doufei4923 2016-06-09 19:27

Laravel PHPUnit always passes CSRF

I'm currently writing a test to ensure that our CSRF protection works in Laravel. The test looks like this:

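public function testSecurityIncorrectCSRF()
{
    // Load the login form and fill it in; the form carries the current _token.
    $this->visit('/login')
        ->type('REDACTED', 'email')
        ->type('123123', 'password');

    // Rotate the session token so the one in the form no longer matches.
    session()->regenerateToken();

    // Submitting with the stale token should bounce back to /login.
    $this->press('login')
        ->seePageIs('/login');
}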

No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.

Can anybody explain why this happens?


  • duanjianhe1388 2016-06-09 19:58

    Have a look at the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class, especially the handle method.

    public function handle($request, Closure $next)
    {
        if (
            $this->isReading($request) ||
            $this->runningUnitTests() ||
            $this->shouldPassThrough($request) ||
            $this->tokensMatch($request)
        ) {
            return $this->addCookieToResponse($request, $next($request));
        }
    
        throw new TokenMismatchException;
    }
    

    It always passes the CSRF token check if it detects that the request comes from a unit test: $this->runningUnitTests()

    A solution would be to put the following code at the start of your test-function:

    $this->app['env'] = 'production';
    

    This will change the environment to production, thus enabling the CSRF token check.

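The order of the `||` branches in `handle()` decides which requests ever reach the token comparison. The following stand-alone PHP model is an added example, not part of the original answer and not Laravel's code. The class name `CsrfGateModel`, the sample tokens, and the assumption that `runningUnitTests()` is true when the environment is `testing` are introduced here for illustration.

```php
<?php
// Added illustration: a simplified stand-in for the branch order in
// VerifyCsrfToken::handle(). Hypothetical model, not Laravel's code.
final class CsrfGateModel
{
    private string $env;          // stands in for $this->app['env']
    private string $sessionToken; // stands in for the session's CSRF token

    public function __construct(string $env, string $sessionToken)
    {
        $this->env = $env;
        $this->sessionToken = $sessionToken;
    }

    // Returns the branch that let the request through, or 'TokenMismatch'.
    public function decide(string $method, ?string $sentToken): string
    {
        if (in_array($method, ['HEAD', 'GET', 'OPTIONS'], true)) {
            return 'pass: isReading';
        }
        if ($this->env === 'testing') { // assumed meaning of runningUnitTests()
            return 'pass: runningUnitTests';
        }
        // shouldPassThrough() (excluded URIs) is left out of this model.
        if ($sentToken !== null && hash_equals($this->sessionToken, $sentToken)) {
            return 'pass: tokensMatch';
        }
        return 'TokenMismatch';
    }
}

// Constructed sample requests: [environment, HTTP method, token sent].
$session = 'token-after-regenerate'; // constructed value
$cases = [
    ['testing',    'POST', 'stale-token'], // the questioner's situation
    ['testing',    'POST', null],
    ['production', 'POST', 'stale-token'], // after $this->app['env'] = 'production'
    ['production', 'POST', $session],
    ['production', 'GET',  null],
];
foreach ($cases as [$env, $method, $sent]) {
    $gate = new CsrfGateModel($env, $session);
    printf("%-10s %-4s %-26s => %s\n", $env, $method,
        var_export($sent, true), $gate->decide($method, $sent));
}
```

In the model, the token comparison is only reached for a non-reading request outside the `testing` environment, which is why the stale token in the question's test is never checked.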
