Commit 46b41187 authored by Shane Kilkelly's avatar Shane Kilkelly

add csrf acceptance test

parent 34095bc4
......@@ -15,6 +15,36 @@ describe "Sessions", ->
(cb) => @user1.logout cb
], done
describe "csrf invalidation", ->
before ->
@token = null
it 'should not accept csrf token from a previous session', (done) ->
async.series(
[
(cb) => @user1.login cb
, (cb) =>
@user1.getCsrfToken (err, token) =>
@token = token
cb()
, (cb) => @user1.logout cb
, (cb) => @user1.login cb
, (cb) =>
request.post {
url: "/project/new",
json:
projectName: "Shouldn't be created"
headers:
"x-csrf-token": @token
}, (error, response, body) ->
expect(error).to.not.exist
expect(response.statusCode).to.equal 403
cb()
], (err, result) =>
expect(err).to.not.exist
done()
)
describe "one session", ->
it "should have one session in UserSessions set", (done) ->
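Review bot: The single `expect(response.statusCode).to.equal 403` cannot distinguish a CSRF rejection from any other 403 — in particular, the POST uses the bare `request` module rather than `@user1.request`, and it is not clear from the hunk whether that client shares @user1's cookie jar; if it does not, the request is simply unauthenticated and the test passes for the wrong reason. Add a positive control in the same series: after the second login, fetch a fresh token with `@user1.getCsrfToken (err, fresh) =>` and POST `/project/new` with it, expecting a non-403 status, and send both requests through the same client so the token is the only variable. A 403 also does not prove the handler never ran, so asserting afterward that no project named "Shouldn't be created" exists would make the test stronger. The enclosing `describe "Sessions"` block starts before this hunk.
```coffeescript
# … unchanged: login / getCsrfToken / logout / login / stale-token POST steps …
, (cb) =>
  # positive control: a token minted by the current session must be accepted,
  # otherwise the 403 above could come from an unauthenticated request
  @user1.getCsrfToken (err, fresh) =>
    expect(err).to.not.exist
    @user1.request.post {
      url: "/project/new"
      json:
        projectName: "Created with a fresh token"
      headers:
        "x-csrf-token": fresh
    }, (error, response, body) ->
      expect(error).to.not.exist
      expect(response.statusCode).to.not.equal 403
      cb()
```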
......@@ -128,7 +128,7 @@ class User
return callback(error) if error?
callback(null)
getCsrfToken: (callback = (error) ->) ->
getCsrfToken: (callback = (error, token) ->) ->
@request.get {
url: "/register"
}, (err, response, body) =>
......@@ -140,7 +140,7 @@ class User
headers:
"x-csrf-token": csrfMatches[1]
})
callback()
callback(null, csrfMatches[1])
changePassword: (callback = (error) ->) ->
@getCsrfToken (error) =>
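Review bot: The new `callback(null, csrfMatches[1])` hands the token to callers without guarding `csrfMatches`; if `/register` renders without a token (or its markup changes), the match is null and indexing it throws inside the request callback instead of reporting an error, which the new acceptance test would see as an uncaught exception rather than a clear failure. The match itself presumably sits between the two hunks (around lines 133–139), so guard it before the headers assignment: `return callback(new Error("csrf token not found on /register")) unless csrfMatches?`. It would also help to state the contract next to the signature in the first hunk, e.g. `# GET /register, install the token as the default x-csrf-token header on @request, then yield it as callback(err, token)`, since callers now rely on both side effects. getCsrfToken begins in the first hunk and changePassword continues past the end of the second.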