From 3c6cacfd4c0e9f278dc4559f0dee47f45ee213bc Mon Sep 17 00:00:00 2001
From: David Cook <dcook@prosentient.com.au>
Date: Wed, 16 Aug 2023 02:51:43 +0000
Subject: [PATCH] Bug 34513: Add checkauth unit test for resetting auth state
 when changing users

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
---
 t/db_dependent/Auth.t | 44 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 52c9b5f5e3..502f7fad0b 100755
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -42,7 +42,7 @@ $schema->storage->txn_begin;
 
 subtest 'checkauth() tests' => sub {
 
-    plan tests => 7;
+    plan tests => 8;
 
     my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => undef } });
 
@@ -153,6 +153,48 @@ subtest 'checkauth() tests' => sub {
         };
     };
 
+    subtest 'Reset auth state when changing users' => sub {
+        #NOTE: It's easiest to detect this when changing to a non-existent user, since
+        #that should trigger a redirect to login (instead of returning a session cookie)
+        plan tests => 2;
+        my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => undef } });
+
+        my $session = C4::Auth::get_session();
+        $session->param( 'number',       $patron->id );
+        $session->param( 'id',           $patron->userid );
+        $session->param( 'ip',           '1.2.3.4' );
+        $session->param( 'lasttime',     time() );
+        $session->param( 'interface',    'intranet' );
+        $session->flush;
+        my $sessionID = $session->id;
+        C4::Context->_new_userenv($sessionID);
+
+        my ( $return ) = C4::Auth::check_cookie_auth( $sessionID, undef, { skip_version_check => 1, remote_addr => '1.2.3.4' } );
+        is( $return, 'ok', 'Patron authenticated' );
+
+        my $mock1 = Test::MockModule->new('C4::Auth');
+        $mock1->mock( 'safe_exit', sub {return 'safe_exit_redirect'} );
+        my $mock2 = Test::MockModule->new('CGI');
+        $mock2->mock( 'request_method', 'POST' );
+        $mock2->mock( 'cookie', sub { return $sessionID; } ); # oversimplified..
+        my $cgi = CGI->new;
+
+        $cgi->param( -name => 'userid',             -value => 'Bond' );
+        $cgi->param( -name => 'password',           -value => 'James Bond' );
+        $cgi->param( -name => 'koha_login_context', -value => 1 );
+        my ( @return, $stdout );
+        {
+            local *STDOUT;
+            local %ENV;
+            $ENV{REMOTE_ADDR} = '1.2.3.4';
+            open STDOUT, '>', \$stdout;
+            @return = C4::Auth::checkauth( $cgi, 0, {} );
+            close STDOUT;
+        }
+        is( $return[0], 'safe_exit_redirect', 'Changing to non-existent user causes a redirect to login');
+    };
+
+
     subtest 'While still logged in, relogin with another user' => sub {
         plan tests => 6;
 
-- 
2.20.1