Merge pull request #68 from OpenConext/425-csrf-on-token-deletion-endpoint-missing

MKodde · web-flow · commit 945f4648a26d · 2026-01-13T11:48:38.000+01:00
Test recovery token removal
diff --git a/stepup/tests/behat/features/bootstrap/SelfServiceContext.php b/stepup/tests/behat/features/bootstrap/SelfServiceContext.php
@@ -460,6 +460,35 @@ public function numberOfTokensRegistered(int $nofRecoveryTokens)
         }
     }
 
+
+    /**
+     * @When I remove the :recoveryTokenType recovery token
+     */
+    public function removeRecoveryToken(string $recoveryTokenType)
+    {
+        $this->minkContext->visit('/overview');
+        switch ($recoveryTokenType){
+            case 'SMS':
+                $page = $this->minkContext->getMink()->getSession()->getPage();
+                $deleteButtons = $page->findAll('css', 'a[data-test_revoketokentype="sms"]');
+
+                if (empty($deleteButtons)) {
+                    throw new Exception('No recovery token remove button(s) found on the page');
+                }
+                $deleteButtons[0]->click();
+                $this->minkContext->assertPageContainsText('Remove recovery token');
+                $this->minkContext->assertPageContainsText('Recovery phone number');
+
+                $this->minkContext->pressButton('Remove');
+
+                $this->minkContext->assertPageAddress('/overview');
+                $this->minkContext->assertPageContainsText('Your recovery token was removed successfully');
+                break;
+            default:
+                throw new Exception(sprintf('Recovery token type %s is not supported', $recoveryTokenType));
+        }
+    }
+
     private function performYubikeyAuthentication()
     {
         $this->minkContext->fillField('gateway_verify_yubikey_otp_otp', 'ccccccdhgrbtfddefpkffhkkukbgfcdilhiltrrncmig');
diff --git a/stepup/tests/behat/features/selfservice_sat.feature b/stepup/tests/behat/features/selfservice_sat.feature
@@ -31,3 +31,13 @@ Feature: A user manages his tokens in the SelfService portal
     And I vet my "Yubikey" second factor in selfservice
     Then I can add an "SMS" recovery token using "Yubikey"
     And "2" recovery tokens are activated
+
+  Scenario: A user can remove a recovery token
+    Given I am logged in into the selfservice portal as "user-a5"
+    When I register a new "Yubikey" token
+    And I verify my e-mail address and choose the "Self Asserted Token registration" vetting type
+    And I vet my "Yubikey" second factor in selfservice
+    Then I can add an "SMS" recovery token using "Yubikey"
+    And "2" recovery tokens are activated
+    When I remove the "SMS" recovery token
+    Then "1" recovery tokens are activated
