class UserPasswordResetTest

Same name in this branch
  1. 11.x core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
  2. 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest
  3. 8.9.x core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
  4. 8.9.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest
  5. 10 core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
  6. 10 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest

Ensure that password reset methods work as expected.

@group user

Hierarchy

Expanded class hierarchy of UserPasswordResetTest

File

core/modules/user/tests/src/Functional/UserPasswordResetTest.php, line 20

Namespace

Drupal\Tests\user\Functional
View on git.drupalcode.org
View source 
class UserPasswordResetTest extends BrowserTestBase {
  use AssertMailTrait {
    getMails as drupalGetMails;
  }
  
  /**
   * The user object to test password resetting.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $account;
  
  /**
   * Language manager object.
   *
   * @var \Drupal\Core\Language\LanguageManagerInterface
   */
  protected $languageManager;
  
  /**
   * {@inheritdoc}
   */
  protected static $modules = [
    'block',
    'language',
  ];
  
  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';
  
  /**
   * {@inheritdoc}
   */
  protected function setUp() : void {
    parent::setUp();
    // Enable page caching.
    $config = $this->config('system.performance');
    $config->set('cache.page.max_age', 3600);
    $config->save();
    $this->drupalPlaceBlock('system_menu_block:account');
    // Create a user.
    $account = $this->drupalCreateUser();
    // Activate user by logging in.
    $this->drupalLogin($account);
    $this->account = User::load($account->id());
    $this->account->passRaw = $account->passRaw;
    $this->drupalLogout();
    // Set the last login time that is used to generate the one-time link so
    // that it is definitely over a second ago.
    $account->login = \Drupal::time()->getRequestTime() - mt_rand(10, 100000);
    Database::getConnection()->update('users_field_data')
      ->fields([
      'login' => $account->getLastLoginTime(),
    ])
      ->condition('uid', $account->id())
      ->execute();
  }
  
