From e109c4bbfdc03b57a177eeea8162d998edd3f4ac Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Mon, 20 Jun 2011 15:47:43 +0200
Subject: [PATCH] pending specs for remote token

---
 rack-protection/spec/remote_token_spec.rb | 44 +++++++++++++++++++----
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/rack-protection/spec/remote_token_spec.rb b/rack-protection/spec/remote_token_spec.rb
index c9e2f7af..e1abf847 100644
--- a/rack-protection/spec/remote_token_spec.rb
+++ b/rack-protection/spec/remote_token_spec.rb
@@ -2,11 +2,41 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::RemoteToken do
   it_behaves_like "any rack application"
-  it "accepts post requests with no referrer"
-  it "accepts post requests with a local referrer"
-  it "denies post requests with a remote referrer and no token"
-  it "accepts post requests with a remote referrer and correct X-CSRF-Token header"
-  it "denies post requests with a remote referrer and wrong X-CSRF-Token header"
-  it "accepts post form requests with a remote referrer and correct authenticity_token field"
-  it "denies post form requests with a remote referrer and wrong authenticity_token field"
+
+  it "accepts post requests with no referrer" do
+    post('/').should be_ok
+  end
+
+  it "accepts post requests with a local referrer" do
+    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
+  end
+
+  it "denies post requests with a remote referrer and no token" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+    last_response.should_not be_ok
+  end
+
+  it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with a remote referrer and correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with a remote referrer and wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
 end