1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
package web
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"adammathes.com/neko/config"
)
func TestCSRFLoginWithFormToken(t *testing.T) {
pw := "secret"
originalPw := config.Config.DigestPassword
defer func() { config.Config.DigestPassword = originalPw }()
config.Config.DigestPassword = pw
mux := http.NewServeMux()
mux.HandleFunc("/login/", loginHandler)
mux.HandleFunc("/other", func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
handler := CSRFMiddleware(&config.Config, mux)
// Step 1: GET /login/ to obtain the CSRF token cookie
getReq := httptest.NewRequest("GET", "/login/", nil)
getRR := httptest.NewRecorder()
handler.ServeHTTP(getRR, getReq)
var csrfToken string
for _, c := range getRR.Result().Cookies() {
if c.Name == "csrf_token" {
csrfToken = c.Value
break
}
}
if csrfToken == "" {
t.Fatal("Expected csrf_token cookie to be set on GET /login/")
}
// Test 1: POST /login/ with CSRF token in form field should succeed
body := "password=" + pw + "&csrf_token=" + csrfToken
req := httptest.NewRequest("POST", "/login/", strings.NewReader(body))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusSeeOther {
t.Errorf("Expected 303 Redirect on successful login with CSRF token, got %d", rr.Code)
}
// Test 2: POST /login/ without CSRF token should be rejected
req2 := httptest.NewRequest("POST", "/login/", strings.NewReader("password="+pw))
req2.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr2 := httptest.NewRecorder()
handler.ServeHTTP(rr2, req2)
if rr2.Code != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden for POST /login/ without CSRF token, got %d", rr2.Code)
}
// Test 3: POST /other without CSRF token should fail
req3 := httptest.NewRequest("POST", "/other", nil)
rr3 := httptest.NewRecorder()
handler.ServeHTTP(rr3, req3)
if rr3.Code != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden for POST /other, got %d", rr3.Code)
}
// Test 4: POST /other with CSRF token in header should succeed
req4 := httptest.NewRequest("POST", "/other", nil)
req4.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
req4.Header.Set("X-CSRF-Token", csrfToken)
rr4 := httptest.NewRecorder()
handler.ServeHTTP(rr4, req4)
if rr4.Code == http.StatusForbidden {
t.Errorf("Expected POST /other with valid CSRF header to succeed, got 403")
}
}
func TestCSRFExcludedPaths(t *testing.T) {
originalPw := config.Config.DigestPassword
defer func() { config.Config.DigestPassword = originalPw }()
config.Config.DigestPassword = "secret"
mux := http.NewServeMux()
mux.HandleFunc("/api/login", apiLoginHandler)
mux.HandleFunc("/api/logout", apiLogoutHandler)
handler := CSRFMiddleware(&config.Config, mux)
// POST /api/login without CSRF token should succeed (excluded path)
req := httptest.NewRequest("POST", "/api/login", strings.NewReader("password=secret"))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code == http.StatusForbidden {
t.Error("POST /api/login should be excluded from CSRF protection")
}
// POST /api/logout without CSRF token should succeed (excluded path)
req = httptest.NewRequest("POST", "/api/logout", nil)
rr = httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code == http.StatusForbidden {
t.Error("POST /api/logout should be excluded from CSRF protection")
}
}
func TestCSRFPutAndDeleteMethods(t *testing.T) {
cfg := &config.Settings{SecureCookies: false}
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
handler := CSRFMiddleware(cfg, inner)
// GET to get a token
getReq := httptest.NewRequest("GET", "/", nil)
getRR := httptest.NewRecorder()
handler.ServeHTTP(getRR, getReq)
var csrfToken string
for _, c := range getRR.Result().Cookies() {
if c.Name == "csrf_token" {
csrfToken = c.Value
}
}
// PUT without token should fail
req := httptest.NewRequest("PUT", "/item/1", nil)
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusForbidden {
t.Errorf("PUT without CSRF token should return 403, got %d", rr.Code)
}
// DELETE without token should fail
req = httptest.NewRequest("DELETE", "/feed/1", nil)
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
rr = httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusForbidden {
t.Errorf("DELETE without CSRF token should return 403, got %d", rr.Code)
}
// PUT with valid token should succeed
req = httptest.NewRequest("PUT", "/item/1", nil)
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
req.Header.Set("X-CSRF-Token", csrfToken)
rr = httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("PUT with valid CSRF token should succeed, got %d", rr.Code)
}
// DELETE with valid token should succeed
req = httptest.NewRequest("DELETE", "/feed/1", nil)
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfToken})
req.Header.Set("X-CSRF-Token", csrfToken)
rr = httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("DELETE with valid CSRF token should succeed, got %d", rr.Code)
}
}
|
