
Commit 7e74bc9

committed
1 parent fdbfc90 commit 7e74bc9


5 files changed

+1854
-0
lines changed

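--- a/CsrfDirectivesTest.java
+++ b/CsrfDirectivesTest.java
@@ -0,0 +1,236 @@
+package com.softwaremill.session.javadsl;
+
+import akka.http.javadsl.model.FormData;
+import akka.http.javadsl.model.HttpRequest;
+import akka.http.javadsl.model.HttpResponse;
+import akka.http.javadsl.model.StatusCodes;
+import akka.http.javadsl.model.headers.Cookie;
+import akka.http.javadsl.model.headers.HttpCookie;
+import akka.http.javadsl.model.headers.RawHeader;
+import akka.http.javadsl.server.Route;
+import akka.http.javadsl.testkit.TestRouteResult;
+import akka.japi.Pair;
+import com.softwaremill.session.CsrfCheckMode;
+import com.softwaremill.session.SessionContinuity;
+import com.softwaremill.session.SetSessionTransport;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class CsrfDirectivesTest extends HttpSessionAwareDirectivesTest {
+
+protected Route buildRoute(HttpSessionAwareDirectives<String> testDirectives, SessionContinuity<String> oneOff, SessionContinuity<String> refreshable, SetSessionTransport sessionTransport, CsrfCheckMode<String> csrfCheckMode) {
+return route(
+testDirectives.randomTokenCsrfProtection(csrfCheckMode, () ->
+route(
+get(() ->
+path("site", () ->
+complete("ok")
+)
+),
+post(() ->
+route(
+path("login", () ->
+testDirectives.setNewCsrfToken(csrfCheckMode, () ->
+complete("ok"))),
+path("transfer_money", () ->
+complete("ok")
+)
+)
+)
+)
+)
+);
+
+}
+
+@Test
+public void shouldSetTheCsrfCookieOnTheFirstGetRequestOnly() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK)
+.assertEntity("ok");
+
+// and
+HttpResponse response = testRouteResult.response();
+HttpCookie csrfCookie = getCsrfTokenCookieValues(response);
+Assert.assertNotNull(csrfCookie.value());
+
+/* second request */
+// when
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.GET("/site")
+.addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
+);
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.OK)
+.assertEntity("ok");
+
+// and
+HttpResponse response2 = testRouteResult2.response();
+HttpCookie cookieValues2 = getCsrfTokenCookieValues(response2);
+Assert.assertNull(cookieValues2);
+
+}
+
+@Test
+public void shouldRejectRequestsIfTheCsrfCookieDoesNotMatchTheHeaderValue() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK);
+
+// and
+HttpCookie csrfCookie = getCsrfTokenCookieValues(testRouteResult.response());
+
+/* second request */
+// when
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.POST("/transfer_money")
+.addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
+.addHeader(RawHeader.create(csrfSubmittedName, "something else"))
+);
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.FORBIDDEN);
+}
+
+@Test
+public void shouldRejectRequestsIfTheCsrfCookieIsNotSet() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK);
+
+/* second request */
+// when
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.POST("/transfer_money"));
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.FORBIDDEN);
+
+
+}
+
+@Test
+public void shouldAcceptRequestsIfTheCsrfCookieMatchesTheHeaderValue() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK);
+
+// and
+HttpCookie csrfCookie = getCsrfTokenCookieValues(testRouteResult.response());
+
+/* second request */
+// when
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.POST("/transfer_money")
+.addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
+.addHeader(RawHeader.create(csrfSubmittedName, csrfCookie.value()))
+);
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.OK)
+.assertEntity("ok");
+
+}
+
+@Test
+public void shouldAcceptRequestsIfTheCsrfCookieMatchesTheFormFieldValue() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderAndFormMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK);
+
+// and
+HttpCookie csrfCookie = getCsrfTokenCookieValues(testRouteResult.response());
+
+/* second request */
+// when
+final FormData formData = FormData.create(
+Pair.create(csrfSubmittedName, csrfCookie.value())
+);
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.POST("/transfer_money").withEntity(formData.toEntity())
+.addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
+);
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.OK)
+.assertEntity("ok");
+}
+
+@Test
+public void shouldSetANewCsrfCookieWhenRequested() {
+// given
+final Route route = createCsrfRouteWithCheckHeaderMode();
+
+// when
+TestRouteResult testRouteResult = testRoute(route)
+.run(HttpRequest.GET("/site"));
+
+// then
+testRouteResult
+.assertStatusCode(StatusCodes.OK);
+
+// and
+HttpCookie csrfCookie = getCsrfTokenCookieValues(testRouteResult.response());
+
+/* second request */
+// when
+TestRouteResult testRouteResult2 = testRoute(route)
+.run(HttpRequest.POST("/login")
+.addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
+.addHeader(RawHeader.create(csrfSubmittedName, csrfCookie.value()))
+);
+
+// then
+testRouteResult2
+.assertStatusCode(StatusCodes.OK)
+.assertEntity("ok");
+
+// and
+HttpCookie csrfCookie2 = getCsrfTokenCookieValues(testRouteResult2.response());
+Assert.assertNotEquals(csrfCookie.value(), csrfCookie2.value());
+
+}
+
+}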
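Review bot: None of the rejection tests covers the case where the CSRF cookie is present but no token is submitted at all — `shouldRejectRequestsIfTheCsrfCookieIsNotSet` sends neither cookie nor header, and the mismatch test sends a wrong header value, so the "submitted value absent while cookie set" branch of the double-submit check is never exercised, and the form-field mode (`createCsrfRouteWithCheckHeaderAndFormMode`) has only a positive case with no mismatched or missing field. I would add the test below to the header-mode suite and a mirror of it for form mode. Separately, `getCsrfTokenCookieValues` can return null (the first test asserts exactly that), so an `Assert.assertNotNull(csrfCookie);` before each `csrfCookie.value()` call would turn a silent NPE into a clear assertion failure if the cookie is ever not issued.
```java
// … unchanged: existing tests …
@Test
public void shouldRejectRequestsIfTheCsrfCookieIsSetButNoTokenIsSubmitted() {
    // given
    final Route route = createCsrfRouteWithCheckHeaderMode();
    HttpCookie csrfCookie = getCsrfTokenCookieValues(testRoute(route).run(HttpRequest.GET("/site")).response());
    Assert.assertNotNull(csrfCookie);

    // when: cookie present, but neither header nor form field carries the token
    TestRouteResult testRouteResult2 = testRoute(route)
        .run(HttpRequest.POST("/transfer_money")
            .addHeader(Cookie.create(csrfCookieName, csrfCookie.value()))
        );

    // then
    testRouteResult2
        .assertStatusCode(StatusCodes.FORBIDDEN);
}
```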
