spects for token checks
This commit is contained in:
Konstantin Haase
parent
f644adcbeb
commit
239da7f642
|
|
@ -2,10 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
|
|||
|
||||
describe Rack::Protection::AuthenticityToken do
|
||||
it_behaves_like "any rack application"
|
||||
it "denies post requests without any token"
|
||||
it "accepts post requests with correct X-CSRF-Token header"
|
||||
it "denies post requests with wrong X-CSRF-Token header"
|
||||
it "accepts post form requests with correct authenticity_token field"
|
||||
it "denies post form requests with wrong authenticity_token field"
|
||||
it "prevents ajax requests without a valid token"
|
||||
|
||||
it "denies post requests without any token" do
|
||||
post('/').should_not be_ok
|
||||
end
|
||||
|
||||
it "accepts post requests with correct X-CSRF-Token header" do
|
||||
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
|
||||
last_response.should be_ok
|
||||
end
|
||||
|
||||
it "denies post requests with wrong X-CSRF-Token header" do
|
||||
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
|
||||
last_response.should_not be_ok
|
||||
end
|
||||
|
||||
it "accepts post form requests with correct authenticity_token field" do
|
||||
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
|
||||
last_response.should be_ok
|
||||
end
|
||||
|
||||
it "denies post form requests with wrong authenticity_token field" do
|
||||
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
|
||||
last_response.should_not be_ok
|
||||
end
|
||||
|
||||
it "prevents ajax requests without a valid token" do
|
||||
post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -2,8 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
|
|||
|
||||
describe Rack::Protection::FormToken do
|
||||
it_behaves_like "any rack application"
|
||||
it "denies post form requests without any token"
|
||||
it "accepts post form requests with correct authenticity_token field"
|
||||
it "denies post form requests with wrong authenticity_token field"
|
||||
it "accepts ajax requests without a valid token"
|
||||
|
||||
it "denies post requests without any token" do
|
||||
post('/').should_not be_ok
|
||||
end
|
||||
|
||||
it "accepts post requests with correct X-CSRF-Token header" do
|
||||
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
|
||||
last_response.should be_ok
|
||||
end
|
||||
|
||||
it "denies post requests with wrong X-CSRF-Token header" do
|
||||
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
|
||||
last_response.should_not be_ok
|
||||
end
|
||||
|
||||
it "accepts post form requests with correct authenticity_token field" do
|
||||
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
|
||||
last_response.should be_ok
|
||||
end
|
||||
|
||||
it "denies post form requests with wrong authenticity_token field" do
|
||||
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
|
||||
last_response.should_not be_ok
|
||||
end
|
||||
|
||||
it "accepts ajax requests without a valid token" do
|
||||
post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,6 +1,25 @@
|
|||
require 'rack/protection'
|
||||
require 'rack/test'
|
||||
require 'forwardable'
|
||||
require 'stringio'
|
||||
|
||||
if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
|
||||
version = Gem.loaded_specs['rack'].version.to_s
|
||||
else
|
||||
version = Rack.release + '.0'
|
||||
end
|
||||
|
||||
if version == "1.3"
|
||||
Rack::Session::Abstract::ID.class_eval do
|
||||
private
|
||||
def prepare_session(env)
|
||||
session_was = env[ENV_SESSION_KEY]
|
||||
env[ENV_SESSION_KEY] = SessionHash.new(self, env)
|
||||
env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
|
||||
env[ENV_SESSION_KEY].merge! session_was if session_was
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
module DummyApp
|
||||
def self.call(env)
|
||||
|
|
@ -25,7 +44,7 @@ module TestHelpers
|
|||
klass = described_class
|
||||
mock_app do
|
||||
use Rack::Head
|
||||
use Rack::Session::Cookie
|
||||
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||
use klass
|
||||
run app
|
||||
end
|
||||
|
|
@ -99,7 +118,7 @@ shared_examples_for 'any rack application' do
|
|||
|
||||
mock_app do
|
||||
use Rack::Head
|
||||
use Rack::Session::Cookie
|
||||
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||
use detector
|
||||
use klass
|
||||
run DummyApp
|
||||
|
|
@ -126,7 +145,7 @@ shared_examples_for 'any rack application' do
|
|||
|
||||
mock_app do
|
||||
use Rack::Head
|
||||
use Rack::Session::Cookie
|
||||
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||
use detector
|
||||
use klass
|
||||
use changer
|
||||
|
|
|
|||
Loading…
Reference in New Issue