1

To prevent CSRF attacks, I'm adding a state parameter with my current CSRF token to an external link. When the external page redirects the user back to my site, it will include the state.

With a simple condition I can check it in my controller:

if($data['state'] !== csrf_token()){
    throw new TokenMismatchException;
}

Now I want to write a test for it to pass the if condition, but csrf_token() is empty in the test directory, however not in the controller. So it fails, unfortunately. Here is an excerpt of the test:

/** @test */
public function it_saves_the_data_in_database() 
{
  $this->get(route('connect.index', [
    'scope' => $this->scope,
    'code' => $this->code,
    'state' => csrf_token(), //it's null here...
  ]))->assertStatus(200); //however it returns 419
}

Is it possible to generate the token before?

Philipp Mochine
  • 4,351
  • 10
  • 36
  • 68

1 Answers1

1

If you wrote HTTP access testing code before you use crsf_token() like below example.

The csrf token seems to be generated in that test session.

$this->get(...)

$this->get(route('connect.index', [
    'scope' => $this->scope,
    'code' => $this->code,
    'state' => csrf_token(), //it's null here...
  ]))->assertStatus(200);
hirakei1203
  • 31
  • 2