function UserLoginHttpTest::testPerUserLoginFloodControl

Test the per-user login flood control.

See also

\Drupal\user\Tests\UserLoginTest::testPerUserLoginFloodControl

\Drupal\basic_auth\Tests\Authentication\BasicAuthTest::testPerUserLoginFloodControl

File

core/modules/user/tests/src/Functional/UserLoginHttpTest.php, line 350

Class

UserLoginHttpTest
Tests login and password reset via direct HTTP.

Namespace

Drupal\Tests\user\Functional

Code

public function testPerUserLoginFloodControl() {
    foreach ([
        TRUE,
        FALSE,
    ] as $uid_only_setting) {
        $this->config('user.flood')
            ->set('ip_limit', 4000)
            ->set('user_limit', 3)
            ->set('uid_only', $uid_only_setting)
            ->save();
        $user1 = $this->drupalCreateUser([]);
        $incorrect_user1 = clone $user1;
        $incorrect_user1->passRaw .= 'incorrect';
        $user2 = $this->drupalCreateUser([]);
        // Try 2 failed logins.
        for ($i = 0; $i < 2; $i++) {
            $response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw);
            $this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.');
        }
        // A successful login will reset the per-user flood control count.
        $response = $this->loginRequest($user1->getAccountName(), $user1->passRaw);
        $result_data = $this->serializer
            ->decode($response->getBody(), 'json');
        $this->logoutRequest('json', $result_data['logout_token']);
        // Try 3 failed logins for user 1, they will not trigger flood control.
        for ($i = 0; $i < 3; $i++) {
            $response = $this->loginRequest($incorrect_user1->getAccountName(), $incorrect_user1->passRaw);
            $this->assertHttpResponseWithMessage($response, 400, 'Sorry, unrecognized username or password.');
        }
        // Try one successful attempt for user 2, it should not trigger any
        // flood control.
        $this->drupalLogin($user2);
        $this->drupalLogout();
        // Try one more attempt for user 1, it should be rejected, even if the
        // correct password has been used.
        $response = $this->loginRequest($user1->getAccountName(), $user1->passRaw);
        // Depending on the uid_only setting the error message will be different.
        if ($uid_only_setting) {
            $excepted_message = 'There have been more than 3 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.';
        }
        else {
            $excepted_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
        }
        $this->assertHttpResponseWithMessage($response, 403, $excepted_message);
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.