From b69b24eea6fc50017d1ab410ed2bb063fa35e6bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20Klabbers?=
Date: Tue, 18 Jun 2019 17:22:23 +0200
Subject: [PATCH] Fixed issue with tmp/storage/views not existing, this caused tmpname to notice. Fixed csrf test that assumed an access token allows application access, which is actually api token. Improved return type hinting in the StartSession middleware
---
 .../core/src/Http/Middleware/AuthenticateWithHeader.php | 3 +--
 framework/core/src/Http/Middleware/CheckCsrfToken.php | 1 +
 framework/core/src/Http/Middleware/StartSession.php | 8 ++++----
 .../api/csrf_protection/RequireCsrfTokenTest.php | 6 +++---
 framework/core/tests/integration/tmp/storage/.gitkeep | 0
 5 files changed, 9 insertions(+), 9 deletions(-)
 delete mode 100644 framework/core/tests/integration/tmp/storage/.gitkeep
diff --git a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
index 87f5bb51b..512f90101 100644
--- a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
+++ b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
@@ -40,12 +40,11 @@ class AuthenticateWithHeader implements Middleware
 $request = $request->withAttribute('apiKey', $key);
 $request = $request->withAttribute('bypassFloodgate', true);
+ $request = $request->withAttribute('bypassCsrfToken', true);
 } elseif ($token = AccessToken::find($id)) {
 $token->touch();
 $actor = $token->user;
-
- $request = $request->withAttribute('bypassCsrfToken', true);
 }
 if (isset($actor)) {
diff --git a/framework/core/src/Http/Middleware/CheckCsrfToken.php b/framework/core/src/Http/Middleware/CheckCsrfToken.php
index 0d22ba340..d2b2d6da8 100644
--- a/framework/core/src/Http/Middleware/CheckCsrfToken.php
+++ b/framework/core/src/Http/Middleware/CheckCsrfToken.php
@@ -39,6 +39,7 @@ class CheckCsrfToken implements Middleware
 private function tokensMatch(Request $request): bool
 {
 $expected = (string) $request->getAttribute('session')->token();
+ $provided = $request->getParsedBody()['csrfToken'] ?? $request->getHeaderLine('X-CSRF-Token');
diff --git a/framework/core/src/Http/Middleware/StartSession.php b/framework/core/src/Http/Middleware/StartSession.php
index f5aee1573..4b4678b11 100644
--- a/framework/core/src/Http/Middleware/StartSession.php
+++ b/framework/core/src/Http/Middleware/StartSession.php
@@ -67,7 +67,7 @@ class StartSession implements Middleware
 return $this->withSessionCookie($response, $session);
 }
- private function makeSession(Request $request)
+ private function makeSession(Request $request): Store
 {
 return new Store(
 $this->config['cookie'],
@@ -76,12 +76,12 @@ class StartSession implements Middleware
 );
 }
- private function withCsrfTokenHeader(Response $response, Session $session)
+ private function withCsrfTokenHeader(Response $response, Session $session): Response
 {
 return $response->withHeader('X-CSRF-Token', $session->token());
 }
- private function withSessionCookie(Response $response, Session $session)
+ private function withSessionCookie(Response $response, Session $session): Response
 {
 return FigResponseCookies::set(
 $response,
@@ -89,7 +89,7 @@ class StartSession implements Middleware
 );
 }
- private function getSessionLifetimeInSeconds()
+ private function getSessionLifetimeInSeconds(): int
 {
 return $this->config['lifetime'] * 60;
 }
diff --git a/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php b/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
index a3cbf4dd6..83980c6e1 100644
--- a/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
+++ b/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
@@ -36,11 +36,11 @@ class RequireCsrfTokenTest extends TestCase
 'group_permission' => [
 ['permission' => 'viewUserList', 'group_id' => 3],
 ],
- 'access_tokens' => [
- ['user_id' => 1, 'token' => 'superadmin', 'lifetime_seconds' => 30],
+ 'api_keys' => [
+ ['user_id' => 1, 'key' => 'superadmin'],
 ],
 'settings' => [
- ['key' => 'mail_driver', 'value' => 'smtp'],
+ ['key' => 'mail_driver', 'value' => 'mail'],
 ['key' => 'version', 'value' => Application::VERSION],
 ],
 ]);
diff --git a/framework/core/tests/integration/tmp/storage/.gitkeep b/framework/core/tests/integration/tmp/storage/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
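Review bot: Replacing the `access_tokens` fixture with `api_keys` keeps the positive case (an API key bypasses the CSRF check) but drops the only fixture that exercised the behaviour this commit changes for access tokens, so nothing now asserts that a request authenticated with an access token and no CSRF token is rejected. Consider keeping both rows, e.g. `'access_tokens' => [['user_id' => 1, 'token' => 'superadmin', 'lifetime_seconds' => 30]],` next to `'api_keys'`, and adding a case that authenticates with the access token and expects the CSRF failure response. The `mail_driver` value change from `'smtp'` to `'mail'` is not explained by the commit subject; a short comment on that line saying why the fixture needs it would help. The test methods that consume these fixtures are outside the hunk.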