Files
global-autoresponder/tests/csrf_test.php
T
2026-06-02 21:54:56 +02:00

40 lines
1.9 KiB
PHP

<?php
declare(strict_types=1);
require_once PLUGIN_ROOT . '/exec/lib/CsrfGuard.php';
require_once PLUGIN_ROOT . '/exec/lib/Settings.php';
require_once PLUGIN_ROOT . '/exec/lib/Lang.php';
require_once PLUGIN_ROOT . '/exec/lib/DirectAdminUser.php';
require_once PLUGIN_ROOT . '/exec/lib/RuleRepository.php';
require_once PLUGIN_ROOT . '/exec/lib/AuditLog.php';
require_once PLUGIN_ROOT . '/exec/lib/AppContext.php';
test('csrf token is bound to user session action and time', function (): void {
$guard = new CsrfGuard('secret', 'alice', 'session-1');
$issued = $guard->issue('create');
assert_true($guard->validate('create', (string)$issued['ts'], $issued['token'], 3600, 'session-1'));
assert_false((new CsrfGuard('secret', 'bob', 'session-1'))->validate('create', (string)$issued['ts'], $issued['token'], 3600, 'session-1'));
assert_false($guard->validate('delete', (string)$issued['ts'], $issued['token'], 3600, 'session-1'));
assert_false($guard->validate('create', (string)($issued['ts'] - 7200), $issued['token'], 3600, 'session-1'));
assert_false($guard->validate('create', 'bad', $issued['token'], 3600, 'session-1'));
});
test('csrf form fields use plugin scoped names to avoid directadmin token collisions', function (): void {
$settings = Settings::load(TEST_TMP . '/missing-csrf-form.conf');
$ctx = new AppContext(
new DirectAdminUser('alice', 'enhanced', 'pl', TEST_TMP . '/config'),
$settings,
new RuleRepository(TEST_TMP . '/data'),
new CsrfGuard('secret', 'alice', 'sid'),
Lang::load('pl', $settings),
new AuditLog(TEST_TMP . '/audit.log')
);
$html = $ctx->csrfField('create');
assert_contains('name="gar_csrf_ts"', $html);
assert_contains('name="gar_csrf_sid"', $html);
assert_contains('name="gar_csrf_token"', $html);
assert_false(str_contains($html, 'name="csrf_token"'));
});