echo/middleware/csrf_test.go

package middleware

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/labstack/gommon/random"
	"github.com/stretchr/testify/assert"
)

func TestCSRF_tokenExtractors(t *testing.T) {
	var testCases = []struct {
		name              string
		whenTokenLookup   string
		whenCookieName    string
		givenCSRFCookie   string
		givenMethod       string
		givenQueryTokens  map[string][]string
		givenFormTokens   map[string][]string
		givenHeaderTokens map[string][]string
		expectError       string
	}{
		{
			name:            "ok, multiple token lookups sources, succeeds on last one",
			whenTokenLookup: "header:X-CSRF-Token,form:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenHeaderTokens: map[string][]string{
				echo.HeaderXCSRFToken: {"invalid_token"},
			},
			givenFormTokens: map[string][]string{
				"csrf": {"token"},
			},
		},
		{
			name:            "ok, token from POST form",
			whenTokenLookup: "form:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenFormTokens: map[string][]string{
				"csrf": {"token"},
			},
		},
		{
			name:            "ok, token from POST form, second token passes",
			whenTokenLookup: "form:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenFormTokens: map[string][]string{
				"csrf": {"invalid", "token"},
			},
		},
		{
			name:            "nok, invalid token from POST form",
			whenTokenLookup: "form:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenFormTokens: map[string][]string{
				"csrf": {"invalid_token"},
			},
			expectError: "code=403, message=invalid csrf token",
		},
		{
			name:            "nok, missing token from POST form",
			whenTokenLookup: "form:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenFormTokens: map[string][]string{},
			expectError:     "code=400, message=missing csrf token in the form parameter",
		},
		{
			name:            "ok, token from POST header",
			whenTokenLookup: "", // will use defaults
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenHeaderTokens: map[string][]string{
				echo.HeaderXCSRFToken: {"token"},
			},
		},
		{
			name:            "ok, token from POST header, second token passes",
			whenTokenLookup: "header:" + echo.HeaderXCSRFToken,
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenHeaderTokens: map[string][]string{
				echo.HeaderXCSRFToken: {"invalid", "token"},
			},
		},
		{
			name:            "nok, invalid token from POST header",
			whenTokenLookup: "header:" + echo.HeaderXCSRFToken,
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPost,
			givenHeaderTokens: map[string][]string{
				echo.HeaderXCSRFToken: {"invalid_token"},
			},
			expectError: "code=403, message=invalid csrf token",
		},
		{
			name:              "nok, missing token from POST header",
			whenTokenLookup:   "header:" + echo.HeaderXCSRFToken,
			givenCSRFCookie:   "token",
			givenMethod:       http.MethodPost,
			givenHeaderTokens: map[string][]string{},
			expectError:       "code=400, message=missing csrf token in request header",
		},
		{
			name:            "ok, token from PUT query param",
			whenTokenLookup: "query:csrf-param",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPut,
			givenQueryTokens: map[string][]string{
				"csrf-param": {"token"},
			},
		},
		{
			name:            "ok, token from PUT query form, second token passes",
			whenTokenLookup: "query:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPut,
			givenQueryTokens: map[string][]string{
				"csrf": {"invalid", "token"},
			},
		},
		{
			name:            "nok, invalid token from PUT query form",
			whenTokenLookup: "query:csrf",
			givenCSRFCookie: "token",
			givenMethod:     http.MethodPut,
			givenQueryTokens: map[string][]string{
				"csrf": {"invalid_token"},
			},
			expectError: "code=403, message=invalid csrf token",
		},
		{
			name:             "nok, missing token from PUT query form",
			whenTokenLookup:  "query:csrf",
			givenCSRFCookie:  "token",
			givenMethod:      http.MethodPut,
			givenQueryTokens: map[string][]string{},
			expectError:      "code=400, message=missing csrf token in the query string",
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			e := echo.New()

			q := make(url.Values)
			for queryParam, values := range tc.givenQueryTokens {
				for _, v := range values {
					q.Add(queryParam, v)
				}
			}

			f := make(url.Values)
			for formKey, values := range tc.givenFormTokens {
				for _, v := range values {
					f.Add(formKey, v)
				}
			}

