Skip to content
Snippets Groups Projects
Commit d65cbca2 authored by Henry Oswald's avatar Henry Oswald
Browse files

added csrf acceptence tests

parent e4afb11e
No related branches found
No related tags found
No related merge requests found
...@@ -69,6 +69,65 @@ describe "LoginRateLimit", -> ...@@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
) )
describe "CSRF protection", ->
beforeEach ->
@user = new User()
@email = "test+#{Math.random()}@example.com"
@password = "password11"
afterEach ->
@user.full_delete_user(@email)
it 'should register with the csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": @user.csrfToken
}
}, (error, response, body) =>
expect(err?).to.equal false
expect(response.statusCode).to.equal 200
done()
it 'should fail with no csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": ""
}
}, (error, response, body) =>
expect(response.statusCode).to.equal 403
done()
it 'should fail with a stale csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
oldCsrfToken = @user.csrfToken
@user.request.get '/logout', (err, res, body) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": oldCsrfToken
}
}, (error, response, body) =>
expect(response.statusCode).to.equal 403
done()
describe "LoginViaRegistration", -> describe "LoginViaRegistration", ->
before (done) -> before (done) ->
......
...@@ -51,6 +51,17 @@ class User ...@@ -51,6 +51,17 @@ class User
ensure_admin: (callback = (error) ->) -> ensure_admin: (callback = (error) ->) ->
db.users.update {_id: ObjectId(@id)}, { $set: { isAdmin: true }}, callback db.users.update {_id: ObjectId(@id)}, { $set: { isAdmin: true }}, callback
full_delete_user: (email, callback = (error) ->) ->
db.users.findOne {email: email}, (error, user) =>
if !user?
return callback()
user_id = user._id
db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
if err?
callback(err)
db.users.remove {_id: ObjectId(user_id)}, callback
createProject: (name, callback = (error, project_id) ->) -> createProject: (name, callback = (error, project_id) ->) ->
@request.post { @request.post {
url: "/project/new", url: "/project/new",
...@@ -104,9 +115,10 @@ class User ...@@ -104,9 +115,10 @@ class User
csrfMatches = body.match("window.csrfToken = \"(.*?)\";") csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
if !csrfMatches? if !csrfMatches?
return callback(new Error("no csrf token found")) return callback(new Error("no csrf token found"))
@csrfToken = csrfMatches[1]
@request = @request.defaults({ @request = @request.defaults({
headers: headers:
"x-csrf-token": csrfMatches[1] "x-csrf-token": @csrfToken
}) })
callback() callback()
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment