fiber/middleware/csrf/csrf_test.go

package csrf

import (
	"net/http/httptest"
	"strings"
	"testing"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/utils"
	"github.com/valyala/fasthttp"
)

func Test_CSRF(t *testing.T) {
	app := fiber.New()

	app.Use(New())

	app.Post("/", func(c *fiber.Ctx) error {
		return c.SendStatus(fiber.StatusOK)
	})

	h := app.Handler()
	ctx := &fasthttp.RequestCtx{}

	// Generate CSRF token
	ctx.Request.Header.SetMethod("GET")
	h(ctx)
	utils.AssertEqual(t, true, strings.Contains(string(ctx.Response.Header.Peek(fiber.HeaderSetCookie)), "_csrf"))

	// Without CSRF cookie
	ctx.Request.Reset()
	ctx.Response.Reset()
	ctx.Request.Header.SetMethod("POST")
	h(ctx)
	utils.AssertEqual(t, 403, ctx.Response.StatusCode())

	// Empty/invalid CSRF token
	ctx.Request.Reset()
	ctx.Response.Reset()
	ctx.Request.Header.SetMethod("POST")
	ctx.Request.Header.Set("X-CSRF-Token", "johndoe")
	h(ctx)
	utils.AssertEqual(t, 403, ctx.Response.StatusCode())

	// Valid CSRF token
	token := utils.UUID()
	ctx.Request.Reset()
	ctx.Response.Reset()
	ctx.Request.Header.SetMethod("POST")
	ctx.Request.Header.Set(fiber.HeaderCookie, "_csrf="+token)
	ctx.Request.Header.Set("X-CSRF-Token", token)
	h(ctx)
	utils.AssertEqual(t, 200, ctx.Response.StatusCode())
}

// go test -run Test_CSRF_Next
func Test_CSRF_Next(t *testing.T) {
	app := fiber.New(fiber.Config{
		DisableStartupMessage: true,
	})
	app.Use(New(Config{
		Next: func(_ *fiber.Ctx) bool {
			return true
		},
	}))

	resp, err := app.Test(httptest.NewRequest("GET", "/", nil))
	utils.AssertEqual(t, nil, err)
	utils.AssertEqual(t, fiber.StatusNotFound, resp.StatusCode)
}
⚡ v2 2020-09-13 11:20:11 +02:00			`package csrf`
⚡ v2 2020-09-14 05:47:17 +02:00
			`import (`
👷 improve mw test cases add Next test case 2020-09-16 09:44:05 +08:00			`"net/http/httptest"`
⚡ v2 2020-09-14 05:47:17 +02:00			`"strings"`
			`"testing"`

			`"github.com/gofiber/fiber/v2"`
🙌 make utils public Co-Authored-By: RW <7063188+ReneWerner87@users.noreply.github.com> 2020-09-14 12:12:29 +02:00			`"github.com/gofiber/fiber/v2/utils"`
⚡ v2 2020-09-14 05:47:17 +02:00			`"github.com/valyala/fasthttp"`
			`)`

			`func Test_CSRF(t *testing.T) {`
			`app := fiber.New()`

			`app.Use(New())`

			`app.Post("/", func(c *fiber.Ctx) error {`
			`return c.SendStatus(fiber.StatusOK)`
			`})`

			`h := app.Handler()`
			`ctx := &fasthttp.RequestCtx{}`

			`// Generate CSRF token`
			`ctx.Request.Header.SetMethod("GET")`
			`h(ctx)`
			`utils.AssertEqual(t, true, strings.Contains(string(ctx.Response.Header.Peek(fiber.HeaderSetCookie)), "_csrf"))`

			`// Without CSRF cookie`
			`ctx.Request.Reset()`
			`ctx.Response.Reset()`
			`ctx.Request.Header.SetMethod("POST")`
			`h(ctx)`
			`utils.AssertEqual(t, 403, ctx.Response.StatusCode())`

			`// Empty/invalid CSRF token`
			`ctx.Request.Reset()`
			`ctx.Response.Reset()`
			`ctx.Request.Header.SetMethod("POST")`
			`ctx.Request.Header.Set("X-CSRF-Token", "johndoe")`
			`h(ctx)`
			`utils.AssertEqual(t, 403, ctx.Response.StatusCode())`

			`// Valid CSRF token`
			`token := utils.UUID()`
			`ctx.Request.Reset()`
			`ctx.Response.Reset()`
			`ctx.Request.Header.SetMethod("POST")`
			`ctx.Request.Header.Set(fiber.HeaderCookie, "_csrf="+token)`
			`ctx.Request.Header.Set("X-CSRF-Token", token)`
			`h(ctx)`
			`utils.AssertEqual(t, 200, ctx.Response.StatusCode())`
			`}`
👷 improve mw test cases add Next test case 2020-09-16 09:44:05 +08:00
			`// go test -run Test_CSRF_Next`
			`func Test_CSRF_Next(t *testing.T) {`
			`app := fiber.New(fiber.Config{`
			`DisableStartupMessage: true,`
			`})`
			`app.Use(New(Config{`
			`Next: func(_ *fiber.Ctx) bool {`
			`return true`
			`},`
			`}))`

			`resp, err := app.Test(httptest.NewRequest("GET", "/", nil))`
			`utils.AssertEqual(t, nil, err)`
			`utils.AssertEqual(t, fiber.StatusNotFound, resp.StatusCode)`
			`}`