BookStack Code Mirror - bookstack/blob - tests/Auth/AuthTest.php

1 <?php

3 namespace Tests\Auth;

5 use BookStack\Access\Mfa\MfaSession;

6 use Illuminate\Support\Facades\Hash;

7 use Illuminate\Testing\TestResponse;

8 use Tests\TestCase;

10 class AuthTest extends TestCase

11 {

12 public function test_auth_working()

13 {

14 $this->get('/')->assertRedirect('/login');

15 }

17 public function test_login()

18 {

19 $this->login('admin@admin.com', 'password')->assertRedirect('/');

20 }

22 public function test_public_viewing()

23 {

24 $this->setSettings(['app-public' => 'true']);

25 $this->get('/')

26 ->assertOk()

27 ->assertSee('Log in');

28 }

30 public function test_sign_up_link_on_login()

31 {

32 $this->get('/login')->assertDontSee('Sign up');

34 $this->setSettings(['registration-enabled' => 'true']);

36 $this->get('/login')->assertSee('Sign up');

37 }

39 public function test_logout()

40 {

41 $this->asAdmin()->get('/')->assertOk();

42 $this->post('/logout')->assertRedirect('/');

43 $this->get('/')->assertRedirect('/login');

44 }

46 public function test_mfa_session_cleared_on_logout()

47 {

48 $user = $this->users->editor();

49 $mfaSession = $this->app->make(MfaSession::class);

51 $mfaSession->markVerifiedForUser($user);

52 $this->assertTrue($mfaSession->isVerifiedForUser($user));

54 $this->asAdmin()->post('/logout');

55 $this->assertFalse($mfaSession->isVerifiedForUser($user));

56 }

58 public function test_login_redirects_to_initially_requested_url_correctly()

59 {

60 config()->set('app.url', 'http://localhost');

61 $page = $this->entities->page();

63 $this->get($page->getUrl())->assertRedirect(url('/login'));

64 $this->login('admin@admin.com', 'password')

65 ->assertRedirect($page->getUrl());

66 }

68 public function test_login_intended_redirect_does_not_redirect_to_external_pages()

69 {

70 config()->set('app.url', 'http://localhost');

71 $this->setSettings(['app-public' => true]);

73 $this->get('/login', ['referer' => 'https://example.com']);

74 $login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);

76 $login->assertRedirect('http://localhost');

77 }

79 public function test_login_intended_redirect_does_not_factor_mfa_routes()

80 {

81 $this->get('/books')->assertRedirect('/login');

82 $this->get('/mfa/setup')->assertRedirect('/login');

83 $login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);

84 $login->assertRedirect('/books');

85 }

87 public function test_login_authenticates_admins_on_all_guards()

88 {

89 $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);

90 $this->assertTrue(auth()->check());

91 $this->assertTrue(auth('ldap')->check());

92 $this->assertTrue(auth('saml2')->check());

93 $this->assertTrue(auth('oidc')->check());

94 }

96 public function test_login_authenticates_nonadmins_on_default_guard_only()

97 {

98 $editor = $this->users->editor();

99 $editor->password = bcrypt('password');

100 $editor->save();

101

102 $this->post('/login', ['email' => $editor->email, 'password' => 'password']);

103 $this->assertTrue(auth()->check());

104 $this->assertFalse(auth('ldap')->check());

105 $this->assertFalse(auth('saml2')->check());

106 $this->assertFalse(auth('oidc')->check());

107 }

108

109 public function test_failed_logins_are_logged_when_message_configured()

110 {

111 $log = $this->withTestLogger();

112 config()->set(['logging.failed_login.message' => 'Failed login for %u']);

113

114 $this->post('/login', ['email' => 'admin@example.com', 'password' => 'cattreedog']);

115 $this->assertTrue($log->hasWarningThatContains('Failed login for admin@example.com'));

116

117 $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);

118 $this->assertFalse($log->hasWarningThatContains('Failed login for admin@admin.com'));

119 }

120

121 public function test_logged_in_user_with_unconfirmed_email_is_logged_out()

122 {

123 $this->setSettings(['registration-confirmation' => 'true']);

124 $user = $this->users->editor();

125 $user->email_confirmed = false;

126 $user->save();

127

128 auth()->login($user);

129 $this->assertTrue(auth()->check());

130

131 $this->get('/books')->assertRedirect('/');

132 $this->assertFalse(auth()->check());

133 }

134

135 public function test_login_attempts_are_rate_limited()

136 {

137 for ($i = 0; $i < 5; $i++) {

138 $resp = $this->login('bennynotexisting@example.com', 'pw123');

139 }

140 $resp = $this->followRedirects($resp);

141 $resp->assertSee('These credentials do not match our records.');

142

143 // Check the fifth attempt provides a lockout response

144 $resp = $this->followRedirects($this->login('bennynotexisting@example.com', 'pw123'));

145 $resp->assertSee('Too many login attempts. Please try again in');

146 }

147

148 public function test_login_specifically_disabled_for_guest_account()

149 {

150 $guest = $this->users->guest();

151

152 $resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);

153 $resp->assertRedirect('/login');

154 $resp = $this->followRedirects($resp);

155 $resp->assertSee('These credentials do not match our records.');

156

157 // Test login even with password somehow set

158 $guest->password = Hash::make('password');

159 $guest->save();

160

161 $resp = $this->post('/login', ['email' => $guest->email, 'password' => 'password']);

162 $resp->assertRedirect('/login');

163 $resp = $this->followRedirects($resp);

164 $resp->assertSee('These credentials do not match our records.');

165 }

166

167 /**

168 * Perform a login.

169 */

170 protected function login(string $email, string $password): TestResponse

171 {

172 return $this->post('/login', compact('email', 'password'));

173 }

174 }