bookstack/tests/Auth/AuthTest.php

<?php

namespace Tests\Auth;

use BookStack\Access\Mfa\MfaSession;
use Illuminate\Testing\TestResponse;
use Tests\TestCase;

class AuthTest extends TestCase
{
    public function test_auth_working()
    {
        $this->get('/')->assertRedirect('/login');
    }

    public function test_login()
    {
        $this->login('admin@admin.com', 'password')->assertRedirect('/');
    }

    public function test_public_viewing()
    {
        $this->setSettings(['app-public' => 'true']);
        $this->get('/')
            ->assertOk()
            ->assertSee('Log in');
    }

    public function test_sign_up_link_on_login()
    {
        $this->get('/login')->assertDontSee('Sign up');

        $this->setSettings(['registration-enabled' => 'true']);

        $this->get('/login')->assertSee('Sign up');
    }

    public function test_logout()
    {
        $this->asAdmin()->get('/')->assertOk();
        $this->post('/logout')->assertRedirect('/');
        $this->get('/')->assertRedirect('/login');
    }

    public function test_mfa_session_cleared_on_logout()
    {
        $user = $this->users->editor();
        $mfaSession = $this->app->make(MfaSession::class);

        $mfaSession->markVerifiedForUser($user);
        $this->assertTrue($mfaSession->isVerifiedForUser($user));

        $this->asAdmin()->post('/logout');
        $this->assertFalse($mfaSession->isVerifiedForUser($user));
    }

    public function test_login_redirects_to_initially_requested_url_correctly()
    {
        config()->set('app.url', 'http://localhost');
        $page = $this->entities->page();

        $this->get($page->getUrl())->assertRedirect(url('/login'));
        $this->login('admin@admin.com', 'password')
            ->assertRedirect($page->getUrl());
    }

    public function test_login_intended_redirect_does_not_redirect_to_external_pages()
    {
        config()->set('app.url', 'http://localhost');
        $this->setSettings(['app-public' => true]);

        $this->get('/login', ['referer' => 'https://example.com']);
        $login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);

        $login->assertRedirect('http://localhost');
    }

    public function test_login_intended_redirect_does_not_factor_mfa_routes()
    {
        $this->get('/books')->assertRedirect('/login');
        $this->get('/mfa/setup')->assertRedirect('/login');
        $login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
        $login->assertRedirect('/books');
    }

    public function test_login_authenticates_admins_on_all_guards()
    {
        $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
        $this->assertTrue(auth()->check());
        $this->assertTrue(auth('ldap')->check());
        $this->assertTrue(auth('saml2')->check());
        $this->assertTrue(auth('oidc')->check());
    }

    public function test_login_authenticates_nonadmins_on_default_guard_only()
    {
        $editor = $this->users->editor();
        $editor->password = bcrypt('password');
        $editor->save();

        $this->post('/login', ['email' => $editor->email, 'password' => 'password']);
        $this->assertTrue(auth()->check());
        $this->assertFalse(auth('ldap')->check());
        $this->assertFalse(auth('saml2')->check());
        $this->assertFalse(auth('oidc')->check());
    }

    public function test_failed_logins_are_logged_when_message_configured()
    {
        $log = $this->withTestLogger();
        config()->set(['logging.failed_login.message' => 'Failed login for %u']);

        $this->post('/login', ['email' => 'admin@example.com', 'password' => 'cattreedog']);
        $this->assertTrue($log->hasWarningThatContains('Failed login for admin@example.com'));

        $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
        $this->assertFalse($log->hasWarningThatContains('Failed login for admin@admin.com'));
    }

    public function test_logged_in_user_with_unconfirmed_email_is_logged_out()
    {
        $this->setSettings(['registration-confirmation' => 'true']);
        $user = $this->users->editor();
        $user->email_confirmed = false;
        $user->save();

        auth()->login($user);
        $this->assertTrue(auth()->check());

