swaf/test/CsrfProtectionComponent.test.ts

97 lines
3.1 KiB
TypeScript
Raw Permalink Normal View History

import supertest from "supertest";
import CsrfProtectionComponent from "../src/components/CsrfProtectionComponent.js";
import Controller from "../src/Controller.js";
import TestApp from "../src/TestApp.js";
import useApp from "./_app.js";
let app: TestApp;
useApp(async (addr, port) => {
return app = new class extends TestApp {
protected async init(): Promise<void> {
this.use(new class extends Controller {
public routes(): void {
this.get('/', (req, res) => {
res.send(this.getApp().as(CsrfProtectionComponent).getSessionCsrfToken(req.getSession()));
}, 'csrf_test');
this.post('/', (req, res) => {
res.json({
status: 'ok',
});
}, 'csrf_test');
}
}());
await super.init();
}
2021-11-08 00:52:33 +01:00
}('test', addr, port, true, false);
});
describe('Test CSRF protection', () => {
let cookies: string[];
let csrf: string;
test('no csrf token should be in session at first', (done) => {
const agent = supertest(app.getExpressApp());
agent.post('/')
.accept('json')
2020-10-01 14:01:35 +02:00
.expect(401)
.then(res => {
expect(res.text).toContain(`You weren't assigned any CSRF token.`);
cookies = res.get('Set-Cookie') || [];
agent.get('/')
.set('Cookie', cookies)
2020-10-01 14:01:35 +02:00
.expect(200)
.then(res => {
csrf = res.text;
done();
2020-10-01 14:01:35 +02:00
}).catch(done.fail);
}).catch(done.fail);
});
test('sending no csrf token should fail', (done) => {
expect(cookies).toBeDefined();
const agent = supertest(app.getExpressApp());
agent.post('/')
.accept('json')
.set('Cookie', cookies)
.expect(401)
2020-10-01 14:01:35 +02:00
.then((res) => {
expect(res.text).toContain(`You didn't provide any CSRF token.`);
done();
2020-10-01 14:01:35 +02:00
}).catch(done.fail);
});
test('sending an invalid csrf token should fail', (done) => {
expect(cookies).toBeDefined();
const agent = supertest(app.getExpressApp());
agent.post('/')
.accept('json')
.set('Cookie', cookies)
.set('Content-Type', 'application/json')
.send({csrf: 'not_a_valid_csrf'})
2020-10-01 14:01:35 +02:00
.expect(401)
.then(res => {
expect(res.text).toContain(`Tokens don't match.`);
done();
2020-10-01 14:01:35 +02:00
}).catch(done.fail);
});
test('sending a valid csrf token should success', (done) => {
expect(cookies).toBeDefined();
const agent = supertest(app.getExpressApp());
agent.post('/')
.set('Cookie', cookies)
.set('Content-Type', 'application/json')
.send({csrf: csrf})
2020-10-01 14:01:35 +02:00
.expect(200)
.then(() => done())
.catch(done.fail);
});
});