Warning: You are browsing the documentation for Symfony 3.4, which is no longer maintained.

Read the updated version of this page for Symfony 5.3 (the current stable version).

How to Simulate HTTP Authentication in a Functional Test

3.4 version

Maintained

4.4 5.3 current 5.4 dev 6.0

Unmaintained

2.7 2.8 3.0 3.1 3.2 3.3 3.4 4.0 4.1 4.2 4.3 5.0 5.1 5.2

How to Simulate HTTP Authentication in a Functional Test
- Using a Faster Authentication Mechanism Only for Tests
- Creating the Authentication Token

How to Simulate HTTP Authentication in a Functional Test¶

Authenticating requests in functional tests can slow down the entire test suite. This could become an issue especially when the tests reproduce the same steps that users follow to authenticate, such as submitting a login form or using OAuth authentication services.

This article explains the two most popular techniques to avoid these issues and create fast tests when using authentication.

Using a Faster Authentication Mechanism Only for Tests¶

When your application is using a form_login authentication, you can make your tests faster by allowing them to use HTTP authentication. This way your tests authenticate with the simple and fast HTTP Basic method whilst your real users still log in via the normal login form.

The trick is to use the http_basic authentication in your application firewall, but only in the configuration file used by tests:

YAML

# app/config/config_test.yml
security:
    firewalls:
        # replace 'main' by the name of your own firewall
        main:
            http_basic: ~

XML

<!-- app/config/config_test.xml -->
<security:config>
    <!-- replace 'main' by the name of your own firewall -->
    <security:firewall name="main">
        <security:http-basic/>
    </security:firewall>
</security:config>

PHP

// app/config/config_test.php
$container->loadFromExtension('security', [
    'firewalls' => [
        // replace 'main' by the name of your own firewall
        'main' => [
            'http_basic' => [],
        ],
    ],
]);

Tests can now authenticate via HTTP passing the username and password as server variables using the second argument of createClient():

$client = static::createClient([], [
    'PHP_AUTH_USER' => 'username',
    'PHP_AUTH_PW'   => 'pa$$word',
]);

The username and password can also be passed on a per request basis:

$client->request('DELETE', '/post/12', [], [], [
    'PHP_AUTH_USER' => 'username',
    'PHP_AUTH_PW'   => 'pa$$word',
]);

Creating the Authentication Token¶

If your application uses a more advanced authentication mechanism, you can’t use the previous trick, but it’s still possible to make tests faster. The trick now is to bypass the authentication process, create the authentication token yourself and store it in the session.

This technique requires some knowledge of the Security component internals, but the following example shows a complete example that you can adapt to your needs:

// tests/AppBundle/Controller/DefaultControllerTest.php
namespace Tests\AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\BrowserKit\Cookie;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

class DefaultControllerTest extends WebTestCase
{
    private $client = null;

    public function setUp()
    {
        $this->client = static::createClient();
    }

    public function testSecuredHello()
    {
        $this->logIn();
        $crawler = $this->client->request('GET', '/admin');

        $this->assertSame(Response::HTTP_OK, $this->client->getResponse()->getStatusCode());
        $this->assertSame('Admin Dashboard', $crawler->filter('h1')->text());
    }

    private function logIn()
    {
        $session = $this->client->getContainer()->get('session');

        $firewallName = 'secure_area';
        // if you don't define multiple connected firewalls, the context defaults to the firewall name
        // See https://symfony.com/doc/current/reference/configuration/security.html#firewall-context
        $firewallContext = 'secured_area';

        // you may need to use a different token class depending on your application.
        // for example, when using Guard authentication you must instantiate PostAuthenticationGuardToken
        $token = new UsernamePasswordToken('admin', null, $firewallName, ['ROLE_ADMIN']);
        $session->set('_security_'.$firewallContext, serialize($token));
        $session->save();

        $cookie = new Cookie($session->getName(), $session->getId());
        $this->client->getCookieJar()->set($cookie);
    }
}

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.