package diecast
import (
"bytes"
"io"
"net/http"
"net/http/httptest"
"testing"
"github.com/ghetzel/testify/require"
)
// TestCsrfRequest checks that a zero-value CSRF (protection not enabled)
// passes a plain GET through untouched: the request carries no token and the
// response carries no token header.
func TestCsrfRequest(t *testing.T) {
	var (
		check = require.New(t)
		csrf  = new(CSRF)
		req   = httptest.NewRequest(`GET`, `/`, nil)
		rec   = httptest.NewRecorder()
	)

	check.True(csrf.Handle(rec, req))
	check.Empty(csrftoken(req))
	check.Equal(http.StatusOK, rec.Code)

	res := rec.Result()
	check.Equal(``, res.Header.Get(DefaultCsrfHeaderName))
}
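// TestCsrfRequestEnabled checks that, with protection enabled, a GET is
// accepted and the token attached to the request is returned to the client in
// the CSRF response header.
func TestCsrfRequestEnabled(t *testing.T) {
	var assert = require.New(t)
	var csrf = &CSRF{
		Enable: true,
	}

	var req = httptest.NewRequest(`GET`, `/`, nil)
	var w = httptest.NewRecorder()

	assert.True(csrf.Handle(w, req))
	assert.Equal(http.StatusOK, w.Code)

	// Require that a token was actually issued: without this, the equality
	// check below passes vacuously when both sides are the empty string.
	var token = csrftoken(req)
	assert.NotEmpty(token)
	assert.Equal(token, w.Result().Header.Get(DefaultCsrfHeaderName))
}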
// TestCsrfPostInvalid checks that, with protection enabled, a POST carrying
// neither a token header nor a token cookie is rejected with 400.
func TestCsrfPostInvalid(t *testing.T) {
	check := require.New(t)
	csrf := &CSRF{Enable: true}

	// bare POST: no header, no cookie
	req := httptest.NewRequest(`POST`, `/thing`, nil)
	rec := httptest.NewRecorder()

	check.False(csrf.Handle(rec, req))
	check.Equal(http.StatusBadRequest, rec.Code)
}
// TestCsrfPostInvalidNoCookie checks that a POST presenting the token only in
// the header, with no cookie to compare it against, is rejected with 400.
func TestCsrfPostInvalidNoCookie(t *testing.T) {
	check := require.New(t)
	csrf := &CSRF{Enable: true}

	// header only: nothing on the cookie side
	req := httptest.NewRequest(`POST`, `/thing`, nil)
	req.Header.Set(DefaultCsrfHeaderName, `abc123`)
	rec := httptest.NewRecorder()

	check.False(csrf.Handle(rec, req))
	check.Equal(http.StatusBadRequest, rec.Code)
}
// TestCsrfPostValid checks that a POST whose header token and cookie token
// carry the same value is accepted with 200.
func TestCsrfPostValid(t *testing.T) {
	check := require.New(t)
	csrf := &CSRF{Enable: true}

	const token = `abc123`

	// header and cookie agree
	req := httptest.NewRequest(`POST`, `/thing`, nil)
	req.Header.Set(DefaultCsrfHeaderName, token)
	req.AddCookie(&http.Cookie{Name: DefaultCsrfCookieName, Value: token})
	rec := httptest.NewRecorder()

	check.True(csrf.Handle(rec, req))
	check.Equal(http.StatusOK, rec.Code)
}
// TestCsrfInvalidWrongCookie checks that a POST whose header token and cookie
// token disagree is rejected with 400.
func TestCsrfInvalidWrongCookie(t *testing.T) {
	check := require.New(t)
	csrf := &CSRF{Enable: true}

	const (
		headerToken = `abc123`
		cookieToken = `potato`
	)

	// header and cookie carry different values
	req := httptest.NewRequest(`POST`, `/thing`, nil)
	req.Header.Set(DefaultCsrfHeaderName, headerToken)
	req.AddCookie(&http.Cookie{Name: DefaultCsrfCookieName, Value: cookieToken})
	rec := httptest.NewRecorder()

	check.False(csrf.Handle(rec, req))
	check.Equal(http.StatusBadRequest, rec.Code)
}
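// TestCsrfPostValidRequestBodyIntact checks that a valid POST (header token
// matching the cookie token) is accepted, that the handler leaves the request
// body readable and unmodified for downstream handlers, and that the used
// token is replaced by a fresh one which is returned in the response header.
func TestCsrfPostValidRequestBodyIntact(t *testing.T) {
	var assert = require.New(t)
	var csrf = &CSRF{
		Enable: true,
	}

	var body = bytes.NewBufferString("everything is very okay")

	// header and cookie carry the same token value
	var req = httptest.NewRequest(`POST`, `/thing`, body)
	req.Header.Set(DefaultCsrfHeaderName, `abc123`)
	req.AddCookie(&http.Cookie{
		Name:  DefaultCsrfCookieName,
		Value: `abc123`,
	})
	var w = httptest.NewRecorder()

	assert.True(csrf.Handle(w, req))
	assert.Equal(http.StatusOK, w.Code)

	reqbody, err := io.ReadAll(req.Body)
	assert.NoError(err)

	// the request body should still contain everything it had
	assert.Equal(`everything is very okay`, string(reqbody))

	// utilizing the "abc123" token should have forced a new token; require a
	// non-empty value so the header comparison below cannot pass vacuously
	// with an empty token on both sides
	var rotated = csrftoken(req)
	assert.NotEmpty(rotated)
	assert.NotEqual(`abc123`, rotated)
	assert.Equal(rotated, w.Result().Header.Get(DefaultCsrfHeaderName))
}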