function UserLoginHttpTest::doTestLogoutCsrfProtection

Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestLogoutCsrfProtection()
  2. 10 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestLogoutCsrfProtection()

Tests csrf protection of User Logout route for given serialization format.

1 call to UserLoginHttpTest::doTestLogoutCsrfProtection()
UserLoginHttpTest::testPasswordReset in core/modules/user/tests/src/Functional/UserLoginHttpTest.php
Tests user password reset.

File

core/modules/user/tests/src/Functional/UserLoginHttpTest.php, line 469

Class

UserLoginHttpTest
Tests login and password reset via direct HTTP.

Namespace

Drupal\Tests\user\Functional

Code

public function doTestLogoutCsrfProtection(string $format) : void {
  $client = \Drupal::httpClient();
  $login_status_url = $this->getLoginStatusUrlString();
  $account = $this->drupalCreateUser();
  $name = $account->getAccountName();
  $pass = $account->passRaw;
  $response = $this->loginRequest($name, $pass, $format);
  $this->assertEquals(200, $response->getStatusCode());
  $result_data = $this->serializer
    ->decode((string) $response->getBody(), $format);
  $logout_token = $result_data['logout_token'];
  // Test third party site posting to current site with logout request.
  // This should not logout the current user because it lacks the CSRF
  // token.
  $response = $this->logoutRequest($format);
  $this->assertEquals(403, $response->getStatusCode());
  // Ensure still logged in.
  $response = $client->get($login_status_url, [
    'cookies' => $this->cookies,
  ]);
  $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
  // Try with an incorrect token.
  $response = $this->logoutRequest($format, 'not-the-correct-token');
  $this->assertEquals(403, $response->getStatusCode());
  // Ensure still logged in.
  $response = $client->get($login_status_url, [
    'cookies' => $this->cookies,
  ]);
  $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
  // Try a logout request with correct token.
  $response = $this->logoutRequest($format, $logout_token);
  $this->assertEquals(204, $response->getStatusCode());
  // Ensure actually logged out.
  $response = $client->get($login_status_url, [
    'cookies' => $this->cookies,
  ]);
  $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_OUT);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.