wiki.techinc.nl/tests/phpunit/includes/api/ApiLogoutTest.php

<?php

/**
 * @group API
 * @group Database
 * @group medium
 *
 * @covers ApiLogout
 */
class ApiLogoutTest extends ApiTestCase {

	protected function setUp() : void {
		global $wgRequest, $wgUser;

		parent::setUp();

		// Link the user to the Session properly so User::doLogout() doesn't complain.
		$wgRequest->getSession()->setUser( $wgUser );
		$wgUser = User::newFromSession( $wgRequest );
		$this->apiContext->setUser( $wgUser );
	}

	public function testUserLogoutBadToken() {
		global $wgUser;

		$this->setExpectedApiException( 'apierror-badtoken' );

		try {
			$token = 'invalid token';
			$this->doUserLogout( $token );
		} finally {
			$this->assertTrue( $wgUser->isLoggedIn(), 'not logged out' );
		}
	}

	public function testUserLogout() {
		global $wgUser;

		$this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );
		$token = $this->getUserCsrfTokenFromApi();
		$this->doUserLogout( $token );
		$this->assertFalse( $wgUser->isLoggedIn() );
	}

	public function testUserLogoutWithWebToken() {
		global $wgUser, $wgRequest;

		$this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );

		// Logic copied from SkinTemplate.
		$token = $wgUser->getEditToken( 'logoutToken', $wgRequest );

		$this->doUserLogout( $token );
		$this->assertFalse( $wgUser->isLoggedIn() );
	}

	private function getUserCsrfTokenFromApi() {
		$retToken = $this->doApiRequest( [
			'action' => 'query',
			'meta' => 'tokens',
			'type' => 'csrf'
		] );

		$this->assertArrayNotHasKey( 'warnings', $retToken );

		return $retToken[0]['query']['tokens']['csrftoken'];
	}

	private function doUserLogout( $logoutToken ) {
		return $this->doApiRequest( [
			'action' => 'logout',
			'token' => $logoutToken
		] );
	}
}
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`<?php`

			`/**`
			`* @group API`
			`* @group Database`
			`* @group medium`
			`*`
			`* @covers ApiLogout`
			`*/`
			`class ApiLogoutTest extends ApiTestCase {`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00
tests: Add explicit return type void to setUp() and tearDown() Bug: T192167 Depends-On: I581e54278ac5da3f4e399e33f2c7ad468bae6b43 Change-Id: I3a21fb55db76bac51afdd399cf40ed0760e4f343 2019-10-20 18:11:08 +00:00			`protected function setUp() : void {`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`global $wgRequest, $wgUser;`

[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`parent::setUp();`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00
			`// Link the user to the Session properly so User::doLogout() doesn't complain.`
			`$wgRequest->getSession()->setUser( $wgUser );`
			`$wgUser = User::newFromSession( $wgRequest );`
			`$this->apiContext->setUser( $wgUser );`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`}`

			`public function testUserLogoutBadToken() {`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`global $wgUser;`

			`$this->setExpectedApiException( 'apierror-badtoken' );`

[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`try {`
			`$token = 'invalid token';`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`$this->doUserLogout( $token );`
			`} finally {`
			`$this->assertTrue( $wgUser->isLoggedIn(), 'not logged out' );`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`}`
			`}`

			`public function testUserLogout() {`
			`global $wgUser;`

ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`$this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`$token = $this->getUserCsrfTokenFromApi();`
ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`$this->doUserLogout( $token );`
			`$this->assertFalse( $wgUser->isLoggedIn() );`
			`}`

			`public function testUserLogoutWithWebToken() {`
			`global $wgUser, $wgRequest;`

			`$this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );`

			`// Logic copied from SkinTemplate.`
			`$token = $wgUser->getEditToken( 'logoutToken', $wgRequest );`

			`$this->doUserLogout( $token );`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`$this->assertFalse( $wgUser->isLoggedIn() );`
			`}`

ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`private function getUserCsrfTokenFromApi() {`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`$retToken = $this->doApiRequest( [`
			`'action' => 'query',`
			`'meta' => 'tokens',`
			`'type' => 'csrf'`
			`] );`

			`$this->assertArrayNotHasKey( 'warnings', $retToken );`

			`return $retToken[0]['query']['tokens']['csrftoken'];`
			`}`

ApiLogout: Follow up Icb674095 This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and implemented in F3328897. Somehow it didn't make it into Icb674095. This also fixes some issues in the unit test: * Properly link the user to the request's Session so User::doLogout() won't log a warning. This also gives use to the otherwise-unneeded implementation of setUp(), and lets us get rid of the broken call to User::newFromId() that was passing an IP address rather than a user ID. * Privatize some internal methods. * Use setExpectedApiException() instead of manually catching and hard-coding the English exception message. * Also assert that the bad token error didn't result in a logout. Bug: T25227 Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2 2019-04-25 13:49:01 +00:00			`private function doUserLogout( $logoutToken ) {`
[SECURITY] [API BREAKING CHANGE] Require logout token. Special:Userlogout now requires a token Api action=logout requires a csrf token and the request to be POSTed Patch author: bawolff Bug: T25227 Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774 2019-04-16 22:09:43 +00:00			`return $this->doApiRequest( [`
			`'action' => 'logout',`
			`'token' => $logoutToken`
			`] );`
			`}`
			`}`