Merge branch 'ho-csrf-acceptence-tests'
a7217f1d37
2 changed files with 71 additions and 1 deletions
|
@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
describe "CSRF protection", ->
|
||||||
|
|
||||||
|
beforeEach ->
|
||||||
|
@user = new User()
|
||||||
|
@email = "test+#{Math.random()}@example.com"
|
||||||
|
@password = "password11"
|
||||||
|
|
||||||
|
afterEach ->
|
||||||
|
@user.full_delete_user(@email)
|
||||||
|
|
||||||
|
|
||||||
|
it 'should register with the csrf token', (done) ->
|
||||||
|
@user.request.get '/login', (err, res, body) =>
|
||||||
|
@user.getCsrfToken (error) =>
|
||||||
|
@user.request.post {
|
||||||
|
url: "/register"
|
||||||
|
json:
|
||||||
|
email: @email
|
||||||
|
password: @password
|
||||||
|
headers:{
|
||||||
|
"x-csrf-token": @user.csrfToken
|
||||||
|
}
|
||||||
|
}, (error, response, body) =>
|
||||||
|
expect(err?).to.equal false
|
||||||
|
expect(response.statusCode).to.equal 200
|
||||||
|
done()
|
||||||
|
|
||||||
|
it 'should fail with no csrf token', (done) ->
|
||||||
|
@user.request.get '/login', (err, res, body) =>
|
||||||
|
@user.getCsrfToken (error) =>
|
||||||
|
@user.request.post {
|
||||||
|
url: "/register"
|
||||||
|
json:
|
||||||
|
email: @email
|
||||||
|
password: @password
|
||||||
|
headers:{
|
||||||
|
"x-csrf-token": ""
|
||||||
|
}
|
||||||
|
}, (error, response, body) =>
|
||||||
|
expect(response.statusCode).to.equal 403
|
||||||
|
done()
|
||||||
|
|
||||||
|
it 'should fail with a stale csrf token', (done) ->
|
||||||
|
@user.request.get '/login', (err, res, body) =>
|
||||||
|
@user.getCsrfToken (error) =>
|
||||||
|
oldCsrfToken = @user.csrfToken
|
||||||
|
@user.request.get '/logout', (err, res, body) =>
|
||||||
|
@user.request.post {
|
||||||
|
url: "/register"
|
||||||
|
json:
|
||||||
|
email: @email
|
||||||
|
password: @password
|
||||||
|
headers:{
|
||||||
|
"x-csrf-token": oldCsrfToken
|
||||||
|
}
|
||||||
|
}, (error, response, body) =>
|
||||||
|
expect(response.statusCode).to.equal 403
|
||||||
|
done()
|
||||||
|
|
||||||
describe "LoginViaRegistration", ->
|
describe "LoginViaRegistration", ->
|
||||||
|
|
||||||
before (done) ->
|
before (done) ->
|
||||||
|
|
|
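Review bot: In 'should register with the csrf token', the assertion `expect(err?).to.equal false` placed in the POST callback reads `err` from the enclosing `@user.request.get '/login'` callback rather than the POST callback's own `error`, so a transport failure on the registration request itself is never checked; it should read `expect(error?).to.equal false`. The `error` argument of each `@user.getCsrfToken (error) =>` callback is also ignored in all three tests, so a failure to extract the token would only surface later as a status-code mismatch; an early `return done(error) if error?` would make that failure mode explicit. The two negative tests set `"x-csrf-token"` per request and appear to rely on that overriding the default header installed by `getCsrfToken`; a one-line comment stating that intent would help a reader who wonders why the empty or stale value wins over `@request.defaults`.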
@ -83,6 +83,16 @@ class User
|
||||||
features = settings.defaultFeatures
|
features = settings.defaultFeatures
|
||||||
db.users.update {_id: ObjectId(@id)}, { $set: { features: features }}, callback
|
db.users.update {_id: ObjectId(@id)}, { $set: { features: features }}, callback
|
||||||
|
|
||||||
|
full_delete_user: (email, callback = (error) ->) ->
|
||||||
|
db.users.findOne {email: email}, (error, user) =>
|
||||||
|
if !user?
|
||||||
|
return callback()
|
||||||
|
user_id = user._id
|
||||||
|
db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
|
||||||
|
if err?
|
||||||
|
callback(err)
|
||||||
|
db.users.remove {_id: ObjectId(user_id)}, callback
|
||||||
|
|
||||||
createProject: (name, callback = (error, project_id) ->) ->
|
createProject: (name, callback = (error, project_id) ->) ->
|
||||||
@request.post {
|
@request.post {
|
||||||
url: "/project/new",
|
url: "/project/new",
|
||||||
|
@ -136,9 +146,10 @@ class User
|
||||||
csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
|
csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
|
||||||
if !csrfMatches?
|
if !csrfMatches?
|
||||||
return callback(new Error("no csrf token found"))
|
return callback(new Error("no csrf token found"))
|
||||||
|
@csrfToken = csrfMatches[1]
|
||||||
@request = @request.defaults({
|
@request = @request.defaults({
|
||||||
headers:
|
headers:
|
||||||
"x-csrf-token": csrfMatches[1]
|
"x-csrf-token": @csrfToken
|
||||||
})
|
})
|
||||||
callback()
|
callback()
|
||||||
|
|
||||||
|
|
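Review bot: In `full_delete_user`, the error branch `if err?` / `callback(err)` has no `return`, so when the projects removal fails the callback is invoked with the error and then invoked a second time by `db.users.remove {_id: ObjectId(user_id)}, callback`, which also deletes the user document despite the reported failure; change it to `return callback(err)`. The enclosing `class User` starts outside the hunk. In the second hunk, `@request = @request.defaults(...)` re-wraps the request object on every `getCsrfToken` call; presumably the most recently set token wins, but that depends on how the request library merges layered defaults, so a comment such as `# NOTE: each call adds another defaults layer — confirm the newest x-csrf-token takes precedence` would help.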