  /**
   * Tests password reset functionality.
   */
  public function testUserPasswordReset() : void {
    // Verify that accessing the password reset form without having the session
    // variables set results in an access denied message.
    $this->drupalGet(Url::fromRoute('user.reset.form', [
      'uid' => $this->account
        ->id(),
    ]));
    $this->assertSession()
      ->statusCodeEquals(403);
    // Try to reset the password for a completely invalid username.
    $this->drupalGet('user/password');
    $long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH + 10);
    $edit = [
      'name' => $long_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertCount(0, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'No email was sent when requesting a password for an invalid user name.');
    $this->assertSession()
      ->pageTextContains("The username or email address is invalid.");
    // Try to reset the password for an invalid account.
    $this->drupalGet('user/password');
    $random_name = $this->randomMachineName();
    $edit = [
      'name' => $random_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertNoValidPasswordReset($random_name);
    // Try to reset the password for a valid email address longer than
    // UserInterface::USERNAME_MAX_LENGTH (invalid username, valid email).
    // This should pass validation and print the generic message.
    $this->drupalGet('user/password');
    $long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH) . '@example.com';
    $edit = [
      'name' => $long_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertNoValidPasswordReset($long_name);
    // Reset the password by username via the password reset page.
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->account
        ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertValidPasswordReset($edit['name']);
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    // Ensure that the current URL does not contain the hash and timestamp.
    $this->assertSession()
      ->addressEquals(Url::fromRoute('user.reset.form', [
      'uid' => $this->account
        ->id(),
    ]));
    $this->assertSession()
      ->responseHeaderEquals('X-Drupal-Cache', 'UNCACHEABLE (request policy)');
    // Ensure the password reset URL is not cached.
    $this->drupalGet($resetURL);
    $this->assertSession()
      ->responseHeaderEquals('X-Drupal-Cache', 'UNCACHEABLE (request policy)');
    // Check the one-time login page.
    $this->assertSession()
      ->pageTextContains($this->account
      ->getAccountName());
    $this->assertSession()
      ->pageTextContains('This login can be used only once.');
    $this->assertSession()
      ->titleEquals('Reset password | Drupal');
    // Check successful login.
    $this->submitForm([], 'Log in');
    $this->assertSession()
      ->linkExists('Log out');
    $this->assertSession()
      ->titleEquals($this->account
      ->getAccountName() . ' | Drupal');
    // Try to save without entering password.
    $this->submitForm([], 'Save');
    $this->assertSession()
      ->pageTextContains('Password field is required.');
    // Change the forgotten password.
    $password = \Drupal::service('password_generator')->generate();
    $edit = [
      'pass[pass1]' => $password,
      'pass[pass2]' => $password,
    ];
    $this->submitForm($edit, 'Save');
    $this->assertSession()
      ->pageTextContains('The changes have been saved.');
    // Verify that the password reset session has been destroyed.
    $this->submitForm($edit, 'Save');
    $this->assertSession()
      ->pageTextContains("Your current password is missing or incorrect; it's required to change the Password.");
    // Log out, and try to log in again using the same one-time link.
    $this->drupalLogout();
    $this->drupalGet($resetURL);
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
    $this->drupalGet($resetURL . '/login');
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
    // Request a new password again, this time using the email address.
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
      'id' => 'user_password_reset',
    ]));
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->account
        ->getEmail(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertValidPasswordReset($edit['name']);
    $this->assertCount($before + 1, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'Email sent when requesting password reset using email address.');
    // Change the site name.
    // The site name token in the email will be replaced by this one.
    // cspell:ignore L'Equipe de l'Agriculture
    $config = $this->config('system.site');
    $config->set('name', "L'Equipe de l'Agriculture")
      ->save();
    $this->rebuildContainer();
    // Request a new password using the email address.
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->account
        ->getEmail(),
    ];
    $this->submitForm($edit, 'Submit');
    // Check that the email message body does not contain HTML entities
    // Assume the most recent email.
    $_emails = $this->drupalGetMails();
    $email = end($_emails);
    $this->assertEquals(htmlspecialchars_decode($email['body']), $email['body'], 'Email body contains HTML entities');
    // Change site name to 'Drupal'
    $config->set('name', "Drupal")
      ->save();
    $this->rebuildContainer();
    // Visit the user edit page without pass-reset-token and make sure it does
    // not cause an error.
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    $this->submitForm([], 'Log in');
    $this->drupalGet('user/' . $this->account
      ->id() . '/edit');
    $this->assertSession()
      ->pageTextNotContains('Expected user_string to be a string, NULL given');
    $this->drupalLogout();
    // Create a password reset link as if the request time was 60 seconds older
    // than the allowed limit.
    $timeout = $this->config('user.settings')
      ->get('password_reset_timeout');
    $bogus_timestamp = \Drupal::time()->getRequestTime() - $timeout - 60;
    $_uid = $this->account
      ->id();
    $this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has expired. Request a new one using the form below.');
    $this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp) . '/login');
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has expired. Request a new one using the form below.');
    // Create a user, block the account, and verify that a login link is denied.
    $timestamp = \Drupal::time()->getRequestTime() - 1;
    $blocked_account = $this->drupalCreateUser()
      ->block();
    $blocked_account->save();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
    $this->assertSession()
      ->statusCodeEquals(403);
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
      ->statusCodeEquals(403);
    // Verify a blocked user can not request a new password.
    $this->drupalGet('user/password');
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
      'id' => 'user_password_reset',
    ]));
    $edit = [
      'name' => $blocked_account->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertCount($before, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'No email was sent when requesting password reset for a blocked account');
    // Verify a password reset link is invalidated when the user's email address
    // changes.
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->account
        ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $old_email_reset_link = $this->getResetURL();
    $this->account
      ->setEmail("1" . $this->account
      ->getEmail());
    $this->account
      ->save();
    $this->drupalGet($old_email_reset_link);
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
    $this->drupalGet($old_email_reset_link . '/login');
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
    // Verify a password reset link will automatically log a user when /login is
    // appended.
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->account
        ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $reset_url = $this->getResetURL();
    $this->drupalGet($reset_url . '/login');
    $this->assertSession()
      ->linkExists('Log out');
    $this->assertSession()
      ->titleEquals($this->account
      ->getAccountName() . ' | Drupal');
    // Ensure blocked and deleted accounts can't access the user.reset.login
    // route.
    $this->drupalLogout();
    $timestamp = \Drupal::time()->getRequestTime() - 1;
    $blocked_account = $this->drupalCreateUser()
      ->block();
    $blocked_account->save();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
      ->statusCodeEquals(403);
    $blocked_account->delete();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
      ->statusCodeEquals(403);
  }
  
  /**
   * Tests password reset functionality when user has set preferred language.
   */
  public function testUserPasswordResetPreferredLanguage() : void {
    // Set two new languages.
    ConfigurableLanguage::createFromLangcode('fr')->save();
    ConfigurableLanguage::createFromLangcode('zh-hant')->save();
    $this->languageManager = \Drupal::languageManager();
    // Set language prefixes.
    $config = $this->config('language.negotiation');
    $config->set('url.prefixes', [
      'en' => '',
      'fr' => 'fr',
      'zh-hant' => 'zh',
    ])
      ->save();
    $this->rebuildContainer();
    foreach ($this->languagePrefixTestProvider() as $scenario) {
      [
        $setPreferredLangcode,
        $activeLangcode,
        $prefix,
        $visitingUrl,
        $expectedResetUrl,
        $unexpectedResetUrl,
      ] = array_values($scenario);
      $this->account->preferred_langcode = $setPreferredLangcode;
      $this->account
        ->save();
      $this->assertSame($setPreferredLangcode, $this->account
        ->getPreferredLangcode(FALSE));
      // Test Default langcode is different from active langcode when visiting
      // different.
      if ($setPreferredLangcode !== 'en') {
        $this->drupalGet($prefix . '/user/password');
        $this->assertSame($activeLangcode, $this->getSession()
          ->getResponseHeader('Content-language'));
        $this->assertSame('en', $this->languageManager
          ->getDefaultLanguage()
          ->getId());
      }
      // Test password reset with language prefixes.
      $this->drupalGet($visitingUrl);
      $edit = [
        'name' => $this->account
          ->getAccountName(),
      ];
      $this->submitForm($edit, 'Submit');
      $this->assertValidPasswordReset($edit['name']);
      $resetURL = $this->getResetURL();
      $this->assertStringContainsString($expectedResetUrl, $resetURL);
      $this->assertStringNotContainsString($unexpectedResetUrl, $resetURL);
    }
  }
  