			var req *http.Request
			switch tc.givenMethod {
			case http.MethodGet:
				req = httptest.NewRequest(http.MethodGet, "/?"+q.Encode(), nil)
			case http.MethodPost, http.MethodPut:
				req = httptest.NewRequest(http.MethodPost, "/?"+q.Encode(), strings.NewReader(f.Encode()))
				req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)
			}

			for header, values := range tc.givenHeaderTokens {
				for _, v := range values {
					req.Header.Add(header, v)
				}
			}

			if tc.givenCSRFCookie != "" {
				req.Header.Set(echo.HeaderCookie, "_csrf="+tc.givenCSRFCookie)
			}

			rec := httptest.NewRecorder()
			c := e.NewContext(req, rec)

			csrf := CSRFWithConfig(CSRFConfig{
				TokenLookup: tc.whenTokenLookup,
				CookieName:  tc.whenCookieName,
			})

			h := csrf(func(c echo.Context) error {
				return c.String(http.StatusOK, "test")
			})

			err := h(c)
			if tc.expectError != "" {
				assert.EqualError(t, err, tc.expectError)
			} else {
				assert.NoError(t, err)
			}
		})
	}
}

func TestCSRF(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	csrf := CSRF()
	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Generate CSRF token
	h(c)
	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")

	// Without CSRF cookie
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	assert.Error(t, h(c))

	// Empty/invalid CSRF token
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderXCSRFToken, "")
	assert.Error(t, h(c))

	// Valid CSRF token
	token := random.String(32)
	req.Header.Set(echo.HeaderCookie, "_csrf="+token)
	req.Header.Set(echo.HeaderXCSRFToken, token)
	if assert.NoError(t, h(c)) {
		assert.Equal(t, http.StatusOK, rec.Code)
	}
}

func TestCSRFSetSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteStrictMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.Regexp(t, "SameSite=Strict", rec.Header()["Set-Cookie"])
}

func TestCSRFWithoutSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
}

func TestCSRFWithSameSiteDefaultMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteDefaultMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
}

func TestCSRFWithSameSiteModeNone(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteNoneMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.Regexp(t, "SameSite=None", rec.Header()["Set-Cookie"])
	assert.Regexp(t, "Secure", rec.Header()["Set-Cookie"])
}

func TestCSRFConfig_skipper(t *testing.T) {
	var testCases = []struct {
		name          string
		whenSkip      bool
		expectCookies int
	}{
		{
			name:          "do skip",
			whenSkip:      true,
			expectCookies: 0,
		},
		{
			name:          "do not skip",
			whenSkip:      false,
			expectCookies: 1,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			e := echo.New()
			req := httptest.NewRequest(http.MethodGet, "/", nil)
			rec := httptest.NewRecorder()
			c := e.NewContext(req, rec)

			csrf := CSRFWithConfig(CSRFConfig{
				Skipper: func(c echo.Context) bool {
					return tc.whenSkip
				},
			})

			h := csrf(func(c echo.Context) error {
				return c.String(http.StatusOK, "test")
			})

			r := h(c)
			assert.NoError(t, r)
			cookie := rec.Header()["Set-Cookie"]
			assert.Len(t, cookie, tc.expectCookies)
		})
	}
}
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`package middleware`

			`import (`
			`"net/http"`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`"net/http/httptest"`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`"net/url"`
			`"strings"`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`"testing"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Using random string from gommon Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-19 08:24:50 +02:00			`"github.com/labstack/gommon/random"`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`"github.com/stretchr/testify/assert"`
			`)`

