Merge pull request #126 from akrabat/remove-token-on-validation

Remove token on validation

.travis.yml

@@ -19,8 +19,8 @@ before_script:
   - composer install -n
 
 script:
-  - if [[ "$ANALYSIS" != 'true' ]]; then vendor/bin/phpunit ; fi
-  - if [[ "$ANALYSIS" == 'true' ]]; then vendor/bin/phpunit --coverage-clover clover.xml ; fi
+  - if [[ "$ANALYSIS" != 'true' ]]; then XDEBUG_MODE=coverage ./vendor/bin/phpunit; fi
+  - if [[ "$ANALYSIS" == 'true' ]]; then XDEBUG_MODE=coverage ./vendor/bin/phpunit --coverage-clover clover.xml ; fi
 
 after_success:
   - if [[ "$ANALYSIS" == 'true' ]]; then vendor/bin/php-coveralls --coverage_clover=clover.xml -v ; fi

src/Guard.php

@@ -415,14 +415,13 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 $value = $body[$this->getTokenValueKey()] ?? null;
             }
 
-            if ($name === null
-                || $value === null
-                || !$this->validateToken((string) $name, (string) $value)
-            ) {
-                if (!$this->persistentTokenMode && is_string($name)) {
-                    $this->removeTokenFromStorage($name);
-                }
+            $isValid = $this->validateToken((string) $name, (string) $value);
+            if ($isValid && !$this->persistentTokenMode) {
+                // successfully validated token, so delete it if not in persistentTokenMode
+                $this->removeTokenFromStorage($name);
+            }
 
+            if ($name === null || $value === null || !$isValid) {
                 $request = $this->appendNewTokenToRequest($request);
                 return $this->handleFailure($request, $handler);
             }

tests/GuardTest.php

@@ -279,43 +279,46 @@ public function testEnforceStorageLimitWithIterator()
 
     public function testTokenIsRemovedFromStorageWhenPersistentModeIsOff()
     {
-        $self = $this;
-
         $storage = [
             'test_name' => 'test_value123',
         ];
+
+        $responseProphecy = $this->prophesize(ResponseInterface::class)
+            ->willImplement(ResponseInterface::class);
+
+        $requestHandlerProphecy = $this->prophesize(RequestHandlerInterface::class);
+        $requestHandlerProphecy
+            ->handle(Argument::type(ServerRequestInterface::class))
+            ->willReturn($responseProphecy->reveal())
+            ->shouldBeCalledOnce();
+
         $responseFactoryProphecy = $this->prophesize(ResponseFactoryInterface::class);
-        $handler = function () use ($self, &$called) {
-            $responseProphecy = $self->prophesize(ResponseInterface::class);
-            return $responseProphecy->reveal();
-        };
-        $mw = new Guard($responseFactoryProphecy->reveal(), 'test', $storage, $handler);
+
+        $mw = new Guard($responseFactoryProphecy->reveal(), 'test', $storage);
 
         $requestProphecy = $this->prophesize(ServerRequestInterface::class);
         $requestProphecy
             ->getMethod()
             ->willReturn('POST')
             ->shouldBeCalledOnce();
-
         $requestProphecy
             ->withAttribute(Argument::type('string'), Argument::type('string'))
             ->willReturn($requestProphecy->reveal())
             ->shouldBeCalledTimes(2);
-
         $requestProphecy
             ->getParsedBody()
             ->willReturn([
-                'test_name' => 'test_name123',
-                'test_value' => 'invalid_value',
+                'test_name' => 'test_name',
+                'test_value' => 'test_value123',
             ])
             ->shouldBeCalledOnce();
 
-        $requestHandlerProphecy = $this->prophesize(RequestHandlerInterface::class);
 
         $mw->process($requestProphecy->reveal(), $requestHandlerProphecy->reveal());
-        $this->assertArrayNotHasKey('test_name123', $storage);
+        self::assertArrayNotHasKey('test_name', $storage);
     }
 
+
     public function testProcessAppendsNewTokensWhenPersistentTokenModeIsOff()
     {
         $storage = [];