I'm currently writing a test to assure that our CSRF protection works in Laravel. The test looks like this.
public function testSecurityIncorrectCSRF()
{
$this->visit('/login')
->type('REDACTED', 'email')
->type('123123', 'password');
session()->regenerateToken();
$this->press('login')
->seePageIs('/login');
}
No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.
Can anybody explain why this happens?