class PerFormTokensControllerTest
Public Instance Methods
setup()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 779
# Points the framework-wide CSRF parameter name at :custom_authenticity_token
# for the duration of a test. The previous name is stashed in an instance
# variable so teardown can restore it; the setting lives on
# ActionController::Base, so it would otherwise leak into other test classes.
def setup
  base = ActionController::Base
  @old_request_forgery_protection_token = base.request_forgery_protection_token
  base.request_forgery_protection_token = :custom_authenticity_token
end
teardown()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 784
# Restores the CSRF parameter name that setup saved, undoing the override on
# ActionController::Base.
def teardown
  saved_name = @old_request_forgery_protection_token
  ActionController::Base.request_forgery_protection_token = saved_name
end
test_accepts_global_csrf_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 882
# The token returned by form_authenticity_token (called with no form options)
# must still be accepted by post_one. Security-relevant consequence pinned
# here: per-form tokens narrow what a single form's token can be replayed
# against, but the session-wide token remains valid for this action, so it
# still has to be protected as a secret.
def test_accepts_global_csrf_token
  get :index

  global_token = @controller.send(:form_authenticity_token)

  # PATH_INFO survives from the GET above, so set it by hand to the action
  # the POST is aimed at.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: global_token } }
  assert_response :success
end
test_accepts_token_for_correct_path_and_method()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 795
# Happy path: the token rendered into the index form is the per-form token for
# POST /per_form_tokens/post_one (checked server-side first), and submitting
# it to that path with that verb is accepted.
def test_accepts_token_for_correct_path_and_method
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives from the GET above, so set it by hand to the action
  # the POST is aimed at.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token } }
  assert_response :success
end
test_ignores_origin_during_generation()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 923
# Requests the form with an absolute URL as form_path (presumably used by the
# index view as the form action -- the view is not shown here) and expects the
# resulting token to validate against the bare path. In other words the
# scheme and host are not part of what the token is bound to; only the path
# and the HTTP method are.
def test_ignores_origin_during_generation
  get :index, params: { form_path: "https://example.com/per_form_tokens/post_one/" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives from the GET above, so set it by hand to the action
  # the POST is aimed at.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token } }
  assert_response :success
end
test_ignores_params()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 895
# The query string is not part of the token binding: the form is generated
# for "...post_one?foo=bar", the token equals the per-form token for the plain
# path, and it is accepted on a request whose PATH_INFO carries a different
# query string and an extra body parameter.
def test_ignores_params
  get :index, params: { form_path: "/per_form_tokens/post_one?foo=bar" }

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives from the GET above; here it is deliberately given a
  # query string that differs from the one used at generation time.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one?foo=baz"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token, baz: "foo" } }
  assert_response :success
end
test_ignores_trailing_slash_during_generation()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 910
# A trailing slash on the path the token is generated for must not matter:
# the form is requested for ".../post_one/" and the token is accepted on
# ".../post_one".
def test_ignores_trailing_slash_during_generation
  get :index, params: { form_path: "/per_form_tokens/post_one/" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives from the GET above, so set it by hand to the action
  # the POST is aimed at (without the trailing slash).
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token } }
  assert_response :success
end
test_ignores_trailing_slash_during_validation()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 936
# Mirror image of the generation-side test: the token comes from the default
# index form and is accepted when the incoming request path ends in a slash.
def test_ignores_trailing_slash_during_validation
  get :index

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives from the GET above; the trailing slash here is the
  # condition under test.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one/"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token } }
  assert_response :success
end
test_method_is_case_insensitive()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 949
# The HTTP verb bound into the token is compared without regard to case: the
# form is requested with form_method "POST" (presumably passed through to the
# form by the index view -- not shown here) and the token is accepted on a
# request issued with the test helper `post`.
def test_method_is_case_insensitive
  get :index, params: { form_method: "POST" }

  token = assert_presence_and_fetch_form_csrf_token

  # PATH_INFO survives from the GET above, so set it by hand to the action
  # the POST is aimed at.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one/"
  assert_nothing_raised { post :post_one, params: { custom_authenticity_token: token } }
  assert_response :success
end
test_per_form_token_is_same_size_as_global_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 788
# A per-form token must have exactly AUTHENTICITY_TOKEN_LENGTH elements, the
# same length constant the test name associates with the global token.
# per_form_csrf_token is reached through `send`, i.e. it is not called as a
# public method here.
def test_per_form_token_is_same_size_as_global_token
  get :index

  token_length = ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH
  per_form_size = @controller.send(:per_form_csrf_token, session, "/path", "post").size
  assert_equal token_length, per_form_size
end
test_rejects_token_for_incorrect_method()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 824
# Negative case for the verb binding: a token confirmed to be the per-form
# token for POST /per_form_tokens/post_one must raise
# InvalidAuthenticityToken when the same path is hit with PATCH.
def test_rejects_token_for_incorrect_method
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives from the GET above, so set it by hand; the path is the
  # right one, only the verb differs.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
  assert_raises(ActionController::InvalidAuthenticityToken) do
    patch :post_one, params: { custom_authenticity_token: token }
  end
end
test_rejects_token_for_incorrect_path()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 810
# Negative case for the path binding: a token confirmed to be the per-form
# token for POST /per_form_tokens/post_one must raise
# InvalidAuthenticityToken when it is submitted to post_two instead.
def test_rejects_token_for_incorrect_path
  get :index

  token = assert_presence_and_fetch_form_csrf_token
  assert_matches_session_token_on_server token

  # PATH_INFO survives from the GET above, so set it by hand to the other
  # action; the verb is still POST.
  @request.env["PATH_INFO"] = "/per_form_tokens/post_two"
  assert_raises(ActionController::InvalidAuthenticityToken) do
    post :post_two, params: { custom_authenticity_token: token }
  end
end
Private Instance Methods
assert_matches_session_token_on_server(form_token, method = "post")
# File actionpack/test/controller/request_forgery_protection_test.rb, line 970
# Checks that a token taken from the rendered form really is the per-form
# token for /per_form_tokens/post_one and the given HTTP method.
#
# form_token - the Base64 string read from the hidden input.
# method     - the verb the token is expected to be bound to ("post" by
#              default).
#
# strict_decode64 raises on malformed Base64 instead of decoding leniently,
# so a badly encoded token fails the test here. The controller's
# unmask_token and per_form_csrf_token are invoked through `send`.
def assert_matches_session_token_on_server(form_token, method = "post")
  masked_bytes = Base64.strict_decode64(form_token)
  actual = @controller.send(:unmask_token, masked_bytes)
  expected = @controller.send(:per_form_csrf_token, session, "/per_form_tokens/post_one", method)
  assert_equal expected, actual
end
assert_presence_and_fetch_form_csrf_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 962
# Asserts that the last response contains a hidden input named
# custom_authenticity_token (the parameter name installed by setup) and
# returns the value of the first such input.
#
# The `return` inside the block exits this helper directly, so callers get
# the token string rather than whatever assert_select itself returns.
def assert_presence_and_fetch_form_csrf_token
  assert_select 'input[name="custom_authenticity_token"]' do |matches|
    token_value = matches.first["value"]
    assert_not_nil token_value
    return token_value
  end
end