Added CSRF Extender (#2095)

2025-07-30 21:20:24 +02:00 · 2020-04-03 15:32:18 -04:00
parent ecdd7a2b49
commit 0d57820b50
6 changed files with 193 additions and 2 deletions
--- a/tests/integration/api/authentication/WithTokenTest.php
+++ b/tests/integration/api/authentication/WithTokenTest.php
@@ -43,7 +43,7 @@ class WithTokenTest extends TestCase
                        'password' => 'too-obscure'
                    ],
                ]
-            )->withAttribute('bypassCsrfToken', true)
+            )
        );

        $this->assertEquals(200, $response->getStatusCode());
@@ -75,7 +75,7 @@ class WithTokenTest extends TestCase
                        'password' => 'too-incorrect'
                    ],
                ]
-            )->withAttribute('bypassCsrfToken', true)
+            )
        );

        // HTTP 401 signals an authentication problem
--- a/tests/integration/extenders/CsrfTest.php
+++ b/tests/integration/extenders/CsrfTest.php
@@ -0,0 +1,114 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Tests\integration\extenders;
+
+use Flarum\Extend;
+use Flarum\Tests\integration\TestCase;
+use Flarum\User\User;
+
+class CsrfTest extends TestCase
+{
+    protected $testUser = [
+        'username' => 'test',
+        'password' => 'too-obscure',
+        'email' => 'test@machine.local',
+    ];
+
+    protected function prepDb()
+    {
+        $this->prepareDatabase([
+            'users' => [],
+        ]);
+    }
+
+    /**
+     * @test
+     */
+    public function create_user_post_needs_csrf_token_by_default()
+    {
+        $this->prepDb();
+
+        $response = $this->send(
+            $this->request('POST', '/api/users', [
+                'json' => [
+                    'data' => [
+                        'attributes' => $this->testUser
+                    ]
+                ],
+            ])
+        );
+
+        $this->assertEquals(400, $response->getStatusCode());
+    }
+
+    /**
+     * @test
+     */
+    public function create_user_post_doesnt_need_csrf_token_if_whitelisted()
+    {
+        $this->extend(
+            (new Extend\Csrf)
+                ->exemptPath('/api/users')
+        );
+
+        $this->prepDb();
+
+        $response = $this->send(
+            $this->request('POST', '/api/users', [
+                'json' => [
+                    'data' => [
+                        'attributes' => $this->testUser
+                    ]
+                ],
+            ])
+        );
+
+        $this->assertEquals(201, $response->getStatusCode());
+
+        $user = User::where('username', $this->testUser['username'])->firstOrFail();
+
+        $this->assertEquals(0, $user->is_email_confirmed);
+        $this->assertEquals($this->testUser['username'], $user->username);
+        $this->assertEquals($this->testUser['email'], $user->email);
+    }
+
+    /**
+     * @test
+     */
+    public function post_to_unknown_route_will_cause_400_error_without_csrf_override()
+    {
+        $this->prepDb();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fake/route/i/made/up')
+        );
+
+        $this->assertEquals(400, $response->getStatusCode());
+    }
+
+    /**
+     * @test
+     */
+    public function csrf_matches_wildcards_properly()
+    {
+        $this->extend(
+            (new Extend\Csrf)
+                ->exemptPath('/api/fake/*/up')
+        );
+
+        $this->prepDb();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fake/route/i/made/up')
+        );
+
+        $this->assertEquals(404, $response->getStatusCode());
+    }
+}