  /**
   * Provides scenarios for testUserPasswordResetPreferredLanguage().
   *
   * @return array
   *   An array of scenarios.
   */
  protected function languagePrefixTestProvider() {
    return [
      'Test language prefix set as \'\', visiting default with preferred language as en' => [
        'setPreferredLangcode' => 'en',
        'activeLangcode' => 'en',
        'prefix' => '',
        'visitingUrl' => 'user/password',
        'expectedResetUrl' => 'user/reset',
        'unexpectedResetUrl' => 'en/user/reset',
      ],
      'Test language prefix set as fr, visiting zh with preferred language as fr' => [
        'setPreferredLangcode' => 'fr',
        'activeLangcode' => 'fr',
        'prefix' => 'fr',
        'visitingUrl' => 'zh/user/password',
        'expectedResetUrl' => 'fr/user/reset',
        'unexpectedResetUrl' => 'zh/user/reset',
      ],
      'Test language prefix set as zh, visiting zh with preferred language as \'\'' => [
        'setPreferredLangcode' => '',
        'activeLangcode' => 'zh-hant',
        'prefix' => 'zh',
        'visitingUrl' => 'zh/user/password',
        'expectedResetUrl' => 'user/reset',
        'unexpectedResetUrl' => 'zh/user/reset',
      ],
    ];
  }
  
  /**
   * Retrieves password reset email and extracts the login link.
   */
  public function getResetURL() {
    // Assume the most recent email.
    $_emails = $this->drupalGetMails();
    $email = end($_emails);
    $urls = [];
    preg_match('#.+user/reset/.+#', $email['body'], $urls);
    return $urls[0];
  }
  
  /**
   * Tests user password reset while logged in.
   */
  public function testUserPasswordResetLoggedIn() : void {
    $another_account = $this->drupalCreateUser();
    $this->drupalLogin($another_account);
    $this->drupalGet('user/password');
    $this->submitForm([], 'Submit');
    // Click the reset URL while logged and change our password.
    $resetURL = $this->getResetURL();
    // Log in as a different user.
    $this->drupalLogin($this->account);
    $this->drupalGet($resetURL);
    $this->assertSession()
      ->pageTextContains("Another user ({$this->account->getAccountName()}) is already logged into the site on this computer, but you tried to use a one-time link for user {$another_account->getAccountName()}. Log out and try using the link again.");
    $this->assertSession()
      ->linkExists('Log out');
    $this->assertSession()
      ->linkByHrefExists(Url::fromRoute('user.logout')->toString());
    // Verify that the invalid password reset page does not show the user name.
    $attack_reset_url = "user/reset/" . $another_account->id() . "/1/1";
    $this->drupalGet($attack_reset_url);
    $this->assertSession()
      ->pageTextNotContains($another_account->getAccountName());
    $this->assertSession()
      ->addressEquals('user/' . $this->account
      ->id());
    $this->assertSession()
      ->pageTextContains('The one-time login link you clicked is invalid.');
    $another_account->delete();
    $this->drupalGet($resetURL);
    $this->assertSession()
      ->pageTextContains('The one-time login link you clicked is invalid.');
    // Log in.
    $this->drupalLogin($this->account);
    // Reset the password by username via the password reset page.
    $this->drupalGet('user/password');
    $this->submitForm([], 'Submit');
    // Click the reset URL while logged and change our password.
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    $this->submitForm([], 'Log in');
    // Change the password.
    $password = \Drupal::service('password_generator')->generate();
    $edit = [
      'pass[pass1]' => $password,
      'pass[pass2]' => $password,
    ];
    $this->submitForm($edit, 'Save');
    $this->assertSession()
      ->pageTextContains('The changes have been saved.');
    // Logged in users should not be able to access the user.reset.login or the
    // user.reset.form routes.
    $timestamp = \Drupal::time()->getRequestTime() - 1;
    $this->drupalGet("user/reset/" . $this->account
      ->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
    $this->assertSession()
      ->statusCodeEquals(403);
    $this->drupalGet("user/reset/" . $this->account
      ->id());
    $this->assertSession()
      ->statusCodeEquals(403);
  }
  
