Add test to clear CSRF on stateless request

Seb33300 · Seb33300 · commit 3d4b434c0d86 · 2024-04-26T16:03:41.000+07:00
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
@@ -15,13 +15,14 @@
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;
 
 class CsrfTokenClearingLogoutListenerTest extends TestCase
 {
-    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
     {
         try {
             (new CsrfTokenClearingLogoutListener(
@@ -33,4 +34,25 @@ public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
 
         $this->addToAssertionCount(1);
     }
+
+    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    {
+        $session = new Session();
+
+        // Create a stateless request with a previous session
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set($session->getName(), 'previous_session');
+        $request->attributes->set('_stateless', true);
+
+        try {
+            (new CsrfTokenClearingLogoutListener(
+                new SessionTokenStorage(new RequestStack())
+            ))->onLogout(new LogoutEvent($request, null));
+        } catch (SessionNotFoundException) {
+            $this->fail('clear() must not be called if the request is stateless');
+        }
+
+        $this->addToAssertionCount(1);
+    }
 }
