test: migrate UserLoginTurnstileTest to session-driven captcha preconditions and add 3 new tests

matiasperrone-exo · claude · matiasperrone-exo · commit 4d08c41e8fb0 · 2026-05-18T22:39:19.000Z
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/tests/UserLoginTurnstileTest.php b/tests/UserLoginTurnstileTest.php
@@ -14,6 +14,7 @@
  **/
 
 use Auth\User;
+use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Support\Facades\Session;
 use LaravelDoctrine\ORM\Facades\EntityManager;
 use RyanChandler\LaravelCloudflareTurnstile\Facades\Turnstile;
@@ -59,18 +60,33 @@ private function getTestUser(): User
             ->findOneBy(['identifier' => 'sebastian.marcet']);
     }
 
-    private function postLogin(array $overrides = [])
+    private function postLogin(array $overrides = [], array $sessionData = [])
     {
-        // GET the login page first so the session (and its CSRF token) is established,
-        // mirroring how a real browser submits the form.
-        $this->call('GET', self::LOGIN_URL);
+        // GET establishes the session and CSRF token, mirroring a real browser.
+        $getResponse = $this->call('GET', self::LOGIN_URL);
+
+        // Inject session data after session is established, before the POST reads it.
+        foreach ($sessionData as $key => $value) {
+            $this->app['session']->driver()->put($key, $value);
+        }
+
+        // Persist injected data to the session store so the POST kernel cycle can load it.
+        $this->app['session']->driver()->save();
+
+        // Re-send the session cookie so StartSession loads the same session ID on the POST.
+        $sessionName = $this->app['session']->getName();
+        $sessionId   = $this->app['session']->driver()->getId();
+        $encryptedSessionCookie = encrypt(
+            CookieValuePrefix::create($sessionName, $this->app['encrypter']->getKey()) . $sessionId,
+            false
+        );
 
         return $this->call('POST', self::LOGIN_URL, array_merge([
             'username' => $this->testEmail,
             'password' => $this->testPassword,
             'flow' => 'password',
             '_token' => Session::token(),
-        ], $overrides));
+        ], $overrides), [$sessionName => $encryptedSessionCookie]);
     }
 
     private function fakeTurnstilePass(): void
@@ -101,15 +117,14 @@ private function sessionHasValidationError(string $field): bool
 
     public function testMissingTurnstileResponseFailsValidationWhenAtThreshold(): void
     {
-        $user = $this->getTestUser();
-
-        $this->postLogin([
-            "login_attempts" => self::CAPTCHA_THRESHOLD,
-        ]); // no cf-turnstile-response
+        $this->postLogin(
+            [],  // no cf-turnstile-response
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Expected a validation error for cf-turnstile-response when user is at threshold'
+            'Expected a validation error for cf-turnstile-response when session counter is at threshold'
         );
     }
 
@@ -119,28 +134,25 @@ public function testMissingTurnstileResponseFailsValidationWhenAtThreshold(): vo
 
     public function testLoginBelowThresholdDoesNotRequireTurnstile(): void
     {
-        $user = $this->getTestUser();
-
-        $this->postLogin([
-            'login_attempts' => self::CAPTCHA_THRESHOLD - 1
-        ]); // correct credentials, no captcha token
+        $this->postLogin(
+            [],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD - 1]
+        );
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Turnstile must not be required when login attempts are below threshold'
+            'Turnstile must not be required when session counter is below threshold'
         );
     }
 
     public function testLoginAtThresholdWithValidTokenPassesValidation(): void
     {
-        $user = $this->getTestUser();
-
         $this->fakeTurnstilePass();
 
-        $this->postLogin([
-            'cf-turnstile-response' => 'dummy-token-accepted-by-mock',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => 'dummy-token-accepted-by-mock'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
@@ -150,16 +162,15 @@ public function testLoginAtThresholdWithValidTokenPassesValidation(): void
 
     public function testOmittedLoginAttemptsFieldDefaultsToZeroNoCaptchaRequired(): void
     {
-        // No login_attempts key posted → intval(null) = 0 → below threshold →
-        // captcha rule is never added to the validator.
+        // No captcha_failed_attempts in session → defaults to 0 → below threshold.
         $this->postLogin([
             'username' => 'nobody@doesnotexist.example',
             'password' => 'irrelevant',
         ]);
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Turnstile must not be required when login_attempts is absent from the request'
+            'Turnstile must not be required when captcha_failed_attempts is absent from session'
         );
     }
 
