Backend and frontend protection against csrf attacks:

- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content

Issue #612

1 files changed, 12 insertions, 1 deletions

diff --git a/service/test/support/test_helper.py b/service/test/support/test_helper.py
index 77c74407..640baf6f 100644
--- a/service/test/support/test_helper.py
+++ b/service/test/support/test_helper.py
@@ -88,6 +88,7 @@ class PixRequestMock(DummyRequest):
         DummyRequest.__init__(self, path)
         self.content = None
         self.code = None
+        self.cookies = {}
 
     def getWrittenData(self):
         if len(self.written):
@@ -97,8 +98,14 @@ class PixRequestMock(DummyRequest):
         self.setResponseCode(302)
         self.setHeader(b"location", url)
 
+    def addCookie(self, key, value):
+        self.cookies[key] = value
 
-def request_mock(path='', method='GET', body='', headers={}):
+    def getCookie(self, key):
+        return self.cookies.get(key)
+
+
+def request_mock(path='', method='GET', body='', headers={}, ajax=True, csrf='token'):
     dummy = PixRequestMock(path.split('/'))
     for name, val in headers.iteritems():
         dummy.headers[name.lower()] = val
@@ -108,5 +115,9 @@ def request_mock(path='', method='GET', body='', headers={}):
     else:
         for key, val in body.items():
             dummy.addArg(key, val)
+    if ajax:
+        dummy.headers['x-requested-with'] = 'XMLHttpRequest'
+        dummy.headers['x-xsrf-token'] = csrf
+        dummy.addCookie('XSRF-TOKEN', csrf)
 
     return dummy