function UserLoginHttpTest::doTestLogoutCsrfProtection

Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestLogoutCsrfProtection()
  2. 10 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestLogoutCsrfProtection()

Tests csrf protection of User Logout route for given serialization format.

1 call to UserLoginHttpTest::doTestLogoutCsrfProtection()
UserLoginHttpTest::testPasswordReset in core/modules/user/tests/src/Functional/UserLoginHttpTest.php
Tests user password reset.

File

core/modules/user/tests/src/Functional/UserLoginHttpTest.php, line 471

Class

UserLoginHttpTest
Tests login and password reset via direct HTTP.

Namespace

Drupal\Tests\user\Functional

Code

public function doTestLogoutCsrfProtection(string $format) : void {
    $client = \Drupal::httpClient();
    $login_status_url = $this->getLoginStatusUrlString();
    $account = $this->drupalCreateUser();
    $name = $account->getAccountName();
    $pass = $account->passRaw;
    $response = $this->loginRequest($name, $pass, $format);
    $this->assertEquals(200, $response->getStatusCode());
    $result_data = $this->serializer
        ->decode((string) $response->getBody(), $format);
    $logout_token = $result_data['logout_token'];
    // Test third party site posting to current site with logout request.
    // This should not logout the current user because it lacks the CSRF
    // token.
    $response = $this->logoutRequest($format);
    $this->assertEquals(403, $response->getStatusCode());
    // Ensure still logged in.
    $response = $client->get($login_status_url, [
        'cookies' => $this->cookies,
    ]);
    $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
    // Try with an incorrect token.
    $response = $this->logoutRequest($format, 'not-the-correct-token');
    $this->assertEquals(403, $response->getStatusCode());
    // Ensure still logged in.
    $response = $client->get($login_status_url, [
        'cookies' => $this->cookies,
    ]);
    $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);
    // Try a logout request with correct token.
    $response = $this->logoutRequest($format, $logout_token);
    $this->assertEquals(204, $response->getStatusCode());
    // Ensure actually logged out.
    $response = $client->get($login_status_url, [
        'cookies' => $this->cookies,
    ]);
    $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_OUT);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.