use strict;
use warnings;
use Test::More;
{
    package TestApp;
    use Ark;

    use_plugins qw(
        Session
        Session::State::Cookie
        Session::Store::Memory
        CSRFDefender
    );

    config 'Plugin::Session::State::Cookie' => { cookie_expires => '+3d' };

    # Non-default plugin options under test: a custom error response and
    # validate_only, which the tests below rely on for /test_set not being
    # rejected automatically.
    config 'Plugin::CSRFDefender' => {
        error_code    => 400,
        error_output  => 'ERROR!',
        validate_only => 1,
    };

    package TestApp::Controller::Root;
    use Ark 'Controller';

    has '+namespace' => (default => '');

    # Seeds the session with a fixed token so later requests can present it.
    sub test_set :Local {
        my ($self, $c) = @_;
        $c->session->set('csrf_token', 'dummy');
    }

    # Drops the session token and renders a bare form.
    sub test_get :Local {
        my ($self, $c) = @_;
        $c->session->remove('csrf_token');
        $c->res->body('<form></form>');
    }

    # Validates the token explicitly; on mismatch hands off to the plugin's
    # error handler and stops, so 'OK' is only rendered for a valid token.
    sub raise_error :Local {
        my ($self, $c) = @_;
        unless ($c->validate_csrf_token) {
            $c->forward_csrf_error;
            $c->detach;
        }
        $c->res->body('OK');
    }
}
use Ark::Test 'TestApp',
    components       => [qw(Controller::Root)],
    reuse_connection => 1;

# Seed the session with the known token before any assertion runs.
# reuse_connection => 1 is what lets later requests see the token seeded
# here -- presumably via the shared session cookie; confirm against Ark::Test.
ctx_get('/test_set');
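subtest 'validate_ok' => sub {
    # The session token was seeded as 'dummy' by /test_set above, so a
    # matching query-string token must validate for every method, GET
    # included. Descriptions name the method so a failure inside the loop
    # is attributable.
    for my $method (qw(GET POST PUT DELETE)) {
        my ($res, $c) = ctx_request($method => '/test_set?csrf_token=dummy');
        is $c->validate_csrf_token, 1, "$method with matching token validates";
    }
};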
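subtest 'validate NG' => sub {
    # NOTE(review): the token is only ever supplied via the query string in
    # this file; delivery in the request body or a header is not exercised.

    # /test_set never checks the token itself, and with validate_only => 1 in
    # the app config the plugin is not expected to reject on its own, so the
    # response still completes with 200 even though validation fails.
    for my $method (qw(POST PUT DELETE)) {
        my ($res, $c) = ctx_request($method => '/test_set?csrf_token=fuga');
        ok !$c->validate_csrf_token, "$method with wrong token fails validation";
        is $c->res->code, 200, "$method: /test_set not rejected by plugin (validate_only)";
    }

    # /raise_error validates explicitly and forwards to the plugin's error
    # handler, so the configured error_output / error_code must come back.
    for my $method (qw(POST PUT DELETE)) {
        my ($res, $c) = ctx_request($method => '/raise_error?csrf_token=fuga');
        ok !$c->validate_csrf_token, "$method with wrong token fails validation on /raise_error";
        is $c->res->content, 'ERROR!', "$method: configured error_output is returned";
        is $c->res->code, 400, "$method: configured error_code is returned";
    }

    # A plain GET with no token at all is expected to pass validation and
    # reach the action body; only state-changing methods get bad tokens above.
    my $c = ctx_get '/raise_error';
    is $c->res->code, 200, 'GET /raise_error without token is not rejected';
    is $c->res->content, 'OK', 'GET /raise_error reaches the action body';
};
done_testing;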