feat(session): preserve intended URL across session timeout and add expiry warning dialog
When a session expires, the user's current URL is now captured and restored after re-authentication (via remember-me cookie or manual login), instead of always redirecting to the dashboard. A JavaScript session warning dialog appears ~2 minutes before idle timeout, allowing users to extend their session with a single click. Includes open-redirect prevention via URL validation, Microsoft SSO callback support, and 33 unit tests. Refs: SESSION-REDIRECT-PRESERVE-001 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
253
tests/Http/IntendedUrlServiceTest.php
Normal file
253
tests/Http/IntendedUrlServiceTest.php
Normal file
@@ -0,0 +1,253 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Http;
|
||||
|
||||
use MintyPHP\Http\IntendedUrlService;
|
||||
use MintyPHP\Http\SessionStoreInterface;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
class IntendedUrlServiceTest extends TestCase
|
||||
{
|
||||
private IntendedUrlService $service;
|
||||
private SessionStoreInterface&MockObject $session;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
$this->service = new IntendedUrlService();
|
||||
$this->session = $this->createMock(SessionStoreInterface::class);
|
||||
}
|
||||
|
||||
// ── sanitize ──────────────────────────────────────────────
|
||||
|
||||
public function testSanitizeAcceptsValidInternalPath(): void
|
||||
{
|
||||
$this->assertSame('/admin/users/edit/5', $this->service->sanitize('/admin/users/edit/5'));
|
||||
}
|
||||
|
||||
public function testSanitizeAcceptsPathWithQueryString(): void
|
||||
{
|
||||
$this->assertSame('/admin/users?page=2&sort=name', $this->service->sanitize('/admin/users?page=2&sort=name'));
|
||||
}
|
||||
|
||||
public function testSanitizeAcceptsLocalePrefixedPath(): void
|
||||
{
|
||||
$this->assertSame('/de/admin/users', $this->service->sanitize('/de/admin/users'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsEmptyString(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize(''));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsWhitespaceOnly(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize(' '));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsRelativePath(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('admin/users'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsExternalUrlWithProtocol(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('https://evil.com/admin'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsProtocolRelativeUrl(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('//evil.com/admin'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsUrlWithEmbeddedProtocol(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/admin?redirect=http://evil.com'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsAuthPrefix(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/auth/callback'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsAuthPrefixWithLocale(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/en/auth/callback'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsApiPrefix(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/api/v1/users'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsLoginPath(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/login'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsLoginWithLocale(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/de/login'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsLogoutPath(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/logout'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsFlashPrefix(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/flash/something'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsBrandingPrefix(): void
|
||||
{
|
||||
$this->assertSame('', $this->service->sanitize('/branding/logo.png'));
|
||||
}
|
||||
|
||||
public function testSanitizeRejectsOverlongUrl(): void
|
||||
{
|
||||
$url = '/' . str_repeat('a', 2048);
|
||||
$this->assertSame('', $this->service->sanitize($url));
|
||||
}
|
||||
|
||||
public function testSanitizeAcceptsMaxLengthUrl(): void
|
||||
{
|
||||
$url = '/' . str_repeat('a', 2046);
|
||||
$this->assertSame($url, $this->service->sanitize($url));
|
||||
}
|
||||
|
||||
// ── store ─────────────────────────────────────────────────
|
||||
|
||||
public function testStoreWritesValidUrlToSession(): void
|
||||
{
|
||||
$this->session->expects($this->once())
|
||||
->method('set')
|
||||
->with('intended_url', '/admin/users/edit/5');
|
||||
|
||||
$this->service->store('/admin/users/edit/5', $this->session);
|
||||
}
|
||||
|
||||
public function testStoreIgnoresInvalidUrl(): void
|
||||
{
|
||||
$this->session->expects($this->never())->method('set');
|
||||
|
||||
$this->service->store('https://evil.com', $this->session);
|
||||
}
|
||||
|
||||
public function testStoreIgnoresEmptyUrl(): void
|
||||
{
|
||||
$this->session->expects($this->never())->method('set');
|
||||
|
||||
$this->service->store('', $this->session);
|
||||
}
|
||||
|
||||
// ── retrieve ──────────────────────────────────────────────
|
||||
|
||||
public function testRetrieveReturnsStoredUrl(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn('/admin/dashboard');
|
||||
|
||||
$this->assertSame('/admin/dashboard', $this->service->retrieve($this->session));
|
||||
}
|
||||
|
||||
public function testRetrieveReturnsNullWhenEmpty(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn(null);
|
||||
|
||||
$this->assertNull($this->service->retrieve($this->session));
|
||||
}
|
||||
|
||||
public function testRetrieveReturnsNullForEmptyString(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn('');
|
||||
|
||||
$this->assertNull($this->service->retrieve($this->session));
|
||||
}
|
||||
|
||||
public function testRetrieveReturnsNullForNonStringValue(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn(42);
|
||||
|
||||
$this->assertNull($this->service->retrieve($this->session));
|
||||
}
|
||||
|
||||
// ── retrieveAndForget ─────────────────────────────────────
|
||||
|
||||
public function testRetrieveAndForgetReturnsStoredUrlAndRemovesIt(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn('/admin/users');
|
||||
|
||||
$this->session->expects($this->once())
|
||||
->method('remove')
|
||||
->with('intended_url');
|
||||
|
||||
$this->assertSame('/admin/users', $this->service->retrieveAndForget($this->session));
|
||||
}
|
||||
|
||||
public function testRetrieveAndForgetReturnsFallbackWhenNoUrlStored(): void
|
||||
{
|
||||
$this->session->expects($this->any())
|
||||
->method('get')
|
||||
->with('intended_url')
|
||||
->willReturn(null);
|
||||
|
||||
$this->session->expects($this->once())
|
||||
->method('remove')
|
||||
->with('intended_url');
|
||||
|
||||
$this->assertSame('admin', $this->service->retrieveAndForget($this->session));
|
||||
}
|
||||
|
||||
// ── buildLoginRedirect ────────────────────────────────────
|
||||
|
||||
public function testBuildLoginRedirectAppendsReturnTo(): void
|
||||
{
|
||||
$result = $this->service->buildLoginRedirect('/en/login', '/en/admin/users/edit/5');
|
||||
|
||||
$this->assertSame('/en/login?return_to=%2Fen%2Fadmin%2Fusers%2Fedit%2F5', $result);
|
||||
}
|
||||
|
||||
public function testBuildLoginRedirectAppendsWithAmpersandWhenQueryExists(): void
|
||||
{
|
||||
$result = $this->service->buildLoginRedirect('/en/login?tenant=acme', '/en/admin/users');
|
||||
|
||||
$this->assertSame('/en/login?tenant=acme&return_to=%2Fen%2Fadmin%2Fusers', $result);
|
||||
}
|
||||
|
||||
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsInvalid(): void
|
||||
{
|
||||
$result = $this->service->buildLoginRedirect('/en/login', 'https://evil.com');
|
||||
|
||||
$this->assertSame('/en/login', $result);
|
||||
}
|
||||
|
||||
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsEmpty(): void
|
||||
{
|
||||
$result = $this->service->buildLoginRedirect('/en/login', '');
|
||||
|
||||
$this->assertSame('/en/login', $result);
|
||||
}
|
||||
|
||||
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsBlockedPath(): void
|
||||
{
|
||||
$result = $this->service->buildLoginRedirect('/en/login', '/auth/callback');
|
||||
|
||||
$this->assertSame('/en/login', $result);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user