package middleware
import (
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/labstack/echo/v4"
"github.com/stretchr/testify/assert"
)
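// TestCSRF checks that the middleware built with the default configuration
// issues a "_csrf" cookie on a GET request that carries no token yet.
func TestCSRF(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	csrf := CSRF()
	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Generate CSRF token. The handler result is checked as well: an error from
	// the middleware must fail the test rather than be silently discarded.
	assert.NoError(t, h(c))
	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")
}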
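// TestMustCSRFWithConfig drives a middleware configured with TokenLength 16
// through its outcomes: a GET that seeds the "_csrf" cookie, POSTs that are
// rejected (no cookie; empty X-CSRF-Token header), and a POST whose header
// token matches the cookie token and therefore reaches the handler.
func TestMustCSRFWithConfig(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	csrf := CSRFWithConfig(CSRFConfig{
		TokenLength: 16,
	})
	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Generate CSRF token. The handler result is checked so that a middleware
	// error on the seeding request cannot go unnoticed.
	assert.NoError(t, h(c))
	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")

	// Without CSRF cookie
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	assert.Error(t, h(c))

	// Empty/invalid CSRF token
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderXCSRFToken, "")
	assert.Error(t, h(c))

	// Valid CSRF token. A fresh request, recorder and context are used so the
	// status/body assertions below cannot be satisfied by state left over from
	// the rejected request above (a new recorder reports 200 until written to).
	token := randomString(16)
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderCookie, "_csrf="+token)
	req.Header.Set(echo.HeaderXCSRFToken, token)
	if assert.NoError(t, h(c)) {
		assert.Equal(t, http.StatusOK, rec.Code)
		// The body proves the wrapped handler actually ran.
		assert.Equal(t, "test", rec.Body.String())
	}
}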
// TestCSRFTokenFromForm verifies the form-field token extractor: it returns the
// value of the configured field from a url-encoded POST body and reports an
// error when that field is absent.
func TestCSRFTokenFromForm(t *testing.T) {
	form := url.Values{}
	form.Set("csrf", "token")

	e := echo.New()
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(form.Encode()))
	req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)
	c := e.NewContext(req, nil)

	extract := csrfTokenFromForm("csrf")
	token, err := extract(c)
	if assert.NoError(t, err) {
		assert.Equal(t, "token", token)
	}

	// A field that is not part of the body must yield an error, not an empty token.
	_, err = csrfTokenFromForm("invalid")(c)
	assert.Error(t, err)
}
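// TestCSRFTokenFromQuery verifies the query-parameter token extractor: it
// returns the value of the configured parameter from the request's query
// string and reports an error when that parameter is absent.
func TestCSRFTokenFromQuery(t *testing.T) {
	q := make(url.Values)
	q.Set("csrf", "token")

	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)
	req.URL.RawQuery = q.Encode()
	c := e.NewContext(req, nil)

	token, err := csrfTokenFromQuery("csrf")(c)
	if assert.NoError(t, err) {
		assert.Equal(t, "token", token)
	}

	// A parameter that is not part of the query string must yield an error.
	_, err = csrfTokenFromQuery("invalid")(c)
	assert.Error(t, err)
}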
// TestCSRFSetSameSiteMode checks that CookieSameSite set to Strict shows up as
// a "SameSite=Strict" attribute on the cookie the middleware issues.
func TestCSRFSetSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	h := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteStrictMode,
	})(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	assert.NoError(t, h(c))

	cookies := rec.Header()["Set-Cookie"]
	assert.Regexp(t, "SameSite=Strict", cookies)
}
// TestCSRFWithoutSameSiteMode checks that a zero CookieSameSite produces a
// cookie without any "SameSite=" attribute.
func TestCSRFWithoutSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	h := CSRFWithConfig(CSRFConfig{})(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	assert.NoError(t, h(c))

	cookies := rec.Header()["Set-Cookie"]
	assert.NotRegexp(t, "SameSite=", cookies)
}
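// TestCSRFWithSameSiteDefaultMode checks that CookieSameSite set to
// http.SameSiteDefaultMode, like the zero value, produces a cookie without any
// "SameSite=" attribute.
func TestCSRFWithSameSiteDefaultMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteDefaultMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	assert.NoError(t, h(c))

	cookies := rec.Header()["Set-Cookie"]
	// Report the issued cookie through the test log (shown with -v or on
	// failure) instead of printing to stdout on every run.
	t.Logf("Set-Cookie: %s", fmt.Sprint(cookies))
	assert.NotRegexp(t, "SameSite=", cookies)
}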
// TestCSRFWithSameSiteModeNone checks that CookieSameSite set to None yields a
// cookie carrying both "SameSite=None" and the "Secure" attribute, using the
// CSRFConfig.ToMiddleware constructor.
func TestCSRFWithSameSiteModeNone(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	cfg := CSRFConfig{
		CookieSameSite: http.SameSiteNoneMode,
	}
	csrf, err := cfg.ToMiddleware()
	assert.NoError(t, err)

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	assert.NoError(t, h(c))

	cookies := rec.Header()["Set-Cookie"]
	assert.Regexp(t, "SameSite=None", cookies)
	assert.Regexp(t, "Secure", cookies)
}