Security: JSON-Login durchläuft die is_active-/Verifizierungschecks
RoleAwareLoginResponse gab bei wantsJson() sofort 204 zurück – VOR den Sicherheitschecks. Ein XHR/JSON-Login eines verifiziert-inaktiven Accounts erhielt damit eine Session ohne Logout. Checks laufen jetzt zuerst: verifiziert-inaktiv → Logout + Session-Invalidate + 403 (JSON) bzw. Login mit Fehler (HTML); unverifiziert → 204 (JSON) bzw. Notice (HTML); danach der Erfolgsfall. Tests: JSON-Login eines inaktiven Accounts (403, guest), JSON-Login eines aktiven Users (204, authentifiziert). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
f4ca452c6b
commit
ae79d5bee4
3 changed files with 52 additions and 16 deletions
@ -65,6 +65,28 @@ test('the fortify login post blocks inactive but verified users', function () {
|
|||
$this->assertGuest();
|
||||
});
|
||||
|
||||
test('a json login does not grant a session to an inactive verified account', function () {
|
||||
/** @var TestCase $this */
|
||||
$user = User::factory()->create(['is_active' => false]);
|
||||
|
||||
$this->postJson('/login', ['email' => $user->email, 'password' => 'password'])
|
||||
->assertStatus(403);
|
||||
|
||||
$this->assertGuest();
|
||||
});
|
||||
|
||||
test('a json login for an active user succeeds with 204', function () {
|
||||
/** @var TestCase $this */
|
||||
$this->seed(RolesAndPermissionsSeeder::class);
|
||||
$customer = User::factory()->create(['is_active' => true]);
|
||||
$customer->assignRole('customer');
|
||||
|
||||
$this->postJson('/login', ['email' => $customer->email, 'password' => 'password'])
|
||||
->assertNoContent();
|
||||
|
||||
$this->assertAuthenticatedAs($customer);
|
||||
});
|
||||
|
||||
test('the fortify login post keeps a customer out of the admin area on stale intended', function () {
|
||||
/** @var TestCase $this */
|
||||
$this->seed(RolesAndPermissionsSeeder::class);
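Review bot: The unverified-account JSON branch that the commit description introduces (204 instead of the previous behaviour) has no test in this hunk, while the inactive-verified (403, guest) and active (204, authenticated) branches each get one; a regression in that third branch would go unnoticed. A third case modelled on the two added tests, posting as a factory user whose verification is unset and asserting the 204 together with whichever auth state is intended for that branch, would pin it down. The 403 test also relies on the factory marking the user as verified; if that default changed, the user would fall into the unverified branch and the test would fail for the wrong reason, so passing the verified-state attribute explicitly next to `'is_active' => false` in the `create([...])` call makes the precondition visible. Finally, the description claims the session is invalidated on the 403 path, but the test only asserts `$this->assertGuest()`; comparing the session id before and after the `postJson` call would cover the invalidation claim as well. The enclosing test file continues outside the hunk.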
|
||||
|