mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-14 05:45:18 +02:00
b290620cf9
* Declare ext-intl and ext-zip as explicit composer requirements DataExportService uses ZipArchive directly and the Dutch-locale format_datetime Twig filter needs real ext-intl (the polyfill only supports en), but composer.json only declared ext-ctype/ext-iconv. Adding them lets `composer check-platform-reqs` catch a missing extension before a runtime crash. * Add authorization checks to PrepareEliminationController index and viewElimination had no IsGranted guard, unlike every other backoffice/elimination controller, so any authenticated user could prepare or overwrite another season's elimination screens. * Prevent formula injection in spreadsheet exports Answer/candidate text starting with =, +, -, or @ was written to XLSX exports as a live formula rather than plain text. Since seasons can have multiple owners, a co-owner could plant a formula that runs (and can exfiltrate data) when another owner opens the export in Excel. * Add rate limiting to login and season-code entry points Neither /login nor the public season-code guess form (POST /) had any throttling, making both an unlimited brute-force/enumeration oracle. Adds symfony/rate-limiter and enables login_throttling on the main firewall, plus a dedicated per-IP rate limiter on the season-code form. * Add unique constraint to prevent double-submit score inflation A candidate could submit two concurrent POSTs for the same question before either committed, since GivenAnswer had no unique constraint and the "next question" check was subject to a TOCTOU race — each insert was then counted as a correct answer. * Address CodeRabbit review findings Include a Retry-After header on the season-code rate limit, correct stale line references in the security audit doc, and fix a stray comma in the reset-password email.
104 lines
3.2 KiB
PHP
104 lines
3.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tvdt\Tests\Controller;
|
|
|
|
use PHPUnit\Framework\Attributes\CoversClass;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Tvdt\Controller\LoginController;
|
|
|
|
#[CoversClass(LoginController::class)]
|
|
final class LoginControllerTest extends AbstractControllerWebTestCase
|
|
{
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
// Login attempts are rate-limited; start each test with a clean quota.
|
|
self::getContainer()->get('cache.rate_limiter')->clear();
|
|
}
|
|
|
|
public function testLoginPageLoadsWhenNotAuthenticated(): void
|
|
{
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
self::assertSelectorExists('form');
|
|
}
|
|
|
|
public function testNavbarTogglerHasNoDeadTargetWhenNotAuthenticated(): void
|
|
{
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
|
|
$crawler = $this->client->getCrawler();
|
|
$toggler = $crawler->filter('.navbar-toggler');
|
|
|
|
if (0 === $toggler->count()) {
|
|
self::assertSelectorNotExists('#navbarSupportedContent');
|
|
|
|
return;
|
|
}
|
|
|
|
$target = $toggler->attr('data-bs-target');
|
|
$this->assertNotNull($target);
|
|
self::assertSelectorExists($target);
|
|
}
|
|
|
|
public function testLoginRedirectsToBackofficeWhenAlreadyAuthenticated(): void
|
|
{
|
|
$this->loginAs('test@example.org');
|
|
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
|
|
self::assertResponseRedirects('/backoffice/');
|
|
}
|
|
|
|
public function testLoginWithInvalidCredentialsShowsFlash(): void
|
|
{
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
$form = $this->client->getCrawler()->filter('form')->form([
|
|
'_username' => 'test@example.org',
|
|
'_password' => 'wrong-password',
|
|
]);
|
|
$this->client->submit($form);
|
|
|
|
self::assertResponseRedirects('/login');
|
|
$this->client->followRedirect();
|
|
self::assertSelectorTextContains('body', 'Ongeldige inloggegevens.');
|
|
}
|
|
|
|
public function testLoginIsThrottledAfterTooManyFailedAttempts(): void
|
|
{
|
|
for ($i = 0; $i < 2; ++$i) {
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
$form = $this->client->getCrawler()->filter('form')->form([
|
|
'_username' => 'test@example.org',
|
|
'_password' => 'wrong-password',
|
|
]);
|
|
$this->client->submit($form);
|
|
self::assertResponseRedirects('/login');
|
|
}
|
|
|
|
$this->client->request(Request::METHOD_GET, '/login');
|
|
$form = $this->client->getCrawler()->filter('form')->form([
|
|
'_username' => 'test@example.org',
|
|
'_password' => 'wrong-password',
|
|
]);
|
|
$this->client->submit($form);
|
|
|
|
self::assertResponseRedirects('/login');
|
|
$this->client->followRedirect();
|
|
self::assertSelectorTextContains('body', 'Te veel onjuiste inlogpogingen');
|
|
}
|
|
|
|
public function testLogoutIsInterceptedByFirewall(): void
|
|
{
|
|
$this->loginAs('test@example.org');
|
|
|
|
$this->client->request(Request::METHOD_GET, '/logout');
|
|
|
|
self::assertResponseRedirects();
|
|
}
|
|
}
|