fix: Security class does not send cookies

Add Response::setCookieStore()

Author: kenjis

system/HTTP/ResponseTrait.php

@@ -596,6 +596,14 @@ public function getCookieStore()
         return $this->cookieStore;
     }
 
+    /**
+     * Sets the CookieStore.
+     */
+    public function setCookieStore(CookieStore $cookieStore)
+    {
+        $this->cookieStore = $cookieStore;
+    }
+
     /**
      * Checks to see if the Response has a specified cookie or not.
      */

system/Security/Security.php

@@ -528,32 +528,12 @@ private function saveHashInCookie(): void
                 'expires' => $this->expires === 0 ? 0 : time() + $this->expires,
             ]
         );
-        $this->sendCookie($this->request);
-    }
-
-    /**
-     * CSRF Send Cookie
-     *
-     * @return false|Security
-     */
-    protected function sendCookie(RequestInterface $request)
-    {
-
-        $this->doSendCookie();
-        log_message('info', 'CSRF cookie sent.');
 
-        return $this;
-    }
+        $response    = Services::response();
+        $cookieStore = $response->getCookieStore();
+        $cookieStore = $cookieStore->put($this->cookie);
 
-    /**
-     * Actual dispatching of cookies.
-     * Extracted for this to be unit tested.
-     *
-     * @codeCoverageIgnore
-     */
-    protected function doSendCookie(): void
-    {
-        cookies([$this->cookie], false)->dispatch();
+        $response->setCookieStore($cookieStore);
     }
 
     private function saveHashInSession(): void

tests/system/Security/SecurityTest.php

@@ -20,8 +20,8 @@
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\Mock\MockAppConfig;
 use CodeIgniter\Test\Mock\MockSecurity;
-use Config\Cookie as CookieConfig;
 use Config\Security as SecurityConfig;
+use Config\Services;
 
 /**
  * @backupGlobals enabled
@@ -41,11 +41,7 @@ protected function setUp(): void
 
     public function testBasicConfigIsSaved()
     {
-        $config   = new MockAppConfig();
-        $security = $this->getMockBuilder(Security::class)
-            ->setConstructorArgs([$config])
-            ->onlyMethods(['doSendCookie'])
-            ->getMock();
+        $security = new MockSecurity(new MockAppConfig());
 
         $hash = $security->getHash();
 
@@ -57,11 +53,7 @@ public function testHashIsReadFromCookie()
     {
         $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
 
-        $config   = new MockAppConfig();
-        $security = $this->getMockBuilder(Security::class)
-            ->setConstructorArgs([$config])
-            ->onlyMethods(['doSendCookie'])
-            ->getMock();
+        $security = new MockSecurity(new MockAppConfig());
 
         $this->assertSame('8b9218a55906f9dcc1dc263dce7f005a', $security->getHash());
     }
@@ -74,7 +66,8 @@ public function testGetHashSetsCookieWhenGETWithoutCSRFCookie()
 
         $security->verify(new Request(new MockAppConfig()));
 
-        $this->assertSame($_COOKIE['csrf_cookie_name'], $security->getHash());
+        $cookie = Services::response()->getCookie('csrf_cookie_name');
+        $this->assertSame($security->getHash(), $cookie->getValue());
     }
 
     public function testGetHashReturnsCSRFCookieWhenGETWithCSRFCookie()
@@ -238,45 +231,4 @@ public function testGetters(): void
         $this->assertIsString($security->getCookieName());
         $this->assertIsBool($security->shouldRedirect());
     }
-
-    public function testSendingCookiesFalse(): void
-    {
-        $request = $this->createMock(IncomingRequest::class);
-        $request->method('isSecure')->willReturn(false);
-
-        $config = new CookieConfig();
-
-        $config->secure = true;
-        Factories::injectMock('config', CookieConfig::class, $config);
-
-        $security = $this->getMockBuilder(Security::class)
-            ->setConstructorArgs([new MockAppConfig()])
-            ->onlyMethods(['doSendCookie'])
-            ->getMock();
-
-        $sendCookie = $this->getPrivateMethodInvoker($security, 'sendCookie');
-
-        $security->expects($this->never())->method('doSendCookie');
-        $this->assertFalse($sendCookie($request));
-    }
-
-    public function testSendingGoodCookies(): void
-    {
-        $request = $this->createMock(IncomingRequest::class);
-        $request->method('isSecure')->willReturn(true);
-
-        $config = new MockAppConfig();
-
-        $config->cookieSecure = true;
-
-        $security = $this->getMockBuilder(Security::class)
-            ->setConstructorArgs([$config])
-            ->onlyMethods(['doSendCookie'])
-            ->getMock();
-
-        $sendCookie = $this->getPrivateMethodInvoker($security, 'sendCookie');
-
-        $security->expects($this->once())->method('doSendCookie');
-        $this->assertInstanceOf(Security::class, $sendCookie($request));
-    }
 }