From cda16ba843cd9be75a529c5b1def85e5285989d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Alfaiate?=
Date: Sat, 24 Aug 2024 11:10:02 +0700
Subject: [PATCH] Add test to clear CSRF on stateless request
---
 .../CsrfTokenClearingLogoutListenerTest.php | 45 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
index 405c7ae085510..06599416ff341 100644
--- a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
@@ -12,20 +12,31 @@ namespace Symfony\Component\Security\Http\Tests\EventListener;
 use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;
 class CsrfTokenClearingLogoutListenerTest extends TestCase
 {
-    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
     {
+        $map = $this->createMock(FirewallMap::class);
+        $map
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->willReturn(new FirewallConfig('firewall', 'user_checker'))
+        ;
+
         try {
             (new CsrfTokenClearingLogoutListener(
-                new SessionTokenStorage(new RequestStack())
+                new SessionTokenStorage(new RequestStack()),
+                $map
             ))->onLogout(new LogoutEvent(new Request(), null));
         } catch (SessionNotFoundException) {
             $this->fail('clear() must not be called if the request is not associated with a session instance');
@@ -33,4 +44,34 @@ public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
         $this->addToAssertionCount(1);
     }
+
+    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    {
+        $session = new Session();
+
+        // Create a stateless request with a previous session
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set($session->getName(), 'previous_session');
+        $request->attributes->set('_stateless', true);
+
+        $map = $this->createMock(FirewallMap::class);
+        $map
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->with($this->equalTo($request))
+            ->willReturn(new FirewallConfig('stateless_firewall', 'user_checker', stateless: true))
+        ;
+
+        try {
+            (new CsrfTokenClearingLogoutListener(
+                new SessionTokenStorage(new RequestStack()),
+                $map
+            ))->onLogout(new LogoutEvent($request, null));
+        } catch (SessionNotFoundException) {
+            $this->fail('clear() must not be called if the request is stateless');
+        }
+
+        $this->addToAssertionCount(1);
+    }
 }
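Review bot: The new test only detects a stray clear() because the SessionTokenStorage is built on an empty RequestStack, whose session lookup throws SessionNotFoundException; the `$session` attached to `$request` is never what the storage would reach, so the message `'clear() must not be called if the request is stateless'` describes a different mechanism than the one actually asserted. Asserting the contract directly — a mock of the token-storage interface the listener accepts with `->expects($this->never())->method('clear')`, or `self::assertFalse($session->isStarted());` after onLogout — would make the test fail for the right reason and let the try/catch go. `new Session()` defaults to PHP's native session storage; `new Session(new MockArraySessionStorage())` is the usual choice in unit tests and avoids depending on CLI session settings. The `_stateless` attribute set on the request may be redundant if the listener consults only the FirewallMap, which the `->with($this->equalTo($request))` expectation suggests, but the listener's code is not in this diff so that is worth confirming. The first hunk's `getFirewallConfig` expectation has no matching `->with(...)` constraint, unlike this one.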