minor(live): add security tests

src/LiveComponent/composer.json

@@ -45,7 +45,7 @@
         "symfony/options-resolver": "^5.4|^6.0|^7.0",
         "symfony/phpunit-bridge": "^6.0|^7.0",
         "symfony/property-info": "^5.4|^6.0|^7.0",
-        "symfony/security-csrf": "^5.4|^6.0|^7.0",
+        "symfony/security-bundle": "^5.4|^6.0|^7.0",
         "symfony/serializer": "^5.4|^6.0|^7.0",
         "symfony/twig-bundle": "^5.4|^6.0|^7.0",
         "symfony/validator": "^5.4|^6.0|^7.0",

src/LiveComponent/tests/Fixtures/Component/WithSecurity.php

@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\UX\LiveComponent\Tests\Fixtures\Component;
+
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Attribute\CurrentUser;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
+use Symfony\UX\LiveComponent\Attribute\LiveAction;
+use Symfony\UX\LiveComponent\DefaultActionTrait;
+
+/**
+ * @author Kevin Bond <kevinbond@gmail.com>
+ */
+#[AsLiveComponent('with_security')]
+#[IsGranted('ROLE_USER')]
+class WithSecurity
+{
+    use DefaultActionTrait;
+
+    public ?string $username = null;
+
+    #[LiveAction]
+    public function setUsername(#[CurrentUser] InMemoryUser $user)
+    {
+        $this->username = $user->getUserIdentifier();
+    }
+}

src/LiveComponent/tests/Fixtures/Kernel.php

@@ -16,6 +16,7 @@
 use Psr\Log\NullLogger;
 use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
 use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
+use Symfony\Bundle\SecurityBundle\SecurityBundle;
 use Symfony\Bundle\TwigBundle\TwigBundle;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\Compiler\PassConfig;
@@ -24,6 +25,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Kernel as BaseKernel;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\UX\LiveComponent\LiveComponentBundle;
 use Symfony\UX\LiveComponent\Tests\Fixtures\Component\Component1;
 use Symfony\UX\LiveComponent\Tests\Fixtures\Serializer\Entity2Normalizer;
@@ -66,6 +68,7 @@ public function registerBundles(): iterable
         yield new FrameworkBundle();
         yield new TwigBundle();
         yield new DoctrineBundle();
+        yield new SecurityBundle();
         yield new TwigComponentBundle();
         yield new LiveComponentBundle();
         yield new ZenstruckFoundryBundle();
@@ -115,6 +118,14 @@ protected function configureContainer(ContainerConfigurator $c): void
             'default_path' => '%kernel.project_dir%/tests/Fixtures/templates',
         ]);
 
+        $c->extension('security', [
+            'password_hashers' => [InMemoryUser::class => 'plaintext'],
+            'providers' => ['users' => ['memory' => ['users' => ['kevin' => ['password' => 'pass', 'roles' => ['ROLE_USER']]]]]],
+            'firewalls' => ['main' => [
+                'lazy' => true,
+            ]],
+        ]);
+
         $c->extension('twig_component', [
             'defaults' => [
                 'Symfony\UX\LiveComponent\Tests\Fixtures\Component\\' => 'components/',

src/LiveComponent/tests/Fixtures/templates/components/with_security.html.twig

@@ -0,0 +1,5 @@
+<div{{ attributes }}>
+    Successful.
+
+    Username: {{ username }}
+</div>

src/LiveComponent/tests/Functional/EventListener/LiveComponentSubscriberTest.php

@@ -14,6 +14,7 @@
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\DomCrawler\Crawler;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\UX\LiveComponent\Tests\Fixtures\Entity\Entity1;
 use Symfony\UX\LiveComponent\Tests\LiveComponentTestHelper;
 use Zenstruck\Browser\Test\HasBrowser;
@@ -500,4 +501,53 @@ public function testWithNullableEntity(): void
             ->assertContains('Prop1: default')
         ;
     }
+
+    public function testCanHaveControllerAttributes(): void
+    {
+        $dehydrated = $this->dehydrateComponent($this->mountComponent('with_security'));
+
+        $this->browser()
+            ->post('/_components/with_security?props='.urlencode(json_encode($dehydrated->getProps())))
+            ->assertStatus(401)
+            ->actingAs(new InMemoryUser('kevin', 'pass', ['ROLE_USER']))
+            ->assertAuthenticated('kevin')
+            ->post('/_components/with_security?props='.urlencode(json_encode($dehydrated->getProps())))
+            ->assertSuccessful()
+        ;
+    }
+
+    public function testCanInjectSecurityUserIntoAction(): void
+    {
+        $dehydrated = $this->dehydrateComponent($this->mountComponent('with_security'));
+        $token = null;
+
+        $this->browser()
+            ->actingAs(new InMemoryUser('kevin', 'pass', ['ROLE_USER']))
+            ->post('/_components/with_security', [
+                'body' => [
+                    'data' => json_encode([
+                        'props' => $dehydrated->getProps(),
+                    ]),
+                ],
+            ])
+            ->assertSuccessful()
+            ->assertNotSee('username: kevin')
+            ->use(function (Crawler $crawler) use (&$token) {
+                // get a valid token to use for actions
+                $token = $crawler->filter('div')->first()->attr('data-live-csrf-value');
+            })
+            ->throwExceptions()
+            ->post('/_components/with_security/setUsername', [
+                'headers' => ['X-CSRF-TOKEN' => $token],
+                'body' => [
+                    'data' => json_encode([
+                        'props' => $dehydrated->getProps(),
+                        'args' => [],
+                    ]),
+                ],
+            ])
+            ->assertSuccessful()
+            ->assertSee('username: kevin')
+        ;
+    }
 }