From d71784ce7b9ee1f817c3c07618f2f4b21beba688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Alfaiate?=
Date: Fri, 26 Apr 2024 15:56:53 +0700
Subject: [PATCH] Add test to clear CSRF on stateless request

---
 .../CsrfTokenClearingLogoutListenerTest.php | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
index 405c7ae085510..0783dd81b25a4 100644
--- a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
@@ -15,13 +15,14 @@
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;
 
 class CsrfTokenClearingLogoutListenerTest extends TestCase
 {
-    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
     {
         try {
             (new CsrfTokenClearingLogoutListener(
@@ -31,6 +32,26 @@ public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
             $this->fail('clear() must not be called if the request is not associated with a session instance');
         }
+        $this->addToAssertionCount(1);
+    }
 
+    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    {
+        $session = new Session();
+
+        // Create a stateless request with a previous session
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set($session->getName(), 'previous_session');
+        $request->attributes->set('_stateless', true);
+
+        try {
+            (new CsrfTokenClearingLogoutListener(
+                new SessionTokenStorage(new RequestStack())
+            ))->onLogout(new LogoutEvent($request, null));
+        } catch (SessionNotFoundException) {
+            $this->fail('clear() must not be called if the request is stateless');
+        }
+
         $this->addToAssertionCount(1);
     }
 }
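Review bot: The new test detects a forbidden `clear()` call only indirectly, through the `SessionNotFoundException` that `SessionTokenStorage` raises because the `RequestStack` it is given is empty; if the storage ever resolved the session another way, the test would pass without proving the listener skipped anything. Passing a mock of the token-storage interface the listener accepts with `$storage->expects($this->never())->method('clear');` would assert the contract directly and let the try/catch go. The comment `// Create a stateless request with a previous session` would also carry more of the intent as `// Session cookie marks a previous session, so only the _stateless attribute must stop clear()`, assuming the listener checks the previous-session state first, which is not visible in this hunk.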