harden(logout): enforce POST+CSRF and remove GET logout triggers
This commit is contained in:
39
tests/Architecture/AuthLogoutCsrfContractTest.php
Normal file
39
tests/Architecture/AuthLogoutCsrfContractTest.php
Normal file
@@ -0,0 +1,39 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
class AuthLogoutCsrfContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
public function testLogoutActionRequiresPostAndCsrf(): void
|
||||
{
|
||||
$content = $this->readProjectFile('pages/auth/logout().php');
|
||||
|
||||
$this->assertStringContainsString("actionRequirePost('login')", $content);
|
||||
$this->assertStringContainsString("actionRequireCsrf('login', 'login', 'logout_csrf')", $content);
|
||||
}
|
||||
|
||||
public function testTopbarLogoutUsesPostFormSubmitInsteadOfGetLink(): void
|
||||
{
|
||||
$content = $this->readProjectFile('templates/partials/app-topbar.phtml');
|
||||
|
||||
$this->assertStringNotContainsString('href="logout"', $content);
|
||||
$this->assertStringContainsString('type="submit"', $content);
|
||||
$this->assertStringContainsString('form="<?php e($logoutFormId); ?>"', $content);
|
||||
}
|
||||
|
||||
public function testLayoutAndSessionWarningUseLogoutFormContract(): void
|
||||
{
|
||||
$layoutContent = $this->readProjectFile('templates/default.phtml');
|
||||
$sessionWarningJs = $this->readProjectFile('web/js/components/app-session-warning.js');
|
||||
|
||||
$this->assertStringContainsString('\'logoutFormId\' => $sessionLogoutFormId', $layoutContent);
|
||||
$this->assertStringContainsString('data-session-logout-form-id="<?php e($sessionLogoutFormId); ?>"', $layoutContent);
|
||||
$this->assertStringContainsString('<form id="<?php e($sessionLogoutFormId); ?>" method="post" action="<?php e($sessionLogoutUrl); ?>" hidden>', $layoutContent);
|
||||
$this->assertStringContainsString('requestSubmitWithFallback(form)', $sessionWarningJs);
|
||||
$this->assertStringNotContainsString('window.location.href = config.logoutUrl', $sessionWarningJs);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user