JWT, KeyAuth, CSRF multivalue extractors (#2060) * CSRF, JWT, KeyAuth middleware support for multivalue value extractors * Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil). 2022-01-24 22:03:45 +02:00			`func TestCSRF_tokenExtractors(t *testing.T) {`
			`var testCases = []struct {`
			`name string`
			`whenTokenLookup string`
			`whenCookieName string`
			`givenCSRFCookie string`
			`givenMethod string`
			`givenQueryTokens map[string][]string`
			`givenFormTokens map[string][]string`
			`givenHeaderTokens map[string][]string`
			`expectError string`
			`}{`
			`{`
			`name: "ok, multiple token lookups sources, succeeds on last one",`
			`whenTokenLookup: "header:X-CSRF-Token,form:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenHeaderTokens: map[string][]string{`
			`echo.HeaderXCSRFToken: {"invalid_token"},`
			`},`
			`givenFormTokens: map[string][]string{`
			`"csrf": {"token"},`
			`},`
			`},`
			`{`
			`name: "ok, token from POST form",`
			`whenTokenLookup: "form:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenFormTokens: map[string][]string{`
			`"csrf": {"token"},`
			`},`
			`},`
			`{`
			`name: "ok, token from POST form, second token passes",`
			`whenTokenLookup: "form:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenFormTokens: map[string][]string{`
			`"csrf": {"invalid", "token"},`
			`},`
			`},`
			`{`
			`name: "nok, invalid token from POST form",`
			`whenTokenLookup: "form:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenFormTokens: map[string][]string{`
			`"csrf": {"invalid_token"},`
			`},`
			`expectError: "code=403, message=invalid csrf token",`
			`},`
			`{`
			`name: "nok, missing token from POST form",`
			`whenTokenLookup: "form:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenFormTokens: map[string][]string{},`
			`expectError: "code=400, message=missing csrf token in the form parameter",`
			`},`
			`{`
			`name: "ok, token from POST header",`
			`whenTokenLookup: "", // will use defaults`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenHeaderTokens: map[string][]string{`
			`echo.HeaderXCSRFToken: {"token"},`
			`},`
			`},`
			`{`
			`name: "ok, token from POST header, second token passes",`
			`whenTokenLookup: "header:" + echo.HeaderXCSRFToken,`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenHeaderTokens: map[string][]string{`
			`echo.HeaderXCSRFToken: {"invalid", "token"},`
			`},`
			`},`
			`{`
			`name: "nok, invalid token from POST header",`
			`whenTokenLookup: "header:" + echo.HeaderXCSRFToken,`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenHeaderTokens: map[string][]string{`
			`echo.HeaderXCSRFToken: {"invalid_token"},`
			`},`
			`expectError: "code=403, message=invalid csrf token",`
			`},`
			`{`
			`name: "nok, missing token from POST header",`
			`whenTokenLookup: "header:" + echo.HeaderXCSRFToken,`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPost,`
			`givenHeaderTokens: map[string][]string{},`
			`expectError: "code=400, message=missing csrf token in request header",`
			`},`
			`{`
			`name: "ok, token from PUT query param",`
			`whenTokenLookup: "query:csrf-param",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPut,`
			`givenQueryTokens: map[string][]string{`
			`"csrf-param": {"token"},`
			`},`
			`},`
			`{`
			`name: "ok, token from PUT query form, second token passes",`
			`whenTokenLookup: "query:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPut,`
			`givenQueryTokens: map[string][]string{`
			`"csrf": {"invalid", "token"},`
			`},`
			`},`
			`{`
			`name: "nok, invalid token from PUT query form",`
			`whenTokenLookup: "query:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPut,`
			`givenQueryTokens: map[string][]string{`
			`"csrf": {"invalid_token"},`
			`},`
			`expectError: "code=403, message=invalid csrf token",`
			`},`
			`{`
			`name: "nok, missing token from PUT query form",`
			`whenTokenLookup: "query:csrf",`
			`givenCSRFCookie: "token",`
			`givenMethod: http.MethodPut,`
			`givenQueryTokens: map[string][]string{},`
			`expectError: "code=400, message=missing csrf token in the query string",`
			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`e := echo.New()`

			`q := make(url.Values)`
			`for queryParam, values := range tc.givenQueryTokens {`
			`for _, v := range values {`
			`q.Add(queryParam, v)`
			`}`
			`}`

			`f := make(url.Values)`
			`for formKey, values := range tc.givenFormTokens {`
			`for _, v := range values {`
			`f.Add(formKey, v)`
			`}`
			`}`

