diff --git a/tests/DeprecatedCsrfMiddlewareTest.php b/tests/DeprecatedCsrfMiddlewareTest.php
index 4552f09..2f30f0b 100644
--- a/tests/DeprecatedCsrfMiddlewareTest.php
+++ b/tests/DeprecatedCsrfMiddlewareTest.php
@@ -10,6 +10,7 @@
 use Yiisoft\Csrf\Synchronizer\Generator\RandomCsrfTokenGenerator;
 use Yiisoft\Csrf\Synchronizer\SynchronizerCsrfToken;
 use Yiisoft\Csrf\Tests\Synchronizer\Storage\MockCsrfTokenStorage;
+use Yiisoft\Http\Method;
 final class DeprecatedCsrfMiddlewareTest extends TestCase
 {
@@ -46,6 +47,7 @@ public function testImmutability(): void
 $original = $this->createMiddleware();
 $this->assertNotSame($original, $original->withHeaderName('csrf'));
 $this->assertNotSame($original, $original->withParameterName('csrf'));
+ $this->assertNotSame($original, $original->withSafeMethods([Method::HEAD]));
 }
 private function createMiddleware(): CsrfMiddleware
diff --git a/tests/DeprecatedTokenCsrfMiddlewareTest.php b/tests/DeprecatedTokenCsrfMiddlewareTest.php
index c00dd65..0ccbb48 100644
--- a/tests/DeprecatedTokenCsrfMiddlewareTest.php
+++ b/tests/DeprecatedTokenCsrfMiddlewareTest.php
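Review bot: The assertion added to testImmutability in tests/DeprecatedCsrfMiddlewareTest.php checks only that `withSafeMethods([Method::HEAD])` returns a different object, so it would still pass if the call also changed the safe-method list held by `$original`. That list decides which requests skip token validation, so a change leaking into a shared instance would alter CSRF enforcement without any test failing. Consider sending a request through `$original` after the call and asserting that its default behaviour is unchanged, assuming this test class has or can borrow a request helper. The opening brace of testImmutability lies outside the hunk.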
@@ -24,6 +24,27 @@ abstract class DeprecatedTokenCsrfMiddlewareTest extends TestCase
 private string $token;
+ public function testGetIsAlwaysAllowed(): void
+ {
+ $middleware = $this->createCsrfMiddleware();
+ $response = $middleware->process($this->createServerRequest(Method::GET), $this->createRequestHandler());
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
+ public function testHeadIsAlwaysAllowed(): void
+ {
+ $middleware = $this->createCsrfMiddleware();
+ $response = $middleware->process($this->createServerRequest(Method::HEAD), $this->createRequestHandler());
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
+ public function testOptionsIsAlwaysAllowed(): void
+ {
+ $middleware = $this->createCsrfMiddleware();
+ $response = $middleware->process($this->createServerRequest(Method::OPTIONS), $this->createRequestHandler());
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
 public function testValidTokenInBodyPostRequestResultIn200(): void
 {
 $middleware = $this->createCsrfMiddleware();
@@ -79,13 +100,6 @@ public function testValidTokenInCustomHeaderResultIn200(): void
 $this->assertEquals(200, $response->getStatusCode());
 }
- public function testGetIsAlwaysAllowed(): void
- {
- $middleware = $this->createCsrfMiddleware();
- $response = $middleware->process($this->createServerRequest(Method::GET), $this->createRequestHandler());
- $this->assertEquals(200, $response->getStatusCode());
- }
-
 public function testInvalidTokenResultIn422(): void
 {
 $middleware = $this->createCsrfMiddleware();
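Review bot: The names `testGetIsAlwaysAllowed`, `testHeadIsAlwaysAllowed` and `testOptionsIsAlwaysAllowed` in the first hunk overstate the guarantee, because `testCustomUnsafeMethodGetRequestResultIn422`, added further down in this file, shows GET being rejected once `withSafeMethods([Method::OPTIONS])` is applied. These tests pin the default safe-method set of an unconfigured middleware, so a name such as `testGetIsAllowedByDefault` would describe them accurately and would not suggest that GET can never be CSRF-checked. The three bodies differ only in the method constant, so a single test driven by a data provider over GET, HEAD and OPTIONS would keep the default list in one place.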
@@ -130,6 +144,42 @@ public function testEmptyTokenInRequestResultIn422(): void
 $this->assertEquals(Status::UNPROCESSABLE_ENTITY, $response->getStatusCode());
 }
+ public function testUnsafeMethodPostRequestResultIn422(): void
+ {
+ $middleware = $this->createCsrfMiddleware();
+ $response = $middleware->process(
+ $this->createServerRequest(Method::POST),
+ $this->createRequestHandler()
+ );
+ $this->assertEquals(Status::TEXTS[Status::UNPROCESSABLE_ENTITY], $response->getBody());
+ $this->assertEquals(Status::UNPROCESSABLE_ENTITY, $response->getStatusCode());
+ }
+
+ public function testCustomSafeOptionsRequestResultIn200(): void
+ {
+ $middleware = $this
+ ->createCsrfMiddleware()
+ ->withSafeMethods([Method::OPTIONS]);
+ $response = $middleware->process(
+ $this->createServerRequest(Method::OPTIONS),
+ $this->createRequestHandler()
+ );
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
+ public function testCustomUnsafeMethodGetRequestResultIn422(): void
+ {
+ $middleware = $this
+ ->createCsrfMiddleware()
+ ->withSafeMethods([Method::OPTIONS]);
+ $response = $middleware->process(
+ $this->createServerRequest(Method::GET),
+ $this->createRequestHandler()
+ );
+ $this->assertEquals(Status::TEXTS[Status::UNPROCESSABLE_ENTITY], $response->getBody());
+ $this->assertEquals(Status::UNPROCESSABLE_ENTITY, $response->getStatusCode());
+ }
+
 private function createServerRequest(
 string $method = Method::POST,
 array $bodyParams = [],
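Review bot: `testCustomSafeOptionsRequestResultIn200` cannot fail for the reason its name gives, because OPTIONS already returns 200 on an unconfigured middleware (`testOptionsIsAlwaysAllowed` in the same file), so the 200 here does not show that `withSafeMethods()` had any effect. Only `testCustomUnsafeMethodGetRequestResultIn422` demonstrates that the list is replaced rather than merged with the defaults. To pin the positive case, configure a method that is rejected by default and send it without a token, for example `->withSafeMethods([Method::PUT])` with `$this->createServerRequest(Method::PUT)`. An empty list is also untested; if it is meant to force token validation on every method, a test using `->withSafeMethods([])` and a GET expecting 422 would lock that in.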