  /**
   * Tests the text box on incorrect login via link to password reset page.
   */
  public function testUserResetPasswordTextboxNotFilled() : void {
    $this->drupalGet('user/login');
    $edit = [
      'name' => $this->randomMachineName(),
      'pass' => $this->randomMachineName(),
    ];
    $this->drupalGet('user/login');
    $this->submitForm($edit, 'Log in');
    $this->assertSession()
      ->pageTextContains("Unrecognized username or password. Forgot your password?");
    $this->assertSession()
      ->linkExists("Forgot your password?");
    // Verify we don't pass the username as a query parameter.
    $this->assertSession()
      ->linkByHrefNotExists(Url::fromRoute('user.pass', [], [
      'query' => [
        'name' => $edit['name'],
      ],
    ])->toString());
    $this->assertSession()
      ->linkByHrefExists(Url::fromRoute('user.pass')->toString());
    unset($edit['pass']);
    // Verify the field is empty by default.
    $this->drupalGet('user/password');
    $this->assertSession()
      ->fieldValueEquals('name', '');
    // Ensure the name field value is not cached.
    $this->drupalGet('user/password', [
      'query' => [
        'name' => $edit['name'],
      ],
    ]);
    $this->assertSession()
      ->fieldValueEquals('name', $edit['name']);
    $this->drupalGet('user/password');
    $this->assertSession()
      ->fieldValueNotEquals('name', $edit['name']);
  }
  
  /**
   * Tests password reset flood control for one user.
   */
  public function testUserResetPasswordUserFloodControl() : void {
    \Drupal::configFactory()->getEditable('user.flood')
      ->set('user_limit', 3)
      ->save();
    $edit = [
      'name' => $this->account
        ->getAccountName(),
    ];
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
      'id' => 'user_password_reset',
    ]));
    // Try 3 requests that should not trigger flood control.
    for ($i = 0; $i < 3; $i++) {
      $this->drupalGet('user/password');
      $this->submitForm($edit, 'Submit');
      $this->assertValidPasswordReset($edit['name']);
    }
    // Ensure 3 emails were sent.
    $this->assertCount($before + 3, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), '3 emails sent without triggering flood control.');
    // The next request should trigger flood control.
    $this->drupalGet('user/password');
    $this->submitForm($edit, 'Submit');
    // Ensure no further emails were sent.
    $this->assertCount($before + 3, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'No further email was sent after triggering flood control.');
  }
  
  /**
   * Tests password reset flood control for one IP.
   */
  public function testUserResetPasswordIpFloodControl() : void {
    \Drupal::configFactory()->getEditable('user.flood')
      ->set('ip_limit', 3)
      ->save();
    // Try 3 requests that should not trigger flood control.
    for ($i = 0; $i < 3; $i++) {
      $this->drupalGet('user/password');
      $random_name = $this->randomMachineName();
      $edit = [
        'name' => $random_name,
      ];
      $this->submitForm($edit, 'Submit');
      // Because we're testing with a random name, the password reset will not
      // be valid.
      $this->assertNoValidPasswordReset($random_name);
      $this->assertNoPasswordIpFlood();
    }
    // The next request should trigger flood control.
    $this->drupalGet('user/password');
    $edit = [
      'name' => $this->randomMachineName(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertPasswordIpFlood();
  }
  
  /**
   * Tests user password reset flood control is cleared on successful reset.
   */
  public function testUserResetPasswordUserFloodControlIsCleared() : void {
    \Drupal::configFactory()->getEditable('user.flood')
      ->set('user_limit', 3)
      ->save();
    $edit = [
      'name' => $this->account
        ->getAccountName(),
    ];
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
      'id' => 'user_password_reset',
    ]));
    // Try 3 requests that should not trigger flood control.
    for ($i = 0; $i < 3; $i++) {
      $this->drupalGet('user/password');
      $this->submitForm($edit, 'Submit');
      $this->assertValidPasswordReset($edit['name']);
    }
    // Ensure 3 emails were sent.
    $this->assertCount($before + 3, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), '3 emails sent without triggering flood control.');
    // Use the last password reset URL which was generated.
    $reset_url = $this->getResetURL();
    $this->drupalGet($reset_url . '/login');
    $this->assertSession()
      ->linkExists('Log out');
    $this->assertSession()
      ->titleEquals($this->account
      ->getAccountName() . ' | Drupal');
    $this->drupalLogout();
    // The next request should *not* trigger flood control, since a successful
    // password reset should have cleared flood events for this user.
    $this->drupalGet('user/password');
    $this->submitForm($edit, 'Submit');
    $this->assertValidPasswordReset($edit['name']);
    // Ensure another email was sent.
    $this->assertCount($before + 4, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'Another email was sent after clearing flood control.');
  }
  
