Add a request spec exercising XSRF-TOKEN continuity across common multi-request logout flows

jordanhiltunen · jordanhiltunen · commit 928ca2652ec9 · 2024-05-27T11:19:48.000-04:00
diff --git a/spec/dummy/app/controllers/inertia_session_continuity_test_controller.rb b/spec/dummy/app/controllers/inertia_session_continuity_test_controller.rb
@@ -0,0 +1,15 @@
+class InertiaSessionContinuityTestController < ApplicationController
+  def initialize_session
+    render inertia: 'TestNewSessionComponent'
+  end
+
+  def submit_form_to_test_csrf
+    render inertia: 'TestComponent'
+  end
+
+  def clear_session
+    session.clear
+
+    return redirect_to initialize_session_path
+  end
+end
diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb
@@ -41,4 +41,8 @@
   get 'merge_instance_props' => 'inertia_merge_instance_props#merge_instance_props'
 
   get 'lamda_shared_props' => 'inertia_lambda_shared_props#lamda_shared_props'
+
+  get 'initialize_session' => 'inertia_session_continuity_test#initialize_session'
+  post 'submit_form_to_test_csrf' => 'inertia_session_continuity_test#submit_form_to_test_csrf'
+  delete 'clear_session' => 'inertia_session_continuity_test#clear_session'
 end
diff --git a/spec/inertia/request_spec.rb b/spec/inertia/request_spec.rb
@@ -131,5 +131,27 @@
         it { is_expected.to be_nil }
       end
     end
+
+    it 'sets the XSRF-TOKEN cookie after the session is cleared during an inertia call' do
+      with_forgery_protection do
+        get initialize_session_path
+        expect(response).to have_http_status(:ok)
+        initial_xsrf_token_cookie = response.cookies['XSRF-TOKEN']
+
+        post submit_form_to_test_csrf_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => initial_xsrf_token_cookie }
+        expect(response).to have_http_status(:ok)
+
+        delete clear_session_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => initial_xsrf_token_cookie }
+        expect(response).to have_http_status(:see_other)
+        expect(response.headers['Location']).to eq('http://www.example.com/initialize_session')
+
+        post_logout_xsrf_token_cookie = response.cookies['XSRF-TOKEN']
+        expect(post_logout_xsrf_token_cookie).not_to be_nil
+        expect(post_logout_xsrf_token_cookie).not_to eq(initial_xsrf_token_cookie)
+
+        post submit_form_to_test_csrf_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => post_logout_xsrf_token_cookie }
+        expect(response).to have_http_status(:ok)
+      end
+    end
   end
 end
