5835be0e66
Implemente mlt.md section 12 : AUTHENTICATE_USER (12.1), LOGOUT_USER (12.2), RESET_PASSWORD (12.3). Sessions PHP + argon2id, regeneration d'ID a la connexion, idle 4h / absolu 10h via SessionGuard (cable en P3), jeton CSRF synchroniseur, backoff degressif anti brute-force par compte et par IP source (login_throttle), audit_log append-only (login_success/failed, password_reset), defenses anti-enumeration d'email (timing + profil d'ecritures identique), fail-closed sur erreur base. Vues login/forgot/reset rendues serveur. Routes posees sur le vhost admin (pas de prefixe /admin : docroot = public/admin). PHPUnit sans Composer (unit + integration DB auto-skippee sans base) et PHPStan L6 restent verts.
74 lines
2 KiB
PHP
74 lines
2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Unit\Auth;
|
|
|
|
use PHPUnit\Framework\TestCase;
|
|
use App\Auth\Csrf;
|
|
use App\Auth\SessionManager;
|
|
use App\Core\Config;
|
|
|
|
/**
|
|
* CSRF synchroniseur teste sur un SessionManager en mode test (sac memoire),
|
|
* donc sans session PHP reelle ni effet de bord d'en-tete.
|
|
*/
|
|
final class CsrfTest extends TestCase
|
|
{
|
|
private function session(): SessionManager
|
|
{
|
|
return new SessionManager(new Config(), true);
|
|
}
|
|
|
|
public function testTokenIsHighEntropyHex(): void
|
|
{
|
|
$token = Csrf::token($this->session());
|
|
|
|
// 32 octets CSPRNG en hexadecimal => 64 caracteres.
|
|
self::assertSame(64, strlen($token));
|
|
self::assertMatchesRegularExpression('/^[0-9a-f]{64}$/', $token);
|
|
}
|
|
|
|
public function testTokenIsStableAcrossCalls(): void
|
|
{
|
|
$session = $this->session();
|
|
|
|
self::assertSame(Csrf::token($session), Csrf::token($session));
|
|
}
|
|
|
|
public function testValidateAcceptsCorrectToken(): void
|
|
{
|
|
$session = $this->session();
|
|
$token = Csrf::token($session);
|
|
|
|
self::assertTrue(Csrf::validate($session, $token));
|
|
}
|
|
|
|
public function testValidateRejectsWrongOrEmptyToken(): void
|
|
{
|
|
$session = $this->session();
|
|
Csrf::token($session);
|
|
|
|
self::assertFalse(Csrf::validate($session, 'wrong'));
|
|
self::assertFalse(Csrf::validate($session, ''));
|
|
self::assertFalse(Csrf::validate($session, null));
|
|
}
|
|
|
|
public function testValidateFalseWhenNoTokenYet(): void
|
|
{
|
|
// Aucun token genere en session : meme une soumission non vide echoue.
|
|
self::assertFalse(Csrf::validate($this->session(), 'anything'));
|
|
}
|
|
|
|
public function testRotateChangesTokenAndInvalidatesOld(): void
|
|
{
|
|
$session = $this->session();
|
|
$old = Csrf::token($session);
|
|
|
|
$new = Csrf::rotate($session);
|
|
|
|
self::assertNotSame($old, $new);
|
|
self::assertFalse(Csrf::validate($session, $old));
|
|
self::assertTrue(Csrf::validate($session, $new));
|
|
}
|
|
}
|