V2.0.41.1 broke functional test

Upgraded from v2.0.40 to v2.0.41.1 and it seems the Codeception functional test is now broken
because the CSRF cookie or session is not sent/validated in the next request.

Below is the test result using a fresh app-advanced.

using yiisoft/yii2 2.0.40

      I am on route "site/login"
      [Request Headers] []
      [yii\web\Session::open] 'Session started'
      [Page] /index-test.php?r=site%2Flogin
      [Response] 200
      [Request Cookies] []
      [Response Headers] {"content-type":["text/html; charset=UTF-8"]}
     I submit form "#login-form",{"LoginForm[username]":"erau","LoginForm[password]":"password_0"}
      [Uri] http://localhost/index-test.php?r=site%2Flogin
      [Method] POST
      [Parameters] {"_csrf-frontend":"z7FowVFMlXYbNPYWARB4ad51AtJb1g9wIHOpUkzaneb54xCUCBijHXB_kSF7fg8QlCxQog6hOT1uHO45H4XaqQ==","LoginForm[username]":"erau","LoginForm[password]":"password_0","LoginForm[rememberMe]":"1"}
      [Request Headers] []
      [yii\db\Connection::open] 'Opening DB connection: mysql:host=localhost;dbname=yii2advanced_test'
      [ConnectionWatcher] Connection opened!
      [TransactionForcer] Connection opened!
      [TransactionForcer] Transaction started for: mysql:host=localhost;dbname=yii2advanced_test
      [yii\web\User::login] 'User \'1\' logged in from  with duration 2592000.'
      [Redirect with headers]Array
      (
          [location] => Array
              (
                  [0] => http://localhost/index-test.php
              )

          [content-type] => Array
              (
                  [0] => text/html; charset=UTF-8
              )

      )

      [Page] http://localhost/index-test.php?r=site%2Flogin
      [Response] 302
      [Request Cookies] {"_csrf-frontend":"cfd45b9337b6f638ea8a7539f5a039c93f3d9f60df9c842f7220b6d9f267d976a:2:{i:0;s:14:"_csrf-frontend";i:1;s:32:"6RxUYT6kkKg7znwyJYRpUw6MNoGkS_GO";}"}
      [Response Headers] {"location":["http://localhost/index-test.php"],"content-type":["text/html; charset=UTF-8"]}
      [Redirecting to] http://localhost/index-test.php
      [Page] http://localhost/index-test.php
      [Response] 200
      [Request Cookies] {"_csrf-frontend":"399c201d428f502980fbf4125f423dd06cb44652d06b8291a39138dfbef799e4a:2:{i:0;s:14:"_csrf-frontend";i:1;s:32:"tGglWn00XXM8R4F7WYai-Nf_IUZiFVEi";}","_identity-frontend":"df543e6ff5c72705f7df60022ee49dc2b51c81638671f90bc9cf6dc68132d47fa:2:{i:0;s:18:"_identity-frontend";i:1;s:46:"[1,"tUu1qHcde0diwUol3xeI-18MuHkkprQI",2592000]";}"}
      [Response Headers] {"content-type":["text/html; charset=UTF-8"]}
     I see "Logout (erau)","form button[type=submit]"
     I don't see link "Login"
     I don't see link "Signup"
     PASSED

using yiisoft/yii2 2.0.41.1

    I am on route "site/login"
      [Request Headers] []
      [yii\web\Session::open] 'Session started'
      [Page] /index-test.php?r=site%2Flogin
      [Response] 200
      [Request Cookies] []
      [Response Headers] {"content-type":["text/html; charset=UTF-8"]}
     I submit form "#login-form",{"LoginForm[username]":"","LoginForm[password]":""}
      [Uri] http://localhost/index-test.php?r=site%2Flogin
      [Method] POST
      [Parameters] {"_csrf-frontend":"DvCDTUBBg061NmV4L_4aTqY378ik9HR-gDJMQGcSpuxGh8QjIgu0P_0OLToZvXcH6UeHuum2DBjTWR0zPVDH3Q==","LoginForm[username]":"","LoginForm[password]":"","LoginForm[rememberMe]":"1"}
      [Request Headers] []
      [yii\web\HttpException:400] 'yii\\web\\BadRequestHttpException: Unable to verify your data submission. in /app/vendor/yiisoft/yii2/web/Controller.php:216
      Stack trace:
      #0 /app/vendor/yiisoft/yii2/base/Controller.php(179): yii\\web\\Controller->beforeAction(Object(yii\\base\\InlineAction))
      #1 /app/vendor/yiisoft/yii2/base/Module.php(534): yii\\base\\Controller->runAction(\'login\', Array)
      #2 /app/vendor/yiisoft/yii2/web/Application.php(104): yii\\base\\Module->runAction(\'site/login\', Array)
      #3 /app/vendor/codeception/module-yii2/src/Codeception/Lib/Connector/Yii2.php(347): yii\\web\\Application->handleRequest(Object(yii\\web\\Request))
      #4 /app/vendor/symfony/browser-kit/Client.php(405): Codeception\\Lib\\Connector\\Yii2->doRequest(Object(Symfony\\Component\\BrowserKit\\Request))
      #5 

...

However, the test works if I set requestCleanMethod: 'clear' instead of recreate or force_recreate.

Any fix or workaround for this?


This is probably a different issue, as it only happens on my apps with a behavior attached to Request:

when using requestCleanMethod: 'recreate'

Controller::redirect() creates "http://localhost:0/" after the 3rd or 4th request

and throws [yii\base\ErrorException] array_replace(): Argument #2 is not an array because of
Symfony\Component\BrowserKit\CookieJar::allValues

parse_url() seems unable to parse http://localhost:0

Have you read the upgrade instructions? I guess this is because of that change:

The methods getAuthKey() and validateAuthKey() of yii\web\IdentityInterface are now also used to validate active sessions (previously these methods were only used for cookie-based login). If your identity class does not properly implement these methods yet, you should update it accordingly (an example can be found in the guide under Security -> Authentication). Alternatively, you can simply return null in the getAuthKey() method to keep the old behavior (that is, no validation of active sessions). Applications that change the underlying authKey of an authenticated identity should now call yii\web\User::switchIdentity(), yii\web\User::login() or yii\web\User::logout() to recreate the active session with the new authKey.
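For readers following the quoted upgrade note, here is an added example (not code from this thread, from the Yii project, or from the app-advanced template) of an identity class whose getAuthKey()/validateAuthKey() pair works for both cookie-based login and the active-session validation introduced in 2.0.41. It assumes a `user` table with `id`, `username` and `auth_key` columns and the namespace `app\models`; both are assumptions for illustration. Returning null from getAuthKey() would restore the pre-2.0.41 behaviour (no session validation), which trades away detection of a session whose identity key has been rotated.

```php
<?php
// Added example, not from the issue thread or the Yii project.
// Assumes a `user` table with columns id, username, auth_key (assumption).

namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    public static function tableName()
    {
        return '{{%user}}';
    }

    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        // Access-token authentication is not used in this example.
        return null;
    }

    public function getId()
    {
        return $this->getPrimaryKey();
    }

    public function getAuthKey()
    {
        // Since 2.0.41 this value is also compared against the key stored in
        // the active session, not only against the "remember me" cookie.
        // Returning null here would disable that session validation.
        return $this->auth_key;
    }

    public function validateAuthKey($authKey)
    {
        // Session/cookie key must match the key currently stored for the user.
        return $this->getAuthKey() === $authKey;
    }

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($insert) {
            // Generate a per-user random key once. If the key is later rotated
            // (e.g. on password change), call Yii::$app->user->login() or
            // switchIdentity() so the active session picks up the new key.
            $this->auth_key = Yii::$app->security->generateRandomString();
        }
        return true;
    }
}
```

In a functional test this means a fixture row without a populated auth_key will fail session validation on the second request even though the login itself succeeded, which is one thing to check before attributing a 400 on the next request to CSRF handling alone.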

Yes, I read it, but all pages that use CSRF, be it logged in or guest, are affected.

The upgrade instructions only mention how the session verification now uses authKey. Pretty sure guests do not have an authKey. Or do they?

I am more inclined to think this is about the SameSite default being set to Lax. Gotta try PHP 7.4 (I tested this on PHP 7.0 and PHP 7.2).