I'm currently writing a test to assure that our CSRF protection works in Laravel. The test looks like this.
public function testSecurityIncorrectCSRF()
{
$this->visit('/login')
->type('REDACTED', 'email')
->type('123123', 'password');
session()->regenerateToken();
$this->press('login')
->seePageIs('/login');
}
No matter what I do, and even if I pass a wrong _token, the login request will always succeed. I've tried outside of the PHPUnit test and there the CSRF protection works. All my middlewares are enabled, so the CSRF protection should be enabled.
Can anybody explain why this happens?
Have a look at the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class, especially the handle method.
public function handle($request, Closure $next)
{
if (
$this->isReading($request) ||
$this->runningUnitTests() ||
$this->shouldPassThrough($request) ||
$this->tokensMatch($request)
) {
return $this->addCookieToResponse($request, $next($request));
}
throw new TokenMismatchException;
}
It always passes the csrf token check if it detects that the request comes from a unit test: $this->runningUnitTests()
A solution would be to put the following code at the start of your test-function:
$this->app['env'] = 'production';
This will change the environment to production, thus enabling the csrf token check.