From d6016d4b7a621cd4b3ae7adc65cfd955f7d0c89c Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Wed, 20 Apr 2016 10:59:48 +1200 Subject: [PATCH 1/2] API Respect CSRF on login form --- .editorconfig | 18 ++++++++++ .../BehatExtension/Context/LoginContext.php | 34 ++++++------------- 2 files changed, 29 insertions(+), 23 deletions(-) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..f1d3982 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,18 @@ +# For more information about the properties used in this file, +# please see the EditorConfig documentation: +# http://editorconfig.org + +[*] +charset = utf-8 +end_of_line = lf +indent_size = 4 +indent_style = space +insert_final_newline = true +trim_trailing_whitespace = true + +[{*.yml,package.json}] +indent_size = 2 + +# The indent size used in the package.json file cannot be changed: +# https://github.com/npm/npm/pull/3180#issuecomment-16336516 + diff --git a/src/SilverStripe/BehatExtension/Context/LoginContext.php b/src/SilverStripe/BehatExtension/Context/LoginContext.php index 81fb553..cdac001 100644 --- a/src/SilverStripe/BehatExtension/Context/LoginContext.php +++ b/src/SilverStripe/BehatExtension/Context/LoginContext.php @@ -68,7 +68,7 @@ class LoginContext extends BehatContext /** * Creates a member in a group with the correct permissions. * Example: Given I am logged in with "ADMIN" permissions - * + * * @Given /^I am logged in with "([^"]*)" permissions$/ */ function iAmLoggedInWithPermissions($permCode) @@ -78,7 +78,7 @@ class LoginContext extends BehatContext if (!$group) { $group = \Injector::inst()->create('Group'); } - + $group->Title = "$permCode group"; $group->write(); 
@@ -123,29 +123,14 @@ class LoginContext extends BehatContext * @When /^I log in with "(?[^"]*)" and "(?[^"]*)"$/ */ public function stepILogInWith($email, $password) - { + { + $c = $this->getMainContext(); + $loginUrl = $c->joinUrlParts($c->getBaseUrl(), $c->getLoginUrl()); + $this->getSession()->visit($loginUrl); $page = $this->getSession()->getPage(); $forms = $page->findAll('xpath', '//form[contains(@action, "Security/LoginForm")]'); assertNotNull($forms, 'Login form not found'); - // Try to find visible forms on current page - // Allow multiple login forms (e.g. social login) by filering for "Email" field - $visibleForm = null; - foreach($forms as $form) { - if($form->isVisible() && $form->find('css', '[name=Email]')) { - $visibleForm = $form; - } - } - - // If no login form, go to /security/login page - if(!$visibleForm) { - $c = $this->getMainContext(); - $loginUrl = $c->joinUrlParts($c->getBaseUrl(), $c->getLoginUrl()); - $this->getSession()->visit($loginUrl); - $page = $this->getSession()->getPage(); - $forms = $page->findAll('xpath', '//form[contains(@action, "Security/LoginForm")]'); - } - // Try to find visible forms again on login page. $visibleForm = null; foreach($forms as $form) { 
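Review bot: The `assertNotNull($forms, 'Login form not found')` that the new unconditional page visit now depends on cannot fail, because Mink's `findAll()` returns an array (empty when nothing matches), never null, so a missing or redirected login page only surfaces later as the less specific 'Could not find login form'. Change it to `assertNotEmpty($forms, 'Login form not found');` so the failure is reported where it is detected. The reason for always loading the login URL first is presumably that the form then carries a SecurityID bound to the current session, which deserves a one-line comment above the visit, e.g. `// Always load the login page so the submitted form carries a SecurityID for this session.` stepILogInWith continues past the end of this hunk.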
@@ -155,18 +140,21 @@ class LoginContext extends BehatContext } assertNotNull($visibleForm, 'Could not find login form'); - + $emailField = $visibleForm->find('css', '[name=Email]'); $passwordField = $visibleForm->find('css', '[name=Password]'); $submitButton = $visibleForm->find('css', '[type=submit]'); + $securityID = $visibleForm->find('css', '[name=SecurityID]'); assertNotNull($emailField, 'Email field on login form not found'); assertNotNull($passwordField, 'Password field on login form not found'); assertNotNull($submitButton, 'Submit button on login form not found'); + // @todo Once CSRF is mandatory, uncomment this + // assertNotNull($securityID, 'CSRF token not found'); $emailField->setValue($email); $passwordField->setValue($password); - $submitButton->press(); + $submitButton->press(); } /** From 207984e7af8323ba0c292a2bc9bf3dbf007cb9ed Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Wed, 20 Apr 2016 12:00:19 +1200 Subject: [PATCH 2/2] BUG Fix phpunit autoloading (for phpunit 3.7) --- tests/Context/SilverStripeContextTest.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/Context/SilverStripeContextTest.php b/tests/Context/SilverStripeContextTest.php index 7ba40ab..f977573 100644 --- a/tests/Context/SilverStripeContextTest.php +++ b/tests/Context/SilverStripeContextTest.php @@ -4,6 +4,9 @@ namespace SilverStripe\BehatExtension\Tests; use SilverStripe\BehatExtension\Context\SilverStripeContext, Behat\Mink\Mink; +require_once 'PHPUnit/Autoload.php'; +require_once 'PHPUnit/Framework/TestCase.php'; + class SilverStripeContextTest extends \PHPUnit_Framework_TestCase { /** @@ -78,4 +81,4 @@ class SilverStripeContextTest extends \PHPUnit_Framework_TestCase { ->disableOriginalConstructor() ->getMock(); } -} \ No newline at end of file +}
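Review bot: `$securityID` is looked up on the new side but only referenced from commented-out code, so the step neither verifies the token nor reports when it is missing; once the token is enforced, a form without it fails at submit time with an unrelated-looking login error. Rather than a `@todo` holding dead code, which tends to rot, assert on the value whenever the field is present: `if ($securityID) { assertNotEmpty($securityID->getValue(), 'CSRF token on login form is empty'); }`. The enclosing stepILogInWith starts before this hunk.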
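Review bot: The two file-scope `require_once 'PHPUnit/...'` lines hard-wire the PEAR include-path layout of PHPUnit 3.7; under a Composer-installed PHPUnit those files do not exist and the test file fatals before any test runs. Guard the include so it only runs when the class is absent, `if (!class_exists('PHPUnit_Framework_TestCase')) { require_once 'PHPUnit/Autoload.php'; }`, or move it into the phpunit bootstrap file so this file declares only the test class. `PHPUnit/Autoload.php` registers PHPUnit's autoloader, so the explicit `require_once 'PHPUnit/Framework/TestCase.php'` is presumably redundant.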