
Add valid + invalid tests for CSRF tokens.

markstory committed Nov 6, 2013
1 parent 0e21687 commit 9d62f2d16678b12cddaf9130aaa16e265a4fd604
Showing with 94 additions and 0 deletions.
  1. +94 −0 Cake/Test/TestCase/Controller/Component/CsrfComponentTest.php
@@ -68,6 +68,100 @@ public function testSettingCookie() {
$this->assertNotEmpty($cookie, 'Should set a token.');
$this->assertRegExp('/^[a-f0-9]+$/', $cookie['value'], 'Should look like a hash.');
$this->assertEquals(0, $cookie['expiry'], 'session duration.');
$this->assertEquals('/dir', $cookie['path'], 'session path.');
}
/**
* Data provider for HTTP method tests.
*
* @return void
*/
public static function httpMethodProvider() {
return [
['PATCH'], ['PUT'], ['POST'], ['DELETE']
];
}
/**
* Test that the X-CSRF-Token works with the various http methods.
*
* @dataProvider httpMethodProvider
* @return void
*/
public function testValidTokenInHeader($method) {
$_SERVER['REQUEST_METHOD'] = $method;
$_SERVER['HTTP_X_CSRF_TOKEN'] = 'testing123';
$controller = $this->getMock('Cake\Controller\Controller');
$controller->request = new Request(['cookies' => ['csrfToken' => 'testing123']]);
$controller->response = new Response();
$event = new Event('Controller.startup', $controller);
$result = $this->component->startUp($event);
$this->assertNull($result, 'No exception means valid.');
}
/**
* Test that the X-CSRF-Token works with the various http methods.
*
* @dataProvider httpMethodProvider
* @expectedException Cake\Error\ForbiddenException
* @return void
*/
public function testInvalidTokenInHeader($method) {
$_SERVER['REQUEST_METHOD'] = $method;
$_SERVER['HTTP_X_CSRF_TOKEN'] = 'nope';
$controller = $this->getMock('Cake\Controller\Controller');
$controller->request = new Request([
'cookies' => ['csrfToken' => 'testing123']
]);
$controller->response = new Response();
$event = new Event('Controller.startup', $controller);
$this->component->startUp($event);
}
/**
* Test that request data works with the various http methods.
*
* @dataProvider httpMethodProvider
* @return void
*/
public function testValidTokenRequestData($method) {
$_SERVER['REQUEST_METHOD'] = $method;
$controller = $this->getMock('Cake\Controller\Controller');
$controller->request = new Request([
'post' => ['_csrfToken' => 'testing123'],
'cookies' => ['csrfToken' => 'testing123']
]);
$controller->response = new Response();
$event = new Event('Controller.startup', $controller);
$result = $this->component->startUp($event);
$this->assertNull($result, 'No exception means valid.');
}
/**
* Test that request data works with the various http methods.
*
* @dataProvider httpMethodProvider
* @expectedException Cake\Error\ForbiddenException
* @return void
*/
public function testInvalidTokenRequestData($method) {
$_SERVER['REQUEST_METHOD'] = $method;
$controller = $this->getMock('Cake\Controller\Controller');
$controller->request = new Request([
'post' => ['_csrfToken' => 'nope'],
'cookies' => ['csrfToken' => 'testing123']
]);
$controller->response = new Response();
$event = new Event('Controller.startup', $controller);
$this->component->startUp($event);
}
}
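Review bot: The four new tests assign `$_SERVER['REQUEST_METHOD']` and `$_SERVER['HTTP_X_CSRF_TOKEN']` but never reset them, so the `'nope'` header written by testInvalidTokenInHeader is still in `$_SERVER` when testValidTokenRequestData runs; unless a tearDown outside this hunk clears it, that test's outcome depends on whether the component consults POST data before the header rather than on the data it sets up, so add `unset($_SERVER['HTTP_X_CSRF_TOKEN']);` to tearDown (or at the end of each header test). The docblock of httpMethodProvider says `@return void` although it returns an array; change it to `@return array`. The docblocks of testInvalidTokenInHeader and testInvalidTokenRequestData are copied from their "valid" counterparts and state the opposite of what they check; a wording like ` * Test that a mismatched X-CSRF-Token header is rejected for each http method.` (and the same for request data) would tell a reader what the expected exception is for. None of the added cases covers a request that carries no token at all, or no cookie at all — the combinations where a plain equality check could accidentally accept empty-against-empty — so a provider-driven case expecting ForbiddenException for a missing header/post token and for a missing `csrfToken` cookie would close that gap.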
