echo/middleware/csrf_test.go

package middleware

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/labstack/gommon/random"
	"github.com/stretchr/testify/assert"
)

func TestCSRF(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	csrf := CSRFWithConfig(CSRFConfig{
		TokenLength: 16,
	})
	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Generate CSRF token
	h(c)
	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")

	// Without CSRF cookie
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	assert.Error(t, h(c))

	// Empty/invalid CSRF token
	req = httptest.NewRequest(http.MethodPost, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderXCSRFToken, "")
	assert.Error(t, h(c))

	// Valid CSRF token
	token := random.String(16)
	req.Header.Set(echo.HeaderCookie, "_csrf="+token)
	req.Header.Set(echo.HeaderXCSRFToken, token)
	if assert.NoError(t, h(c)) {
		assert.Equal(t, http.StatusOK, rec.Code)
	}
}

func TestCSRFTokenFromForm(t *testing.T) {
	f := make(url.Values)
	f.Set("csrf", "token")
	e := echo.New()
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(f.Encode()))
	req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)
	c := e.NewContext(req, nil)
	token, err := csrfTokenFromForm("csrf")(c)
	if assert.NoError(t, err) {
		assert.Equal(t, "token", token)
	}
	_, err = csrfTokenFromForm("invalid")(c)
	assert.Error(t, err)
}

func TestCSRFTokenFromQuery(t *testing.T) {
	q := make(url.Values)
	q.Set("csrf", "token")
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)
	req.URL.RawQuery = q.Encode()
	c := e.NewContext(req, nil)
	token, err := csrfTokenFromQuery("csrf")(c)
	if assert.NoError(t, err) {
		assert.Equal(t, "token", token)
	}
	_, err = csrfTokenFromQuery("invalid")(c)
	assert.Error(t, err)
	csrfTokenFromQuery("csrf")
}

func TestCSRFSetSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteStrictMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.Regexp(t, "SameSite=Strict", rec.Header()["Set-Cookie"])
}

func TestCSRFWithoutSameSiteMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
}

func TestCSRFWithSameSiteDefaultMode(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	csrf := CSRFWithConfig(CSRFConfig{
		CookieSameSite: http.SameSiteDefaultMode,
	})

	h := csrf(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	r := h(c)
	assert.NoError(t, r)
	fmt.Println(rec.Header()["Set-Cookie"])
	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
}
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`package middleware`

			`import (`
Fix #1523 by adding secure cookie if SameSite mode is None 2020-12-03 09:21:31 +02:00			`"fmt"`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`"net/http"`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`"net/http/httptest"`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`"net/url"`
			`"strings"`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`"testing"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Using random string from gommon Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-19 08:24:50 +02:00			`"github.com/labstack/gommon/random"`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestCSRF(t *testing.T) {`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec := httptest.NewRecorder()`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`c := e.NewContext(req, rec)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`csrf := CSRFWithConfig(CSRFConfig{`
Fixed #600 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-17 05:13:27 +02:00			`TokenLength: 16,`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`})`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`// Generate CSRF token`
			`h(c)`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")`

			`// Without CSRF cookie`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodPost, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`c = e.NewContext(req, rec)`
			`assert.Error(t, h(c))`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00
			`// Empty/invalid CSRF token`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodPost, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`c = e.NewContext(req, rec)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderXCSRFToken, "")`
Fixed #597 (#598) Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-14 01:55:46 +02:00			`assert.Error(t, h(c))`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00
			`// Valid CSRF token`
Using random string from gommon Signed-off-by: Vishal Rana <vr@labstack.com> 2016-07-19 08:24:50 +02:00			`token := random.String(16)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderCookie, "_csrf="+token)`
			`req.Header.Set(echo.HeaderXCSRFToken, token)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`if assert.NoError(t, h(c)) {`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`assert.Equal(t, http.StatusOK, rec.Code)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`}`
			`}`

			`func TestCSRFTokenFromForm(t *testing.T) {`
			`f := make(url.Values)`
			`f.Set("csrf", "token")`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(f.Encode()))`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`c := e.NewContext(req, nil)`
			`token, err := csrfTokenFromForm("csrf")(c)`
			`if assert.NoError(t, err) {`
			`assert.Equal(t, "token", token)`
			`}`
Underscoring unnecessary variables on CSRF test (#836) 2017-04-01 18:29:12 +02:00			`_, err = csrfTokenFromForm("invalid")(c)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`assert.Error(t, err)`
			`}`

			`func TestCSRFTokenFromQuery(t *testing.T) {`
			`q := make(url.Values)`
			`q.Set("csrf", "token")`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Add(echo.HeaderContentType, echo.MIMEApplicationForm)`
Fixed #990 Signed-off-by: Vishal Rana <vr@labstack.com> 2017-12-28 20:41:13 +02:00			`req.URL.RawQuery = q.Encode()`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`c := e.NewContext(req, nil)`
			`token, err := csrfTokenFromQuery("csrf")(c)`
			`if assert.NoError(t, err) {`
			`assert.Equal(t, "token", token)`
			`}`
Underscoring unnecessary variables on CSRF test (#836) 2017-04-01 18:29:12 +02:00			`_, err = csrfTokenFromQuery("invalid")(c)`
More coverage and better response adapter for standard/response Signed-off-by: Vishal Rana <vr@labstack.com> 2016-06-07 07:27:36 +02:00			`assert.Error(t, err)`
			`csrfTokenFromQuery("csrf")`
Added CSRF middleware, #341. Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-13 02:45:00 +02:00			`}`
Fix #1523 by adding SameSite mode for CSRF settings 2020-03-04 17:14:23 +02:00
			`func TestCSRFSetSameSiteMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`CookieSameSite: http.SameSiteStrictMode,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.Regexp(t, "SameSite=Strict", rec.Header()["Set-Cookie"])`
			`}`

			`func TestCSRFWithoutSameSiteMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])`
			`}`
Fix #1523 by adding secure cookie if SameSite mode is None 2020-12-03 09:21:31 +02:00
			`func TestCSRFWithSameSiteDefaultMode(t *testing.T) {`
			`e := echo.New()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`rec := httptest.NewRecorder()`
			`c := e.NewContext(req, rec)`

			`csrf := CSRFWithConfig(CSRFConfig{`
			`CookieSameSite: http.SameSiteDefaultMode,`
			`})`

			`h := csrf(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`r := h(c)`
			`assert.NoError(t, r)`
			`fmt.Println(rec.Header()["Set-Cookie"])`
			`assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])`
			`}`