session());
// 32 CSPRNG bytes rendered as lowercase hex => 64 characters.
self::assertSame(64, strlen($token));
self::assertMatchesRegularExpression('/^[0-9a-f]{64}$/', $token);
}

    /**
     * Repeated token() calls on one session must hand back the same value;
     * otherwise a form rendered before a later token() call could never validate.
     */
    public function testTokenIsStableAcrossCalls(): void
    {
        $sess = $this->session();
        $first = Csrf::token($sess);
        $second = Csrf::token($sess);

        $this->assertSame($first, $second);
    }

    /** The token issued by token() is accepted by validate() on the same session. */
    public function testValidateAcceptsCorrectToken(): void
    {
        $sess = $this->session();
        $issued = Csrf::token($sess);

        $this->assertTrue(Csrf::validate($sess, $issued));
    }

    /**
     * Once a token exists, a mismatching, empty or absent submission is rejected.
     * NOTE(review): passing null assumes validate() declares its second parameter
     * nullable — confirm against Csrf. Whether the comparison is constant-time
     * (hash_equals) is not observable from this test.
     */
    public function testValidateRejectsWrongOrEmptyToken(): void
    {
        $sess = $this->session();
        // Issue a token first so a rejection here is not merely "no token yet".
        Csrf::token($sess);

        foreach (['wrong', '', null] as $submitted) {
            $this->assertFalse(
                Csrf::validate($sess, $submitted),
                'submitted value must be rejected: ' . var_export($submitted, true),
            );
        }
    }

    /** With no token ever issued, nothing validates — not even a non-empty submission. */
    public function testValidateFalseWhenNoTokenYet(): void
    {
        $fresh = $this->session();

        $this->assertFalse(Csrf::validate($fresh, 'anything'));
    }

    /**
     * rotate() must return a different token and retire the previous one,
     * so a value captured earlier in the session stops being accepted.
     */
    public function testRotateChangesTokenAndInvalidatesOld(): void
    {
        $sess = $this->session();
        $before = Csrf::token($sess);
        $after = Csrf::rotate($sess);

        $this->assertNotSame($before, $after);
        $this->assertFalse(Csrf::validate($sess, $before), 'old token must be rejected after rotation');
        $this->assertTrue(Csrf::validate($sess, $after), 'new token must be accepted after rotation');
    }
}