  /**
   * Tests user password reset flood control is cleared on admin reset.
   */
  public function testUserResetPasswordUserFloodControlAdmin() : void {
    $admin_user = $this->drupalCreateUser([
      'administer account settings',
      'administer users',
    ]);
    \Drupal::configFactory()->getEditable('user.flood')
      ->set('user_limit', 3)
      ->save();
    $edit = [
      'name' => $this->account
        ->getAccountName(),
      'pass' => 'wrong_password',
    ];
    // Try 3 requests that should not trigger flood control.
    for ($i = 0; $i < 3; $i++) {
      $this->drupalGet('user/login');
      $this->submitForm($edit, 'Log in');
      $this->assertSession()
        ->pageTextNotContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
    }
    $this->drupalGet('user/login');
    $this->submitForm($edit, 'Log in');
    $this->assertSession()
      ->pageTextContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
    $password = $this->randomMachineName();
    $edit = [
      'pass[pass1]' => $password,
      'pass[pass2]' => $password,
    ];
    // Log in as admin and change the user password.
    $this->drupalLogin($admin_user);
    $this->drupalGet('user/' . $this->account
      ->id() . '/edit');
    $this->submitForm($edit, 'Save');
    $this->drupalLogout();
    $edit = [
      'name' => $this->account
        ->getAccountName(),
      'pass' => $password,
    ];
    // The next request should *not* trigger flood control, since the
    // password change should have cleared flood events for this user.
    $this->account->passRaw = $password;
    $this->drupalLogin($this->account);
    $this->assertSession()
      ->pageTextNotContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
  }
  
  /**
   * Helper function to make assertions about a valid password reset.
   *
   * @internal
   */
  public function assertValidPasswordReset(string $name) : void {
    $this->assertSession()
      ->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
    $this->assertMail('to', $this->account
      ->getEmail(), 'Password email sent to user.');
    $subject = 'Replacement login information for ' . $this->account
      ->getAccountName() . ' at Drupal';
    $this->assertMail('subject', $subject, 'Password reset email subject is correct.');
  }
  
  /**
   * Helper function to make assertions about an invalid password reset.
   *
   * @param string $name
   *   The user name.
   *
   * @internal
   */
  public function assertNoValidPasswordReset(string $name) : void {
    // This message is the same as the valid reset for privacy reasons.
    $this->assertSession()
      ->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
    // The difference is that no email is sent.
    $this->assertCount(0, $this->drupalGetMails([
      'id' => 'user_password_reset',
    ]), 'No email was sent when requesting a password for an invalid account.');
  }
  
  /**
   * Makes assertions about a password reset triggering IP flood control.
   *
   * @internal
   */
  public function assertPasswordIpFlood() : void {
    $this->assertSession()
      ->pageTextContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
  }
  
  /**
   * Makes assertions about a password reset not triggering IP flood control.
   *
   * @internal
   */
  public function assertNoPasswordIpFlood() : void {
    $this->assertSession()
      ->pageTextNotContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
  }
  
  /**
   * Make sure that users cannot forge password reset URLs of other users.
   */
  public function testResetImpersonation() : void {
    // Create two identical user accounts except for the user name. They must
    // have the same empty password, so we can't use $this->drupalCreateUser().
    $edit = [];
    $edit['name'] = $this->randomMachineName();
    $edit['mail'] = $edit['name'] . '@example.com';
    $edit['status'] = 1;
    $user1 = User::create($edit);
    $user1->save();
    $edit['name'] = $this->randomMachineName();
    $user2 = User::create($edit);
    $user2->save();
    // Unique password hashes are automatically generated, the only way to
    // change that is to update it directly in the database.
    Database::getConnection()->update('users_field_data')
      ->fields([
      'pass' => NULL,
    ])
      ->condition('uid', [
      $user1->id(),
      $user2->id(),
    ], 'IN')
      ->execute();
    \Drupal::entityTypeManager()->getStorage('user')
      ->resetCache();
    $user1 = User::load($user1->id());
    $user2 = User::load($user2->id());
    $this->assertEquals($user2->getPassword(), $user1->getPassword(), 'Both users have the same password hash.');
    // The password reset URL must not be valid for the second user when only
    // the user ID is changed in the URL.
    $reset_url = user_pass_reset_url($user1);
    $attack_reset_url = str_replace("user/reset/{$user1->id()}", "user/reset/{$user2->id()}", $reset_url);
    $this->drupalGet($attack_reset_url);
    // Verify that the invalid password reset page does not show the user name.
    $this->assertSession()
      ->pageTextNotContains($user2->getAccountName());
    $this->assertSession()
      ->addressEquals('user/password');
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
    $this->drupalGet($attack_reset_url . '/login');
    // Verify that the invalid password reset page does not show the user name.
    $this->assertSession()
      ->pageTextNotContains($user2->getAccountName());
    $this->assertSession()
      ->addressEquals('user/password');
    $this->assertSession()
      ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
  }
  
  /**
   * Test the autocomplete attribute is present.
   */
  public function testResetFormHasAutocompleteAttribute() : void {
    $this->drupalGet('user/password');
    $field = $this->getSession()
      ->getPage()
      ->findField('name');
    $this->assertEquals('username', $field->getAttribute('autocomplete'));
  }

