harden(logout): enforce POST+CSRF and remove GET logout triggers

This commit is contained in:
2026-04-25 23:35:03 +02:00
parent a24dc0c235
commit 3207d71244
6 changed files with 82 additions and 9 deletions

View File

@@ -0,0 +1,39 @@
<?php
namespace MintyPHP\Tests\Architecture;
use PHPUnit\Framework\TestCase;
class AuthLogoutCsrfContractTest extends TestCase
{
use ProjectFileAssertionSupport;
public function testLogoutActionRequiresPostAndCsrf(): void
{
$content = $this->readProjectFile('pages/auth/logout().php');
$this->assertStringContainsString("actionRequirePost('login')", $content);
$this->assertStringContainsString("actionRequireCsrf('login', 'login', 'logout_csrf')", $content);
}
public function testTopbarLogoutUsesPostFormSubmitInsteadOfGetLink(): void
{
$content = $this->readProjectFile('templates/partials/app-topbar.phtml');
$this->assertStringNotContainsString('href="logout"', $content);
$this->assertStringContainsString('type="submit"', $content);
$this->assertStringContainsString('form="<?php e($logoutFormId); ?>"', $content);
}
public function testLayoutAndSessionWarningUseLogoutFormContract(): void
{
$layoutContent = $this->readProjectFile('templates/default.phtml');
$sessionWarningJs = $this->readProjectFile('web/js/components/app-session-warning.js');
$this->assertStringContainsString('\'logoutFormId\' => $sessionLogoutFormId', $layoutContent);
$this->assertStringContainsString('data-session-logout-form-id="<?php e($sessionLogoutFormId); ?>"', $layoutContent);
$this->assertStringContainsString('<form id="<?php e($sessionLogoutFormId); ?>" method="post" action="<?php e($sessionLogoutUrl); ?>" hidden>', $layoutContent);
$this->assertStringContainsString('requestSubmitWithFallback(form)', $sessionWarningJs);
$this->assertStringNotContainsString('window.location.href = config.logoutUrl', $sessionWarningJs);
}
}