package csrf_test
import (
"net/http"
"os"
"testing"
"github.com/gobuffalo/buffalo"
"github.com/gobuffalo/buffalo/render"
"github.com/gobuffalo/envy"
"github.com/gobuffalo/httptest"
csrf "github.com/gobuffalo/mw-csrf"
"github.com/stretchr/testify/require"
)
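// TestMain pins GO_ENV to "development" for the whole package so the CSRF
// middleware is actually enforced while these tests run (Test_CSRF_TestMode
// shows the checks are skipped under "test"), then restores whatever value
// was set before.
func TestMain(m *testing.M) {
	prev := envy.Get("GO_ENV", "development")
	envy.Set("GO_ENV", "development")

	// Run the suite first and only then exit: the original deferred the
	// restore, but os.Exit terminates the process without unwinding defers,
	// so GO_ENV was never put back.
	code := m.Run()
	envy.Set("GO_ENV", prev)
	os.Exit(code)
}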
// csrfForm is the form body used to hand the CSRF token to the middleware
// through the authenticity_token field instead of the X-CSRF-Token header.
type csrfForm struct {
	AuthenticityToken string `form:"authenticity_token"`
}
// ctCSRFApp builds a minimal Buffalo app wrapped in the CSRF middleware, with
// GET and POST handlers on /csrf that echo whatever "authenticity_token" value
// is present on the context (presumably placed there by the middleware). Tests
// capture the token from the GET body and replay it on a POST. This is a test
// fixture only; a real handler would not echo the token as a bare body.
func ctCSRFApp() *buffalo.App {
	app := buffalo.New(buffalo.Options{})
	app.Use(csrf.New)

	// 420 (non-standard) flags that no token was populated at all, so a
	// missing token is distinguishable from an empty one in test output.
	echoToken := func(c buffalo.Context) error {
		at := c.Value("authenticity_token")
		if at == nil {
			return c.Render(420, nil)
		}
		return c.Render(200, render.String(at.(string)))
	}

	app.POST("/csrf", echoToken)
	app.GET("/csrf", echoToken)
	return app
}
// Test_CSRFOnIdempotentAction checks that a safe (GET) request passes through
// the CSRF middleware without presenting any token. Only state-changing
// methods are meant to be gated, so a 200 here is the expected outcome.
func Test_CSRFOnIdempotentAction(t *testing.T) {
	app := httptest.New(ctCSRFApp())
	res := app.HTML("/csrf").Get()
	require.New(t).Equal(http.StatusOK, res.Code)
}
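// Test_CSRFOnJSONRequest verifies that a token-less POST is rejected with 403
// and the "token not found" message whether the client speaks HTML or JSON.
// Content negotiation must not open a bypass: an API client without a token is
// just as forgeable as a browser form.
func Test_CSRFOnJSONRequest(t *testing.T) {
	r := require.New(t)
	w := httptest.New(ctCSRFApp())

	// HTML client, no token.
	res := w.HTML("/csrf").Post("")
	r.Equal(http.StatusForbidden, res.Code)
	r.Contains(res.Body.String(), "CSRF token not found in request")

	// JSON client, no token. Assert on the JSON response's own body: the
	// original re-checked res (the HTML response), so the JSON error message
	// was never actually verified.
	rs := w.JSON("/csrf").Post("")
	r.Equal(http.StatusForbidden, rs.Code)
	r.Contains(rs.Body.String(), "CSRF token not found in request")
}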
// Test_CSRF_TestMode documents that the middleware is bypassed entirely when
// GO_ENV is "test": POSTs with no token at all succeed for both HTML and JSON
// clients. That is convenient for other suites, but it also means a deployed
// app must never run with GO_ENV=test, or CSRF protection silently disappears.
// The previous GO_ENV value is restored when this test returns.
func Test_CSRF_TestMode(t *testing.T) {
	prev := envy.Get("GO_ENV", "development")
	envy.Set("GO_ENV", "test")
	defer envy.Set("GO_ENV", prev)

	r := require.New(t)
	w := httptest.New(ctCSRFApp())

	htmlRes := w.HTML("/csrf").Post("")
	r.Equal(http.StatusOK, htmlRes.Code)

	jsonRes := w.JSON("/csrf").Post("")
	r.Equal(http.StatusOK, jsonRes.Code)
}
// Test_CSRFOnEditingAction exercises the state-changing (POST) path: no token
// and an unusable token are both rejected with 403, while a token obtained
// from a prior GET on the same client is accepted whether it arrives in the
// X-CSRF-Token header or in the authenticity_token form field.
//
// NOTE(review): the "test-token" case asserts the same "not found" message as
// the no-token case, which suggests the middleware treats it as unparseable
// rather than as a mismatched token. A well-formed but wrong token — the
// actual forgery scenario — is therefore not covered here; consider adding
// that case. The good-token cases also rely on the httptest client carrying
// the session from the GET to the POST; a fresh client would presumably be
// rejected.
func Test_CSRFOnEditingAction(t *testing.T) {
	r := require.New(t)
	w := httptest.New(ctCSRFApp())

	// No token at all.
	res := w.HTML("/csrf").Post("")
	r.Equal(http.StatusForbidden, res.Code)
	r.Contains(res.Body.String(), "CSRF token not found in request")

	// Garbage token in the header.
	badReq := w.HTML("/csrf")
	badReq.Headers["X-CSRF-Token"] = "test-token"
	res = badReq.Post("")
	r.Equal(http.StatusForbidden, res.Code)
	r.Contains(res.Body.String(), "CSRF token not found in request")

	// fetchToken performs a GET on the same client and returns the token the
	// handler echoes back.
	fetchToken := func() string {
		get := w.HTML("/csrf").Get()
		r.Equal(http.StatusOK, get.Code)
		return get.Body.String()
	}

	// Fresh token via the header.
	token := fetchToken()
	headerReq := w.HTML("/csrf")
	headerReq.Headers["X-CSRF-Token"] = token
	res = headerReq.Post("")
	r.Equal(http.StatusOK, res.Code)

	// Fresh token via the form field.
	token = fetchToken()
	res = w.HTML("/csrf").Post(csrfForm{AuthenticityToken: token})
	r.Equal(http.StatusOK, res.Code)
}