Skip to content

Commit

Permalink
Merge pull request #165 from akrabat/164-enforce-storage-on-failure
Browse files Browse the repository at this point in the history
Bug fix: Enforce storage limit on failure
  • Loading branch information
akrabat authored Nov 5, 2022
2 parents 045fb11 + b36dc89 commit ebaaf29
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/Guard.php
Original file line number Diff line number Diff line change
Expand Up @@ -460,6 +460,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
} else {
// Method is GET/OPTIONS/HEAD/etc, so do not accept the token in the body of this request
if ($name !== null) {
$this->enforceStorageLimit();
return $this->handleFailure($request, $handler);
}
}
Expand Down
62 changes: 62 additions & 0 deletions tests/GuardTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -366,6 +366,68 @@ public function testTokenIsRemovedFromStorageWhenPersistentModeIsOff()
self::assertArrayNotHasKey('test_name', $storage);
}

public function testTokenIsRemovedFromStorageWhenPersistentModeIsOffOnFailure()
{
$storage = [
'test_name' => 'test_value123',
'test_name2' => 'test_value234',
];

$streamProphecy = $this->prophesize(StreamInterface::class);
$streamProphecy
->write('Failed CSRF check!')
->shouldBeCalledOnce();

$responseProphecy = $this->prophesize(ResponseInterface::class);

$responseProphecy
->getBody()
->willReturn($streamProphecy->reveal())
->shouldBeCalledOnce();

$responseProphecy
->withStatus(400)
->willReturn($responseProphecy->reveal())
->shouldBeCalledOnce();

$responseProphecy
->withHeader('Content-Type', 'text/plain')
->willReturn($responseProphecy->reveal())
->shouldBeCalledOnce();

$responseProphecy
->withBody($streamProphecy->reveal())
->willReturn($responseProphecy->reveal())
->shouldBeCalledOnce();

$responseFactoryProphecy = $this->prophesize(ResponseFactoryInterface::class);
$responseFactoryProphecy
->createResponse()
->willReturn($responseProphecy->reveal());

$requestHandlerProphecy = $this->prophesize(RequestHandlerInterface::class);

$mw = new Guard($responseFactoryProphecy->reveal(), 'test', $storage, null, 1);
$mw->setStorage($storage); // pass $storage in by reference so we can inspect it later

$requestProphecy = $this->prophesize(ServerRequestInterface::class);
$requestProphecy
->getMethod()
->willReturn('GET')
->shouldBeCalledOnce();

$requestProphecy
->getParsedBody()
->willReturn([
'test_name' => 'test_value123',
])
->shouldBeCalledOnce();

$mw->process($requestProphecy->reveal(), $requestHandlerProphecy->reveal());

$this->assertArrayNotHasKey('test_name', $storage);
}

public function testTokenInBodyOfGetIsInvalid()
{
$storage = [
Expand Down

0 comments on commit ebaaf29

Please sign in to comment.