Same name and namespace in other branches

1. 9 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestPerUserLoginFloodControl()
2. 10 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestPerUserLoginFloodControl()

Tests the per-user login flood control for a given serialization format.

See also

\Drupal\basic_auth\Authentication\Provider\BasicAuthTest::testPerUserLoginFloodControl

\Drupal\Tests\user\Functional\UserLoginTest::testPerUserLoginFloodControl

1 call to UserLoginHttpTest::doTestPerUserLoginFloodControl()

UserLoginHttpTest::testPasswordReset in core/modules/user/tests/src/Functional/UserLoginHttpTest.php

Tests user password reset.

File

core/modules/user/tests/src/Functional/UserLoginHttpTest.php, line 371

Class

UserLoginHttpTest

Tests login and password reset via direct HTTP.

Namespace

Drupal\Tests\user\Functional

Code

public function doTestPerUserLoginFloodControl($format) : void {
  $database = \Drupal::database();
  foreach ([
    TRUE,
    FALSE,
  ] as $uid_only_setting) {
    $this->config('user.flood')
      ->set('ip_limit', 4000)
      ->set('user_limit', 3)
      ->set('uid_only', $uid_only_setting)
      ->save();
    $user1 = $this->drupalCreateUser([]);
    $incorrect_user1 = clone $user1;
    $incorrect_user1->passRaw .= 'incorrect';
    $user2 = $this->drupalCreateUser([]);
    // Try 2 failed logins.
    for ($i = 0; $i < 2; $i++) {
      $response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw, $format);
      $this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.', $format);
    }
    // A successful login will reset the per-user flood control count.
    $response = $this->loginRequest($user1->getAccountName(), $user1->passRaw, $format);
    $result_data = $this->serializer
      ->decode((string) $response->getBody(), $format);
    $this->logoutRequest($format, $result_data['logout_token']);
    // Try 3 failed logins for user 1, they will not trigger flood control.
    for ($i = 0; $i < 3; $i++) {
      $response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw, $format);
      $this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.', $format);
    }
    // Try one successful attempt for user 2, it should not trigger any
    // flood control.
    $this->drupalLogin($user2);
    $this->drupalLogout();
    // Try one more attempt for user 1, it should be rejected, even if the
    // correct password has been used.
    $response = $this->loginRequest($user1->getAccountName(), $user1->passRaw, $format);
    // Depending on the uid_only setting the error message will be different.
    if ($uid_only_setting) {
      $expected_message = 'There have been more than 3 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.';
      $expected_log = 'Flood control blocked login attempt for uid %uid';
    }
    else {
      $expected_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
      $expected_log = 'Flood control blocked login attempt for uid %uid from %ip';
    }
    $this->assertHttpResponseWithMessage($response, 403, $expected_message, $format);
    $last_log = $database->select('watchdog', 'w')
      ->fields('w', [
      'message',
    ])
      ->condition('type', 'user')
      ->orderBy('wid', 'DESC')
      ->range(0, 1)
      ->execute()
      ->fetchField();
    $this->assertEquals($expected_log, $last_log, 'A watchdog message was logged for the login attempt blocked by flood control per user.');
  }
}

---