        $this->get('/books')->assertRedirect('/');
        $this->assertFalse(auth()->check());
    }

    public function test_login_attempts_are_rate_limited()
    {
        for ($i = 0; $i < 5; $i++) {
            $resp = $this->login('bennynotexisting@example.com', 'pw123');
        }
        $resp = $this->followRedirects($resp);
        $resp->assertSee('These credentials do not match our records.');

        // Check the fifth attempt provides a lockout response
        $resp = $this->followRedirects($this->login('bennynotexisting@example.com', 'pw123'));
        $resp->assertSee('Too many login attempts. Please try again in');
    }

    /**
     * Perform a login.
     */
    protected function login(string $email, string $password): TestResponse
    {
        return $this->post('/login', compact('email', 'password'));
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace Tests\Auth;`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Access\Mfa\MfaSession;`
Updated tests to use ssddanbrown/asserthtml package Closes #3519 2022-07-23 22:10:18 +08:00			`use Illuminate\Testing\TestResponse;`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`use Tests\TestCase;`
Added tests for confirmed registration 2015-09-22 03:54:11 +08:00
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`class AuthTest extends TestCase`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`{`
Cleaned tests up, Started LDAP tests, Created LDAP wrapper 2016-01-16 07:21:47 +08:00			`public function test_auth_working()`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/')->assertRedirect('/login');`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`}`

Cleaned tests up, Started LDAP tests, Created LDAP wrapper 2016-01-16 07:21:47 +08:00			`public function test_login()`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->login('admin@admin.com', 'password')->assertRedirect('/');`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`}`

Cleaned tests up, Started LDAP tests, Created LDAP wrapper 2016-01-16 07:21:47 +08:00			`public function test_public_viewing()`
Added some basic registration testing 2015-09-11 03:28:53 +08:00			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->setSettings(['app-public' => 'true']);`
			`$this->get('/')`
			`->assertOk()`
			`->assertSee('Log in');`
Added some basic registration testing 2015-09-11 03:28:53 +08:00			`}`

Add min length validation on name on register form & add sign up link 2019-04-16 19:18:51 +08:00			`public function test_sign_up_link_on_login()`
			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/login')->assertDontSee('Sign up');`
Add min length validation on name on register form & add sign up link 2019-04-16 19:18:51 +08:00
			`$this->setSettings(['registration-enabled' => 'true']);`

Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/login')->assertSee('Sign up');`
Add min length validation on name on register form & add sign up link 2019-04-16 19:18:51 +08:00			`}`
Cleaned tests up, Started LDAP tests, Created LDAP wrapper 2016-01-16 07:21:47 +08:00
			`public function test_logout()`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->asAdmin()->get('/')->assertOk();`
Changed logout routes to POST instead of GET As per #3047. Also made some SAML specific fixes: - IDP initiated login was broken due to forced default session value. Double checked against OneLogin lib docs that this reverted logic was fine. - Changed how the saml login flow works to use 'withoutMiddleware' on the route instead of hacking out the session driver. This was due to the array driver (previously used for the hack) no longer being considered non-persistent. 2021-11-15 05:13:24 +08:00			`$this->post('/logout')->assertRedirect('/');`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/')->assertRedirect('/login');`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`}`
Added tests for confirmed registration 2015-09-22 03:54:11 +08:00
Verified mfa session expires on logout Since sessions are invalidated upon logout. 2021-08-08 04:53:13 +08:00			`public function test_mfa_session_cleared_on_logout()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$user = $this->users->editor();`
Verified mfa session expires on logout Since sessions are invalidated upon logout. 2021-08-08 04:53:13 +08:00			`$mfaSession = $this->app->make(MfaSession::class);`

Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`$mfaSession->markVerifiedForUser($user);`
Verified mfa session expires on logout Since sessions are invalidated upon logout. 2021-08-08 04:53:13 +08:00			`$this->assertTrue($mfaSession->isVerifiedForUser($user));`

