Skip to content

Commit

Permalink
Add test to clear CSRF on stateless request
Browse files Browse the repository at this point in the history
  • Loading branch information
Seb33300 committed Apr 26, 2024
1 parent 1d10333 commit d71784c
Showing 1 changed file with 22 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,14 @@
use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
use Symfony\Component\Security\Http\Event\LogoutEvent;
use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;

class CsrfTokenClearingLogoutListenerTest extends TestCase
{
public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
{
try {
(new CsrfTokenClearingLogoutListener(
Expand All @@ -31,6 +32,26 @@ public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
$this->fail('clear() must not be called if the request is not associated with a session instance');
}

$this->addToAssertionCount(1);
}
public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
{
$session = new Session();

// Create a stateless request with a previous session
$request = new Request();
$request->setSession($session);
$request->cookies->set($session->getName(), 'previous_session');
$request->attributes->set('_stateless', true);

try {
(new CsrfTokenClearingLogoutListener(
new SessionTokenStorage(new RequestStack())
))->onLogout(new LogoutEvent($request, null));
} catch (SessionNotFoundException) {
$this->fail('clear() must not be called if the request is stateless');
}

$this->addToAssertionCount(1);
}
}

0 comments on commit d71784c

Please sign in to comment.