修复认证与基础安全链路

2026-04-19 14:42:42 +08:00
parent bd97ed0b73
commit 5ce83a769d
13 changed files with 636 additions and 55 deletions
@@ -1,5 +1,12 @@
 <?php

+/**
+ * 文件功能：前台认证控制器功能测试
+ *
+ * 覆盖登录即注册、老密码升级、封禁限制、退出登录、
+ * session 轮换与服务端限流等关键认证行为。
+ */
+
 namespace Tests\Feature;

 use App\Models\Sysparam;
@@ -7,14 +14,21 @@ use App\Models\User;
 use App\Models\UsernameBlacklist;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Facades\Redis;
 use Illuminate\Support\Facades\Validator;
 use Tests\TestCase;

+/**
+ * 类功能：验证前台认证链路的核心行为。
+ */
 class AuthControllerTest extends TestCase
 {
    use RefreshDatabase;

+    /**
+     * 初始化验证码桩与基础系统参数。
+     */
    protected function setUp(): void
    {
        parent::setUp();
@@ -31,7 +45,37 @@ class AuthControllerTest extends TestCase
        );
    }

-    public function test_can_register_new_user()
+    /**
+     * 测试普通登录成功后会轮换 session id，阻断会话固定风险。
+     */
+    public function test_login_regenerates_session_id(): void
+    {
+        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(false);
+
+        $user = User::factory()->create([
+            'username' => 'session-user',
+            'password' => Hash::make('password123'),
+        ]);
+
+        $this->startSession();
+        $oldSessionId = session()->getId();
+
+        $response = $this->postJson('/login', [
+            'username' => 'session-user',
+            'password' => 'password123',
+            'captcha' => '1234',
+        ]);
+
+        $response->assertOk()
+            ->assertJsonPath('status', 'success');
+        $this->assertAuthenticatedAs($user);
+        $this->assertNotSame($oldSessionId, session()->getId());
+    }
+
+    /**
+     * 验证首次登录的用户会被自动注册并完成登录。
+     */
+    public function test_can_register_new_user(): void
    {
        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(false);

@@ -54,7 +98,10 @@ class AuthControllerTest extends TestCase
        $this->assertAuthenticated();
    }

-    public function test_cannot_register_with_blacklisted_username()
+    /**
+     * 验证命中黑名单的用户名会被拒绝注册。
+     */
+    public function test_cannot_register_with_blacklisted_username(): void
    {
        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(false);

@@ -79,7 +126,10 @@ class AuthControllerTest extends TestCase
        $this->assertGuest();
    }

-    public function test_can_login_existing_user()
+    /**
+     * 验证已有用户可以通过正确密码登录。
+     */
+    public function test_can_login_existing_user(): void
    {
        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(false);

@@ -100,7 +150,10 @@ class AuthControllerTest extends TestCase
        $this->assertAuthenticatedAs($user);
    }

-    public function test_login_md5_user_upgrades_to_bcrypt()
+    /**
+     * 验证旧版 MD5 密码会在成功登录后升级为 bcrypt。
+     */
+    public function test_login_md5_user_upgrades_to_bcrypt(): void
    {
        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(false);

@@ -132,7 +185,10 @@ class AuthControllerTest extends TestCase
        $this->assertAuthenticatedAs($user);
    }

-    public function test_banned_user_cannot_login()
+    /**
+     * 验证被封禁账号无法登录。
+     */
+    public function test_banned_user_cannot_login(): void
    {
        $user = User::factory()->create([
            'username' => 'banneduser',
@@ -152,7 +208,10 @@ class AuthControllerTest extends TestCase
        $this->assertGuest();
    }

-    public function test_banned_ip_cannot_login()
+    /**
+     * 验证被封禁 IP 无法登录普通账号。
+     */
+    public function test_banned_ip_cannot_login(): void
    {
        Redis::shouldReceive('sismember')->with('banned_ips', '127.0.0.1')->andReturn(true);

@@ -171,7 +230,10 @@ class AuthControllerTest extends TestCase
        $this->assertGuest();
    }

-    public function test_can_logout()
+    /**
+     * 验证已登录用户可以正常退出。
+     */
+    public function test_can_logout(): void
    {
        /** @var \App\Models\User $user */
        $user = User::factory()->create();
@@ -181,4 +243,39 @@ class AuthControllerTest extends TestCase
        $response->assertRedirect('/');
        $this->assertGuest();
    }
+
+    /**
+     * 测试前台登录接口在连续失败后会触发服务端限流。
+     */
+    public function test_login_route_is_rate_limited_after_repeated_failures(): void
+    {
+        RateLimiter::clear('chat-login|rate-user|127.0.0.1');
+        Redis::shouldReceive('sismember')->zeroOrMoreTimes()->andReturn(false);
+
+        User::factory()->create([
+            'username' => 'rate-user',
+            'password' => Hash::make('correct-password'),
+        ]);
+
+        for ($attempt = 1; $attempt <= 5; $attempt++) {
+            $response = $this->withServerVariables(['REMOTE_ADDR' => '127.0.0.1'])
+                ->postJson('/login', [
+                    'username' => 'rate-user',
+                    'password' => 'wrong-password',
+                    'captcha' => '1234',
+                ]);
+
+            $response->assertStatus(422);
+        }
+
+        $rateLimitedResponse = $this->withServerVariables(['REMOTE_ADDR' => '127.0.0.1'])
+            ->postJson('/login', [
+                'username' => 'rate-user',
+                'password' => 'wrong-password',
+                'captcha' => '1234',
+            ]);
+
+        $rateLimitedResponse->assertStatus(429)
+            ->assertJsonPath('status', 'error');
+    }
 }