@@ -169,22 +180,17 @@ public function testOmittedLoginAttemptsFieldDefaultsToZeroNoCaptchaRequired():
 
     public function testLoginScreenIncludesTurnstileConfigWhenAboveThreshold(): void
     {
-        $user = $this->getTestUser();
-
-        // Place user one below threshold; the wrong-password attempt crosses it.
-        $this->postLogin([
-            'password' => 'wrong-password',
-            'login_attempts' => self::CAPTCHA_THRESHOLD - 1
-        ]);
+        // Session counter one below threshold; the wrong-password attempt crosses it.
+        $this->postLogin(
+            ['password' => 'wrong-password'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD - 1]
+        );
 
-        // errorLogin() flashes max_login_attempts_2_show_captcha into the session;
+        // errorLogin() flashes login_attempts (updated session counter) into the session;
         // following the redirect renders login.blade.php which emits those values.
         $html = $this->call('GET', self::LOGIN_URL)->getContent();
 
-        // captchaPublicKey is always rendered (login.blade.php, not conditional)
         $this->assertStringContainsString('captchaPublicKey', $html);
-
-        // maxLoginAttempts2ShowCaptcha is emitted when the session key is set
         $this->assertStringContainsString('maxLoginAttempts2ShowCaptcha', $html);
     }
 
@@ -194,15 +200,12 @@ public function testLoginScreenIncludesTurnstileConfigWhenAboveThreshold(): void
 
     public function testExpiredTurnstileTokenFailsValidation(): void
     {
-        $user = $this->getTestUser();
-
-        // Cloudflare API returns success=false (expired / already-used token)
         $this->fakeTurnstileFail();
 
-        $this->postLogin([
-            'cf-turnstile-response' => 'expired-or-invalid-token',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => 'expired-or-invalid-token'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
@@ -212,17 +215,74 @@ public function testExpiredTurnstileTokenFailsValidation(): void
 
     public function testUnsolvedCaptchaEmptyTokenFailsValidation(): void
     {
-        $user = $this->getTestUser();
-
-        // Empty string triggers the 'required' rule before any Cloudflare call
-        $this->postLogin([
-            'cf-turnstile-response' => '',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => ''],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
             'An empty Turnstile response must be rejected by the required rule'
         );
     }
+
+    // -------------------------------------------------------------------------
+    // 6. Request-body login_attempts is ignored; only session counter matters
+    // -------------------------------------------------------------------------
+
+    public function testRequestSuppliedLoginAttemptsIsIgnored(): void
+    {
+        // Session counter is at threshold but the POST body claims login_attempts=0.
+        // The captcha gate must still fire because the server ignores the body field.
+        $this->postLogin(
+            ['login_attempts' => 0],  // attacker-supplied body value: below threshold
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]  // server session: at threshold
+        );
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'cf-turnstile-response must be required based on the session counter, not the request body'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 7. Enumeration safety: captcha fires for non-existent users too
+    // -------------------------------------------------------------------------
+
+    public function testCaptchaRequiredForUnknownUsernameWhenSessionAtThreshold(): void
+    {
+        // A non-existent username must still require captcha when the session counter
+        // is at threshold — no oracle for whether the account exists.
+        $this->postLogin(
+            [
+                'username' => 'nobody@doesnotexist.example',
+                'password' => 'irrelevant',
+            ],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'cf-turnstile-response must be required for non-existent users when session counter is at threshold'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 8. Successful login resets the session counter
+    // -------------------------------------------------------------------------
+
+    public function testSuccessfulLoginClearsSessionCounter(): void
+    {
+        $this->fakeTurnstilePass();
+
+        $this->postLogin(
+            ['cf-turnstile-response' => 'valid-token'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
+
+        $this->assertNull(
+            $this->app['session']->driver()->get('captcha_failed_attempts'),
+            'captcha_failed_attempts must be removed from session after a successful login'
+        );
+    }
 }
