class PerFormTokensControllerTest

Public Instance Methods

# File actionpack/test/controller/request_forgery_protection_test.rb, line 779
# Run the whole suite with a non-default parameter name so the per-form
# token path is exercised through the configurable
# +request_forgery_protection_token+ setting instead of the default
# +authenticity_token+. The previous value is remembered for +teardown+,
# because this setting is global to ActionController::Base.
def setup
  base = ActionController::Base
  @old_request_forgery_protection_token = base.request_forgery_protection_token
  base.request_forgery_protection_token = :custom_authenticity_token
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 784
# Put the global token parameter name back so other test classes in the
# same process are not affected by the override made in +setup+.
def teardown
  previous = @old_request_forgery_protection_token
  ActionController::Base.request_forgery_protection_token = previous
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 882
# The plain session token (what +form_authenticity_token+ returns) is
# still accepted by an action that is otherwise covered by per-form
# tokens. Per-form tokens therefore restrict what a *form-scoped* token
# can do, but do not restrict the global token: whoever holds the session
# token can still submit this form. Treat per-form tokens as defence in
# depth, not as a replacement for protecting the session token.
def test_accepts_global_csrf_token
  get :index

  global_token = @controller.send(:form_authenticity_token)

  # PATH_INFO survives across requests in this harness, so point it at the
  # action the token is about to be validated against.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: global_token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 795
# Happy path: the token rendered into the form for +post_one+ is accepted
# when a POST arrives at exactly that path. The intermediate check
# confirms the rendered (masked) value unmasks to the token the server
# derives for "/per_form_tokens/post_one" + "post", i.e. the form really
# carried a path-and-method-bound token rather than the global one.
def test_accepts_token_for_correct_path_and_method
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives across requests in this harness, so set it to the
  # path the token was minted for.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 923
# A form whose action is an absolute URL ("https://example.com/...") gets
# a token that still validates against the bare request path. So the
# scheme and host of the form action are not part of what the token is
# bound to; only the path (and method) are. NOTE(review): the normalisation
# that strips the origin happens on the generation side and is not visible
# here; this test only observes its effect.
def test_ignores_origin_during_generation
  get :index, params: { form_path: "https://example.com/per_form_tokens/post_one/" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives across requests in this harness; validate against
  # the path-only form of the action.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 895
# Query strings are not part of the token binding on either side: the form
# is rendered with "?foo=bar", the request is validated with "?foo=baz" and
# an extra body parameter, and the token is still accepted. The token is
# bound to path and method only, not to parameters.
#
# NOTE(review): a real Rack request never carries the query string inside
# PATH_INFO (it lives in QUERY_STRING); placing it there is how this test
# forces the validation-side normalisation to see and discard it.
def test_ignores_params
  get :index, params: { form_path: "/per_form_tokens/post_one?foo=bar" }

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives across requests in this harness.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one?foo=baz"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token, baz: "foo" })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 910
# A form action written with a trailing slash ("/post_one/") yields a token
# that validates for the slash-less path. Trailing slashes are therefore
# normalised away when the token is generated.
def test_ignores_trailing_slash_during_generation
  get :index, params: { form_path: "/per_form_tokens/post_one/" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives across requests in this harness.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 936
# Mirror of the generation-side test: a token minted for the slash-less
# path is accepted when the incoming request path carries a trailing
# slash. Trailing slashes are normalised away during validation too.
def test_ignores_trailing_slash_during_validation
  get :index

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives across requests in this harness; validate against
  # the trailing-slash variant of the action.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one/"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 949
# The form is rendered with an upper-case method ("POST") and the request
# is validated as a lower-case +post+; the token is still accepted, so the
# HTTP method is compared case-insensitively. This keeps the binding
# robust to how a template happens to spell the method attribute.
def test_method_is_case_insensitive
  get :index, params: { form_method: "POST" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives across requests in this harness.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one/"
  assert_nothing_raised do
    post(:post_one, params: { custom_authenticity_token: token })
  end
  assert_response :success
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 788
# A per-form token is the same length as the global one
# (AUTHENTICITY_TOKEN_LENGTH). This matters because the masking and
# unmasking steps operate on fixed-width byte strings, so a token of a
# different size would not survive the same masking pipeline.
def test_per_form_token_is_same_size_as_global_token
  get :index

  per_form = @controller.send(:per_form_csrf_token, session, "/path", "post")
  assert_equal ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH, per_form.size
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 824
# Negative case for the method binding: the token minted for POST to
# +post_one+ is refused when the same path is hit with PATCH. A token
# leaked from one form cannot be replayed against a different verb on
# the same endpoint.
def test_rejects_token_for_incorrect_method
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives across requests in this harness.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_raises(ActionController::InvalidAuthenticityToken) do
    patch(:post_one, params: { custom_authenticity_token: token })
  end
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 838
# Same method-binding check, but for a +button_to+ rendered with
# method "delete". The helper is asked to compare against a DELETE-bound
# token, and a PATCH with that token is refused. Note this only shows the
# DELETE token is rejected for PATCH; it does not exercise DELETE itself.
def test_rejects_token_for_incorrect_method_button_to
  get :button_to, params: { form_method: "delete" }

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token, "delete"

  # PATH_INFO survives across requests in this harness.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_raises(ActionController::InvalidAuthenticityToken) do
    patch(:post_one, params: { custom_authenticity_token: token })
  end
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 810
# Negative case for the path binding: the token minted for +post_one+ is
# refused when POSTed to +post_two+, even though the verb matches. This
# is the property that limits the blast radius of a token leaked from a
# single form to that form's own endpoint.
def test_rejects_token_for_incorrect_path
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives across requests in this harness; aim at the other
  # action on purpose.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_two"
  assert_raises(ActionController::InvalidAuthenticityToken) do
    post(:post_two, params: { custom_authenticity_token: token })
  end
end

Private Instance Methods

# File actionpack/test/controller/request_forgery_protection_test.rb, line 970
# Assert that a token taken from a rendered form is the per-form token the
# server would derive for "/per_form_tokens/post_one" and +method+.
#
# The form value is the Base64-encoded, masked token; it is decoded and
# unmasked before comparison. The path is hard-coded, so this helper is
# only meaningful for forms that point at +post_one+.
#
# form_token:: the value of the hidden CSRF input as rendered.
# method::     HTTP method the form was rendered for (default "post").
def assert_matches_session_token_on_server(form_token, method = "post")
  raw = Base64.strict_decode64(form_token)
  unmasked = @controller.send(:unmask_token, raw)
  server_side = @controller.send(:per_form_csrf_token, session, "/per_form_tokens/post_one", method)
  assert_equal server_side, unmasked
end
# File actionpack/test/controller/request_forgery_protection_test.rb, line 962
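# Find the hidden CSRF input rendered into the response and return its
# value (still masked and Base64-encoded, exactly as a browser would
# submit it).
#
# Fails if the input is missing, has no value attribute, or has an empty
# value. The empty-value check is new: an empty token would otherwise flow
# into the posting tests and be refused regardless of path or method,
# which could let a rejection test pass for the wrong reason.
def assert_presence_and_fetch_form_csrf_token
  token = nil
  assert_select 'input[name="custom_authenticity_token"]' do |inputs|
    token = inputs.first["value"]
    assert_not_nil token
    assert_not_empty token
  end
  token
end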