Compare revisions

Patrick Kenny · Patrick Kenny · Patrick Kenny · Patrick Kenny · Patrick Kenny · Patrick Kenny
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,6 +29,8 @@ phpcs:
  allow_failure: false
 phpstan:
  allow_failure: false
+phpunit (next major):
+  allow_failure: false

 ################
 # Pipeline configuration variables are defined with default values and descriptions in the file
@@ -38,9 +40,11 @@ phpstan:
 variables:
  _CSPELL_WORDS: '~validateable'
  OPT_IN_TEST_MAX_PHP: '1'
+  OPT_IN_TEST_NEXT_MAJOR: '1'
  OPT_IN_TEST_NEXT_MINOR: '1'
+  OPT_IN_TEST_PREVIOUS_MAJOR: '1'
  OPT_IN_TEST_PREVIOUS_MINOR: '1'
-#   SKIP_ESLINT: '1'
-#   OPT_IN_TEST_NEXT_MAJOR: '1'
-#   _CURL_TEMPLATES_REF: 'main'

+composer (previous major):
+  variables:
+    PHP_VERSION: '8.3'
--- a/composer.json
+++ b/composer.json
@@ -14,6 +14,7 @@
    }
  ],
  "require": {
+    "php": "^8.3",
    "e0ipso/shaper": "^1.2.1"
  }
 }
--- a/config/install/jsonrpc.settings.yml
+++ b/config/install/jsonrpc.settings.yml
+basic_auth: TRUE
+cookie: FALSE
+jwt: FALSE
+oauth2: TRUE
--- a/config/schema/jsonrpc.schema.yml
+++ b/config/schema/jsonrpc.schema.yml
+# Schema for the configuration files of the JSON-RPC module.
+jsonrpc.settings:
+  type: config_object
+  label: 'JSON-RPC settings'
+  mapping:
+    basic_auth:
+      type: boolean
+      label: 'Allow access via basic authentication'
+    cookie:
+      type: boolean
+      label: 'Allow access via cookies'
+    jwt:
+      type: boolean
+      label: 'Allow access via JWT'
+    oauth2:
+      type: boolean
+      label: 'Allow access via OAuth 2.0'
--- a/jsonrpc.info.yml
+++ b/jsonrpc.info.yml
 name: JSON-RPC 2.0
 type: module
 description: Infrastructure for JSON-RPC 2.0 compliant web services.
-core_version_requirement: ^9 || ^10 || ^11
+configure: jsonrpc.settings
+core_version_requirement: ^10.2 || ^11
 package: Web services
--- a/jsonrpc.install
+++ b/jsonrpc.install
+<?php
+
+/**
+ * @file
+ * Hook update implementations for the JSON-RPC module.
+ */
+
+declare(strict_types=1);
+
+use Drupal\jsonrpc\Enum\JsonRpcSetting;
+
+/**
+ * Add config for access control to the JSON-RPC module.
+ */
+function jsonrpc_update_2001(): void {
+  $config_factory = \Drupal::configFactory();
+  $config = $config_factory->getEditable('jsonrpc.configuration');
+  $config->set(JsonRpcSetting::BasicAuth->value, TRUE);
+  $config->set(JsonRpcSetting::Cookie->value, FALSE);
+  $config->set(JsonRpcSetting::OAuth2->value, TRUE);
+  $config->save(TRUE);
+}
--- a/jsonrpc.permissions.yml
+++ b/jsonrpc.permissions.yml
 use jsonrpc services:
  title: 'Use JSON-RPC services.'
+administer jsonrpc:
+  title: 'Administer JSON-RPC.'
--- a/jsonrpc.routing.yml
+++ b/jsonrpc.routing.yml
@@ -6,4 +6,12 @@ jsonrpc.handler:
  requirements:
    _permission: 'use jsonrpc services'
  options:
-    _auth: ['basic_auth', 'oauth2']
+    # Allowed authorization methods are set on the module configuration page.
+    _auth: []
+jsonrpc.settings:
+  path: '/admin/config/system/jsonrpc'
+  defaults:
+    _title: 'JSON-RPC'
+    _form: 'Drupal\jsonrpc\Form\JsonRpcConfigurationForm'
+  requirements:
+    _permission: 'administer jsonrpc'
--- a/jsonrpc.services.yml
+++ b/jsonrpc.services.yml
@@ -14,6 +14,11 @@ services:
        '@renderer',
        '@Drupal\jsonrpc\Exception\ErrorHandler',
      ]
+  jsonrpc.route_subscriber:
+    class: Drupal\jsonrpc\Routing\JsonRpcRouteSubscriber
+    arguments: ['@config.factory']
+    tags:
+      - { name: event_subscriber }
  jsonrpc.schema_validator:
    class: JsonSchema\Validator
  jsonrpc.options_request_listener:

