Add test to clear CSRF on stateless request

symfony · Apr 26, 2024 · a3662fe · a3662fe
1 parent 279036c
commit a3662fe
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/...mfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php b/...mfony/Component/Security/Http/Tests/EventListener/CsrfTokenClearingLogoutListenerTest.php
@@ -15,13 +15,14 @@
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener;
 
 class CsrfTokenClearingLogoutListenerTest extends TestCase
 {
-    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    public function testSkipsClearingSessionTokenStorageOnRequestWithoutSession()
     {
         try {
             (new CsrfTokenClearingLogoutListener(
@@ -31,6 +32,26 @@ public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
             $this->fail('clear() must not be called if the request is not associated with a session instance');
         }
 
+        $this->addToAssertionCount(1);
+    }
+    public function testSkipsClearingSessionTokenStorageOnStatelessRequest()
+    {
+        $session = new Session();
+
+        // Create a stateless request with a previous session
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set($session->getName(), 'previous_session');
+        $request->attributes->set('_stateless', true);
+
+        try {
+            (new CsrfTokenClearingLogoutListener(
+                new SessionTokenStorage(new RequestStack())
+            ))->onLogout(new LogoutEvent($request, null));
+        } catch (SessionNotFoundException) {
+            $this->fail('clear() must not be called if the request is stateless');
+        }
+
         $this->addToAssertionCount(1);
     }
 }