Files
breadcrumb-the-shire/tests/Http/IntendedUrlServiceTest.php
fs e1c211069e fix(session): preserve intended URL across session timeout with remember-me
Session timeout redirected to /de/login?return_to=... but the remember-me
cookie was not cleared by logoutDueToSessionTimeout(). On the next request,
autoLoginFromCookie() silently re-logged the user in, causing the MintyPHP
router to resolve the login route to pages/index().php (dashboard) instead
of the login action — the intended URL redirect logic never executed.

Fix: intercept ?return_to= immediately after successful auto-login in
index.php and redirect to the sanitized route path. Also harden the login
flow with hidden return_to form fields and POST body fallback for cases
without remember-me.

Additional improvements in this commit:
- Convert stored REQUEST_URI to router-compatible path (strip leading
  slash and locale prefix) via IntendedUrlService::toRoutePath()
- Consolidate duplicate CSRF data attributes into shared data-csrf-key
  and data-csrf-token on <html> element
- Add tenant branding (logo) to auth pages via appAuthLogoUrl() helper

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 18:28:13 +01:00

282 lines
9.0 KiB
PHP

<?php
namespace MintyPHP\Tests\Http;
use MintyPHP\Http\IntendedUrlService;
use MintyPHP\Http\SessionStoreInterface;
use PHPUnit\Framework\MockObject\MockObject;
use PHPUnit\Framework\TestCase;
class IntendedUrlServiceTest extends TestCase
{
private IntendedUrlService $service;
private SessionStoreInterface&MockObject $session;
protected function setUp(): void
{
$this->service = new IntendedUrlService();
$this->session = $this->createMock(SessionStoreInterface::class);
}
// ── sanitize ──────────────────────────────────────────────
public function testSanitizeAcceptsValidInternalPath(): void
{
$this->assertSame('/admin/users/edit/5', $this->service->sanitize('/admin/users/edit/5'));
}
public function testSanitizeAcceptsPathWithQueryString(): void
{
$this->assertSame('/admin/users?page=2&sort=name', $this->service->sanitize('/admin/users?page=2&sort=name'));
}
public function testSanitizeAcceptsLocalePrefixedPath(): void
{
$this->assertSame('/de/admin/users', $this->service->sanitize('/de/admin/users'));
}
public function testSanitizeRejectsEmptyString(): void
{
$this->assertSame('', $this->service->sanitize(''));
}
public function testSanitizeRejectsWhitespaceOnly(): void
{
$this->assertSame('', $this->service->sanitize(' '));
}
public function testSanitizeRejectsRelativePath(): void
{
$this->assertSame('', $this->service->sanitize('admin/users'));
}
public function testSanitizeRejectsExternalUrlWithProtocol(): void
{
$this->assertSame('', $this->service->sanitize('https://evil.com/admin'));
}
public function testSanitizeRejectsProtocolRelativeUrl(): void
{
$this->assertSame('', $this->service->sanitize('//evil.com/admin'));
}
public function testSanitizeRejectsUrlWithEmbeddedProtocol(): void
{
$this->assertSame('', $this->service->sanitize('/admin?redirect=http://evil.com'));
}
public function testSanitizeRejectsAuthPrefix(): void
{
$this->assertSame('', $this->service->sanitize('/auth/callback'));
}
public function testSanitizeRejectsAuthPrefixWithLocale(): void
{
$this->assertSame('', $this->service->sanitize('/en/auth/callback'));
}
public function testSanitizeRejectsApiPrefix(): void
{
$this->assertSame('', $this->service->sanitize('/api/v1/users'));
}
public function testSanitizeRejectsLoginPath(): void
{
$this->assertSame('', $this->service->sanitize('/login'));
}
public function testSanitizeRejectsLoginWithLocale(): void
{
$this->assertSame('', $this->service->sanitize('/de/login'));
}
public function testSanitizeRejectsLogoutPath(): void
{
$this->assertSame('', $this->service->sanitize('/logout'));
}
public function testSanitizeRejectsFlashPrefix(): void
{
$this->assertSame('', $this->service->sanitize('/flash/something'));
}
public function testSanitizeRejectsBrandingPrefix(): void
{
$this->assertSame('', $this->service->sanitize('/branding/logo.png'));
}
public function testSanitizeRejectsOverlongUrl(): void
{
$url = '/' . str_repeat('a', 2048);