--- a/modules/jsonrpc_core/jsonrpc_core.info.yml
+++ b/modules/jsonrpc_core/jsonrpc_core.info.yml
 name: JSON-RPC 2.0 Core
 type: module
 description: JSON-RPC 2.0 services for Drupal core.
-core_version_requirement: ^9 || ^10 || ^11
+core_version_requirement: ^10.2 || ^11
 package: Web services
 dependencies:
  - jsonrpc:jsonrpc
--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/AddPermissionToRole.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/AddPermissionToRole.php
@@ -6,8 +6,8 @@ namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

 use Drupal\Core\Entity\EntityStorageException;
 use Drupal\jsonrpc\Exception\JsonRpcException;
-use Drupal\jsonrpc\Object\Error;
-use Drupal\jsonrpc\Object\ParameterBag;
+use Drupal\jsonrpc\JsonRpcObject\Error;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;
 use Symfony\Component\Validator\ConstraintViolationInterface;

 /**
@@ -28,7 +28,8 @@ class AddPermissionToRole extends UserPermissionsBase {
  /**
   * {@inheritdoc}
   */
-  public function execute(ParameterBag $params) {
+  #[\Override]
+  public function execute(ParameterBag $params): int {
    $permission = $params->get('permission');
    /** @var \Drupal\user\RoleInterface $role */
    $role = $params->get('role');
@@ -36,9 +37,7 @@ class AddPermissionToRole extends UserPermissionsBase {
      $role->grantPermission($permission);
      $violations = $role->getTypedData()->validate();
      if ($violations->count() !== 0) {
-        $error = Error::invalidParams(array_map(function (ConstraintViolationInterface $violation) {
-          return $violation->getMessage();
-        }, iterator_to_array($violations)));
+        $error = Error::invalidParams(array_map(fn(ConstraintViolationInterface $violation): string|\Stringable => $violation->getMessage(), iterator_to_array($violations)));
        throw JsonRpcException::fromError($error);
      }
      return $role->save();
@@ -52,7 +51,8 @@ class AddPermissionToRole extends UserPermissionsBase {
  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): array {
    return ['type' => 'number'];
  }


--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/Cache.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/Cache.php
@@ -4,7 +4,7 @@ declare(strict_types=1);

 namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

-use Drupal\jsonrpc\Object\ParameterBag;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;
 use Drupal\jsonrpc\Plugin\JsonRpcMethodBase;

 /**
@@ -21,7 +21,8 @@ class Cache extends JsonRpcMethodBase {
  /**
   * {@inheritdoc}
   */
-  public function execute(ParameterBag $params) {
+  #[\Override]
+  public function execute(ParameterBag $params): true {
    drupal_flush_all_caches();
    return TRUE;
  }
@@ -29,7 +30,8 @@ class Cache extends JsonRpcMethodBase {
  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): null {
    return NULL;
  }


--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/ListPermissions.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/ListPermissions.php
@@ -4,7 +4,7 @@ declare(strict_types=1);

 namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

-use Drupal\jsonrpc\Object\ParameterBag;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;

 /**
 * RPC method to list all the permissions.
@@ -23,7 +23,8 @@ class ListPermissions extends UserPermissionsBase {
  /**
   * {@inheritdoc}
   */
-  public function execute(ParameterBag $params) {
+  #[\Override]
+  public function execute(ParameterBag $params): array {
    $page = $params->get('page');
    return array_slice(
      $this->permissions->getPermissions(),
@@ -35,7 +36,8 @@ class ListPermissions extends UserPermissionsBase {
  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): array {
    // @todo Fix the schema.
    return ['type' => 'foo'];
  }

--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/MaintenanceModeEnabled.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/MaintenanceModeEnabled.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

 use Drupal\Core\State\StateInterface;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;
 use Drupal\jsonrpc\MethodInterface;
-use Drupal\jsonrpc\Object\ParameterBag;
 use Drupal\jsonrpc\Plugin\JsonRpcMethodBase;
 use Symfony\Component\DependencyInjection\ContainerInterface;

@@ -27,33 +27,29 @@ class MaintenanceModeEnabled extends JsonRpcMethodBase {
  const ENABLED = 'enabled';
  const DISABLED = 'disabled';

