Chris@0: getHttpClient(); Chris@0: $csrf_token_paths = ['deprecated/session/token', 'session/token']; Chris@0: // Test using the both the current path and a test path that returns Chris@0: // a token using the deprecated 'rest' value. Chris@0: // Checking /deprecated/session/token can be removed in 8.3. Chris@0: // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access() Chris@0: foreach ($csrf_token_paths as $csrf_token_path) { Chris@0: // Check both test routes. Chris@0: $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected']; Chris@0: foreach ($route_names as $route_name) { Chris@0: $user = $this->drupalCreateUser(); Chris@0: $this->drupalLogin($user); Chris@0: Chris@0: $csrf_token = $this->drupalGet($csrf_token_path); Chris@0: $url = Url::fromRoute($route_name) Chris@0: ->setAbsolute(TRUE) Chris@0: ->toString(); Chris@0: $post_options = [ Chris@0: 'headers' => ['Accept' => 'text/plain'], Chris@0: 'http_errors' => FALSE, Chris@0: ]; Chris@0: Chris@0: // Test that access is allowed for anonymous user with no token in header. Chris@0: $result = $client->post($url, $post_options); Chris@0: $this->assertEquals(200, $result->getStatusCode()); Chris@0: Chris@0: // Add cookies to POST options so that all other requests are for the Chris@0: // authenticated user. Chris@17: $post_options['cookies'] = $this->getSessionCookies(); Chris@0: Chris@0: // Test that access is denied with no token in header. Chris@0: $result = $client->post($url, $post_options); Chris@0: $this->assertEquals(403, $result->getStatusCode()); Chris@0: Chris@0: // Test that access is allowed with correct token in header. Chris@0: $post_options['headers']['X-CSRF-Token'] = $csrf_token; Chris@0: $result = $client->post($url, $post_options); Chris@0: $this->assertEquals(200, $result->getStatusCode()); Chris@0: Chris@0: // Test that access is denied with incorrect token in header. Chris@0: $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for'; Chris@0: $result = $client->post($url, $post_options); Chris@0: $this->assertEquals(403, $result->getStatusCode()); Chris@0: } Chris@0: } Chris@0: Chris@0: } Chris@0: Chris@0: }