doufei4923 2016-06-09 19:27
浏览 51
已采纳

Laravel PHPUnit总是通过CSRF

I'm currently writing a test to assure that our CSRF protection works in Laravel. The test looks like this.

public function testSecurityIncorrectCSRF()
{
    $this->visit('/login')
     ->type('REDACTED', 'email')
     ->type('123123', 'password');

     session()->regenerateToken();

     $this->press('login')
     ->seePageIs('/login');
}

No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.

Can anybody explain why this happens?

  • 写回答

1条回答 默认 最新

  • duanjianhe1388 2016-06-09 19:58
    关注

    Have a look at the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class, especially the handle method.

    public function handle($request, Closure $next)
{
    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->shouldPassThrough($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

    It always passes the csrf token check if it detects that the request comes from a unit test: $this->runningUnitTests()

    A solution would be to put the following code at the start of your test-function:

    $this->app['env'] = 'production';

    This will change the environment to production, thus enabling the csrf token check.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
  • ¥15 随身WiFi网络灯亮但是没有网络,如何解决?
  • ¥15 gdf格式的脑电数据如何处理matlab
  • ¥20 重新写的代码替换了之后运行hbuliderx就这样了
  • ¥100 监控抖音用户作品更新可以微信公众号提醒
  • ¥15 UE5 如何可以不渲染HDRIBackdrop背景
  • ¥70 2048小游戏毕设项目
  • ¥20 mysql架构,按照姓名分表
  • ¥15 MATLAB实现区间[a,b]上的Gauss-Legendre积分
  • ¥15 delphi webbrowser组件网页下拉菜单自动选择问题