mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
added csrf acceptence tests
This commit is contained in:
parent
9c4dc40abf
commit
d4b0c740c2
2 changed files with 72 additions and 1 deletions
|
@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
|
|||
)
|
||||
|
||||
|
||||
describe "CSRF protection", ->
|
||||
|
||||
beforeEach ->
|
||||
@user = new User()
|
||||
@email = "test+#{Math.random()}@example.com"
|
||||
@password = "password11"
|
||||
|
||||
afterEach ->
|
||||
@user.full_delete_user(@email)
|
||||
|
||||
|
||||
it 'should register with the csrf token', (done) ->
|
||||
@user.request.get '/login', (err, res, body) =>
|
||||
@user.getCsrfToken (error) =>
|
||||
@user.request.post {
|
||||
url: "/register"
|
||||
json:
|
||||
email: @email
|
||||
password: @password
|
||||
headers:{
|
||||
"x-csrf-token": @user.csrfToken
|
||||
}
|
||||
}, (error, response, body) =>
|
||||
expect(err?).to.equal false
|
||||
expect(response.statusCode).to.equal 200
|
||||
done()
|
||||
|
||||
it 'should fail with no csrf token', (done) ->
|
||||
@user.request.get '/login', (err, res, body) =>
|
||||
@user.getCsrfToken (error) =>
|
||||
@user.request.post {
|
||||
url: "/register"
|
||||
json:
|
||||
email: @email
|
||||
password: @password
|
||||
headers:{
|
||||
"x-csrf-token": ""
|
||||
}
|
||||
}, (error, response, body) =>
|
||||
expect(response.statusCode).to.equal 403
|
||||
done()
|
||||
|
||||
it 'should fail with a stale csrf token', (done) ->
|
||||
@user.request.get '/login', (err, res, body) =>
|
||||
@user.getCsrfToken (error) =>
|
||||
oldCsrfToken = @user.csrfToken
|
||||
@user.request.get '/logout', (err, res, body) =>
|
||||
@user.request.post {
|
||||
url: "/register"
|
||||
json:
|
||||
email: @email
|
||||
password: @password
|
||||
headers:{
|
||||
"x-csrf-token": oldCsrfToken
|
||||
}
|
||||
}, (error, response, body) =>
|
||||
expect(response.statusCode).to.equal 403
|
||||
done()
|
||||
|
||||
describe "LoginViaRegistration", ->
|
||||
|
||||
before (done) ->
|
||||
|
|
|
@ -51,6 +51,17 @@ class User
|
|||
ensure_admin: (callback = (error) ->) ->
|
||||
db.users.update {_id: ObjectId(@id)}, { $set: { isAdmin: true }}, callback
|
||||
|
||||
|
||||
full_delete_user: (email, callback = (error) ->) ->
|
||||
db.users.findOne {email: email}, (error, user) =>
|
||||
if !user?
|
||||
return callback()
|
||||
user_id = user._id
|
||||
db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
|
||||
if err?
|
||||
callback(err)
|
||||
db.users.remove {_id: ObjectId(user_id)}, callback
|
||||
|
||||
createProject: (name, callback = (error, project_id) ->) ->
|
||||
@request.post {
|
||||
url: "/project/new",
|
||||
|
@ -104,9 +115,10 @@ class User
|
|||
csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
|
||||
if !csrfMatches?
|
||||
return callback(new Error("no csrf token found"))
|
||||
@csrfToken = csrfMatches[1]
|
||||
@request = @request.defaults({
|
||||
headers:
|
||||
"x-csrf-token": csrfMatches[1]
|
||||
"x-csrf-token": @csrfToken
|
||||
})
|
||||
callback()
|
||||
|
||||
|
|
Loading…
Reference in a new issue