCookieAuth() {
  $this
    ->drupalLogin($this->account);
  $curl_options = $this
    ->getCurlOptions();

  // Try to create an entity without the CSRF token.
  // Note: this will fail with PHP 5.6 when always_populate_raw_post_data is
  // set to something other than -1. See https://www.drupal.org/node/2456025.
  $this
    ->curlExec($curl_options);
  $this
    ->assertResponse(403);

  // Ensure that the entity was not created.
  $this
    ->assertFalse(entity_load_multiple($this->testEntityType, NULL, TRUE), 'No entity has been created in the database.');

  // Create an entity with the CSRF token.
  $token = $this
    ->drupalGet('rest/session/token');
  $curl_options[CURLOPT_HTTPHEADER][] = "X-CSRF-Token: {$token}";
  $this
    ->curlExec($curl_options);
  $this
    ->assertResponse(201);

  // Ensure that the entity was created.
  $loaded_entity = $this
    ->loadEntityFromLocationHeader($this
    ->drupalGetHeader('location'));
  $this
    ->assertTrue($loaded_entity, 'An entity was created in the database');
}