}

Members

Title Deprecated Modifiers Object type Summary Member alias Overriden Title Overrides
AssertMailTrait::assertMail protected function Asserts that the most recently sent email message has the given value.
AssertMailTrait::assertMailPattern protected function Asserts that the most recently sent email message has the pattern in it.
AssertMailTrait::assertMailString protected function Asserts that the most recently sent email message has the string in it.
AssertMailTrait::getMails protected function Gets an array containing all emails sent during this test case. Aliased as: drupalGetMails
BlockCreationTrait::placeBlock protected function Creates a block instance based on default settings. Aliased as: drupalPlaceBlock
BrowserHtmlDebugTrait::$htmlOutputBaseUrl protected property The Base URI to use for links to the output files.
BrowserHtmlDebugTrait::$htmlOutputClassName protected property Class name for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputCounter protected property Counter for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputCounterStorage protected property Counter storage for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputDirectory protected property Directory name for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputEnabled protected property HTML output enabled.
BrowserHtmlDebugTrait::$htmlOutputTestId protected property HTML output test ID.
BrowserHtmlDebugTrait::formatHtmlOutputHeaders protected function Formats HTTP headers as string for HTML output logging.
BrowserHtmlDebugTrait::getHtmlOutputHeaders protected function Returns headers in HTML output format. 1
BrowserHtmlDebugTrait::getResponseLogHandler protected function Provides a Guzzle middleware handler to log every response received.
BrowserHtmlDebugTrait::htmlOutput protected function Logs a HTML output message in a text file.
BrowserHtmlDebugTrait::initBrowserOutputFile protected function Creates the directory to store browser output.
BrowserTestBase::$baseUrl protected property The base URL.
BrowserTestBase::$configImporter protected property The config importer that can be used in a test.
BrowserTestBase::$mink protected property Mink session manager.
BrowserTestBase::$minkDefaultDriverArgs protected property Mink default driver params.
BrowserTestBase::$minkDefaultDriverClass protected property Mink class for the default driver to use. 1
BrowserTestBase::$originalShutdownCallbacks protected property The original array of shutdown function callbacks.
BrowserTestBase::$profile protected property The profile to install as a basis for testing. 45
BrowserTestBase::$timeLimit protected property Time limit in seconds for the test.
BrowserTestBase::cleanupEnvironment protected function Clean up the test environment.
BrowserTestBase::config protected function Configuration accessor for tests. Returns non-overridden configuration.
BrowserTestBase::filePreDeleteCallback public static function Ensures test files are deletable.
BrowserTestBase::getDefaultDriverInstance protected function Gets an instance of the default Mink driver.
BrowserTestBase::getDrupalSettings protected function Gets the JavaScript drupalSettings variable for the currently-loaded page. 1
BrowserTestBase::getHttpClient protected function Obtain the HTTP client for the system under test.
BrowserTestBase::getMinkDriverArgs protected function Gets the Mink driver args from an environment variable. 1
BrowserTestBase::getOptions Deprecated protected function Helper function to get the options of select field.
BrowserTestBase::getSession public function Returns Mink session.
BrowserTestBase::getSessionCookies protected function Get session cookies from current session.
BrowserTestBase::getTestMethodCaller protected function Retrieves the current calling line in the class under test. Overrides BrowserHtmlDebugTrait::getTestMethodCaller
BrowserTestBase::initFrontPage protected function Visits the front page when initializing Mink. 3
BrowserTestBase::initMink protected function Initializes Mink sessions. 1
BrowserTestBase::installDrupal public function Installs Drupal into the test site. 2
BrowserTestBase::registerSessions protected function Registers additional Mink sessions.
BrowserTestBase::setDebugDumpHandler public static function Registers the dumper CLI handler when the DebugDump extension is enabled.
BrowserTestBase::setUpAppRoot protected function Sets up the root application path.
BrowserTestBase::tearDown protected function 3
BrowserTestBase::translatePostValues protected function Transforms a nested array into a flat array suitable for submitForm().
BrowserTestBase::xpath protected function Performs an xpath search on the contents of the internal browser.
BrowserTestBase::__construct public function 1
BrowserTestBase::__sleep public function Prevents serializing any properties.
ConfigTestTrait::configImporter protected function Returns a ConfigImporter object to import test configuration.
ConfigTestTrait::copyConfig protected function Copies configuration objects from source storage to target storage.
ContentTypeCreationTrait::createContentType protected function Creates a custom content type based on default settings. Aliased as: drupalCreateContentType 1
ExpectDeprecationTrait::expectDeprecation public function Adds an expected deprecation.
ExpectDeprecationTrait::setUpErrorHandler public function Sets up the test error handler.
ExpectDeprecationTrait::tearDownErrorHandler public function Tears down the test error handler.
