// 3p
import * as request from 'supertest';
// FoalTS
import {
controller,
createApp,
HttpResponseCreated,
HttpResponseOK,
Post,
} from '@foal/core';
import { CsrfTokenRequired, getCsrfToken, setCsrfCookie } from '@foal/csrf';
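describe('[CSRF|spa and api|stateless] Users', () => {
  // The Express app under test, created once in `before`.
  let app;
  // Token obtained by the login test and reused by the later tests;
  // the cases below therefore rely on Mocha running them in file order.
  let csrfToken: string;

  // Cookie that carries the CSRF token. The same name is configured for
  // @foal/csrf through SETTINGS_CSRF_COOKIE_NAME in `before`, so the
  // tests and the hook cannot drift apart.
  const csrfCookieName = '_csrf';

  /**
   * Extracts the value of the cookie called `name` from a `Set-Cookie`
   * header list.
   *
   * @param setCookieHeaders - The raw `Set-Cookie` header(s) of a response.
   * @param name - The cookie name to look for (matched as a full name, not a substring).
   * @returns The cookie value, without its attributes (`Path`, `HttpOnly`, ...).
   * @throws Error when no cookie of that name is present, so a missing cookie
   *   shows up as a readable assertion failure instead of a TypeError.
   */
  function getCookieValue(setCookieHeaders: readonly string[] | string | undefined, name: string): string {
    const headers: readonly string[] = Array.isArray(setCookieHeaders)
      ? setCookieHeaders
      : typeof setCookieHeaders === 'string' ? [setCookieHeaders] : [];
    const prefix = `${name}=`;
    const cookie = headers.find(header => header.startsWith(prefix));
    if (cookie === undefined) {
      throw new Error(`Cookie "${name}" not found in Set-Cookie headers: ${JSON.stringify(headers)}`);
    }
    // Everything before the first ';' is the value; the rest are attributes.
    return cookie.slice(prefix.length).split(';')[0];
  }

  class AuthController {
    @Post('/login')
    async login() {
      const response = new HttpResponseOK();
      // Stateless flow: the token is handed to the client as a cookie only.
      setCsrfCookie(response, await getCsrfToken());
      return response;
    }
  }

  // Double-submit mode: the hook compares the cookie value with the token
  // sent back in the request (here via the X-CSRF-TOKEN header).
  @CsrfTokenRequired({ doubleSubmitCookie: true })
  class ApiController {
    @Post('/products')
    createProduct() {
      return new HttpResponseCreated();
    }
  }

  class AppController {
    subControllers = [
      AuthController,
      controller('/api', ApiController),
    ];
  }

  before(async () => {
    process.env.SETTINGS_CSRF_SECRET = 'csrf-secret';
    // Custom CSRF cookie name
    process.env.SETTINGS_CSRF_COOKIE_NAME = csrfCookieName;
    app = createApp(AppController);
  });

  after(async () => {
    delete process.env.SETTINGS_CSRF_SECRET;
    delete process.env.SETTINGS_CSRF_COOKIE_NAME;
  });

  it('can log in and get a CSRF token.', () => {
    return request(app)
      .post('/login')
      .expect(200)
      .then(response => {
        csrfToken = getCookieValue(response.header['set-cookie'], csrfCookieName);
      });
  });

  it('cannot access POST routes with no CSRF token.', () => {
    // Cookie present but no header: the double-submit check must reject it.
    return request(app)
      .post('/api/products')
      .set('Cookie', [`${csrfCookieName}=${csrfToken}`])
      .expect(403)
      .expect('Bad csrf token.');
  });

  it('cannot access POST routes when the header token does not match the cookie.', () => {
    // This is the case double-submit exists for: a request that carries the
    // cookie (sent automatically by browsers) but a header value the client
    // did not obtain from the login response. Only the status is asserted.
    return request(app)
      .post('/api/products')
      .set('Cookie', [`${csrfCookieName}=${csrfToken}`])
      .set('X-CSRF-TOKEN', `${csrfToken}x`)
      .expect(403);
  });

  it('can access POST routes with the CSRF token.', () => {
    return request(app)
      .post('/api/products')
      .set('Cookie', [`${csrfCookieName}=${csrfToken}`])
      .set('X-CSRF-TOKEN', csrfToken)
      .expect(201);
  });
});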