Fixes session tests

Fixes CSRF issue after login with 2fa code
2025-04-12 16:48:53 +03:00 · 2025-04-12 16:28:33 +03:00
3 changed files with 18 additions and 9 deletions
--- a/app/includes/csrf_middleware.php
+++ b/app/includes/csrf_middleware.php
@ -12,10 +12,18 @@ function applyCsrfMiddleware() {
        return true;
    }

+    // Skip CSRF check for initial login, registration, and 2FA verification attempts
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) && isset($_GET['action']) &&
+        $_GET['page'] === 'login' && $_GET['action'] === 'verify' &&
+        isset($_SESSION['2fa_pending_user_id'])) {
+        return true;
+    }
+
    // Skip CSRF check for initial login and registration attempts
-    if ($_SERVER['REQUEST_METHOD'] === 'POST' && 
-        isset($_GET['page']) && 
-        in_array($_GET['page'], ['login', 'register']) && 
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) &&
+        in_array($_GET['page'], ['login', 'register']) &&
        !isset($_SESSION['username'])) {
        return true;
    }
--- a/app/includes/session_middleware.php
+++ b/app/includes/session_middleware.php
@ -60,10 +60,10 @@ function applySessionMiddleware($config, $app_root) {
 * Helper function to clean up session data and redirect
 */
 function cleanupSession($config, $app_root, $isTest) {
-    if (!$isTest) {
-        // Clear session data
-        $_SESSION = array();
+    // Always clear session data
+    $_SESSION = array();

+    if (!$isTest) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_unset();
            session_destroy();
--- a/tests/Feature/Middleware/SessionMiddlewareTest.php
+++ b/tests/Feature/Middleware/SessionMiddlewareTest.php
@ -8,6 +8,7 @@ class SessionMiddlewareTest extends TestCase
 {
    protected $config;
    protected $app_root;
+    protected const SESSION_TIMEOUT = 7200; // 2 hours in seconds

    protected function setUp(): void
    {
@ -52,7 +53,7 @@ class SessionMiddlewareTest extends TestCase

    public function testSessionTimeout()
    {
-        $_SESSION['LAST_ACTIVITY'] = time() - 1500; // 25 minutes ago
+        $_SESSION['LAST_ACTIVITY'] = time() - (self::SESSION_TIMEOUT + 60); // 2 hours + 1 minute ago

        $result = applySessionMiddleware($this->config, $this->app_root);

@ -76,7 +77,7 @@ class SessionMiddlewareTest extends TestCase
    public function testRememberMe()
    {
        $_SESSION['REMEMBER_ME'] = true;
-        $_SESSION['LAST_ACTIVITY'] = time() - 86500; // More than 24 hours ago
+        $_SESSION['LAST_ACTIVITY'] = time() - (self::SESSION_TIMEOUT + 60); // More than 2 hours ago

        $result = applySessionMiddleware($this->config, $this->app_root);

@ -95,7 +96,7 @@ class SessionMiddlewareTest extends TestCase

    public function testSessionHeaders()
    {
-        $_SESSION['LAST_ACTIVITY'] = time() - 1500; // 25 minutes ago
+        $_SESSION['LAST_ACTIVITY'] = time() - (self::SESSION_TIMEOUT + 60); // 2 hours + 1 minute ago

        $result = applySessionMiddleware($this->config, $this->app_root);
Author	SHA1	Message	Date
Yasen Pramatarov	f8118315e7	Fixes session tests	2025-04-12 16:48:53 +03:00
Yasen Pramatarov	d28d69d350	Fixes CSRF issue after login with 2fa code	2025-04-12 16:28:33 +03:00