function BasicAuthTest::testPerUserLoginFloodControl

Tests the per-user login flood control.

File

core/modules/basic_auth/tests/src/Functional/BasicAuthTest.php, line 123

Class

BasicAuthTest

Tests for BasicAuth authentication provider.

Namespace

Code

public function testPerUserLoginFloodControl() : void {
    $this->config('user.flood')
        ->set('ip_limit', 4000)
        ->set('user_limit', 2)
        ->save();
    $user = $this->drupalCreateUser([]);
    $incorrect_user = clone $user;
    $incorrect_user->pass_raw .= 'incorrect';
    $user2 = $this->drupalCreateUser([]);
    $url = Url::fromRoute('router_test.11');
    // Try a failed login.
    $this->basicAuthGet($url, $incorrect_user->getAccountName(), $incorrect_user->pass_raw);
    // A successful login will reset the per-user flood control count.
    $this->basicAuthGet($url, $user->getAccountName(), $user->pass_raw);
    $this->assertSession()
        ->statusCodeEquals(200);
    // Try 2 failed logins for a user. They will trigger flood control.
    for ($i = 0; $i < 2; $i++) {
        $this->basicAuthGet($url, $incorrect_user->getAccountName(), $incorrect_user->pass_raw);
    }
    // Now the user account is blocked.
    $this->basicAuthGet($url, $user->getAccountName(), $user->pass_raw);
    $this->assertSession()
        ->statusCodeEquals(403);
    // Try one successful attempt for a different user, it should not trigger
    // any flood control.
    $this->basicAuthGet($url, $user2->getAccountName(), $user2->pass_raw);
    $this->assertSession()
        ->statusCodeEquals(200);
}