Optimize anonymous public sessions

2026-05-01 11:42:10 +02:00
parent 35011001ba
commit 961d21e91e
35 changed files with 888 additions and 66 deletions
--- a/tests/Feature/Http/ConditionalPublicSessionsTest.php
+++ b/tests/Feature/Http/ConditionalPublicSessionsTest.php
@@ -0,0 +1,118 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Http;
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Config;
+use Tests\TestCase;
+
+class ConditionalPublicSessionsTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        Config::set('skinbase-sessions.enabled', true);
+        Config::set('skinbase-sessions.debug_header', true);
+    }
+
+    public function test_anonymous_public_get_does_not_receive_session_cookie(): void
+    {
+        $response = $this->get('/');
+
+        $response->assertOk();
+        $response->assertHeader('X-Skinbase-Session', 'skipped');
+
+        $this->assertFalse($this->responseHasSessionCookie($response));
+    }
+
+    public function test_bot_public_get_does_not_receive_session_cookie(): void
+    {
+        $response = $this
+            ->withHeader('User-Agent', 'Googlebot/2.1')
+            ->get('/');
+
+        $response->assertOk();
+        $response->assertHeader('X-Skinbase-Session', 'skipped');
+
+        $this->assertFalse($this->responseHasSessionCookie($response));
+    }
+
+    public function test_login_page_still_starts_session(): void
+    {
+        $response = $this->get('/login');
+
+        $response->assertOk();
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_dashboard_request_still_starts_session(): void
+    {
+        $response = $this->get('/dashboard');
+
+        $response->assertRedirect('/login');
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_studio_request_still_starts_session(): void
+    {
+        $response = $this->get('/studio');
+
+        $response->assertRedirect('/login');
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_settings_request_still_starts_session(): void
+    {
+        $response = $this->get('/settings/profile');
+
+        $response->assertRedirect('/login');
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_messages_request_still_starts_session(): void
+    {
+        $response = $this->get('/messages');
+
+        $response->assertRedirect('/login');
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_login_post_keeps_normal_session_behavior(): void
+    {
+        $response = $this->post('/login', [
+            'email' => 'missing@example.test',
+            'password' => 'not-the-right-password',
+        ]);
+
+        $response->assertRedirect();
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    public function test_authenticated_user_keeps_session_on_public_page(): void
+    {
+        $user = User::factory()->create();
+        $sessionCookieName = (string) config('session.cookie');
+
+        $response = $this
+            ->withCookie($sessionCookieName, 'existing-session-cookie')
+            ->actingAs($user)
+            ->get('/');
+
+        $response->assertOk();
+        $response->assertHeader('X-Skinbase-Session', 'started');
+    }
+
+    private function responseHasSessionCookie($response): bool
+    {
+        $sessionCookieName = (string) config('session.cookie');
+
+        return collect($response->headers->getCookies())
+            ->contains(fn ($cookie): bool => $cookie->getName() === $sessionCookieName);
+    }
+}