diff --git a/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php b/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
index d1c737f..493d7d2 100644
--- a/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
+++ b/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
@@ -7,8 +7,6 @@
 namespace Drupal\system\Tests\Session;
-use Drupal\Component\Serialization\Yaml;
-use Drupal\Core\DependencyInjection\YamlFileLoader;
 use Drupal\Core\Url;
 use Drupal\basic_auth\Tests\BasicAuthTestTrait;
 use Drupal\simpletest\WebTestBase;
@@ -30,6 +28,20 @@ class SessionAuthenticationTest extends WebTestBase {
 protected $user;
 /**
+ * The username of the test user.
+ *
+ * @var string
+ */
+ protected $username;
+
+ /**
+ * The password of the test user.
+ *
+ * @var string
+ */
+ protected $password;
+
+ /**
 * {@inheritdoc}
 */
 public static $modules = ['basic_auth', 'session_test'];
@@ -42,6 +54,8 @@ protected function setUp() {
 // Create a test administrator user.
 $this->user = $this->drupalCreateUser(['administer site configuration']);
+ $this->username = $this->user->getUsername();
+ $this->password = $this->user->pass_raw;
 }
 /**
@@ -62,7 +76,7 @@ public function testSessionFromBasicAuthenticationDoesNotLeak() {
 $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.');
 // We should be able to access the route with basic authentication.
- $this->basicAuthGet($protected_url, $this->user->getUsername(), $this->user->pass_raw);
+ $this->basicAuthGet($protected_url, $this->username, $this->password);
 $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.');
 // Check that the correct user is logged in.
@@ -87,59 +101,37 @@ public function testLoginWithBasicAuthCredentials() {
 // If we use basic authentication with valid credentials this results in a
 // successful authentication. When we are already authenticated we should
 // be denied access when submitting the login form.
- $username = $this->user->getUsername();
- $password = $this->user->pass_raw;
- $edit = ['name' => $username, 'pass' => $password];
+ $edit = ['name' => $this->username, 'pass' => $this->password];
- $this->basicAuthPostForm('', $edit, t('Log in'), $username, $password);
+ $this->basicAuthPostForm('', $edit, t('Log in'), $this->username, $this->password);
 $this->assertResponse(403);
- // Basic auth doesn't open up a session, so the user is not logged in.
+ // Basic auth doesn't set a cookie, so if we do a subsequent request without
+ // using basic authentication we are no longer logged in.
 $this->drupalGet($this->user->urlInfo());
 $this->assertResponse(403);
 // Let's send some basic_auth authentication headers, but that particular
 // route does not have basic_auth authentications.
- $this->basicAuthGet($this->user->urlInfo(), $this->user->getUsername(), $this->user->pass_raw);
+ $this->basicAuthGet($this->user->urlInfo(), $this->username, $this->password);
 $this->assertResponse(403);
-
- return;
- // Now change the default global authentication providers to also include
- // cookie, which means that those routes don't need basic_auth as part of
- // the router.
- /** @var \Drupal\Core\DrupalKernelInterface $kernel */
- $kernel = \Drupal::service('kernel');
- $path = $kernel->getSitePath();
- $filepath = $path . '/services.yml';
- $data = Yaml::decode(file_get_contents($filepath));
- $data['services']['authentication'] = [
- 'class' => 'Drupal\Core\Authentication\AuthenticationManager',
- 'arguments' => [['cookie' => TRUE, 'basic_auth' => TRUE]],
- 'tags' => [
- [
- 'name' => 'service_collector',
- 'tag' => 'authentication_provider',
- 'call' => 'addProvider'
- ]
- ]
- ];
- file_put_contents($filepath, Yaml::encode($data));
- YamlFileLoader::reset();
- $kernel->rebuildContainer();
-
- $this->basicAuthGet($this->user->urlInfo(), $this->user->getUsername(), $this->user->pass_raw);
- $this->assertResponse(200);
 }
 /**
- * Tests HTTP requests with basic authentication.
+ * Tests if a session can be initiated through basic authentication.
 */
- public function testRequestWithBasicAuthCredentials() {
- $result = $this->basicAuthGet('session-test/get-session', $this->user->getUsername(), $this->user->pass_raw);
- $this->assertResponse(200);
- $data = json_decode($result);
- $this->assertEqual([], $data->session);
- $this->assertEqual($this->user->id(), $data->user);
+ public function testBasicAuthSession() {
+ // Set a session value on a request through basic auth.
+ $test_session_value = 'alpaca';
+ $this->basicAuthGet('session-test/set-session/' . $test_session_value, $this->user->getUsername(), $this->user->pass_raw);
+
+ // Test that on a subsequent request the session value is still present.
+ $result = $this->basicAuthGet('session-test/get-session', $this->username, $this->password);
+ $data = json_decode($result, TRUE);
+ $this->assertEqual(['test_value' => $test_session_value], $data['session']);
+
+ // Check that we are still logged in as the same user.
+ $this->assertEqual($this->user->id(), $data['user']);
 }
 }
diff --git a/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php b/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
index e63cbee..b5333ee 100644
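Review bot: Neither request in the new `testBasicAuthSession()` asserts its status code, so if the `set-session` call is rejected the test only fails later on a `json_decode()` result that may be NULL; add `$this->assertResponse(200);` after each `basicAuthGet()` call, as the removed `testRequestWithBasicAuthCredentials()` did. The first call still passes `$this->user->getUsername(), $this->user->pass_raw` while every other call in this change uses `$this->username, $this->password`; use the properties there as well. The test sends credentials on both requests, so it shows that session data survives but not what the session cookie yields on its own. If `testSessionFromBasicAuthenticationDoesNotLeak()` (only partly visible here) does not already cover that, a plain `drupalGet('session-test/get-session')` followed by an assertion on the returned user would pin down the intended behaviour.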
--- a/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
+++ b/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
@@ -189,8 +189,8 @@ public function getSession(Request $request) {
 public function setSession(Request $request, $test_value) {
 $session = $request->getSession();
 $session->set('test_value', $test_value);
- $session->save();
- return new JsonResponse(['session' => $session->all(), 'user' => $this->currentUser()->id()]);
+ // Nothing to see here, just return 200 OK.
+ return new Response();
 }
 }
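Review bot: `new Response()` needs `Symfony\Component\HttpFoundation\Response` in scope and this hunk adds no `use` line for it, so confirm the import already exists at the top of SessionTestController.php, which is outside this diff. The new comment `// Nothing to see here, just return 200 OK.` does not say why the explicit `$session->save()` was dropped; something like `// Do not save explicitly: the test relies on the session being persisted at the end of the request.` would record the intent, which is inferred here from `testBasicAuthSession()`. The docblock of `setSession()` lies outside the hunk and may still describe a JSON return value.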