3 namespace Drupal\user\Tests;
5 use Drupal\simpletest\WebTestBase;
6 use Drupal\user\Entity\User;
9 * Ensure that login works as expected.
13 class UserLoginTest extends WebTestBase {
16 * Tests login with destination.
18 public function testLoginCacheTagsAndDestination() {
19 $this->drupalGet('user/login');
20 // The user login form says "Enter your <site name> username.", hence it
21 // depends on config:system.site, and its cache tags should be present.
22 $this->assertCacheTag('config:system.site');
24 $user = $this->drupalCreateUser([]);
25 $this->drupalGet('user/login', ['query' => ['destination' => 'foo']]);
26 $edit = ['name' => $user->getUserName(), 'pass' => $user->pass_raw];
27 $this->drupalPostForm(NULL, $edit, t('Log in'));
28 $this->assertUrl('foo', [], 'Redirected to the correct URL');
32 * Test the global login flood control.
34 public function testGlobalLoginFloodControl() {
35 $this->config('user.flood')
37 // Set a high per-user limit out so that it is not relevant in the test.
38 ->set('user_limit', 4000)
41 $user1 = $this->drupalCreateUser([]);
42 $incorrect_user1 = clone $user1;
43 $incorrect_user1->pass_raw .= 'incorrect';
45 // Try 2 failed logins.
46 for ($i = 0; $i < 2; $i++) {
47 $this->assertFailedLogin($incorrect_user1);
50 // A successful login will not reset the IP-based flood control count.
51 $this->drupalLogin($user1);
52 $this->drupalLogout();
54 // Try 8 more failed logins, they should not trigger the flood control
56 for ($i = 0; $i < 8; $i++) {
57 $this->assertFailedLogin($incorrect_user1);
60 // The next login trial should result in an IP-based flood error message.
61 $this->assertFailedLogin($incorrect_user1, 'ip');
63 // A login with the correct password should also result in a flood error
65 $this->assertFailedLogin($user1, 'ip');
69 * Test the per-user login flood control.
71 public function testPerUserLoginFloodControl() {
72 $this->config('user.flood')
73 // Set a high global limit out so that it is not relevant in the test.
74 ->set('ip_limit', 4000)
75 ->set('user_limit', 3)
78 $user1 = $this->drupalCreateUser([]);
79 $incorrect_user1 = clone $user1;
80 $incorrect_user1->pass_raw .= 'incorrect';
82 $user2 = $this->drupalCreateUser([]);
84 // Try 2 failed logins.
85 for ($i = 0; $i < 2; $i++) {
86 $this->assertFailedLogin($incorrect_user1);
89 // A successful login will reset the per-user flood control count.
90 $this->drupalLogin($user1);
91 $this->drupalLogout();
93 // Try 3 failed logins for user 1, they will not trigger flood control.
94 for ($i = 0; $i < 3; $i++) {
95 $this->assertFailedLogin($incorrect_user1);
98 // Try one successful attempt for user 2, it should not trigger any
100 $this->drupalLogin($user2);
101 $this->drupalLogout();
103 // Try one more attempt for user 1, it should be rejected, even if the
104 // correct password has been used.
105 $this->assertFailedLogin($user1, 'user');
109 * Test that user password is re-hashed upon login after changing $count_log2.
111 public function testPasswordRehashOnLogin() {
112 // Determine default log2 for phpass hashing algorithm
113 $default_count_log2 = 16;
115 // Retrieve instance of password hashing algorithm
116 $password_hasher = $this->container->get('password');
118 // Create a new user and authenticate.
119 $account = $this->drupalCreateUser([]);
120 $password = $account->pass_raw;
121 $this->drupalLogin($account);
122 $this->drupalLogout();
123 // Load the stored user. The password hash should reflect $default_count_log2.
124 $user_storage = $this->container->get('entity.manager')->getStorage('user');
125 $account = User::load($account->id());
126 $this->assertIdentical($password_hasher->getCountLog2($account->getPassword()), $default_count_log2);
128 // Change the required number of iterations by loading a test-module
129 // containing the necessary container builder code and then verify that the
130 // users password gets rehashed during the login.
131 $overridden_count_log2 = 19;
132 \Drupal::service('module_installer')->install(['user_custom_phpass_params_test']);
135 $account->pass_raw = $password;
136 $this->drupalLogin($account);
137 // Load the stored user, which should have a different password hash now.
138 $user_storage->resetCache([$account->id()]);
139 $account = $user_storage->load($account->id());
140 $this->assertIdentical($password_hasher->getCountLog2($account->getPassword()), $overridden_count_log2);
141 $this->assertTrue($password_hasher->check($password, $account->getPassword()));
145 * Make an unsuccessful login attempt.
147 * @param \Drupal\user\Entity\User $account
148 * A user object with name and pass_raw attributes for the login attempt.
149 * @param mixed $flood_trigger
150 * (optional) Whether or not to expect that the flood control mechanism
151 * will be triggered. Defaults to NULL.
152 * - Set to 'user' to expect a 'too many failed logins error.
153 * - Set to any value to expect an error for too many failed logins per IP
155 * - Set to NULL to expect a failed login.
157 public function assertFailedLogin($account, $flood_trigger = NULL) {
159 'name' => $account->getUsername(),
160 'pass' => $account->pass_raw,
162 $this->drupalPostForm('user/login', $edit, t('Log in'));
163 $this->assertNoFieldByXPath("//input[@name='pass' and @value!='']", NULL, 'Password value attribute is blank.');
164 if (isset($flood_trigger)) {
165 if ($flood_trigger == 'user') {
166 $this->assertRaw(\Drupal::translation()->formatPlural($this->config('user.flood')->get('user_limit'), 'There has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', 'There have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => \Drupal::url('user.pass')]));
169 // No uid, so the limit is IP-based.
170 $this->assertRaw(t('Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => \Drupal::url('user.pass')]));
174 $this->assertText(t('Unrecognized username or password. Forgot your password?'));