Changed logout routes to POST instead of GET As per #3047. Also made some SAML specific fixes: - IDP initiated login was broken due to forced default session value. Double checked against OneLogin lib docs that this reverted logic was fine. - Changed how the saml login flow works to use 'withoutMiddleware' on the route instead of hacking out the session driver. This was due to the array driver (previously used for the hack) no longer being considered non-persistent. 2021-11-15 05:13:24 +08:00			`$this->asAdmin()->post('/logout');`
Verified mfa session expires on logout Since sessions are invalidated upon logout. 2021-08-08 04:53:13 +08:00			`$this->assertFalse($mfaSession->isVerifiedForUser($user));`
			`}`

Fixed faulty baseUrl rewrites Fixes #1452 May help #1377 2019-05-19 23:25:05 +08:00			`public function test_login_redirects_to_initially_requested_url_correctly()`
			`{`
			`config()->set('app.url', 'http://localhost');`
Migrated much test entity usage via find/replace 2022-09-30 00:31:38 +08:00			`$page = $this->entities->page();`
Fixed faulty baseUrl rewrites Fixes #1452 May help #1377 2019-05-19 23:25:05 +08:00
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get($page->getUrl())->assertRedirect(url('/login'));`
Fixed faulty baseUrl rewrites Fixes #1452 May help #1377 2019-05-19 23:25:05 +08:00			`$this->login('admin@admin.com', 'password')`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`->assertRedirect($page->getUrl());`
Fixed faulty baseUrl rewrites Fixes #1452 May help #1377 2019-05-19 23:25:05 +08:00			`}`

Updated public-login redirect to check url Direct links to the login pages for public instances could lead to a redirect back to an external page upon login. This adds a check to ensure the URL is a URL expected from the current bookstack instance, or at least under the same domain. Fixes #2073 2020-07-28 23:27:16 +08:00			`public function test_login_intended_redirect_does_not_redirect_to_external_pages()`
			`{`
			`config()->set('app.url', 'http://localhost');`
			`$this->setSettings(['app-public' => true]);`

			`$this->get('/login', ['referer' => 'https://example.com']);`
			`$login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);`

Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$login->assertRedirect('http://localhost');`
Updated public-login redirect to check url Direct links to the login pages for public instances could lead to a redirect back to an external page upon login. This adds a check to ensure the URL is a URL expected from the current bookstack instance, or at least under the same domain. Fixes #2073 2020-07-28 23:27:16 +08:00			`}`

Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`public function test_login_intended_redirect_does_not_factor_mfa_routes()`
			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/books')->assertRedirect('/login');`
			`$this->get('/mfa/setup')->assertRedirect('/login');`
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`$login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$login->assertRedirect('/books');`
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`}`

Authenticated admins on all guards upon login For #2031 2020-04-26 01:19:22 +08:00			`public function test_login_authenticates_admins_on_all_guards()`
			`{`
			`$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);`
			`$this->assertTrue(auth()->check());`
			`$this->assertTrue(auth('ldap')->check());`
			`$this->assertTrue(auth('saml2')->check());`
Fleshed out testing for OIDC system 2021-10-13 23:51:27 +08:00			`$this->assertTrue(auth('oidc')->check());`
Authenticated admins on all guards upon login For #2031 2020-04-26 01:19:22 +08:00			`}`

			`public function test_login_authenticates_nonadmins_on_default_guard_only()`
			`{`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$editor = $this->users->editor();`
Authenticated admins on all guards upon login For #2031 2020-04-26 01:19:22 +08:00			`$editor->password = bcrypt('password');`
			`$editor->save();`

