2016-06-28 22:50:43 +00:00
|
|
|
require "../spec_helper"
|
|
|
|
|
|
|
|
describe "Kemal::Middleware::CSRF" do
|
|
|
|
|
|
|
|
it "sends GETs to next handler" do
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("GET", "/")
|
|
|
|
io_with_context = create_request_and_return_io(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io_with_context, decompress: false)
|
|
|
|
client_response.status_code.should eq 404
|
|
|
|
end
|
|
|
|
|
|
|
|
it "blocks POSTs without the token" do
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("POST", "/")
|
|
|
|
io_with_context = create_request_and_return_io(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io_with_context, decompress: false)
|
|
|
|
client_response.status_code.should eq 403
|
|
|
|
end
|
|
|
|
|
|
|
|
it "allows POSTs with the correct token in FORM submit" do
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("POST", "/",
|
|
|
|
body: "authenticity_token=cemal&hasan=lamec",
|
|
|
|
headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded"})
|
|
|
|
io, context = process_request(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io, decompress: false)
|
|
|
|
client_response.status_code.should eq 403
|
|
|
|
|
|
|
|
current_token = context.session["csrf"]
|
|
|
|
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("POST", "/",
|
|
|
|
body: "authenticity_token=#{current_token}&hasan=lamec",
|
|
|
|
headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded",
|
|
|
|
"Set-Cookie" => client_response.headers["Set-Cookie"]})
|
|
|
|
io, context = process_request(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io, decompress: false)
|
|
|
|
client_response.status_code.should eq 404
|
|
|
|
end
|
|
|
|
|
|
|
|
it "allows POSTs with the correct token in HTTP header" do
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("POST", "/",
|
|
|
|
body: "hasan=lamec",
|
|
|
|
headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded"})
|
|
|
|
io, context = process_request(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io, decompress: false)
|
|
|
|
client_response.status_code.should eq 403
|
|
|
|
|
|
|
|
current_token = context.session["csrf"]
|
|
|
|
|
|
|
|
handler = Kemal::Middleware::CSRF.new
|
|
|
|
request = HTTP::Request.new("POST", "/",
|
|
|
|
body: "hasan=lamec",
|
|
|
|
headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded",
|
|
|
|
"Set-Cookie" => client_response.headers["Set-Cookie"],
|
2016-06-29 21:52:47 +00:00
|
|
|
"x-csrf-token" => current_token })
|
2016-06-28 22:50:43 +00:00
|
|
|
io, context = process_request(handler, request)
|
|
|
|
client_response = HTTP::Client::Response.from_io(io, decompress: false)
|
|
|
|
client_response.status_code.should eq 404
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def process_request(handler, request)
|
|
|
|
io = MemoryIO.new
|
|
|
|
response = HTTP::Server::Response.new(io)
|
|
|
|
context = HTTP::Server::Context.new(request, response)
|
|
|
|
handler.call(context)
|
|
|
|
response.close
|
|
|
|
io.rewind
|
|
|
|
{io, context}
|
|
|
|
end
|