ExtensionListTestTrait::getModulePath protected function Gets the path for the specified module.
ExtensionListTestTrait::getThemePath protected function Gets the path for the specified theme.
FunctionalTestSetupTrait::$apcuEnsureUniquePrefix protected property The flag to set &#039;apcu_ensure_unique_prefix&#039; setting. 1
FunctionalTestSetupTrait::$classLoader protected property The class loader to use for installation and initialization of setup.
FunctionalTestSetupTrait::$rootUser protected property The &quot;#1&quot; admin user.
FunctionalTestSetupTrait::$usesSuperUserAccessPolicy protected property Set to TRUE to make user 1 a super user.
FunctionalTestSetupTrait::doInstall protected function Execute the non-interactive installer. 1
FunctionalTestSetupTrait::initConfig protected function Initialize various configurations post-installation. 1
FunctionalTestSetupTrait::initKernel protected function Initializes the kernel after installation.
FunctionalTestSetupTrait::initSettings protected function Initialize settings created during install.
FunctionalTestSetupTrait::initUserSession protected function Initializes user 1 for the site to be installed.
FunctionalTestSetupTrait::installDefaultThemeFromClassProperty protected function Installs the default theme defined by `static::$defaultTheme` when needed. 1
FunctionalTestSetupTrait::installModulesFromClassProperty protected function Install modules defined by `static::$modules`. 1
FunctionalTestSetupTrait::installParameters protected function Returns the parameters that will be used when the test installs Drupal. 8
FunctionalTestSetupTrait::prepareEnvironment protected function Prepares the current environment for running the test. 29
FunctionalTestSetupTrait::prepareRequestForGenerator protected function Creates a mock request and sets it on the generator.
FunctionalTestSetupTrait::prepareSettings protected function Prepares site settings and services before installation. 4
FunctionalTestSetupTrait::rebuildAll protected function Resets and rebuilds the environment after setup.
FunctionalTestSetupTrait::rebuildContainer protected function Rebuilds \Drupal::getContainer().
FunctionalTestSetupTrait::resetAll protected function Resets all data structures after having enabled new modules.
FunctionalTestSetupTrait::setContainerParameter protected function Changes parameters in the services.yml file.
FunctionalTestSetupTrait::setupBaseUrl protected function Sets up the base URL based upon the environment variable.
FunctionalTestSetupTrait::writeSettings protected function Rewrites the settings.php file of the test site. 1
NodeCreationTrait::createNode protected function Creates a node based on default settings. Aliased as: drupalCreateNode
NodeCreationTrait::getNodeByTitle public function Get a node from the database based on its title. Aliased as: drupalGetNodeByTitle
RandomGeneratorTrait::getRandomGenerator protected function Gets the random generator for the utility methods.
RandomGeneratorTrait::randomMachineName protected function Generates a unique random string containing letters and numbers.
RandomGeneratorTrait::randomObject public function Generates a random PHP object.
RandomGeneratorTrait::randomString public function Generates a pseudo-random string of ASCII characters of codes 32 to 126.
RefreshVariablesTrait::refreshVariables protected function Refreshes in-memory configuration and state information. 2
SessionTestTrait::$sessionName protected property The name of the session cookie.
SessionTestTrait::generateSessionName protected function Generates a session cookie name.
SessionTestTrait::getSessionName protected function Returns the session name in use on the child site.
StorageCopyTrait::replaceStorageContents protected static function Copy the configuration from one storage to another and remove stale items.
TestRequirementsTrait::getDrupalRoot protected static function Returns the Drupal root directory.
TestSetupTrait::$configSchemaCheckerExclusions protected static property An array of config object names that are excluded from schema checking. 4
TestSetupTrait::$container protected property The dependency injection container used in the test.
TestSetupTrait::$databasePrefix protected property The database prefix of this test run.
TestSetupTrait::$kernel protected property The DrupalKernel instance used in the test.
TestSetupTrait::$originalSite protected property The site directory of the original parent site.
TestSetupTrait::$privateFilesDirectory protected property The private file directory for the test environment.
TestSetupTrait::$publicFilesDirectory protected property The public file directory for the test environment.
TestSetupTrait::$root protected property The app root.
TestSetupTrait::$siteDirectory protected property The site directory of this test run.
TestSetupTrait::$strictConfigSchema protected property Set to TRUE to strict check all configuration saved. 4
TestSetupTrait::$tempFilesDirectory protected property The temporary file directory for the test environment.
TestSetupTrait::$testId protected property The test run ID.
TestSetupTrait::changeDatabasePrefix protected function Changes the database connection to the prefixed one.
TestSetupTrait::getConfigSchemaExclusions protected function Gets the config schema exclusions for this test.
TestSetupTrait::prepareDatabasePrefix protected function Generates a database prefix for running tests. 1
UiHelperTrait::$loggedInUser protected property The current user logged in using the Mink controlled browser.
