go/echo
1
0
Fork 0
mirror of https://github.com/labstack/echo.git synced 2025-07-15 01:34:53 +02:00
Code Issues Releases Activity

Fix #1523 by adding SameSite mode for CSRF settings

Browse Source
This commit is contained in:
Vadim Sabirov
2020-03-04 18:14:23 +03:00
parent 3e8a797db0
commit 8b2c77b107
2 changed files with 53 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
middleware/csrf_test.go
View File

@ -81,3 +81,39 @@ func TestCSRFTokenFromQuery(t *testing.T) {
assert.Error(t, err)
csrfTokenFromQuery("csrf")
}
func TestCSRFSetSameSiteMode(t *testing.T) {
e := echo.New()
req := httptest.NewRequest(http.MethodGet, "/", nil)
rec := httptest.NewRecorder()
c := e.NewContext(req, rec)
csrf := CSRFWithConfig(CSRFConfig{
CookieSameSite: http.SameSiteStrictMode,
})
h := csrf(func(c echo.Context) error {
return c.String(http.StatusOK, "test")
})
r := h(c)
assert.NoError(t, r)
assert.Regexp(t, "SameSite=Strict", rec.Header()["Set-Cookie"])
}
func TestCSRFWithoutSameSiteMode(t *testing.T) {
e := echo.New()
req := httptest.NewRequest(http.MethodGet, "/", nil)
rec := httptest.NewRecorder()
c := e.NewContext(req, rec)
csrf := CSRFWithConfig(CSRFConfig{})
h := csrf(func(c echo.Context) error {
return c.String(http.StatusOK, "test")
})
r := h(c)
assert.NoError(t, r)
assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
}