$this->assertSame('', $this->service->sanitize($url));
}
public function testSanitizeAcceptsMaxLengthUrl(): void
{
$url = '/' . str_repeat('a', 2046);
$this->assertSame($url, $this->service->sanitize($url));
}
// ── store ─────────────────────────────────────────────────
public function testStoreWritesValidUrlToSession(): void
{
$this->session->expects($this->once())
->method('set')
->with('intended_url', '/admin/users/edit/5');
$this->service->store('/admin/users/edit/5', $this->session);
}
public function testStoreIgnoresInvalidUrl(): void
{
$this->session->expects($this->never())->method('set');
$this->service->store('https://evil.com', $this->session);
}
public function testStoreIgnoresEmptyUrl(): void
{
$this->session->expects($this->never())->method('set');
$this->service->store('', $this->session);
}
// ── retrieve ──────────────────────────────────────────────
public function testRetrieveReturnsStoredUrl(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn('/admin/dashboard');
$this->assertSame('/admin/dashboard', $this->service->retrieve($this->session));
}
public function testRetrieveReturnsNullWhenEmpty(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn(null);
$this->assertNull($this->service->retrieve($this->session));
}
public function testRetrieveReturnsNullForEmptyString(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn('');
$this->assertNull($this->service->retrieve($this->session));
}
public function testRetrieveReturnsNullForNonStringValue(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn(42);
$this->assertNull($this->service->retrieve($this->session));
}
// ── retrieveAndForget ─────────────────────────────────────
public function testRetrieveAndForgetReturnsRoutePathAndRemovesIt(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn('/admin/users');
$this->session->expects($this->once())
->method('remove')
->with('intended_url');
$this->assertSame('admin/users', $this->service->retrieveAndForget($this->session));
}
public function testRetrieveAndForgetStripsLocalePrefix(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn('/de/admin/users/edit/5');
$this->session->expects($this->once())
->method('remove')
->with('intended_url');
$this->assertSame('admin/users/edit/5', $this->service->retrieveAndForget($this->session));
}
public function testRetrieveAndForgetPreservesQueryString(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn('/de/admin/users?page=2&sort=name');
$this->session->expects($this->once())
->method('remove')
->with('intended_url');
$this->assertSame('admin/users?page=2&sort=name', $this->service->retrieveAndForget($this->session));
}
public function testRetrieveAndForgetReturnsFallbackWhenNoUrlStored(): void
{
$this->session->expects($this->any())
->method('get')
->with('intended_url')
->willReturn(null);
$this->session->expects($this->once())
->method('remove')
->with('intended_url');
$this->assertSame('admin', $this->service->retrieveAndForget($this->session));
}
// ── buildLoginRedirect ────────────────────────────────────
public function testBuildLoginRedirectAppendsReturnTo(): void
{
$result = $this->service->buildLoginRedirect('/en/login', '/en/admin/users/edit/5');
$this->assertSame('/en/login?return_to=%2Fen%2Fadmin%2Fusers%2Fedit%2F5', $result);
}
public function testBuildLoginRedirectAppendsWithAmpersandWhenQueryExists(): void
{
$result = $this->service->buildLoginRedirect('/en/login?tenant=acme', '/en/admin/users');
$this->assertSame('/en/login?tenant=acme&return_to=%2Fen%2Fadmin%2Fusers', $result);
}
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsInvalid(): void
{
$result = $this->service->buildLoginRedirect('/en/login', 'https://evil.com');
$this->assertSame('/en/login', $result);
}
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsEmpty(): void
{
$result = $this->service->buildLoginRedirect('/en/login', '');
$this->assertSame('/en/login', $result);
}
public function testBuildLoginRedirectReturnsLoginPathWhenReturnToIsBlockedPath(): void
{
$result = $this->service->buildLoginRedirect('/en/login', '/auth/callback');
$this->assertSame('/en/login', $result);
}
}