added csrf acceptence tests

This commit is contained in:
Henry Oswald 2017-08-29 17:45:16 +01:00
parent 9c4dc40abf
commit d4b0c740c2
2 changed files with 72 additions and 1 deletions

View file

@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
)
describe "CSRF protection", ->
beforeEach ->
@user = new User()
@email = "test+#{Math.random()}@example.com"
@password = "password11"
afterEach ->
@user.full_delete_user(@email)
it 'should register with the csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": @user.csrfToken
}
}, (error, response, body) =>
expect(err?).to.equal false
expect(response.statusCode).to.equal 200
done()
it 'should fail with no csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": ""
}
}, (error, response, body) =>
expect(response.statusCode).to.equal 403
done()
it 'should fail with a stale csrf token', (done) ->
@user.request.get '/login', (err, res, body) =>
@user.getCsrfToken (error) =>
oldCsrfToken = @user.csrfToken
@user.request.get '/logout', (err, res, body) =>
@user.request.post {
url: "/register"
json:
email: @email
password: @password
headers:{
"x-csrf-token": oldCsrfToken
}
}, (error, response, body) =>
expect(response.statusCode).to.equal 403
done()
describe "LoginViaRegistration", ->
before (done) ->

View file

@ -51,6 +51,17 @@ class User
ensure_admin: (callback = (error) ->) ->
db.users.update {_id: ObjectId(@id)}, { $set: { isAdmin: true }}, callback
full_delete_user: (email, callback = (error) ->) ->
db.users.findOne {email: email}, (error, user) =>
if !user?
return callback()
user_id = user._id
db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
if err?
callback(err)
db.users.remove {_id: ObjectId(user_id)}, callback
createProject: (name, callback = (error, project_id) ->) ->
@request.post {
url: "/project/new",
@ -104,9 +115,10 @@ class User
csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
if !csrfMatches?
return callback(new Error("no csrf token found"))
@csrfToken = csrfMatches[1]
@request = @request.defaults({
headers:
"x-csrf-token": csrfMatches[1]
"x-csrf-token": @csrfToken
})
callback()