doufei4923 2016-06-09 19:27
浏览 51
已采纳

Laravel PHPUnit总是通过CSRF

I'm currently writing a test to assure that our CSRF protection works in Laravel. The test looks like this.

public function testSecurityIncorrectCSRF()
{
    $this->visit('/login')
     ->type('REDACTED', 'email')
     ->type('123123', 'password');

     session()->regenerateToken();

     $this->press('login')
     ->seePageIs('/login');
}

No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.

Can anybody explain why this happens?

  • 写回答

1条回答 默认 最新

  • duanjianhe1388 2016-06-09 19:58
    关注

    Have a look at the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class, especially the handle method.

    public function handle($request, Closure $next)
{
    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->shouldPassThrough($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

    It always passes the csrf token check if it detects that the request comes from a unit test: $this->runningUnitTests()

    A solution would be to put the following code at the start of your test-function:

    $this->app['env'] = 'production';

    This will change the environment to production, thus enabling the csrf token check.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?