UiHelperTrait::$maximumMetaRefreshCount protected property The number of meta refresh redirects to follow, or NULL if unlimited.
UiHelperTrait::$metaRefreshCount protected property The number of meta refresh redirects followed during ::drupalGet().
UiHelperTrait::$useOneTimeLoginLinks protected property Use one-time login links instead of submitting the login form. 3
UiHelperTrait::assertSession public function Returns WebAssert object. 1
UiHelperTrait::buildUrl protected function Builds an absolute URL from a system path or a URL object.
UiHelperTrait::checkForMetaRefresh protected function Checks for meta refresh tag and if found call drupalGet() recursively.
UiHelperTrait::click protected function Clicks the element with the given CSS selector.
UiHelperTrait::clickLink protected function Follows a link by complete name.
UiHelperTrait::cssSelect protected function Searches elements using a CSS selector in the raw content.
UiHelperTrait::cssSelectToXpath protected function Translates a CSS expression to its XPath equivalent.
UiHelperTrait::drupalGet protected function Retrieves a Drupal path or an absolute path. 3
UiHelperTrait::drupalLogin protected function Logs in a user using the Mink controlled browser.
UiHelperTrait::drupalLogout protected function Logs a user out of the Mink controlled browser and confirms.
UiHelperTrait::drupalResetSession protected function Resets the current active session back to Anonymous session.
UiHelperTrait::drupalUserIsLoggedIn protected function Returns whether a given user account is logged in.
UiHelperTrait::getAbsoluteUrl protected function Takes a path and returns an absolute path.
UiHelperTrait::getTextContent protected function Retrieves the plain-text content from the current page.
UiHelperTrait::getUrl protected function Get the current URL from the browser.
UiHelperTrait::isTestUsingGuzzleClient protected function Determines if test is using DrupalTestBrowser.
UiHelperTrait::prepareRequest protected function Prepare for a request to testing site. 1
UiHelperTrait::submitForm protected function Fills and submits a form.
UserCreationTrait::checkPermissions protected function Checks whether a given list of permission names is valid.
UserCreationTrait::createAdminRole protected function Creates an administrative role.
UserCreationTrait::createRole protected function Creates a role with specified permissions. Aliased as: drupalCreateRole
UserCreationTrait::createUser protected function Create a user with a given set of permissions. Aliased as: drupalCreateUser 1
UserCreationTrait::grantPermissions protected function Grant permissions to a user role.
UserCreationTrait::setCurrentUser protected function Switch the current logged in user.
UserCreationTrait::setUpCurrentUser protected function Creates a random user account and sets it as current user.
UserPasswordResetTest::$account protected property The user object to test password resetting.
UserPasswordResetTest::$defaultTheme protected property The theme to install as the default for testing. Overrides BrowserTestBase::$defaultTheme
UserPasswordResetTest::$languageManager protected property Language manager object.
UserPasswordResetTest::$modules protected static property Modules to install. Overrides BrowserTestBase::$modules
UserPasswordResetTest::assertNoPasswordIpFlood public function Makes assertions about a password reset not triggering IP flood control.
UserPasswordResetTest::assertNoValidPasswordReset public function Helper function to make assertions about an invalid password reset.
UserPasswordResetTest::assertPasswordIpFlood public function Makes assertions about a password reset triggering IP flood control.
UserPasswordResetTest::assertValidPasswordReset public function Helper function to make assertions about a valid password reset.
UserPasswordResetTest::getResetURL public function Retrieves password reset email and extracts the login link.
UserPasswordResetTest::languagePrefixTestProvider protected function Provides scenarios for testUserPasswordResetPreferredLanguage().
UserPasswordResetTest::setUp protected function Overrides BrowserTestBase::setUp
UserPasswordResetTest::testResetFormHasAutocompleteAttribute public function Test the autocomplete attribute is present.
UserPasswordResetTest::testResetImpersonation public function Make sure that users cannot forge password reset URLs of other users.
UserPasswordResetTest::testUserPasswordReset public function Tests password reset functionality.
UserPasswordResetTest::testUserPasswordResetLoggedIn public function Tests user password reset while logged in.
UserPasswordResetTest::testUserPasswordResetPreferredLanguage public function Tests password reset functionality when user has set preferred language.
UserPasswordResetTest::testUserResetPasswordIpFloodControl public function Tests password reset flood control for one IP.
UserPasswordResetTest::testUserResetPasswordTextboxNotFilled public function Tests the text box on incorrect login via link to password reset page.
UserPasswordResetTest::testUserResetPasswordUserFloodControl public function Tests password reset flood control for one user.
UserPasswordResetTest::testUserResetPasswordUserFloodControlAdmin public function Tests user password reset flood control is cleared on admin reset.
UserPasswordResetTest::testUserResetPasswordUserFloodControlIsCleared public function Tests user password reset flood control is cleared on successful reset.
XdebugRequestTrait::extractCookiesFromRequest protected function Adds xdebug cookies, from request setup.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.