
Added test for csrf stuff.

1 parent 66c6cb4 commit ce595808509a4d697ff63832317ed4cd12df1421 @zk committed Feb 1, 2011
Showing with 3,000 additions and 24 deletions.
  1. +2,928 −0 docs/uberdoc.html
  2. +4 −2 project.clj
  3. +0 −1 src/nsfw/core.clj
  4. +16 −6 src/nsfw/csrf.clj
  5. +2 −0 src/nsfw/mongo.clj
  6. +10 −0 src/nsfw/preferences.clj
  7. +18 −0 src/nsfw/user_prefs.clj
  8. +11 −5 src/nsfw/util.clj
  9. +0 −5 src/routes.clj
  10. +11 −5 test/nsfw/test/csrf.clj
@@ -7,7 +7,9 @@
[clj-stacktrace "0.2.0"]
[hiccup "0.3.0"]
[org.danlarkin/clojure-json "1.2-SNAPSHOT"]
- [fleet "0.9.3"]]
- :dev-dependencies [[swank-clojure "1.2.0"]])
+ [fleet "0.9.3"]
+ [congomongo "0.1.3-SNAPSHOT"]]
+ :dev-dependencies [[swank-clojure "1.2.0"]
+ [marginalia "0.5.0-alpha"]])
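Review bot: `congomongo "0.1.3-SNAPSHOT"` and `marginalia "0.5.0-alpha"` are unreleased coordinates; a SNAPSHOT resolves to whatever the repository currently publishes, so the build is not reproducible and a later upstream push changes what this project pulls in without any change to this file. If a tagged release of either exists, pin it. Otherwise record the intent next to the line, e.g. `;; TODO pin congomongo to a release once one is cut`, so the floating version is a visible decision rather than an accident.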
@@ -1 +0,0 @@
-(ns nsfw.core)
@@ -1,6 +1,14 @@
(ns nsfw.csrf
- (:use [nsfw.util]))
+ "Middleware and utilities to prevent cross-site request forgery attacks.
+
+ Usage:
+ Add the wrap-bind-csrf middleware to your request chain. `wrap-bind-csrf`
+ will bind *csrf-token* to a new token, and then add that token to `{:session {:csrf-token}}`
+ on the next response.
+
+ From that point forward the csrf-token can be accessed through `current`."
+ (:use [nsfw.util]))
;; Used in the middleware to bind the current csrf token for
;; use through (current) by actions and templates.
@@ -9,11 +17,11 @@
(defn gen-token []
(sha1-str (str (java.util.UUID/randomUUID))))
-(defn insert-token [resp]
+(defn insert-token [resp token]
(let [ses (get resp :session {})]
(assoc resp
:session (assoc ses
- :csrf-token (gen-token)))))
+ :csrf-token token))))
(defn pull [req]
(-> req
@@ -25,6 +33,8 @@
(defn wrap-bind-csrf [handler]
(fn [req]
- (binding [*csrf-token* (pull req)]
- (handler req))))
-
+ (if-let [token (current)]
+ (binding [*csrf-token* token]
+ (handler req))
+ (binding [*csrf-token* (gen-token)]
+ (insert-token (handler req) *csrf-token*)))))
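Review bot: `wrap-bind-csrf` decides whether a token already exists by calling `(current)` before `*csrf-token*` has been bound for this request; if `current` returns `*csrf-token*` as the namespace docstring describes, the `if-let` sees the var's root value rather than the token in the request's session, so every request takes the else branch, generates a fresh token and overwrites the session's token on each response. The previous implementation read the session with `(pull req)`; the binding source should be `(if-let [token (pull req)]`, and the new `test-wrap-bind-csrf` passes either way because it only checks truthiness. Separately, when `handler` returns nil, `insert-token` turns it into `{:session {...}}`, which downstream middleware will treat as a real response; wrapping the else branch in `(when-let [resp (handler req)] (insert-token resp *csrf-token*))` preserves the nil.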
@@ -0,0 +1,2 @@
+(ns nsfw.mongo
+ (:use [somnium.congomongo]))
@@ -0,0 +1,10 @@
+(ns nsfw.user-prefs)
+
+(def *user-prefs* {})
+
+(defn current [] *user-prefs*)
+
+(defn wrap-bind-user-prefs [handler defaults]
+ (fn [req]
+ (binding [*user-prefs* (merge defaults (:user-prefs (:session req)))]
+ (handler req))))
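Review bot: `src/nsfw/preferences.clj` declares `(ns nsfw.user-prefs)`, which does not match its path, so `(require 'nsfw.preferences)` cannot find it, and loading the file by path redefines the same `nsfw.user-prefs` namespace that `src/nsfw/user_prefs.clj` (the next section) defines — whichever loads last wins, and this copy lacks `update` and calls the middleware `wrap-bind-user-prefs` rather than `wrap-bind`. Either rename the ns to `nsfw.preferences` or drop this file in favour of user_prefs.clj. In both files `*user-prefs*` and `current` carry no documentation; a line such as `;; Bound per request by the middleware to (merge defaults session-prefs).` above the def would make the contract visible.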
@@ -0,0 +1,18 @@
+(ns nsfw.user-prefs)
+
+(def *user-prefs* {})
+
+(defn current [] *user-prefs*)
+
+(defn wrap-bind [handler defaults]
+ (fn [req]
+ (binding [*user-prefs* (merge defaults (:user-prefs (:session req)))]
+ (handler req))))
+
+(defn update [resp req new-prefs]
+ (let [sess (get req :session {})
+ old-prefs (current)]
+ (assoc resp
+ :session
+ (assoc sess :user-prefs (merge old-prefs new-prefs)))))
+
@@ -2,7 +2,7 @@
(:use [hiccup core
[page-helpers :only (doctype)]])
(:require [clj-stacktrace.repl :as stacktrace]
- [clojure.string :as string]
+ [clojure.string :as str]
[ring.util.response :as resp]
[org.danlarkin.json :as json]))
@@ -12,7 +12,7 @@
"<pre>" (stacktrace/pst-str e) "</pre>"
- "<pre>" (string/replace (str req) #", " "\n") "</pre>"
+ "<pre>" (str/replace (str req) #", " "\n") "</pre>"
"</html></body>"))
(defn include-css
@@ -106,8 +106,8 @@
(defn grav-url-for [email & [_ size]]
(when email
(let [email (->> email
- (clojure.string/trim)
- (clojure.string/lower-case))
+ (str/trim)
+ (str/lower-case))
url (str "http://gravatar.com/avatar/" (md5-sum email))]
(if size
(str url "?s=" size)
@@ -135,8 +135,14 @@
(map #(Integer/toHexString (bit-and % 0xff)))
(apply str))))
+(defn uuid []
+ (-> (java.util.UUID/randomUUID)
+ (str)
+ (str/replace #"-" "")))
+
(defn html5 [& content]
(html
(doctype :html5)
[:html
- content]))
+ content]))
+
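Review bot: The error page line `"<pre>" (str/replace (str req) #", " "\n") "</pre>"` still interpolates the whole request map into the HTML unescaped (the `pst-str` line above it as well), so headers, cookies and — now that `wrap-bind-csrf` stores it — the `:session` with the CSRF token are written to the page verbatim, and any `<` or `&` in those values is interpreted as markup. Since `hiccup.core` is already `:use`d in this file, wrap both values with `h`, e.g. `"<pre>" (h (str/replace (str req) #", " "\n")) "</pre>"`; if this page is meant for development only, say so in the enclosing function's docstring, which starts outside the hunk. The `string` → `str` alias rename itself is fine, as is the new `uuid` helper.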
@@ -1,5 +0,0 @@
-(ns routes
- (:use [net.cgrand.moustache :only (app)]
- [nsfw.util :only (reload-handlers)]
- [hiccup.core]
- [clojure.contrib.json :only (json-str)]))
@@ -2,14 +2,20 @@
(:use [nsfw.csrf] :reload)
(:use [clojure.test]))
+(def req-without-token {:uri "/foo"})
+(def req-with-token {:uri "/foo" :session {:csrf-token (gen-token)}})
(deftest test-insert-token
- (is (:csrf-token (:session (insert-token {})))))
+ (is (:csrf-token (:session (insert-token {} (gen-token))))))
(deftest test-pull
- (let [req (insert-token {})
- token (:csrf-token (:session req))]
- (is (= token (pull req)))))
+ (let [token (:csrf-token (:session req-with-token))]
+ (is (= token (pull req-with-token)))))
(deftest test-wrap-bind-csrf
- (is ((wrap-bind-csrf (fn [req] (current))) {:session {:csrf-token (gen-token)}})))
+ (is ((wrap-bind-csrf
+ (fn [req] {:session {:csrf-token (current)}})) req-with-token))
+ (is (:csrf-token (:session ((wrap-bind-csrf (fn [req] {})) req-without-token)))))
+
+
+
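Review bot: `test-wrap-bind-csrf` only asserts that the handler's result is truthy, so it cannot distinguish the token bound for `current` inside the handler from the one already stored in `req-with-token`'s session — a middleware that ignored the session and minted a new token on every request would pass unchanged. Compare them explicitly: `(is (= (pull req-with-token) (:csrf-token (:session ((wrap-bind-csrf (fn [req] {:session {:csrf-token (current)}})) req-with-token)))))`. The second assertion could likewise check that the token written for `req-without-token` is a non-empty string rather than merely present.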
