peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-13 06:20:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
jojo/tests/integration/create_no_session_test.go
Gusted a4642af51a feat: replace cross origin protection (#9830) 
Replace the anti-CSRF token with a [cross origin protection by Go](https://go.dev/doc/go1.25#nethttppkgnethttp) that uses a stateless way of verifying if a request was cross origin or not. This allows is to remove al lot of code and replace it with a few lines of code and we no longer have to hand roll this protection. The new protection uses indicators by the browser itself that indicate if the request is cross-origin, thus we no longer have to take care of ensuring the generated CSRF token is passed back to the server any request by the the browser will have send this indicator.

Resolves forgejo/forgejo#3538

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9830
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-10-29 22:43:22 +01:00

106 lines
2.7 KiB
Go
Raw Blame History

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"testing"
"forgejo.org/modules/json"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/routers"
"forgejo.org/tests"
"code.forgejo.org/go-chi/session"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func getSessionID(t *testing.T, resp *httptest.ResponseRecorder) string {
cookies := resp.Result().Cookies()
found := false
sessionID := ""
for _, cookie := range cookies {
if cookie.Name == setting.SessionConfig.CookieName {
sessionID = cookie.Value
found = true
}
}
assert.True(t, found)
assert.NotEmpty(t, sessionID)
return sessionID
}
func sessionFile(tmpDir, sessionID string) string {
return filepath.Join(tmpDir, sessionID[0:1], sessionID[1:2], sessionID)
}
func sessionFileExist(t *testing.T, tmpDir, sessionID string) bool {
sessionFile := sessionFile(tmpDir, sessionID)
_, err := os.Lstat(sessionFile)
if err != nil {
if os.IsNotExist(err) {
return false
}
require.NoError(t, err)
}
return true
}
func TestSessionFileCreation(t *testing.T) {
defer tests.PrepareTestEnv(t)()
defer test.MockProtect(&setting.SessionConfig.ProviderConfig)()
defer test.MockProtect(&testWebRoutes)()
var config session.Options
err := json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &config)
require.NoError(t, err)
config.Provider = "file"
// Now create a temporaryDirectory
tmpDir := t.TempDir()
config.ProviderConfig = tmpDir
newConfigBytes, err := json.Marshal(config)
require.NoError(t, err)
setting.SessionConfig.ProviderConfig = string(newConfigBytes)
testWebRoutes = routers.NormalRoutes()
t.Run("NoSessionOnViewIssue", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", "/user2/repo1/issues/1")
resp := MakeRequest(t, req, http.StatusOK)
sessionID := getSessionID(t, resp)
// We're not logged in so there should be no session
assert.False(t, sessionFileExist(t, tmpDir, sessionID))
})
t.Run("CreateSessionOnLogin", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", "/user/login")
resp := MakeRequest(t, req, http.StatusOK)
sessionID := getSessionID(t, resp)
// We're not logged in so there should be no session
assert.False(t, sessionFileExist(t, tmpDir, sessionID))
req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
"user_name": "user2",
"password": userPassword,
})
resp = MakeRequest(t, req, http.StatusSeeOther)
sessionID = getSessionID(t, resp)
assert.FileExists(t, sessionFile(tmpDir, sessionID))
})
}
Reference in a new issue View git blame Copy permalink