Merge branch 'ho-csrf-acceptence-tests'

2024-11-21 20:47:08 -05:00 · 2017-09-15 13:50:17 +01:00 · 2017-09-15 13:50:17 +01:00 · a7217f1d37
commit a7217f1d37
parent adf211a226 d4b0c740c2
2 changed files with 71 additions and 1 deletions
--- a/services/web/test/acceptance/coffee/RegistrationTests.coffee
+++ b/services/web/test/acceptance/coffee/RegistrationTests.coffee
@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
 			)


+describe "CSRF protection", ->
+
+	beforeEach ->
+		@user = new User()
+		@email = "test+#{Math.random()}@example.com"
+		@password = "password11"
+
+	afterEach ->
+		@user.full_delete_user(@email)
+		
+
+	it 'should register with the csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				@user.request.post {
+					url: "/register"
+					json:
+						email: @email
+						password: @password
+					headers:{
+						"x-csrf-token": @user.csrfToken
+					}
+				}, (error, response, body) =>
+					expect(err?).to.equal false
+					expect(response.statusCode).to.equal 200
+					done()
+
+	it 'should fail with no csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				@user.request.post {
+					url: "/register"
+					json:
+						email: @email
+						password: @password
+					headers:{
+						"x-csrf-token": ""
+					}
+				}, (error, response, body) =>
+					expect(response.statusCode).to.equal 403
+					done()
+
+	it 'should fail with a stale csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				oldCsrfToken = @user.csrfToken
+				@user.request.get '/logout', (err, res, body) =>
+					@user.request.post {
+						url: "/register"
+						json:
+							email: @email
+							password: @password
+						headers:{
+							"x-csrf-token": oldCsrfToken
+						}
+					}, (error, response, body) =>
+						expect(response.statusCode).to.equal 403
+						done()
+
 describe "LoginViaRegistration", ->

 	before (done) ->
--- a/services/web/test/acceptance/coffee/helpers/User.coffee
+++ b/services/web/test/acceptance/coffee/helpers/User.coffee
@ -83,6 +83,16 @@ class User
 		features = settings.defaultFeatures
 		db.users.update {_id: ObjectId(@id)}, { $set: { features: features }}, callback

+	full_delete_user: (email, callback = (error) ->) ->
+		db.users.findOne {email: email}, (error, user) =>
+			if !user?
+				return callback()
+			user_id = user._id
+			db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
+				if err? 
+					callback(err)
+				db.users.remove {_id: ObjectId(user_id)}, callback
+
 	createProject: (name, callback = (error, project_id) ->) ->
 		@request.post {
 			url: "/project/new",
@ -136,9 +146,10 @@ class User
 			csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
 			if !csrfMatches?
 				return callback(new Error("no csrf token found"))
+			@csrfToken = csrfMatches[1]
 			@request = @request.defaults({
 				headers:
-					"x-csrf-token": csrfMatches[1]
+					"x-csrf-token": @csrfToken
 			})
 			callback()