Add test to clear CSRF on stateless request

Seb33300 · Seb33300 · commit 1be07ff4d36b · 2024-08-24T11:20:52.000+07:00
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
@@ -12,25 +12,66 @@
 namespace Symfony\Component\Security\Http\Tests\EventListener;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;
 
 class CsrfTokenClearingLogoutListenerTest extends TestCase
 {
-    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
     {
+        $map = $this->createMock(FirewallMap::class);
+        $map
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->willReturn(new FirewallConfig('firewall', 'user_checker'))
+        ;
+
         try {
             (new CsrfTokenClearingLogoutListener(
-                new SessionTokenStorage(new RequestStack())
+                new SessionTokenStorage(new RequestStack()),
+                $map
             ))->onLogout(new LogoutEvent(new Request(), null));
         } catch (SessionNotFoundException) {
             $this->fail('clear() must not be called if the request is not associated with a session instance');
         }
 
         $this->addToAssertionCount(1);
     }
+
+    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    {
+        $session = new Session();
+
+        // Create a stateless request with a previous session
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set($session->getName(), 'previous_session');
+        $request->attributes->set('_stateless', true);
+
+        $map = $this->createMock(FirewallMap::class);
+        $map
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->with($this->equalTo($request))
+            ->willReturn(new FirewallConfig('stateless_firewall', 'user_checker', stateless: true))
+        ;
+
+        try {
+            (new CsrfTokenClearingLogoutListener(
+                new SessionTokenStorage(new RequestStack()),
+                $map
+            ))->onLogout(new LogoutEvent($request, null));
+        } catch (SessionNotFoundException) {
+            $this->fail('clear() must not be called if the request is stateless');
+        }
+
+        $this->addToAssertionCount(1);
+    }
 }