-  /**
-   * The state API service.
-   *
-   * @var \Drupal\Core\State\StateInterface
-   */
-  protected $state;
-
-  /**
-   * {@inheritdoc}
-   */
-  public function __construct(array $configuration, $plugin_id, MethodInterface $plugin_definition, StateInterface $state) {
+  public function __construct(
+    array $configuration,
+    string $plugin_id,
+    MethodInterface $plugin_definition,
+    protected StateInterface $state,
+  ) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
-    $this->state = $state;
  }

  /**
   * {@inheritdoc}
   */
-  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+  #[\Override]
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition): static {
    return new static($configuration, $plugin_id, $plugin_definition, $container->get('state'));
  }

  /**
   * {@inheritdoc}
   */
-  public function execute(ParameterBag $parameters) {
-    $enabled = $parameters->get('enabled');
+  #[\Override]
+  public function execute(ParameterBag $params): string {
+    $enabled = $params->get('enabled');

    $this->state->set('system.maintenance_mode', $enabled);
    return $this->state->get('system.maintenance_mode')
@@ -64,7 +60,8 @@ class MaintenanceModeEnabled extends JsonRpcMethodBase {
  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): array {
    return ['type' => 'string'];
  }


--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/Plugins.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/Plugins.php
@@ -7,8 +7,9 @@ namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;
 use Drupal\Component\Plugin\PluginManagerInterface;
 use Drupal\jsonrpc\Exception\JsonRpcException;
 use Drupal\jsonrpc\HandlerInterface;
-use Drupal\jsonrpc\Object\Error;
-use Drupal\jsonrpc\Object\ParameterBag;
+use Drupal\jsonrpc\JsonRpcObject\Error;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;
+use Drupal\jsonrpc\MethodInterface;
 use Drupal\jsonrpc\Plugin\JsonRpcMethodBase;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException;
@@ -24,33 +25,29 @@ use Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException;
 *     "page" = @JsonRpcParameterDefinition(factory = "\Drupal\jsonrpc\ParameterFactory\PaginationParameterFactory"),
 *     "service" = @JsonRpcParameterDefinition(
 *       schema={"type"="string"},
- *       required=true
+ *       required=true,
+ *       description=@Translation("The service to list plugins for.")
 *     ),
 *   }
 * )
 */
 class Plugins extends JsonRpcMethodBase {

-  /**
-   * A plugin manager.
-   *
-   * @var \Drupal\Component\Plugin\PluginManagerInterface
-   */
-  protected $pluginManager;
-
-  /**
-   * {@inheritdoc}
-   */
-  public function __construct(array $configuration, $plugin_id, $plugin_definition, PluginManagerInterface $plugin_manager) {
+  public function __construct(
+    array $configuration,
+    string $plugin_id,
+    MethodInterface $plugin_definition,
+    protected PluginManagerInterface $pluginManager,
+  ) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
-    $this->pluginManager = $plugin_manager;
  }

  /**
   * {@inheritdoc}
   */
-  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
-    /** @var \Drupal\jsonrpc\Object\Request $request */
+  #[\Override]
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition): static {
+    /** @var \Drupal\jsonrpc\JsonRpcObject\Request $request */
    $request = $configuration[HandlerInterface::JSONRPC_REQUEST_KEY];
    /** @var \Drupal\Component\Plugin\PluginManagerInterface $plugin_manager */
    try {
@@ -67,7 +64,8 @@ class Plugins extends JsonRpcMethodBase {
   *
   * @throws \Drupal\jsonrpc\Exception\JsonRpcException
   */
-  public function execute(ParameterBag $params) {
+  #[\Override]
+  public function execute(ParameterBag $params): array {
    $pager = $params->get('page');
    $definitions = $this->pluginManager->getDefinitions();
    foreach ($definitions as $definition) {
@@ -84,7 +82,8 @@ class Plugins extends JsonRpcMethodBase {
  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): array {
    return [
      'type' => 'object',
      'patternProperties' => [

--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/RouteBuilder.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/RouteBuilder.php
@@ -5,7 +5,8 @@ declare(strict_types=1);
 namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

 use Drupal\Core\Routing\RouteBuilderInterface;
-use Drupal\jsonrpc\Object\ParameterBag;
+use Drupal\jsonrpc\JsonRpcObject\ParameterBag;
+use Drupal\jsonrpc\MethodInterface;
 use Drupal\jsonrpc\Plugin\JsonRpcMethodBase;
 use Symfony\Component\DependencyInjection\ContainerInterface;