			`var req *http.Request`
			`switch tc.givenMethod {`
			`case http.MethodGet:`
			`req = httptest.NewRequest(http.MethodGet, "/?"+q.Encode(), nil)`
			`case http.MethodPost, http.MethodPut:`
			`req = httptest.NewRequest(http.MethodPost, "/?"+q.Encode(), strings.NewReader(f.Encode()))`
			`req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)`
			`}`

			`for header, values := range tc.givenHeaderTokens {`
			`for _, v := range values {`
			`req.Header.Add(header, v)`
			`}`
			`}`

			`if tc.givenCSRFCookie != "" {`
			`req.Header.Set(echo.HeaderCookie, "_csrf="+tc.givenCSRFCookie)`
			`}`

			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`TokenLookup: tc.whenTokenLookup,`
			`CookieName: tc.whenCookieName,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`err := h(c)`
			`if tc.expectError != "" {`
			`assert.EqualError(t, err, tc.expectError)`
			`} else {`
			`assert.NoError(t, err)`
			`}`
			`})`
			`}`
			`}`

Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`func TestCSRF(t *testing.T) {`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec := httptest.NewRecorder()`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`c := e.NewContext(req, rec)`
JWT, KeyAuth, CSRF multivalue extractors (#2060) * CSRF, JWT, KeyAuth middleware support for multivalue value extractors * Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil). 2022-01-24 22:03:45 +02:00			`csrf := CSRF()`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`// Generate CSRF token`
			`h(c)`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")`

			`// Without CSRF cookie`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodPost, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`c = e.NewContext(req, rec)`
			`assert.Error(t, h(c))`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00
			`// Empty/invalid CSRF token`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodPost, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`c = e.NewContext(req, rec)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderXCSRFToken, "")`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`assert.Error(t, h(c))`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00
			`// Valid CSRF token`
JWT, KeyAuth, CSRF multivalue extractors (#2060) * CSRF, JWT, KeyAuth middleware support for multivalue value extractors * Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil). 2022-01-24 22:03:45 +02:00			`token := random.String(32)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderCookie, "_csrf="+token)`
			`req.Header.Set(echo.HeaderXCSRFToken, token)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`if assert.NoError(t, h(c)) {`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`assert.Equal(t, http.StatusOK, rec.Code)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`}`
			`}`

Fix #1523 by adding SameSite mode for CSRF settings 2020-03-04 17:14:23 +02:00			`func TestCSRFSetSameSiteMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`CookieSameSite: http.SameSiteStrictMode,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.Regexp(t, "SameSite=Strict", rec.Header()["Set-Cookie"])`
			`}`

			`func TestCSRFWithoutSameSiteMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])`
			`}`
Fix #1523 by adding secure cookie if SameSite mode is None 2020-12-03 09:21:31 +02:00
			`func TestCSRFWithSameSiteDefaultMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`CookieSameSite: http.SameSiteDefaultMode,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])`
			`}`
Add Go 1.16 to CI and drop 1.12 specific code (#1850) * Correct incorrect years in CHANGELOG.md * CI tests with last 4 versions. Remove 1.12 and below specific code * Rename proxy test 2021-04-16 11:38:12 +02:00
			`func TestCSRFWithSameSiteModeNone(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`CookieSameSite: http.SameSiteNoneMode,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.Regexp(t, "SameSite=None", rec.Header()["Set-Cookie"])`
			`assert.Regexp(t, "Secure", rec.Header()["Set-Cookie"])`
			`}`
JWT, KeyAuth, CSRF multivalue extractors (#2060) * CSRF, JWT, KeyAuth middleware support for multivalue value extractors * Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil). 2022-01-24 22:03:45 +02:00
			`func TestCSRFConfig_skipper(t *testing.T) {`
			`var testCases = []struct {`
			`name string`
			`whenSkip bool`
			`expectCookies int`
			`}{`
			`{`
			`name: "do skip",`
			`whenSkip: true,`
			`expectCookies: 0,`
			`},`
			`{`
			`name: "do not skip",`
			`whenSkip: false,`
			`expectCookies: 1,`
			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`Skipper: func(c echo.Context) bool {`
			`return tc.whenSkip`
			`},`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`cookie := rec.Header()["Set-Cookie"]`
			`assert.Len(t, cookie, tc.expectCookies)`
			`})`
			`}`
			`}`