You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by kx...@apache.org on 2015/09/28 16:49:50 UTC
[21/39] couchdb commit: updated refs/heads/developer-preview-2.0 to
3ac3db6
Adapt csrf test to hit form data endpoint
COUCHDB-2797
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/315832d4
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/315832d4
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/315832d4
Branch: refs/heads/developer-preview-2.0
Commit: 315832d4dbc402347e4154eaf17b20587bbb6ea0
Parents: 93cc067
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 3 22:06:58 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 3 22:06:58 2015 +0100
----------------------------------------------------------------------
test/javascript/tests/csrf.js | 43 ++++++++++++++++++++++++++++----------
1 file changed, 32 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/315832d4/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
index 9799d6f..e16e78b 100644
--- a/test/javascript/tests/csrf.js
+++ b/test/javascript/tests/csrf.js
@@ -19,21 +19,26 @@ couchTests.csrf = function(debug) {
// Handy function to cause CouchDB to delete the CSRF cookie
var deleteCsrf = function() {
- var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
- body: '{"keys": []}',
- headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ var xhr = CouchDB.request("POST", "/_session", {
+ body: 'name=foo&password=bar',
+ headers: {'X-CouchDB-CSRF': 'foo',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
};
+ var testFun = function () {
// Shouldn't receive header if we didn't ask for it
var xhr = CouchDB.request("GET", "/");
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
TEquals(200, xhr.status);
// Matching but invalid cookie/header should 403
- xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
- body: '{"keys": []}',
- headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ xhr = CouchDB.request("POST", "/_session", {
+ body: 'name=foo&password=bar',
+ headers: {'X-CouchDB-CSRF': 'foo',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
@@ -43,21 +48,37 @@ couchTests.csrf = function(debug) {
T(cookie, "Should receive cookie");
// If I have a cookie, do I get a 403 if I don't send the header?
- xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
+ xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+ headers: {'Content-Type':
+ 'application/x-www-form-urlencoded'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
// If I have a cookie, do I get a 200 if I send a matching header?
- xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
- headers: {"X-CouchDB-CSRF": cookie[1]}});
+ xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+ headers: {"X-CouchDB-CSRF": cookie[1],
+ 'Content-Type': 'application/x-www-form-urlencoded'}});
TEquals(200, xhr.status);
TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
// How about the wrong header?
- xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
- headers: {'X-CouchDB-CSRF': 'foo'}});
+ xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+ headers: {'X-CouchDB-CSRF': 'foo',
+ 'Content-Type': 'application/x-www-form-urlencoded'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
deleteCsrf();
+ };
+
+ run_on_modified_server(
+ [
+ {section: "couch_httpd_auth",
+ key: "iterations", value: "1"},
+ {section: "admins",
+ key: "foo", value: "bar"}
+ ],
+ testFun
+ );
+
};