spects for token checks
This commit is contained in:
parent
f644adcbeb
commit
239da7f642
3 changed files with 78 additions and 13 deletions
|
@ -2,10 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
|
||||||
|
|
||||||
describe Rack::Protection::AuthenticityToken do
|
describe Rack::Protection::AuthenticityToken do
|
||||||
it_behaves_like "any rack application"
|
it_behaves_like "any rack application"
|
||||||
it "denies post requests without any token"
|
|
||||||
it "accepts post requests with correct X-CSRF-Token header"
|
it "denies post requests without any token" do
|
||||||
it "denies post requests with wrong X-CSRF-Token header"
|
post('/').should_not be_ok
|
||||||
it "accepts post form requests with correct authenticity_token field"
|
end
|
||||||
it "denies post form requests with wrong authenticity_token field"
|
|
||||||
it "prevents ajax requests without a valid token"
|
it "accepts post requests with correct X-CSRF-Token header" do
|
||||||
|
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
|
||||||
|
last_response.should be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "denies post requests with wrong X-CSRF-Token header" do
|
||||||
|
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
|
||||||
|
last_response.should_not be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "accepts post form requests with correct authenticity_token field" do
|
||||||
|
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
|
||||||
|
last_response.should be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "denies post form requests with wrong authenticity_token field" do
|
||||||
|
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
|
||||||
|
last_response.should_not be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "prevents ajax requests without a valid token" do
|
||||||
|
post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
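Review bot: Every denial spec in this hunk ends in `should_not be_ok`, which a 500 raised inside the token check, or a redirect, would satisfy just as well as a proper rejection, so a middleware that crashes on a missing token still passes as "denies"; if rack-protection answers a rejected request with a fixed status, pin it alongside each denial, e.g. `last_response.status.should == 403` (which status it uses is not visible here — confirm against the middleware). The `denies post requests without any token` spec also only covers an empty session, so add the mirror case of a populated session and a request carrying no token at all, `post('/', {}, 'rack.session' => {:csrf => "a"}).should_not be_ok`, which is the shape a real cross-site form post takes once the user has a session. That this is authenticity_token_spec.rb is inferred from the `describe` line, as the file header is not shown.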
@ -2,8 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
|
||||||
|
|
||||||
describe Rack::Protection::FormToken do
|
describe Rack::Protection::FormToken do
|
||||||
it_behaves_like "any rack application"
|
it_behaves_like "any rack application"
|
||||||
it "denies post form requests without any token"
|
|
||||||
it "accepts post form requests with correct authenticity_token field"
|
it "denies post requests without any token" do
|
||||||
it "denies post form requests with wrong authenticity_token field"
|
post('/').should_not be_ok
|
||||||
it "accepts ajax requests without a valid token"
|
end
|
||||||
|
|
||||||
|
it "accepts post requests with correct X-CSRF-Token header" do
|
||||||
|
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
|
||||||
|
last_response.should be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "denies post requests with wrong X-CSRF-Token header" do
|
||||||
|
post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
|
||||||
|
last_response.should_not be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "accepts post form requests with correct authenticity_token field" do
|
||||||
|
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
|
||||||
|
last_response.should be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "denies post form requests with wrong authenticity_token field" do
|
||||||
|
post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
|
||||||
|
last_response.should_not be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it "accepts ajax requests without a valid token" do
|
||||||
|
post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
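Review bot: The `accepts ajax requests without a valid token` spec at the end of this hunk sends X-Requested-With with an empty session, so it shows the header exempts a request that has no token, but not whether it also overrides a token that is present and wrong; add `post('/', {"authenticity_token" => "b"}, 'rack.session' => {:csrf => "a"}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")` and assert whichever outcome FormToken intends, so the scope of the exemption is pinned rather than implied. Since that exemption is the only behavioural difference from the AuthenticityToken specs, it deserves a why-comment on the spec, something like `# presumably relies on a cross-site form post being unable to set X-Requested-With — confirm against the middleware`, stated as the assumption the middleware depends on rather than as fact. That this is form_token_spec.rb is inferred from the `describe` line.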
@ -1,6 +1,25 @@
|
||||||
require 'rack/protection'
|
require 'rack/protection'
|
||||||
require 'rack/test'
|
require 'rack/test'
|
||||||
require 'forwardable'
|
require 'forwardable'
|
||||||
|
require 'stringio'
|
||||||
|
|
||||||
|
if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
|
||||||
|
version = Gem.loaded_specs['rack'].version.to_s
|
||||||
|
else
|
||||||
|
version = Rack.release + '.0'
|
||||||
|
end
|
||||||
|
|
||||||
|
if version == "1.3"
|
||||||
|
Rack::Session::Abstract::ID.class_eval do
|
||||||
|
private
|
||||||
|
def prepare_session(env)
|
||||||
|
session_was = env[ENV_SESSION_KEY]
|
||||||
|
env[ENV_SESSION_KEY] = SessionHash.new(self, env)
|
||||||
|
env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
|
||||||
|
env[ENV_SESSION_KEY].merge! session_was if session_was
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
module DummyApp
|
module DummyApp
|
||||||
def self.call(env)
|
def self.call(env)
|
||||||
|
@ -25,7 +44,7 @@ module TestHelpers
|
||||||
klass = described_class
|
klass = described_class
|
||||||
mock_app do
|
mock_app do
|
||||||
use Rack::Head
|
use Rack::Head
|
||||||
use Rack::Session::Cookie
|
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||||
use klass
|
use klass
|
||||||
run app
|
run app
|
||||||
end
|
end
|
||||||
|
@ -99,7 +118,7 @@ shared_examples_for 'any rack application' do
|
||||||
|
|
||||||
mock_app do
|
mock_app do
|
||||||
use Rack::Head
|
use Rack::Head
|
||||||
use Rack::Session::Cookie
|
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||||
use detector
|
use detector
|
||||||
use klass
|
use klass
|
||||||
run DummyApp
|
run DummyApp
|
||||||
|
@ -126,7 +145,7 @@ shared_examples_for 'any rack application' do
|
||||||
|
|
||||||
mock_app do
|
mock_app do
|
||||||
use Rack::Head
|
use Rack::Head
|
||||||
use Rack::Session::Cookie
|
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
||||||
use detector
|
use detector
|
||||||
use klass
|
use klass
|
||||||
use changer
|
use changer
|
||||||
|
|
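Review bot: The guard `if version == "1.3"` in the first hunk compares against a two-component string, but both branches feeding it produce a longer one — `Gem.loaded_specs['rack'].version.to_s` yields something like "1.3.0" and the fallback is literally `Rack.release + '.0'` — so the `prepare_session` patch looks unreachable unless rack is installed under a bare "1.3" version; `if version.start_with?('1.3.')` (or comparing `Rack.release` itself) would match what those branches actually return. Because the patch overrides a private method of `Rack::Session::Abstract::ID`, a comment naming the 1.3 behaviour it works around (the `session_was` merge suggests a pre-seeded `rack.session` was being discarded) would let the next reader decide when it can be dropped. The later hunks replace `Rack::Session::Cookie` with a plain Hash under `rack.session`, so no spec runs through a real session store any more; if the middleware reads `session[:csrf]` with a symbol key, a store that stringifies keys would behave differently and this stub would not reveal it, so keeping one spec on the real Cookie store is worth considering. The `mock_app` helpers those hunks sit in start outside the hunks, and that this file is spec_helper.rb is inferred from its contents.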