1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
package web
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"adammathes.com/neko/config"
)
func TestCSRFLoginWithFormToken(t *testing.T) {
pw := "secret"
originalPw := config.Config.DigestPassword
defer func() { config.Config.DigestPassword = originalPw }()
config.Config.DigestPassword = pw
mux := http.NewServeMux()
mux.HandleFunc("/login/", loginHandler)
mux.HandleFunc("/other", func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
handler := CSRFMiddleware(&config.Config, mux)
// Step 1: GET /login/ to obtain the CSRF token cookie
getReq := httptest.NewRequest("GET", "/login/", nil)
getRR := httptest.NewRecorder()
handler.ServeHTTP(getRR, getReq)
var csrfToken string
for _, c := range getRR.Result().Cookies() {
if c.Name == "csrf_token" {
csrfToken = c.Value
break
}
}
if csrfToken == "" {
t.Fatal("Expected csrf_token cookie to be set on GET /login/")
}
// Test 1: POST /login/ with CSRF token in form field should succeed
body := "password=" + pw + "&csrf_token=" + csrfToken
req := httptest.NewRequest("POST", "/login/", strings.NewReader(body))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusSeeOther {
t.Errorf("Expected 303 Redirect on successful login with CSRF token, got %d", rr.Code)
}
// Test 2: POST /login/ without CSRF token should be rejected
req2 := httptest.NewRequest("POST", "/login/", strings.NewReader("password="+pw))
req2.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr2 := httptest.NewRecorder()
handler.ServeHTTP(rr2, req2)
if rr2.Code != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden for POST /login/ without CSRF token, got %d", rr2.Code)
}
// Test 3: POST /other without CSRF token should fail
req3 := httptest.NewRequest("POST", "/other", nil)
rr3 := httptest.NewRecorder()
handler.ServeHTTP(rr3, req3)
if rr3.Code != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden for POST /other, got %d", rr3.Code)
}
// Test 4: POST /other with CSRF token in header should succeed
req4 := httptest.NewRequest("POST", "/other", nil)
req4.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
req4.Header.Set("X-CSRF-Token", csrfToken)
rr4 := httptest.NewRecorder()
handler.ServeHTTP(rr4, req4)
if rr4.Code == http.StatusForbidden {
t.Errorf("Expected POST /other with valid CSRF header to succeed, got 403")
}
}
|
