[LiveComponent] Testing combining user login and actions is not working as expected

[Nek-]

I'm testing my component, and the test looks like this:

$adminUser = AdminUserFactory::find(['email' => '[email protected]']);
$repository = $this->getContainer()->get(Resource::class);

$testComponent = $this->createLiveComponent(
    name: 'MyAwesomeComponent',
    data: ['hotel' => $repository->find(1)],
);

$this->assertStringContainsString('Select a contract model', $testComponent->render());
$testComponent->set('contractModel', 2);

// askForDocument is protected and requires special rights
$testComponent->actingAs($adminUser->_real(), 'admin');

$testComponent->call('askForDocument');
// Fail! I get the error Symfony\Component\HttpKernel\Exception\BadRequestHttpException: Invalid CSRF token.

$this->assertStringContainsString('Success!', $testComponent->render());

I assume the CSRF protection emulation for tests (in the TestLiveComponent::request()) does not work as expected. It makes sense because here is what's happening under the hood:

1. I navigate in my component (it generates the csrf token expected)
2. I log in to be able to make the request (clears the session and hydrate with the user)
3. I request my component again with a CSRF based on... the cleared session?

It's somehow connected to #1150

Notice: No, I cannot set the user in the first statement of the test because the session is not kept during the process, a way to fix this issue may be to keep it.

[Nek-]

I'm getting rid of the error when adding the following configuration globally:

when@test:
    framework:
        csrf_protection: false

But I still have issues with the actingAs that do not seems to have effect :/ .

[smnandre]

Same thing if you call actingAs() before any actions (render, setter, ..)?

$testComponent = $this->createLiveComponent(
    name: 'MyAwesomeComponent',
    data: ['hotel' => $repository->find(1)],
);

- $this->assertStringContainsString('Select a contract model', $testComponent->render());
- $testComponent->set('contractModel', 2);

// askForDocument is protected and requires special rights
$testComponent->actingAs($adminUser->_real(), 'admin');

+ $testComponent->render();

[Nek-]

@smnandre indeed my actingAs was in the wrong place (it was not obvious because of project-related issues). No issue here.

The CSRF token generation failing is however a thing. I tried to render before my call and it still do not work (without my trick).

Also I notice the document seems to stand something wrong about CSRF being disabled in test env.

If you want this built-in CSRF protection to be effective, mind your CORS headers (e.g. DO NOT use Access-Control-Allow-Origin: *).

(In test-mode, the CSRF protection is disabled to make testing easier.)
https://symfony.com/bundles/ux-live-component/current/index.html#actions-and-csrf-protection

[smnandre]

actingAs was in the wrong place

How would you rearrange the documentation to make this more explicit ?

Also I notice the document seems to stand something wrong about CSRF being disabled in test env.

Arf indeed... it will be released in the next version (mid/late november). You can test it pulling the "2.x-dev" branch if you want.

We do not have versioning for documentation so it has been deployed a bit early, sorry for that.

[Nek-]

actingAs was in the wrong place

How would you rearrange the documentation to make this more explicit ?

Nothing to be done here! (except more than a class for the testing section maybe 😉 , but it's good enough yet)

Arf indeed... it will be released in the next version (mid/late november). You can test it pulling the "2.x-dev" branch if you want.

We do not have versioning for documentation so it has been deployed a bit early, sorry for that.

Okkkkkk. That explains a lot 😅 . I guess the release will fix this issue then.