@@ -20,25 +21,20 @@ use Symfony\Component\DependencyInjection\ContainerInterface;
 */
 class RouteBuilder extends JsonRpcMethodBase {

-  /**
-   * The route builder service.
-   *
-   * @var \Drupal\Core\Routing\RouteBuilderInterface
-   */
-  protected $routeBuilder;
-
-  /**
-   * {@inheritdoc}
-   */
-  public function __construct(array $configuration, string $plugin_id, $plugin_definition, RouteBuilderInterface $route_builder) {
+  public function __construct(
+    array $configuration,
+    string $plugin_id,
+    MethodInterface $plugin_definition,
+    protected RouteBuilderInterface $routeBuilder,
+  ) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
-    $this->routeBuilder = $route_builder;
  }

  /**
   * {@inheritdoc}
   */
-  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+  #[\Override]
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition): static {
    return new static(
      $configuration, $plugin_id, $plugin_definition,
      $container->get('router.builder')
@@ -48,14 +44,16 @@ class RouteBuilder extends JsonRpcMethodBase {
  /**
   * {@inheritdoc}
   */
-  public function execute(ParameterBag $params) {
+  #[\Override]
+  public function execute(ParameterBag $params): bool {
    return $this->routeBuilder->rebuild();
  }

  /**
   * {@inheritdoc}
   */
-  public static function outputSchema() {
+  #[\Override]
+  public static function outputSchema(): null {
    return NULL;
  }


--- a/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/UserPermissionsBase.php
+++ b/modules/jsonrpc_core/src/Plugin/jsonrpc/Method/UserPermissionsBase.php
@@ -4,6 +4,7 @@ declare(strict_types=1);

 namespace Drupal\jsonrpc_core\Plugin\jsonrpc\Method;

+use Drupal\jsonrpc\MethodInterface;
 use Drupal\jsonrpc\Plugin\JsonRpcMethodBase;
 use Drupal\user\PermissionHandlerInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -13,24 +14,22 @@ use Symfony\Component\DependencyInjection\ContainerInterface;
 */
 abstract class UserPermissionsBase extends JsonRpcMethodBase {

-  /**
-   * The permissions handler service.
-   *
-   * @var \Drupal\user\PermissionHandlerInterface
-   */
-  protected $permissions;
-
  /**
   * {@inheritdoc}
   */
-  public function __construct(array $configuration, string $plugin_id, $plugin_definition, PermissionHandlerInterface $user_permissions) {
+  public function __construct(
+    array $configuration,
+    string $plugin_id,
+    MethodInterface $plugin_definition,
+    protected PermissionHandlerInterface $permissions,
+  ) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
-    $this->permissions = $user_permissions;
  }

  /**
   * {@inheritdoc}
   */
+  #[\Override]
  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    return new static(
      $configuration, $plugin_id, $plugin_definition,

--- a/modules/jsonrpc_core/tests/src/Functional/MaintenanceModeEnabledTest.php
+++ b/modules/jsonrpc_core/tests/src/Functional/MaintenanceModeEnabledTest.php
@@ -5,10 +5,13 @@ declare(strict_types=1);
 namespace Drupal\Tests\jsonrpc_core\Functional;

 use Drupal\Component\Serialization\Json;
+use Drupal\Core\Url;
 use Drupal\Tests\jsonrpc\Functional\JsonRpcTestBase;
+use Drupal\jsonrpc\Enum\JsonRpcSetting;
+use GuzzleHttp\RequestOptions;

 /**
- * Test turning the maintenance mode on or off using JSON RPC.
+ * Test turning the maintenance mode on or off using JSON-RPC.
 *
 * @group jsonrpc
 */
@@ -25,30 +28,48 @@ class MaintenanceModeEnabledTest extends JsonRpcTestBase {
  ];

  /**
-   * Tests enabling the maintenance mode.
+   * The POST request to enable maintenance mode.
+   *
+   * @var array
   */
-  public function testEnablingMaintenanceMode() {
+  protected array $enableRequest = [
+    'jsonrpc' => '2.0',
+    'method' => 'maintenance_mode.isEnabled',
+    'params' => [
+      'enabled' => TRUE,
+    ],
+    'id' => 'maintenance_mode_enabled',
+  ];

