Refactor Access Tokens (#2651)

- Make session token-based instead of user-based - Clear current session access tokens on logout - Introduce increment ID so we can show tokens to moderators in the future without exposing secrets - Switch to type classes to manage the different token types. New implementation fixes #2075 - Drop ability to customize lifetime per-token - Add developer access keys that don't expire. These must be created from the database for now - Add title in preparation for the developer token UI - Add IP and user agent logging - Delete all non-remember tokens in migration
2025-08-10 10:24:46 +02:00 · 2021-03-04 22:50:38 +01:00
parent 8eef7230e9
commit 08ba2599d7
28 changed files with 772 additions and 53 deletions
--- a/tests/integration/api/access_tokens/RemembererTest.php
+++ b/tests/integration/api/access_tokens/RemembererTest.php
@@ -0,0 +1,97 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Tests\integration\api\access_tokens;
+
+use Carbon\Carbon;
+use Flarum\Tests\integration\RetrievesAuthorizedUsers;
+use Flarum\Tests\integration\TestCase;
+
+class RemembererTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->prepareDatabase([
+            'access_tokens' => [
+                ['token' => 'a', 'user_id' => 1, 'last_activity_at' => Carbon::parse('2021-01-01 02:00:00'), 'type' => 'session'],
+                ['token' => 'b', 'user_id' => 1, 'last_activity_at' => Carbon::parse('2021-01-01 02:00:00'), 'type' => 'session_remember'],
+            ],
+        ]);
+    }
+
+    /**
+     * @test
+     */
+    public function non_remember_tokens_cannot_be_used()
+    {
+        $this->populateDatabase();
+
+        Carbon::setTestNow('2021-01-01 02:30:00');
+
+        $response = $this->send(
+            $this->request('GET', '/api')->withCookieParams([
+                'flarum_remember' => 'a',
+            ])
+        );
+
+        Carbon::setTestNow();
+
+        $data = json_decode($response->getBody(), true);
+        $this->assertFalse($data['data']['attributes']['canViewUserList']);
+    }
+
+    /**
+     * @test
+     */
+    public function expired_tokens_cannot_be_used()
+    {
+        $this->populateDatabase();
+
+        Carbon::setTestNow('2027-01-01 02:30:00');
+
+        $response = $this->send(
+            $this->request('GET', '/api')->withCookieParams([
+                'flarum_remember' => 'b',
+            ])
+        );
+
+        Carbon::setTestNow();
+
+        $data = json_decode($response->getBody(), true);
+        $this->assertFalse($data['data']['attributes']['canViewUserList']);
+    }
+
+    /**
+     * @test
+     */
+    public function valid_tokens_can_be_used()
+    {
+        $this->populateDatabase();
+
+        Carbon::setTestNow('2021-01-01 02:30:00');
+
+        $response = $this->send(
+            $this->request('GET', '/api')->withCookieParams([
+                'flarum_remember' => 'b',
+            ])
+        );
+
+        Carbon::setTestNow();
+
+        $data = json_decode($response->getBody(), true);
+        $this->assertTrue($data['data']['attributes']['canViewUserList']);
+    }
+}