Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\Tests\system\Functional;
Chris@0: 
Chris@0: use Drupal\Core\Url;
Chris@0: use Drupal\Tests\BrowserTestBase;
Chris@0: 
Chris@0: /**
Chris@0:  * Tests protecting routes by requiring CSRF token in the request header.
Chris@0:  *
Chris@0:  * @group system
Chris@0:  */
Chris@0: class CsrfRequestHeaderTest extends BrowserTestBase {
Chris@0: 
Chris@0:   /**
Chris@0:    * Modules to enable.
Chris@0:    *
Chris@0:    * @var array
Chris@0:    */
Chris@0:   public static $modules = ['system', 'csrf_test'];
Chris@0: 
Chris@0:   /**
Chris@0:    * Tests access to routes protected by CSRF request header requirements.
Chris@0:    *
Chris@0:    * This checks one route that uses _csrf_request_header_token and one that
Chris@0:    * uses the deprecated _access_rest_csrf.
Chris@0:    */
Chris@0:   public function testRouteAccess() {
Chris@17:     $client = $this->getHttpClient();
Chris@0:     $csrf_token_paths = ['deprecated/session/token', 'session/token'];
Chris@0:     // Test using the both the current path and a test path that returns
Chris@0:     // a token using the deprecated 'rest' value.
Chris@0:     // Checking /deprecated/session/token can be removed in 8.3.
Chris@0:     // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
Chris@0:     foreach ($csrf_token_paths as $csrf_token_path) {
Chris@0:       // Check both test routes.
Chris@0:       $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected'];
Chris@0:       foreach ($route_names as $route_name) {
Chris@0:         $user = $this->drupalCreateUser();
Chris@0:         $this->drupalLogin($user);
Chris@0: 
Chris@0:         $csrf_token = $this->drupalGet($csrf_token_path);
Chris@0:         $url = Url::fromRoute($route_name)
Chris@0:           ->setAbsolute(TRUE)
Chris@0:           ->toString();
Chris@0:         $post_options = [
Chris@0:           'headers' => ['Accept' => 'text/plain'],
Chris@0:           'http_errors' => FALSE,
Chris@0:         ];
Chris@0: 
Chris@0:         // Test that access is allowed for anonymous user with no token in header.
Chris@0:         $result = $client->post($url, $post_options);
Chris@0:         $this->assertEquals(200, $result->getStatusCode());
Chris@0: 
Chris@0:         // Add cookies to POST options so that all other requests are for the
Chris@0:         // authenticated user.
Chris@17:         $post_options['cookies'] = $this->getSessionCookies();
Chris@0: 
Chris@0:         // Test that access is denied with no token in header.
Chris@0:         $result = $client->post($url, $post_options);
Chris@0:         $this->assertEquals(403, $result->getStatusCode());
Chris@0: 
Chris@0:         // Test that access is allowed with correct token in header.
Chris@0:         $post_options['headers']['X-CSRF-Token'] = $csrf_token;
Chris@0:         $result = $client->post($url, $post_options);
Chris@0:         $this->assertEquals(200, $result->getStatusCode());
Chris@0: 
Chris@0:         // Test that access is denied with incorrect token in header.
Chris@0:         $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
Chris@0:         $result = $client->post($url, $post_options);
Chris@0:         $this->assertEquals(403, $result->getStatusCode());
Chris@0:       }
Chris@0:     }
Chris@0: 
Chris@0:   }
Chris@0: 
Chris@0: }