function UserLoginHttpTest::doTestPerUserLoginFloodControl
Same name in other branches
- 10 core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestPerUserLoginFloodControl()
- 11.x core/modules/user/tests/src/Functional/UserLoginHttpTest.php \Drupal\Tests\user\Functional\UserLoginHttpTest::doTestPerUserLoginFloodControl()
Tests the per-user login flood control for a given serialization format.
See also
\Drupal\basic_auth\Authentication\Provider\BasicAuthTest::testPerUserLoginFloodControl
\Drupal\Tests\user\Functional\UserLoginTest::testPerUserLoginFloodControl
2 calls to UserLoginHttpTest::doTestPerUserLoginFloodControl()
- UserHalLoginHttpTest::testPasswordReset in core/
modules/ hal/ tests/ src/ Functional/ user/ UserHalLoginHttpTest.php - Tests user password reset.
- UserLoginHttpTest::testPasswordReset in core/
modules/ user/ tests/ src/ Functional/ UserLoginHttpTest.php - Tests user password reset.
File
-
core/
modules/ user/ tests/ src/ Functional/ UserLoginHttpTest.php, line 370
Class
- UserLoginHttpTest
- Tests login and password reset via direct HTTP.
Namespace
Drupal\Tests\user\FunctionalCode
public function doTestPerUserLoginFloodControl($format) : void {
$database = \Drupal::database();
foreach ([
TRUE,
FALSE,
] as $uid_only_setting) {
$this->config('user.flood')
->set('ip_limit', 4000)
->set('user_limit', 3)
->set('uid_only', $uid_only_setting)
->save();
$user1 = $this->drupalCreateUser([]);
$incorrect_user1 = clone $user1;
$incorrect_user1->passRaw .= 'incorrect';
$user2 = $this->drupalCreateUser([]);
// Try 2 failed logins.
for ($i = 0; $i < 2; $i++) {
$response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw, $format);
$this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.', $format);
}
// A successful login will reset the per-user flood control count.
$response = $this->loginRequest($user1->getAccountName(), $user1->passRaw, $format);
$result_data = $this->serializer
->decode($response->getBody(), $format);
$this->logoutRequest($format, $result_data['logout_token']);
// Try 3 failed logins for user 1, they will not trigger flood control.
for ($i = 0; $i < 3; $i++) {
$response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw, $format);
$this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.', $format);
}
// Try one successful attempt for user 2, it should not trigger any
// flood control.
$this->drupalLogin($user2);
$this->drupalLogout();
// Try one more attempt for user 1, it should be rejected, even if the
// correct password has been used.
$response = $this->loginRequest($user1->getAccountName(), $user1->passRaw, $format);
// Depending on the uid_only setting the error message will be different.
if ($uid_only_setting) {
$expected_message = 'There have been more than 3 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.';
$expected_log = 'Flood control blocked login attempt for uid %uid';
}
else {
$expected_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
$expected_log = 'Flood control blocked login attempt for uid %uid from %ip';
}
$this->assertHttpResponseWithMessage($response, 403, $expected_message, $format);
$last_log = $database->select('watchdog', 'w')
->fields('w', [
'message',
])
->condition('type', 'user')
->orderBy('wid', 'DESC')
->range(0, 1)
->execute()
->fetchField();
$this->assertEquals($expected_log, $last_log, 'A watchdog message was logged for the login attempt blocked by flood control per user.');
}
}Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.