			`$this->post('/login', ['email' => $editor->email, 'password' => 'password']);`
			`$this->assertTrue(auth()->check());`
			`$this->assertFalse(auth('ldap')->check());`
			`$this->assertFalse(auth('saml2')->check());`
Fleshed out testing for OIDC system 2021-10-13 23:51:27 +08:00			`$this->assertFalse(auth('oidc')->check());`
Authenticated admins on all guards upon login For #2031 2020-04-26 01:19:22 +08:00			`}`

Updated functionality for logging failed access - Added testing to cover. - Linked logging into Laravel's monolog logging system and made log channel configurable. - Updated env var names to be specific to login access. - Added extra locations as to where failed logins would be captured. Related to #1881 and #728 2020-07-28 19:59:43 +08:00			`public function test_failed_logins_are_logged_when_message_configured()`
			`{`
			`$log = $this->withTestLogger();`
			`config()->set(['logging.failed_login.message' => 'Failed login for %u']);`

			`$this->post('/login', ['email' => 'admin@example.com', 'password' => 'cattreedog']);`
			`$this->assertTrue($log->hasWarningThatContains('Failed login for admin@example.com'));`

			`$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);`
			`$this->assertFalse($log->hasWarningThatContains('Failed login for admin@admin.com'));`
			`}`

Added back email confirmation check in middleware During writing of the update notes, found that the upgrade path would be tricky from a security point of view. If people were pending email confirmation but had an active session, they could technically be actively logged in after the next release. Added middlware as an extra precaution for now. 2021-08-31 04:28:17 +08:00			`public function test_logged_in_user_with_unconfirmed_email_is_logged_out()`
			`{`
			`$this->setSettings(['registration-confirmation' => 'true']);`
Copied over work from user_permissions branch Only that relevant to the additional testing work. 2023-01-21 19:08:34 +08:00			`$user = $this->users->editor();`
Added back email confirmation check in middleware During writing of the update notes, found that the upgrade path would be tricky from a security point of view. If people were pending email confirmation but had an active session, they could technically be actively logged in after the next release. Added middlware as an extra precaution for now. 2021-08-31 04:28:17 +08:00			`$user->email_confirmed = false;`
			`$user->save();`

			`auth()->login($user);`
			`$this->assertTrue(auth()->check());`

Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`$this->get('/books')->assertRedirect('/');`
Added back email confirmation check in middleware During writing of the update notes, found that the upgrade path would be tricky from a security point of view. If people were pending email confirmation but had an active session, they could technically be actively logged in after the next release. Added middlware as an extra precaution for now. 2021-08-31 04:28:17 +08:00			`$this->assertFalse(auth()->check());`
			`}`

Added login throttling test, updated reset-pw test method names 2022-09-23 00:29:38 +08:00			`public function test_login_attempts_are_rate_limited()`
			`{`
			`for ($i = 0; $i < 5; $i++) {`
			`$resp = $this->login('bennynotexisting@example.com', 'pw123');`
			`}`
			`$resp = $this->followRedirects($resp);`
			`$resp->assertSee('These credentials do not match our records.');`

			`// Check the fifth attempt provides a lockout response`
			`$resp = $this->followRedirects($this->login('bennynotexisting@example.com', 'pw123'));`
			`$resp->assertSee('Too many login attempts. Please try again in');`
			`}`

Added tests for confirmed registration 2015-09-22 03:54:11 +08:00			`/**`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`* Perform a login.`
Added tests for confirmed registration 2015-09-22 03:54:11 +08:00			`*/`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`protected function login(string $email, string $password): TestResponse`
Added tests for confirmed registration 2015-09-22 03:54:11 +08:00			`{`
Converted AuthTest away from BrowserKit Moved some user managment tests out to more relevant classess along the way. Found some tweaks to make for email confirmation routing as part of this. 2021-09-18 06:44:54 +08:00			`return $this->post('/login', compact('email', 'password'));`
Added tests for confirmed registration 2015-09-22 03:54:11 +08:00			`}`
Tweaked some styles and started automated testing. Fixes #11. 2015-09-03 01:26:33 +08:00			`}`