-    $enabled_request = [
-      'jsonrpc' => '2.0',
-      'method' => 'maintenance_mode.isEnabled',
-      'params' => [
-        'enabled' => TRUE,
-      ],
-      'id' => 'maintenance_mode_enabled',
-    ];
+  /**
+   * The POST request to disabled maintenance mode.
+   *
+   * @var array
+   */
+  protected array $disableRequest = [
+    'jsonrpc' => '2.0',
+    'method' => 'maintenance_mode.isEnabled',
+    'params' => [
+      'enabled' => FALSE,
+    ],
+    'id' => 'maintenance_mode_disabled',
+  ];

+  /**
+   * Tests enabling maintenance mode.
+   *
+   * @param \Drupal\jsonrpc\Enum\JsonRpcSetting $auth_method
+   *   The auth method to use for the test.
+   */
+  private function enableMaintenanceModeTestFlow(JsonRpcSetting $auth_method): void {
    // Assert that anonymous users are not able to enable the maintenance page.
-    $response = $this->postRpc($enabled_request);
-    $this->assertSame(401, $response->getStatusCode());
-
-    // Assign correct permission and login.
-    $account = $this->createUser(['administer site configuration'], NULL, TRUE);
+    $anon_response = $this->postRpc($this->enableRequest);
+    $this->assertSame(401, $anon_response->getStatusCode());

-    // Retry request with basic auth.
-    $response = $this->postRpc($enabled_request, $account);
-    $this->assertSame(200, $response->getStatusCode());
-    $parsed_body = Json::decode($response->getBody());
+    // Retry request with auth.
+    $auth_response = $this->postRpc($this->enableRequest, $this->adminUser, $auth_method);
+    $this->assertSame(200, $auth_response->getStatusCode());
+    $parsed_body = Json::decode($auth_response->getBody());
    $expected = [
      'jsonrpc' => '2.0',
      'id' => 'maintenance_mode_enabled',
@@ -57,22 +78,17 @@ class MaintenanceModeEnabledTest extends JsonRpcTestBase {
    $this->assertEquals($expected, $parsed_body);

    // Assert maintenance mode is enabled.
+    // If using cookie auth, we need to log out first because we are an admin.
+    if ($auth_method === JsonRpcSetting::Cookie) {
+      $this->drupalLogout();
+    }
    $this->drupalGet('/jsonrpc');
    $this->assertEquals('Site under maintenance', $this->cssSelect('main h1')[0]->getText());

    // Send request to disable maintenance mode.
-    $disabled_request = [
-      'jsonrpc' => '2.0',
-      'method' => 'maintenance_mode.isEnabled',
-      'params' => [
-        'enabled' => FALSE,
-      ],
-      'id' => 'maintenance_mode_disabled',
-    ];
-
-    $response = $this->postRpc($disabled_request, $account);
-    $this->assertSame(200, $response->getStatusCode());
-    $parsed_body = Json::decode($response->getBody());
+    $disabled_response = $this->postRpc($this->disableRequest, $this->adminUser, $auth_method);
+    $this->assertSame(200, $disabled_response->getStatusCode());
+    $parsed_body = Json::decode($disabled_response->getBody());
    $expected = [
      'jsonrpc' => '2.0',
      'id' => 'maintenance_mode_disabled',
@@ -81,8 +97,52 @@ class MaintenanceModeEnabledTest extends JsonRpcTestBase {
    $this->assertEquals($expected, $parsed_body);

    // Assert maintenance mode is disabled.
+    // If using cookie auth, we need to log out first because we are an admin.
+    if ($auth_method === JsonRpcSetting::Cookie) {
+      $this->drupalLogout();
+    }
    $this->drupalGet('/jsonrpc');
    $this->assertNotEquals('Site under maintenance', $this->cssSelect('main h1')[0]->getText());
  }

+  /**
+   * Tests enabling maintenance mode with basic auth.
+   */
+  public function testEnablingMaintenanceModeBasicAuth(): void {
+    $this->enableBasicAuth();
+    $this->enableMaintenanceModeTestFlow(JsonRpcSetting::BasicAuth);
+  }
+
+  /**
+   * Tests enabling maintenance mode with cookie auth.
+   */
+  public function testEnablingMaintenanceModeCookie(): void {
+    $this->enableCookieAuth();
+    $this->enableMaintenanceModeTestFlow(JsonRpcSetting::Cookie);
+  }
+
+  /**
+   * Tests that enabling maintenance mode by cookie requires a CSRF token.
+   */
+  public function testEnablingMaintenanceModeCookieNoCsrfToken(): void {
+    $this->enableCookieAuth();
+
+    $url = $this->buildUrl(Url::fromRoute('jsonrpc.handler'));
+    $request_options = [
+      RequestOptions::HTTP_ERRORS => FALSE,
+      RequestOptions::ALLOW_REDIRECTS => FALSE,
+      RequestOptions::JSON => $this->enableRequest,
+    ];
+
+    // For cookies, we need to log in get the cookie.
+    $this->drupalLogin($this->adminUser);
+    // Include cookies, but do not include a CSRF token.
+    $request_options[RequestOptions::COOKIES] = $this->getSessionCookies();
+
+    $client = $this->getHttpClient();
+    $no_csrf_token_response = $client->request('POST', $url, $request_options);
+
+    $this->assertSame(403, $no_csrf_token_response->getStatusCode());
+  }
+
 }
--- a/modules/jsonrpc_core/tests/src/Functional/PluginsTest.php
+++ b/modules/jsonrpc_core/tests/src/Functional/PluginsTest.php
@@ -6,6 +6,7 @@ namespace Drupal\Tests\jsonrpc_core\Functional;

