<?php
namespace Drupal\system\Tests\Session;
use Drupal\Core\Url;
use Drupal\basic_auth\Tests\BasicAuthTestTrait;
use Drupal\simpletest\WebTestBase;
/**
 * Tests that basic authentication and the session system do not interfere.
 *
 * The scenarios use the session_test module's routes and cover:
 * - a user authenticated via basic authentication is anonymous again on the
 *   next request that carries no credentials (no session leaks across);
 * - session data written during a basic-auth request is visible on a later
 *   basic-auth request by the same user;
 * - a basic-auth protected route sets no cookie, whereas logging in through
 *   the login form does.
 */
class SessionAuthenticationTest extends WebTestBase {

  use BasicAuthTestTrait;

  /**
   * The account whose credentials are sent on every authenticated request.
   *
   * Created in setUp(); its clear-text password is read from ::pass_raw.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $user;

  /**
   * Modules to enable.
   *
   * @var string[]
   */
  public static $modules = ['basic_auth', 'session_test'];

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    parent::setUp();
    $permissions = ['administer site configuration'];
    $this->user = $this->drupalCreateUser($permissions);
  }

  /**
   * Performs a GET request authenticated as the test user via basic auth.
   *
   * @param \Drupal\Core\Url|string $url
   *   The URL or path to request.
   *
   * @return string
   *   The raw response body, as returned by ::basicAuthGet().
   */
  private function getAsTestUser($url) {
    $name = $this->user->getUsername();
    $password = $this->user->pass_raw;
    return $this->basicAuthGet($url, $name, $password);
  }

  /**
   * Ensures a basic-auth login is not carried over to credential-less requests.
   */
  public function testSessionFromBasicAuthenticationDoesNotLeak() {
    $protected = Url::fromRoute('session_test.get_session_basic_auth');
    $unprotected = Url::fromRoute('session_test.get_session_no_auth');

    // Without credentials the protected route must refuse the request.
    $this->drupalGet($protected);
    $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.');

    // With credentials it answers and reports the authenticated account.
    $this->getAsTestUser($protected);
    $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.');
    $payload = json_decode($this->getRawContent());
    $this->assertEqual($this->user->id(), $payload->user, 'The correct user is authenticated on a route with basic authentication.');

    // A credential-less request to an open route must see an anonymous user.
    $this->drupalGet($unprotected);
    $this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.');
    $payload = json_decode($this->getRawContent());
    $this->assertFalse($payload->user, 'The user is no longer authenticated after visiting a page without basic authentication.');

    // ... and the protected route is locked again for that client.
    $this->drupalGet($protected);
    $this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.');
  }

  /**
   * Ensures session data survives between basic-auth requests of one user.
   */
  public function testBasicAuthSession() {
    $value = 'alpaca';

    $body = $this->getAsTestUser('session-test/set-session/' . $value);
    $this->assertSessionData($body, $value);
    $this->assertResponse(200, 'The request to set a session value was successful.');

    $body = $this->getAsTestUser('session-test/get-session');
    $this->assertSessionData($body, $value);
    $this->assertResponse(200, 'The request to get a session value was successful.');
  }

  /**
   * Asserts that a session_test JSON response carries the expected session.
   *
   * @param string $response
   *   Raw JSON response body from one of the session_test routes.
   * @param mixed $expected
   *   Value expected under the 'test_value' session key.
   */
  protected function assertSessionData($response, $expected) {
    $decoded = json_decode($response, TRUE);
    $expected_session = ['test_value' => $expected];
    $this->assertEqual($expected_session, $decoded['session'], 'The session data matches the expected value.');
    $this->assertEqual($this->user->id(), $decoded['user'], 'The correct user is logged in.');
  }

  /**
   * Ensures basic authentication sets no cookie while the login form does.
   */
  public function testBasicAuthNoSession() {
    $no_cookie_url = Url::fromRoute('session_test.get_session_basic_auth');
    $cookie_url = '<front>';

    // Basic auth must be stateless: no Set-Cookie header on the response.
    $this->getAsTestUser($no_cookie_url);
    $this->assertResponse(200, 'The user is successfully authenticated using basic authentication.');
    $set_cookie = $this->drupalGetHeader('set-cookie', TRUE);
    $this->assertFalse($set_cookie, 'No cookie is set on a route protected with basic authentication.');

    // A form login, by contrast, is expected to establish a cookie session.
    $credentials = [
      'name' => $this->user->getUsername(),
      'pass' => $this->user->pass_raw,
    ];
    $this->drupalPostForm($cookie_url, $credentials, t('Log in'));
    $this->assertResponse(200, 'The user is successfully authenticated using cookie authentication.');
    $set_cookie = $this->drupalGetHeader('set-cookie', TRUE);
    $this->assertTrue($set_cookie, 'A cookie is set on a route protected with cookie authentication.');
  }

}