Add test to clear CSRF on stateless request
Seb33300 committed Aug 24, 2024
1 parent f0e6aae commit cda16ba
Showing 1 changed file with 43 additions and 2 deletions.
Expand Up @@ -12,25 +12,66 @@
namespace Symfony\Component\Security\Http\Tests\EventListener;

use PHPUnit\Framework\TestCase;
use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
use Symfony\Component\Security\Http\Event\LogoutEvent;
use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;

class CsrfTokenClearingLogoutListenerTest extends TestCase
{
public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
{
$map = $this->createMock(FirewallMap::class);
$map
->expects($this->once())
->method('getFirewallConfig')
->willReturn(new FirewallConfig('firewall', 'user_checker'))
;

try {
(new CsrfTokenClearingLogoutListener(
new SessionTokenStorage(new RequestStack())
new SessionTokenStorage(new RequestStack()),
$map
))->onLogout(new LogoutEvent(new Request(), null));
} catch (SessionNotFoundException) {
$this->fail('clear() must not be called if the request is not associated with a session instance');
}

$this->addToAssertionCount(1);
}

public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
{
$session = new Session();

// Create a stateless request with a previous session
$request = new Request();
$request->setSession($session);
$request->cookies->set($session->getName(), 'previous_session');
$request->attributes->set('_stateless', true);

$map = $this->createMock(FirewallMap::class);
$map
->expects($this->once())
->method('getFirewallConfig')
->with($this->equalTo($request))
->willReturn(new FirewallConfig('stateless_firewall', 'user_checker', stateless: true))
;

try {
(new CsrfTokenClearingLogoutListener(
new SessionTokenStorage(new RequestStack()),
$map
))->onLogout(new LogoutEvent($request, null));
} catch (SessionNotFoundException) {
$this->fail('clear() must not be called if the request is stateless');
}

$this->addToAssertionCount(1);
}
}
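Review bot: The stateless test sets both the `_stateless` request attribute (line with `$request->attributes->set('_stateless', true)`) and a `FirewallConfig(..., stateless: true)`, so it only exercises the conjunction; if the listener consults just one of these signals a regression in the other path would go unnoticed. Either split it into one test per signal, or add a comment above the request setup stating which signal `CsrfTokenClearingLogoutListener` is expected to honour, e.g. `// The listener is expected to skip clear() based on <signal>; the other flag is set only for realism` with the placeholder filled from the listener's implementation. Both tests in this class assert that `clear()` is *not* reached (by relying on the empty `RequestStack` throwing `SessionNotFoundException`); there is no visible positive case that a stateful logout actually clears the session-backed CSRF tokens, which is the security-relevant behaviour this listener exists for. Unless that is covered in a functional test elsewhere, a third test with a request pushed onto the `RequestStack` and a session holding a token should assert the token is gone after `onLogout`.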
