issue('create'); assert_true($guard->validate('create', (string)$issued['ts'], $issued['token'], 3600, 'session-1')); assert_false((new CsrfGuard('secret', 'bob', 'session-1'))->validate('create', (string)$issued['ts'], $issued['token'], 3600, 'session-1')); assert_false($guard->validate('delete', (string)$issued['ts'], $issued['token'], 3600, 'session-1')); assert_false($guard->validate('create', (string)($issued['ts'] - 7200), $issued['token'], 3600, 'session-1')); assert_false($guard->validate('create', 'bad', $issued['token'], 3600, 'session-1')); }); test('csrf form fields use plugin scoped names to avoid directadmin token collisions', function (): void { $settings = Settings::load(TEST_TMP . '/missing-csrf-form.conf'); $ctx = new AppContext( new DirectAdminUser('alice', 'enhanced', 'pl', TEST_TMP . '/config'), $settings, new RuleRepository(TEST_TMP . '/data'), new CsrfGuard('secret', 'alice', 'sid'), Lang::load('pl', $settings), new AuditLog(TEST_TMP . '/audit.log') ); $html = $ctx->csrfField('create'); assert_contains('name="gar_csrf_ts"', $html); assert_contains('name="gar_csrf_sid"', $html); assert_contains('name="gar_csrf_token"', $html); assert_false(str_contains($html, 'name="csrf_token"')); }); test('http bootstrap populates post data from directadmin cli environment', function (): void { $oldGet = $_GET; $oldPost = $_POST; $oldRequest = $_REQUEST; $oldServer = $_SERVER; putenv('REQUEST_METHOD=POST'); putenv('QUERY_STRING=id=abc'); putenv('POST=gar_csrf_ts=123&gar_csrf_sid=sid&gar_csrf_token=token&body=Hello+World'); try { Http::bootstrapGlobals(); assert_same('POST', Http::method()); assert_same('abc', Http::getString($_GET, 'id')); assert_same('123', Http::getString($_POST, 'gar_csrf_ts')); assert_same('token', Http::getString($_POST, 'gar_csrf_token')); assert_same('Hello World', Http::getString($_POST, 'body')); } finally { putenv('REQUEST_METHOD'); putenv('QUERY_STRING'); putenv('POST'); $_GET = $oldGet; $_POST = $oldPost; $_REQUEST = $oldRequest; $_SERVER = $oldServer; } });