AcadeNice/corentin_wakdo
7
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
corentin_wakdo/tests/Unit/Auth/CsrfTest.php
Corentin JOGUET 1b0b20c12d
All checks were successful
CI / secret-scan (push) Successful in 7s
Details
CI / php-lint (push) Successful in 17s
Details
CI / static-tests (push) Successful in 32s
Details
CI / auto-merge (push) Has been skipped
Details
feat: authentification back-office P2 (login/logout/reset, throttle, audit) (#11)
2026-06-15 20:18:59 +02:00

74 lines
2 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Tests\Unit\Auth;
use PHPUnit\Framework\TestCase;
use App\Auth\Csrf;
use App\Auth\SessionManager;
use App\Core\Config;
/**
* CSRF synchroniseur teste sur un SessionManager en mode test (sac memoire),
* donc sans session PHP reelle ni effet de bord d'en-tete.
*/
final class CsrfTest extends TestCase
{
private function session(): SessionManager
{
return new SessionManager(new Config(), true);
}
public function testTokenIsHighEntropyHex(): void
{
$token = Csrf::token($this->session());
// 32 octets CSPRNG en hexadecimal => 64 caracteres.
self::assertSame(64, strlen($token));
self::assertMatchesRegularExpression('/^[0-9a-f]{64}$/', $token);
}
public function testTokenIsStableAcrossCalls(): void
{
$session = $this->session();
self::assertSame(Csrf::token($session), Csrf::token($session));
}
public function testValidateAcceptsCorrectToken(): void
{
$session = $this->session();
$token = Csrf::token($session);
self::assertTrue(Csrf::validate($session, $token));
}
public function testValidateRejectsWrongOrEmptyToken(): void
{
$session = $this->session();
Csrf::token($session);
self::assertFalse(Csrf::validate($session, 'wrong'));
self::assertFalse(Csrf::validate($session, ''));
self::assertFalse(Csrf::validate($session, null));
}
public function testValidateFalseWhenNoTokenYet(): void
{
// Aucun token genere en session : meme une soumission non vide echoue.
self::assertFalse(Csrf::validate($this->session(), 'anything'));
}
public function testRotateChangesTokenAndInvalidatesOld(): void
{
$session = $this->session();
$old = Csrf::token($session);
$new = Csrf::rotate($session);
self::assertNotSame($old, $new);
self::assertFalse(Csrf::validate($session, $old));
self::assertTrue(Csrf::validate($session, $new));
}
}
Reference in a new issue View git blame Copy permalink