0

I'm using Auth:once() to authenticate users for a single request.

if (!Auth::once($this->only('email', 'password'))) {
    RateLimiter::hit($this->throttleKey());

    throw ValidationException::withMessages([
        'email' => __('auth.failed'),
    ]);
}

// we store the user + password for one request in the session
// so we can use it in the next request
$this->session()->put('email', $this->email);
$this->session()->put('password', $this->password);

But the test user is permanently authenticated, and assertGuest() is always false, not just for a single request. This is happening only in the test!

$user = User::factory()->create();

$response = $this->post('/api/login', [
    'email' => $user->email,
    'password' =>' password',
]);

$response = $this->get('/api/home');

$this->assertGuest();

I tested manually from Postman, and everything seems to be okay. So I think Laravel considers it a single request for the entire test.

Karl Hill
  • 12,937
  • 5
  • 58
  • 95
Bookie
  • 1
  • 1
  • Technically a request test is not a real request so Laravel has to do some tricks to fake it. If you want to test this behaviour with an actual request/response you could consider using [Dusk](https://laravel.com/docs/9.x/dusk) and hitting the login route first and then hitting a different route that requires authentication to check whether you get a 403 or redirect to login. – apokryfos Dec 22 '22 at 07:34
  • Thank you very much. Is there any way to test it via feature tests? – Bookie Dec 22 '22 at 07:36
  • If you are using the session auth driver then `once` will not update the session so something like `session(auth()->getName())` should be null for that while not null for `attempt`. Not sure about other auth drivers – apokryfos Dec 22 '22 at 09:09
  • No, its the same – Bookie Dec 23 '22 at 14:38

0 Answers0