summaryrefslogtreecommitdiff
path: root/tests/Unit/Middleware/VerifyCsrfTokenTest.php
diff options
context:
space:
mode:
Diffstat (limited to 'tests/Unit/Middleware/VerifyCsrfTokenTest.php')
-rw-r--r--tests/Unit/Middleware/VerifyCsrfTokenTest.php128
1 files changed, 128 insertions, 0 deletions
diff --git a/tests/Unit/Middleware/VerifyCsrfTokenTest.php b/tests/Unit/Middleware/VerifyCsrfTokenTest.php
new file mode 100644
index 00000000..60280c5b
--- /dev/null
+++ b/tests/Unit/Middleware/VerifyCsrfTokenTest.php
@@ -0,0 +1,128 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Middleware;
+
+use Engelsystem\Middleware\VerifyCsrfToken;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+class VerifyCsrfTokenTest extends TestCase
+{
+ /**
+ * @covers \Engelsystem\Middleware\VerifyCsrfToken::process
+ * @covers \Engelsystem\Middleware\VerifyCsrfToken::isReading
+ */
+ public function testProcess()
+ {
+ /** @var ServerRequestInterface|MockObject $request */
+ $request = $this->getMockForAbstractClass(ServerRequestInterface::class);
+ /** @var RequestHandlerInterface|MockObject $handler */
+ $handler = $this->getMockForAbstractClass(RequestHandlerInterface::class);
+ /** @var ResponseInterface|MockObject $response */
+ $response = $this->getMockForAbstractClass(ResponseInterface::class);
+
+ $handler->expects($this->exactly(2))
+ ->method('handle')
+ ->with($request)
+ ->willReturn($response);
+
+ /** @var VerifyCsrfToken|MockObject $middleware */
+ $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
+ ->disableOriginalConstructor()
+ ->setMethods(['notAuthorizedResponse', 'tokensMatch'])
+ ->getMock();
+
+ $middleware->expects($this->exactly(1))
+ ->method('notAuthorizedResponse')
+ ->willReturn($response);
+
+ $middleware->expects($this->exactly(2))
+ ->method('tokensMatch')
+ ->willReturnOnConsecutiveCalls(true, false);
+
+ // Results in true, false, false
+ $request->expects($this->exactly(3))
+ ->method('getMethod')
+ ->willReturnOnConsecutiveCalls('GET', 'POST', 'DELETE');
+
+ $middleware->process($request, $handler);
+ $middleware->process($request, $handler);
+ $middleware->process($request, $handler);
+ }
+
+ /**
+ * @covers \Engelsystem\Middleware\VerifyCsrfToken::__construct
+ * @covers \Engelsystem\Middleware\VerifyCsrfToken::tokensMatch
+ */
+ public function testTokensMatch()
+ {
+ /** @var ServerRequestInterface|MockObject $request */
+ $request = $this->getMockForAbstractClass(ServerRequestInterface::class);
+ /** @var RequestHandlerInterface|MockObject $handler */
+ $handler = $this->getMockForAbstractClass(RequestHandlerInterface::class);
+ /** @var ResponseInterface|MockObject $response */
+ $response = $this->getMockForAbstractClass(ResponseInterface::class);
+ /** @var ResponseInterface|MockObject $noAuthResponse */
+ $noAuthResponse = $this->getMockForAbstractClass(ResponseInterface::class);
+ /** @var SessionInterface|MockObject $session */
+ $session = $this->getMockForAbstractClass(SessionInterface::class);
+
+ /** @var VerifyCsrfToken|MockObject $middleware */
+ $middleware = $this->getMockBuilder(VerifyCsrfToken::class)
+ ->setConstructorArgs([$session])
+ ->setMethods(['isReading', 'notAuthorizedResponse'])
+ ->getMock();
+
+ $middleware->expects($this->atLeastOnce())
+ ->method('isReading')
+ ->willReturn(false);
+ $middleware->expects($this->exactly(1))
+ ->method('notAuthorizedResponse')
+ ->willReturn($noAuthResponse);
+
+ $handler->expects($this->exactly(3))
+ ->method('handle')
+ ->willReturn($response);
+
+ $request->expects($this->exactly(4))
+ ->method('getParsedBody')
+ ->willReturnOnConsecutiveCalls(
+ null,
+ null,
+ ['_token' => 'PostFooToken'],
+ ['_token' => 'PostBarToken']
+ );
+ $request->expects($this->exactly(4))
+ ->method('getHeader')
+ ->with('X-CSRF-TOKEN')
+ ->willReturnOnConsecutiveCalls(
+ [],
+ ['HeaderFooToken'],
+ [],
+ ['HeaderBarToken']
+ );
+
+ $session->expects($this->exactly(4))
+ ->method('get')
+ ->with('_token')
+ ->willReturnOnConsecutiveCalls(
+ 'NotAvailableToken',
+ 'HeaderFooToken',
+ 'PostFooToken',
+ 'PostBarToken'
+ );
+
+ // Not tokens
+ $this->assertEquals($noAuthResponse, $middleware->process($request, $handler));
+ // Header token
+ $this->assertEquals($response, $middleware->process($request, $handler));
+ // POST token
+ $this->assertEquals($response, $middleware->process($request, $handler));
+ // Header and POST tokens
+ $this->assertEquals($response, $middleware->process($request, $handler));
+ }
+}