function UserPasswordResetTest::testUserPasswordReset

Same name in other branches
  1. 8.9.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()
  2. 10 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()
  3. 11.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()

Tests password reset functionality.

File

core/modules/user/tests/src/Functional/UserPasswordResetTest.php, line 84

Class

UserPasswordResetTest
Ensure that password reset methods work as expected.

Namespace

Drupal\Tests\user\Functional

Code

public function testUserPasswordReset() {
    // Verify that accessing the password reset form without having the session
    // variables set results in an access denied message.
    $this->drupalGet(Url::fromRoute('user.reset.form', [
        'uid' => $this->account
            ->id(),
    ]));
    $this->assertSession()
        ->statusCodeEquals(403);
    // Try to reset the password for a completely invalid username.
    $this->drupalGet('user/password');
    $long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH + 10);
    $edit = [
        'name' => $long_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertCount(0, $this->drupalGetMails([
        'id' => 'user_password_reset',
    ]), 'No e-mail was sent when requesting a password for an invalid user name.');
    $this->assertSession()
        ->pageTextContains("The username or email address is invalid.");
    // Try to reset the password for an invalid account.
    $this->drupalGet('user/password');
    $random_name = $this->randomMachineName();
    $edit = [
        'name' => $random_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertNoValidPasswordReset($random_name);
    // Try to reset the password for a valid email address longer than
    // UserInterface::USERNAME_MAX_LENGTH (invalid username, valid email).
    // This should pass validation and print the generic message.
    $this->drupalGet('user/password');
    $long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH) . '@example.com';
    $edit = [
        'name' => $long_name,
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertNoValidPasswordReset($long_name);
    // Reset the password by username via the password reset page.
    $this->drupalGet('user/password');
    $edit = [
        'name' => $this->account
            ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertValidPasswordReset($edit['name']);
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    // Ensure that the current url does not contain the hash and timestamp.
    $this->assertSession()
        ->addressEquals(Url::fromRoute('user.reset.form', [
        'uid' => $this->account
            ->id(),
    ]));
    $this->assertSession()
        ->responseHeaderDoesNotExist('X-Drupal-Cache');
    // Ensure the password reset URL is not cached.
    $this->drupalGet($resetURL);
    $this->assertSession()
        ->responseHeaderDoesNotExist('X-Drupal-Cache');
    // Check the one-time login page.
    $this->assertSession()
        ->pageTextContains($this->account
        ->getAccountName());
    $this->assertSession()
        ->pageTextContains('This login can be used only once.');
    $this->assertSession()
        ->titleEquals('Reset password | Drupal');
    // Check successful login.
    $this->submitForm([], 'Log in');
    $this->assertSession()
        ->linkExists('Log out');
    $this->assertSession()
        ->titleEquals($this->account
        ->getAccountName() . ' | Drupal');
    // Change the forgotten password.
    $password = \Drupal::service('password_generator')->generate();
    $edit = [
        'pass[pass1]' => $password,
        'pass[pass2]' => $password,
    ];
    $this->submitForm($edit, 'Save');
    $this->assertSession()
        ->pageTextContains('The changes have been saved.');
    // Verify that the password reset session has been destroyed.
    $this->submitForm($edit, 'Save');
    $this->assertSession()
        ->pageTextContains("Your current password is missing or incorrect; it's required to change the Password.");
    // Log out, and try to log in again using the same one-time link.
    $this->drupalLogout();
    $this->drupalGet($resetURL);
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    $this->drupalGet($resetURL . '/login');
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    // Request a new password again, this time using the email address.
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
        'id' => 'user_password_reset',
    ]));
    $this->drupalGet('user/password');
    $edit = [
        'name' => $this->account
            ->getEmail(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertValidPasswordReset($edit['name']);
    $this->assertCount($before + 1, $this->drupalGetMails([
        'id' => 'user_password_reset',
    ]), 'Email sent when requesting password reset using email address.');
    // Visit the user edit page without pass-reset-token and make sure it does
    // not cause an error.
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    $this->submitForm([], 'Log in');
    $this->drupalGet('user/' . $this->account
        ->id() . '/edit');
    $this->assertSession()
        ->pageTextNotContains('Expected user_string to be a string, NULL given');
    $this->drupalLogout();
    // Create a password reset link as if the request time was 60 seconds older than the allowed limit.
    $timeout = $this->config('user.settings')
        ->get('password_reset_timeout');
    $bogus_timestamp = REQUEST_TIME - $timeout - 60;
    $_uid = $this->account
        ->id();
    $this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has expired. Please request a new one using the form below.');
    $this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp) . '/login');
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has expired. Please request a new one using the form below.');
    // Create a user, block the account, and verify that a login link is denied.
    $timestamp = REQUEST_TIME - 1;
    $blocked_account = $this->drupalCreateUser()
        ->block();
    $blocked_account->save();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
    $this->assertSession()
        ->statusCodeEquals(403);
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
        ->statusCodeEquals(403);
    // Verify a blocked user can not request a new password.
    $this->drupalGet('user/password');
    // Count email messages before to compare with after.
    $before = count($this->drupalGetMails([
        'id' => 'user_password_reset',
    ]));
    $edit = [
        'name' => $blocked_account->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $this->assertCount($before, $this->drupalGetMails([
        'id' => 'user_password_reset',
    ]), 'No email was sent when requesting password reset for a blocked account');
    // Verify a password reset link is invalidated when the user's email address changes.
    $this->drupalGet('user/password');
    $edit = [
        'name' => $this->account
            ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $old_email_reset_link = $this->getResetURL();
    $this->account
        ->setEmail("1" . $this->account
        ->getEmail());
    $this->account
        ->save();
    $this->drupalGet($old_email_reset_link);
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    $this->drupalGet($old_email_reset_link . '/login');
    $this->assertSession()
        ->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    // Verify a password reset link will automatically log a user when /login is
    // appended.
    $this->drupalGet('user/password');
    $edit = [
        'name' => $this->account
            ->getAccountName(),
    ];
    $this->submitForm($edit, 'Submit');
    $reset_url = $this->getResetURL();
    $this->drupalGet($reset_url . '/login');
    $this->assertSession()
        ->linkExists('Log out');
    $this->assertSession()
        ->titleEquals($this->account
        ->getAccountName() . ' | Drupal');
    // Ensure blocked and deleted accounts can't access the user.reset.login
    // route.
    $this->drupalLogout();
    $timestamp = REQUEST_TIME - 1;
    $blocked_account = $this->drupalCreateUser()
        ->block();
    $blocked_account->save();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
        ->statusCodeEquals(403);
    $blocked_account->delete();
    $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
    $this->assertSession()
        ->statusCodeEquals(403);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.