fix: pass csrf_token into calls to /register/abort, #11017
julianlam committed Nov 9, 2022
1 parent 55a197a commit 2f9d8c3
Showing 3 changed files with 8 additions and 5 deletions.
2 changes: 1 addition & 1 deletion test/api.js
Expand Up @@ -485,7 +485,7 @@ describe('API', async () => {
const affectedPaths = ['GET /api/user/{userslug}/edit/email'];
if (affectedPaths.includes(`${method.toUpperCase()} ${path}`)) {
await request({
uri: `${nconf.get('url')}/register/abort`,
uri: `${nconf.get('url')}/register/abort?_csrf=${csrfToken}`,
method: 'POST',
jar,
simple: false,
Expand Down
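Review bot: The new uri on the `/register/abort` request carries the CSRF token in the query string (`?_csrf=${csrfToken}`), which places a per-session secret into a URL that access logs and Referer headers can capture. If the server's CSRF middleware also reads the `x-csrf-token` request header, the same options object can carry it out of the URL: `uri: \`${nconf.get('url')}/register/abort\`,` followed by `headers: { 'x-csrf-token': csrfToken },`. The `csrfToken` binding and the rest of the `request({...})` call, including how its response is handled, lie outside the hunk, so this is a pattern concern for the test suite rather than a proven defect in this call.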
6 changes: 4 additions & 2 deletions test/controllers.js
Expand Up @@ -1237,8 +1237,10 @@ describe('Controllers', () => {

describe('account pages', () => {
let jar;
let csrf_token;

before(async () => {
({ jar } = await helpers.loginUser('foo', 'barbar'));
({ jar, csrf_token } = await helpers.loginUser('foo', 'barbar'));
});

it('should redirect to account page with logged in user', (done) => {
Expand Down Expand Up @@ -1802,7 +1804,7 @@ describe('Controllers', () => {
assert.strictEqual(res.body, '/register/complete');

await requestAsync({
uri: `${nconf.get('url')}/register/abort`,
uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
method: 'post',
jar,
simple: false,
Expand Down
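Review bot: The new `csrf_token` binding in the account-pages `before` hook is snake_case, while test/api.js in this same commit calls the same value `csrfToken`, so the two test files now spell one concept two ways. Because the snake_case name only reflects the key returned by `helpers.loginUser`, the destructuring can rename it at the binding site: `let csrfToken;` and `({ jar, csrf_token: csrfToken } = await helpers.loginUser('foo', 'barbar'));`, with `?_csrf=${csrfToken}` in the second hunk. The `requestAsync({...})` call in the second hunk continues beyond its last visible line.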
5 changes: 3 additions & 2 deletions test/user.js
Expand Up @@ -814,6 +814,7 @@ describe('User', () => {
describe('profile methods', () => {
let uid;
let jar;
let csrf_token;

before(async () => {
const newUid = await User.create({ username: 'updateprofile', email: 'update@me.com', password: '123456' });
Expand All @@ -822,7 +823,7 @@ describe('User', () => {
await User.setUserField(uid, 'email', 'update@me.com');
await User.email.confirmByUid(uid);

({ jar } = await helpers.loginUser('updateprofile', '123456'));
({ jar, csrf_token } = await helpers.loginUser('updateprofile', '123456'));
});

it('should return error if not logged in', async () => {
Expand Down Expand Up @@ -1287,7 +1288,7 @@ describe('User', () => {

// Accessing this page will mark the user's account as needing an updated email, below code undo's.
await requestAsync({
uri: `${nconf.get('url')}/register/abort`,
uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
jar,
method: 'POST',
simple: false,
Expand Down
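Review bot: The `/register/abort` request in the second hunk is sent with `simple: false`, so a non-2xx reply — for instance a 403 if the appended `_csrf` value were rejected — would not fail the test, and the account would silently stay flagged as needing an email update, which is exactly the state the comment above the call says this request is meant to undo. Unless the reply is already checked below the hunk, it is worth capturing it and asserting on the status, e.g. `const res = await requestAsync({ ..., resolveWithFullResponse: true });` followed by an assertion that `res.statusCode` is the expected success or redirect code rather than 403. The `requestAsync({...})` call and the enclosing `it` block run past the end of the hunk, so the existing handling of the reply is not visible here.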
