gitea/tests/integration/csrf_test.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"strings"
	"testing"

	"code.gitea.io/gitea/models/unittest"
	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

func TestCsrfProtection(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	// test web form csrf via form
	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	session := loginUser(t, user.Name)
	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
		"_csrf": "fake_csrf",
	})
	session.MakeRequest(t, req, http.StatusSeeOther)

	resp := session.MakeRequest(t, req, http.StatusSeeOther)
	loc := resp.Header().Get("Location")
	assert.Equal(t, setting.AppSubURL+"/", loc)
	resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
	htmlDoc := NewHTMLParser(t, resp.Body)
	assert.Equal(t, "Bad Request: invalid CSRF token",
		strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
	)

	// test web form csrf via header. TODO: should use an UI api to test
	req = NewRequest(t, "POST", "/user/settings")
	req.Header.Add("X-Csrf-Token", "fake_csrf")
	session.MakeRequest(t, req, http.StatusSeeOther)

	resp = session.MakeRequest(t, req, http.StatusSeeOther)
	loc = resp.Header().Get("Location")
	assert.Equal(t, setting.AppSubURL+"/", loc)
	resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
	htmlDoc = NewHTMLParser(t, resp.Body)
	assert.Equal(t, "Bad Request: invalid CSRF token",
		strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
	)
}
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 13:20:29 -05:00			`// SPDX-License-Identifier: MIT`
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`package integration`
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00
			`import (`
			`"net/http"`
			`"strings"`
			`"testing"`

			`"code.gitea.io/gitea/models/unittest"`
			`user_model "code.gitea.io/gitea/models/user"`
			`"code.gitea.io/gitea/modules/setting"`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`"code.gitea.io/gitea/tests"`
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00
			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestCsrfProtection(t *testing.T) {`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`defer tests.PrepareTestEnv(t)()`
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00
			`// test web form csrf via form`
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net> 2022-08-15 22:22:25 -04:00			`user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})`
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes. 2022-04-08 01:21:05 -04:00			`session := loginUser(t, user.Name)`
			`req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{`
			`"_csrf": "fake_csrf",`
			`})`
			`session.MakeRequest(t, req, http.StatusSeeOther)`

			`resp := session.MakeRequest(t, req, http.StatusSeeOther)`
			`loc := resp.Header().Get("Location")`
			`assert.Equal(t, setting.AppSubURL+"/", loc)`
			`resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)`
			`htmlDoc := NewHTMLParser(t, resp.Body)`
			`assert.Equal(t, "Bad Request: invalid CSRF token",`
			`strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),`
			`)`

			`// test web form csrf via header. TODO: should use an UI api to test`
			`req = NewRequest(t, "POST", "/user/settings")`
			`req.Header.Add("X-Csrf-Token", "fake_csrf")`
			`session.MakeRequest(t, req, http.StatusSeeOther)`

			`resp = session.MakeRequest(t, req, http.StatusSeeOther)`
			`loc = resp.Header().Get("Location")`
			`assert.Equal(t, setting.AppSubURL+"/", loc)`
			`resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)`
			`htmlDoc = NewHTMLParser(t, resp.Body)`
			`assert.Equal(t, "Bad Request: invalid CSRF token",`
			`strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),`
			`)`
			`}`