Michael Schiemer
77abc65cd7
Some checks failed
Deploy Application / deploy (push) Has been cancelled
137 lines
4.6 KiB
PHP
137 lines
4.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Framework\DateTime\Clock;
|
|
use App\Framework\DateTime\SystemClock;
|
|
use App\Framework\Http\Session\CsrfProtection;
|
|
use App\Framework\Http\Session\Session;
|
|
use App\Framework\Http\Session\SessionId;
|
|
use App\Framework\Http\Session\ValueObjects\CsrfDataCollection;
|
|
use App\Framework\Http\Session\ValueObjects\FormDataCollection;
|
|
use App\Framework\Http\Session\ValueObjects\FlashMessageCollection;
|
|
use App\Framework\Http\Session\ValueObjects\SecurityDataCollection;
|
|
use App\Framework\Http\Session\ValueObjects\SessionData;
|
|
use App\Framework\Http\Session\ValueObjects\ValidationErrorCollection;
|
|
use App\Framework\Random\SecureRandomGenerator;
|
|
use App\Framework\Security\CsrfToken;
|
|
use App\Framework\Security\CsrfTokenGenerator;
|
|
|
|
beforeEach(function () {
|
|
$this->clock = new SystemClock();
|
|
$this->tokenGenerator = new CsrfTokenGenerator(new SecureRandomGenerator());
|
|
$this->sessionId = SessionId::fromString('test-session-' . uniqid());
|
|
|
|
$this->session = Session::fromArray(
|
|
$this->sessionId,
|
|
$this->clock,
|
|
$this->tokenGenerator,
|
|
[]
|
|
);
|
|
|
|
$this->csrfProtection = $this->session->csrf;
|
|
});
|
|
|
|
it('generates a new token every time', function () {
|
|
$formId = 'test-form';
|
|
|
|
$token1 = $this->csrfProtection->generateToken($formId);
|
|
$token2 = $this->csrfProtection->generateToken($formId);
|
|
|
|
// Tokens should be different (no reuse)
|
|
expect($token1->toString())->not->toBe($token2->toString());
|
|
});
|
|
|
|
it('generates valid 64-character hex tokens', function () {
|
|
$token = $this->csrfProtection->generateToken('test-form');
|
|
|
|
expect($token->toString())->toHaveLength(64);
|
|
expect(ctype_xdigit($token->toString()))->toBeTrue();
|
|
});
|
|
|
|
it('stores multiple tokens per form', function () {
|
|
$formId = 'test-form';
|
|
|
|
$token1 = $this->csrfProtection->generateToken($formId);
|
|
$token2 = $this->csrfProtection->generateToken($formId);
|
|
$token3 = $this->csrfProtection->generateToken($formId);
|
|
|
|
$count = $this->csrfProtection->getActiveTokenCount($formId);
|
|
|
|
// Should have 3 tokens
|
|
expect($count)->toBe(3);
|
|
});
|
|
|
|
it('validates correct token', function () {
|
|
$formId = 'test-form';
|
|
$token = $this->csrfProtection->generateToken($formId);
|
|
|
|
$result = $this->csrfProtection->validateTokenWithDebug($formId, $token);
|
|
|
|
expect($result['valid'])->toBeTrue();
|
|
});
|
|
|
|
it('rejects invalid token', function () {
|
|
$formId = 'test-form';
|
|
$this->csrfProtection->generateToken($formId);
|
|
|
|
$invalidToken = CsrfToken::fromString(str_repeat('0', 64));
|
|
|
|
$result = $this->csrfProtection->validateTokenWithDebug($formId, $invalidToken);
|
|
|
|
expect($result['valid'])->toBeFalse();
|
|
expect($result['debug']['reason'])->toBe('No matching token found in session');
|
|
});
|
|
|
|
it('allows token reuse within resubmit window', function () {
|
|
$formId = 'test-form';
|
|
$token = $this->csrfProtection->generateToken($formId);
|
|
|
|
// First validation
|
|
$result1 = $this->csrfProtection->validateTokenWithDebug($formId, $token);
|
|
expect($result1['valid'])->toBeTrue();
|
|
|
|
// Second validation within resubmit window (should still work)
|
|
$result2 = $this->csrfProtection->validateTokenWithDebug($formId, $token);
|
|
expect($result2['valid'])->toBeTrue();
|
|
});
|
|
|
|
it('limits tokens per form to maximum', function () {
|
|
$formId = 'test-form';
|
|
|
|
// Generate more than MAX_TOKENS_PER_FORM (3)
|
|
for ($i = 0; $i < 5; $i++) {
|
|
$this->csrfProtection->generateToken($formId);
|
|
}
|
|
|
|
$count = $this->csrfProtection->getActiveTokenCount($formId);
|
|
|
|
// Should be limited to 3
|
|
expect($count)->toBeLessThanOrEqual(3);
|
|
});
|
|
|
|
it('handles multiple forms independently', function () {
|
|
$formId1 = 'form-1';
|
|
$formId2 = 'form-2';
|
|
|
|
$token1 = $this->csrfProtection->generateToken($formId1);
|
|
$token2 = $this->csrfProtection->generateToken($formId2);
|
|
|
|
// Tokens should be different
|
|
expect($token1->toString())->not->toBe($token2->toString());
|
|
|
|
// Each form should have its own token
|
|
expect($this->csrfProtection->getActiveTokenCount($formId1))->toBe(1);
|
|
expect($this->csrfProtection->getActiveTokenCount($formId2))->toBe(1);
|
|
|
|
// Validation should work independently
|
|
expect($this->csrfProtection->validateToken($formId1, $token1))->toBeTrue();
|
|
expect($this->csrfProtection->validateToken($formId2, $token2))->toBeTrue();
|
|
|
|
// Cross-validation should fail
|
|
expect($this->csrfProtection->validateToken($formId1, $token2))->toBeFalse();
|
|
expect($this->csrfProtection->validateToken($formId2, $token1))->toBeFalse();
|
|
});
|
|
|
|
|