Merge pull request #1489 from sharelatex/spd-mendeley-csrf

Enforce use of csrf token in Mendeley / tpr OAuth

GitOrigin-RevId: b615ee195442123e0cd8ff19a864909ac2e6496d

services/web/app/coffee/infrastructure/Csrf.coffee

@@ -42,3 +42,15 @@ module.exports = class Csrf
 		# run a dummy csrf check to see if it returns an error
 		csrf req, null, (err) ->
 			cb(!err?)
+
+	@validateToken: (token, session, cb = (valid)->) ->
+		return cb(false) unless token?
+		# run a dummy csrf check to see if it returns an error
+		# use this to simulate a csrf check regardless of req method, headers &c.
+		req =
+			body:
+				_csrf: token
+			headers: {}
+			method: 'POST'
+			session: session
+		Csrf.validateRequest(req, cb)

services/web/test/unit/coffee/infrastructure/CsrfTests.coffee

@@ -89,3 +89,26 @@ describe "Csrf", ->
 				@cb = sinon.stub()
 				@Csrf.validateRequest(@req, @cb)
 				expect(@cb.calledWith(true)).to.equal true
+
+	describe 'validateToken', ->
+		describe 'when the request is invalid', ->
+			it 'calls the callback with `false`', ->
+				@cb = sinon.stub()
+				@Csrf.validateToken('token', {}, @cb)
+				expect(@cb.calledWith(false)).to.equal true
+
+		describe 'when the request is valid', ->
+			it 'calls the callback with `true`', ->
+				@Csrf = SandboxedModule.require modulePath, requires:
+					csurf: @csurf = sinon.stub().returns(@csurf_csrf = sinon.stub().callsArg(2))
+				@cb = sinon.stub()
+				@Csrf.validateToken('goodtoken', {}, @cb)
+				expect(@cb.calledWith(true)).to.equal true
+
+		describe 'when there is no token', ->
+			it 'calls the callback with `false`', ->
+				@Csrf = SandboxedModule.require modulePath, requires:
+					csurf: @csurf = sinon.stub().returns(@csurf_csrf = sinon.stub().callsArg(2))
+				@cb = sinon.stub()
+				@Csrf.validateToken(null, {}, @cb)
+				expect(@cb.calledWith(false)).to.equal true