Automatically append CSRF tokens to requests.
Add the CSRF cookie and the `_csrfToken` POST field to requests when they are
not already defined. This lets developers focus on application code instead of
arranging for every test request to pass CSRF token validation.

Refs #7004
markstory committed Oct 7, 2015
1 parent 7df65e6 commit 0eb0457
Showing 2 changed files with 34 additions and 1 deletion.
9 changes: 9 additions & 0 deletions src/TestSuite/IntegrationTestCase.php
Expand Up @@ -21,6 +21,7 @@
use Cake\Routing\Router;
use Cake\TestSuite\Stub\Response;
use Cake\Utility\Hash;
use Cake\Utility\Text;
use Exception;
use PHPUnit_Exception;

Expand Down Expand Up @@ -344,6 +345,14 @@ protected function _buildRequest($url, $method, $data)
$session = Session::create($sessionConfig);
$session->write($this->_session);

$token = Text::uuid();
if ($method !== 'GET' && !isset($data['_csrfToken'])) {
$data['_csrfToken'] = $token;
}
if (!isset($this->_cookie['csrfToken'])) {
$this->_cookie['csrfToken'] = $token;
}

list ($url, $query) = $this->_url($url);
$props = [
'url' => $url,
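Review bot: When `$this->_cookie['csrfToken']` is already set — presumably by an earlier request in the same test, since the second `if` stores the generated token on the instance and nothing in the hunk clears it — the first `if` still injects a fresh `Text::uuid()` into `$data`, so the POST field and the cookie no longer match and the second request would fail CSRF validation rather than pass it. Seed the token from the existing cookie instead: `$token = isset($this->_cookie['csrfToken']) ? $this->_cookie['csrfToken'] : Text::uuid();`. The auto-fill also ignores an explicitly supplied `X-CSRF-Token` header (the existing `testRequestBuilding` sets one to `abc123`), so the generated cookie will not match it; a comment such as `// Only the cookie/_csrfToken pair is auto-filled; a test relying on the header must set the csrfToken cookie to the same value itself.` would save the next reader a debugging session. Because every non-GET request now carries a valid token, a test can no longer tell whether CSRF protection is actually enforced on a route, so tests asserting enforcement must pass a mismatched `_csrfToken` explicitly. The body of `_buildRequest` continues outside the hunk.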
26 changes: 25 additions & 1 deletion tests/TestCase/TestSuite/IntegrationTestCaseTest.php
Expand Up @@ -66,12 +66,36 @@ public function testRequestBuilding()

$this->assertEquals('abc123', $request->header('X-CSRF-Token'));
$this->assertEquals('tasks/add', $request->url);
$this->assertEquals(['split_token' => 'def345'], $request->cookies);
$this->assertArrayHasKey('split_token', $request->cookies);
$this->assertEquals('def345', $request->cookies['split_token']);
$this->assertEquals(['id' => '1', 'username' => 'mark'], $request->session()->read('User'));
$this->assertEquals('foo', $request->env('PHP_AUTH_USER'));
$this->assertEquals('bar', $request->env('PHP_AUTH_PW'));
}

/**
* Test request building adds csrf tokens
*
* @return void
*/
public function testRequestBuildingCsrfTokens()
{
$request = $this->_buildRequest('/tasks/add', 'POST', ['title' => 'First post']);

$this->assertArrayHasKey('csrfToken', $request->cookies);
$this->assertArrayHasKey('_csrfToken', $request->data);
$this->assertSame($request->cookies['csrfToken'], $request->data['_csrfToken']);

$this->cookie('csrfToken', '');
$request = $this->_buildRequest('/tasks/add', 'POST', [
'_csrfToken' => 'fale',
'title' => 'First post'
]);

$this->assertSame('', $request->cookies['csrfToken']);
$this->assertSame('fale', $request->data['_csrfToken']);
}

/**
* Test building a request, with query parameters
*
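Review bot: `testRequestBuildingCsrfTokens` does not cover the two cases where the auto-fill must stay out of the way: a GET request, whose `$data` must not gain `_csrfToken`, and a second POST in the same test after the cookie has already been stored on the instance. Adding `$request = $this->_buildRequest('/tasks', 'GET', []); $this->assertArrayNotHasKey('_csrfToken', $request->data);` and a repeated POST asserting `$request->cookies['csrfToken']` still equals `$request->data['_csrfToken']` would pin both, and the latter would expose a mismatch if the cookie is not reused. The second half of the test relies on `isset('')` being true so the explicit empty cookie survives; a one-line comment `// An explicitly set (even empty) cookie must be kept, not replaced by a generated token.` would make that intent clear, and `'fale'` reads like a typo for `'fake'`.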