 use Drupal\Component\Serialization\Json;
 use Drupal\Tests\jsonrpc\Functional\JsonRpcTestBase;
+use Drupal\jsonrpc\Enum\JsonRpcSetting;

 /**
 * Test turning the maintenance mode on or off using JSON RPC.
@@ -27,8 +28,11 @@ class PluginsTest extends JsonRpcTestBase {

  /**
   * Tests the plugin list.
+   *
+   * @param \Drupal\jsonrpc\Enum\JsonRpcSetting $auth_method
+   *   The auth method to use for the test.
   */
-  public function testPlugins() {
+  public function pluginTestFlow(JsonRpcSetting $auth_method): void {
    // 1. Test without a pager.
    $rpc_request = [
      'jsonrpc' => '2.0',
@@ -43,11 +47,8 @@ class PluginsTest extends JsonRpcTestBase {
    $response = $this->getRpc($rpc_request);
    $this->assertSame(401, $response->getStatusCode());

-    // Assign correct permission and login.
-    $account = $this->createUser(['administer site configuration'], NULL, TRUE);
-
    // Retry request with auth.
-    $response = $this->getRpc($rpc_request, $account);
+    $response = $this->getRpc($rpc_request, $this->adminUser, $auth_method);
    $this->assertSame(200, $response->getStatusCode());
    $parsed_body = Json::decode($response->getBody());
    $this->assertArrayHasKey('result', $parsed_body, 'Could not find results');
@@ -64,7 +65,7 @@ class PluginsTest extends JsonRpcTestBase {
        'page' => ['limit' => 2, 'offset' => 1],
      ],
    ];
-    $response = $this->getRpc($rpc_request, $account);
+    $response = $this->getRpc($rpc_request, $this->adminUser, $auth_method);
    $this->assertSame(200, $response->getStatusCode());
    $parsed_body = Json::decode($response->getBody());
    $this->assertCount(2, $parsed_body['result']);
@@ -79,7 +80,7 @@ class PluginsTest extends JsonRpcTestBase {
        'page' => ['limit' => 2, 'offset' => 1],
      ],
    ];
-    $response = $this->getRpc($rpc_request, $account);
+    $response = $this->getRpc($rpc_request, $this->adminUser, $auth_method);
    $this->assertSame(400, $response->getStatusCode());
    $parsed_body = Json::decode($response->getBody());
    $expected = [
@@ -94,4 +95,20 @@ class PluginsTest extends JsonRpcTestBase {
    $this->assertEquals($expected, $parsed_body);
  }

+  /**
+   * Tests the plugin list with basic auth.
+   */
+  public function testPluginListBasicAuth(): void {
+    $this->enableBasicAuth();
+    $this->pluginTestFlow(JsonRpcSetting::BasicAuth);
+  }
+
+  /**
+   * Tests the plugin list with cookie auth.
+   */
+  public function testPluginListCookie(): void {
+    $this->enableCookieAuth();
+    $this->pluginTestFlow(JsonRpcSetting::Cookie);
+  }
+
 }
--- a/modules/jsonrpc_core/tests/src/Kernel/JsonRpcCoreInstallTest.php
+++ b/modules/jsonrpc_core/tests/src/Kernel/JsonRpcCoreInstallTest.php
@@ -13,7 +13,7 @@ use Drupal\KernelTests\KernelTestBase;
 */
 class JsonRpcCoreInstallTest extends KernelTestBase {

-  private const MODULE_NAME = 'jsonrpc_core';
+  private const string MODULE_NAME = 'jsonrpc_core';

  /**
   * Test that the module can be installed and uninstalled.
No results found