Posted to commits@couchdb.apache.org by kx...@apache.org on 2015/09/28 16:49:32 UTC

[03/39] couchdb commit: updated refs/heads/developer-preview-2.0 to 3ac3db6

CSRF tests

COUCHDB-2762


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/09b9a722
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/09b9a722
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/09b9a722

Branch: refs/heads/developer-preview-2.0
Commit: 09b9a722fe4c297eff7041b3426f8e067b921b25
Parents: 0c579b9
Author: Robert Newson <rn...@apache.org>
Authored: Tue Aug 4 11:53:25 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Wed Aug 5 14:15:01 2015 +0100

----------------------------------------------------------------------
 test/javascript/tests/csrf.js | 54 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/09b9a722/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
new file mode 100644
index 0000000..9baef82
--- /dev/null
+++ b/test/javascript/tests/csrf.js
@@ -0,0 +1,54 @@
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+couchTests.csrf = function(debug) {
+  if (debug) debugger;
+
+  // Handy function to cause CouchDB to delete the CSRF cookie
+  var deleteCsrf = function() {
+    var xhr = CouchDB.request("GET", "/",
+                              {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+    TEquals(403, xhr.status);
+  };
+
+  // Shouldn't receive header if we didn't ask for it
+  var xhr = CouchDB.request("GET", "/");
+  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
+  TEquals(200, xhr.status);
+
+  // Matching but invalid cookie/header should 403
+  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+  TEquals(403, xhr.status);
+  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
+
+  // Can I acquire a CouchDB-CSRF cookie?
+  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
+  var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
+  T(cookie, "Should receive cookie");
+
+  // If I have a cookie, do I get a 403 if I don't send the header?
+  xhr = CouchDB.request("GET", "/");
+  TEquals(403, xhr.status);
+  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
+
+  // If I have a cookie, do I get a 200 if I send a matching header?
+  xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+  TEquals(200, xhr.status);
+  TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
+
+  // How about the wrong header?
+  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+  TEquals(403, xhr.status);
+  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
+
+  deleteCsrf();
+};
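Review bot: On the cookie-acquisition step, `xhr.getResponseHeader("Set-Cookie").match(...)` throws a TypeError if the server sends no Set-Cookie header, so the "Should receive cookie" assertion on the next line can never report that failure; split it into `var setCookie = xhr.getResponseHeader("Set-Cookie");`, `T(setCookie, "Should receive cookie");`, `var cookie = setCookie.match('^CouchDB-CSRF=([^;]+)');`, and assert `TEquals(200, xhr.status)` on that request as the other steps do. The `deleteCsrf` helper is commented as causing CouchDB to delete the CSRF cookie, but it only asserts the 403; presumably that response carries a Set-Cookie that clears `CouchDB-CSRF`, and if so the helper should assert on it (or follow with a plain `GET /` expecting 200) so the test actually verifies the cleanup it claims and leaves the client in the state it started in. The 403 on the header-less request after acquiring the cookie appears to rely on the test client persisting cookies between `CouchDB.request` calls; a short comment stating that assumption would help whoever runs this outside the browser harness.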