From 239da7f642daf034e78cbc184832a16aa01b9a9d Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Mon, 20 Jun 2011 09:16:44 +0200
Subject: [PATCH] spects for token checks

---
 .../spec/authenticity_token_spec.rb           | 34 +++++++++++++++----
 rack-protection/spec/form_token_spec.rb       | 32 ++++++++++++++---
 rack-protection/spec/spec_helper.rb           | 25 ++++++++++++--
 3 files changed, 78 insertions(+), 13 deletions(-)

diff --git a/rack-protection/spec/authenticity_token_spec.rb b/rack-protection/spec/authenticity_token_spec.rb
index b7a92d2d..7758e262 100644
--- a/rack-protection/spec/authenticity_token_spec.rb
+++ b/rack-protection/spec/authenticity_token_spec.rb
@@ -2,10 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::AuthenticityToken do
   it_behaves_like "any rack application"
-  it "denies post requests without any token"
-  it "accepts post requests with correct X-CSRF-Token header"
-  it "denies post requests with wrong X-CSRF-Token header"
-  it "accepts post form requests with correct authenticity_token field"
-  it "denies post form requests with wrong authenticity_token field"
-  it "prevents ajax requests without a valid token"
+
+  it "denies post requests without any token" do
+    post('/').should_not be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
+
+  it "prevents ajax requests without a valid token" do
+    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
+  end
 end
diff --git a/rack-protection/spec/form_token_spec.rb b/rack-protection/spec/form_token_spec.rb
index dfdf15e3..0c4aa371 100644
--- a/rack-protection/spec/form_token_spec.rb
+++ b/rack-protection/spec/form_token_spec.rb
@@ -2,8 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::FormToken do
   it_behaves_like "any rack application"
-  it "denies post form requests without any token"
-  it "accepts post form requests with correct authenticity_token field"
-  it "denies post form requests with wrong authenticity_token field"
-  it "accepts ajax requests without a valid token"
+
+  it "denies post requests without any token" do
+    post('/').should_not be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
+
+  it "accepts ajax requests without a valid token" do
+    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
+  end
 end
diff --git a/rack-protection/spec/spec_helper.rb b/rack-protection/spec/spec_helper.rb
index 1b7a9603..4b8426bb 100644
--- a/rack-protection/spec/spec_helper.rb
+++ b/rack-protection/spec/spec_helper.rb
@@ -1,6 +1,25 @@
 require 'rack/protection'
 require 'rack/test'
 require 'forwardable'
+require 'stringio'
+
+if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
+  version = Gem.loaded_specs['rack'].version.to_s
+else
+  version = Rack.release + '.0'
+end
+
+if version == "1.3"
+  Rack::Session::Abstract::ID.class_eval do
+    private
+    def prepare_session(env)
+      session_was                  = env[ENV_SESSION_KEY]
+      env[ENV_SESSION_KEY]         = SessionHash.new(self, env)
+      env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+      env[ENV_SESSION_KEY].merge! session_was if session_was
+    end
+  end
+end
 
 module DummyApp
   def self.call(env)
@@ -25,7 +44,7 @@ module TestHelpers
       klass = described_class
       mock_app do
         use Rack::Head
-        use Rack::Session::Cookie
+        use(Rack::Config) { |e| e['rack.session'] ||= {}}
         use klass
         run app
       end
@@ -99,7 +118,7 @@ shared_examples_for 'any rack application' do
 
     mock_app do
       use Rack::Head
-      use Rack::Session::Cookie
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
       use detector
       use klass
       run DummyApp
@@ -126,7 +145,7 @@ shared_examples_for 'any rack application' do
 
     mock_app do
       use Rack::Head
-      use Rack::Session::Cookie
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
       use detector
       use klass
       use changer