Skip to content
This repository has been archived by the owner on May 16, 2021. It is now read-only.

Commit

Permalink
pending specs for remote token
Browse files Browse the repository at this point in the history
  • Loading branch information
@rkh
rkh committed Jun 20, 2011
1 parent ef5add5 commit 6b16b40
Showing 1 changed file with 37 additions and 7 deletions.
44 changes: 37 additions & 7 deletions spec/remote_token_spec.rb
View file
Expand Up @@ -2,11 +2,41 @@

describe Rack::Protection::RemoteToken do
it_behaves_like "any rack application"
it "accepts post requests with no referrer"
it "accepts post requests with a local referrer"
it "denies post requests with a remote referrer and no token"
it "accepts post requests with a remote referrer and correct X-CSRF-Token header"
it "denies post requests with a remote referrer and wrong X-CSRF-Token header"
it "accepts post form requests with a remote referrer and correct authenticity_token field"
it "denies post form requests with a remote referrer and wrong authenticity_token field"

it "accepts post requests with no referrer" do
post('/').should be_ok
end

it "accepts post requests with a local referrer" do
post('/', {}, 'HTTP_REFERER' => '/').should be_ok
end

it "denies post requests with a remote referrer and no token" do
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
last_response.should_not be_ok
end

it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
last_response.should be_ok
end

it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
last_response.should_not be_ok
end

it "accepts post form requests with a remote referrer and correct authenticity_token field" do
post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
last_response.should be_ok
end

it "denies post form requests with a remote referrer and wrong authenticity_token field" do
post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
last_response.should_not be_ok
end
end

0 comments on commit 6b16b40

Please sign in to comment.