doufei4923 2016-06-09 19:27

Laravel PHPUnit always passes CSRF

I'm currently writing a test to assure that our CSRF protection works in Laravel. The test looks like this.

public function testSecurityIncorrectCSRF()
{
    $this->visit('/login')
         ->type('REDACTED', 'email')
         ->type('123123', 'password');

    session()->regenerateToken();

    $this->press('login')
         ->seePageIs('/login');
}

No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.

Can anybody explain why this happens?


1 answer

  • duanjianhe1388 2016-06-09 19:58

    Have a look at the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class, especially the handle method.

    public function handle($request, Closure $next)
    {
        if (
            $this->isReading($request) ||
            $this->runningUnitTests() ||
            $this->shouldPassThrough($request) ||
            $this->tokensMatch($request)
        ) {
            return $this->addCookieToResponse($request, $next($request));
        }
    
        throw new TokenMismatchException;
    }
    

    It always passes the csrf token check if it detects that the request comes from a unit test: $this->runningUnitTests()

    A solution would be to put the following code at the start of your test-function:

    $this->app['env'] = 'production';
    

    This will change the environment to production, thus enabling the csrf token check.

    This answer was selected by the asker as the best answer.
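
A fuller version of the test built on the accepted answer's workaround, added here as an example and not code from either poster. It assumes the Laravel 5.1-5.3 test helpers, a POST /login route behind VerifyCsrfToken, and the default exception handler; the class name, token and credentials are constructed.

```php
<?php

// Added example, not from the thread. Assumes Laravel 5.1-5.3 test helpers,
// a POST /login route behind VerifyCsrfToken, and the default exception handler.
class CsrfProtectionTest extends TestCase
{
    // Constructed sample values.
    const SESSION_TOKEN = 'constructed-session-token-0123456789abcdef';

    private $form = ['email' => 'user@example.test', 'password' => 'constructed-password'];

    public function setUp()
    {
        parent::setUp();
        // VerifyCsrfToken::runningUnitTests() is true while env is "testing".
        // Laravel rebuilds the application for each test, so the override
        // stays confined to this class.
        $this->app['env'] = 'production';
    }

    public function testMissingTokenIsRejected()
    {
        $this->withSession(['_token' => self::SESSION_TOKEN])
             ->call('POST', '/login', $this->form);

        // Assumption: an unhandled TokenMismatchException renders as HTTP 500.
        $this->assertResponseStatus(500);
    }

    public function testWrongTokenIsRejected()
    {
        $this->withSession(['_token' => self::SESSION_TOKEN])
             ->call('POST', '/login', $this->form + ['_token' => 'not-the-session-token']);

        $this->assertResponseStatus(500);
    }

    public function testMatchingTokenReachesTheController()
    {
        // Control case: proves the 500s above come from the CSRF check.
        $this->withSession(['_token' => self::SESSION_TOKEN])
             ->call('POST', '/login', $this->form + ['_token' => self::SESSION_TOKEN]);

        // Assumption: the login action redirects on success and on failure.
        $this->assertResponseStatus(302);
    }
}
```

The control case matters: without it, a 500 caused by anything else in the production environment would look like a working CSRF check.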
