author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
---|---|---|
committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /web-ui/test/spec | |
parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) |
Backend and frontend protection against csrf attacks:
- root resources change the csrf token cookie every time they are loaded, in particular during the interstitial load during login
- it will also add that cookie in single user mode
- initialize will still load all resources
- but you can't access them if the csrf token does not match
- all ajax calls need to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax posts will have to send the token as a form input or in the content
Issue #612
Diffstat (limited to 'web-ui/test/spec')
-rw-r--r-- | web-ui/test/spec/helpers/browser.spec.js | 12 | ||||
-rw-r--r-- | web-ui/test/spec/helpers/monitored_ajax_call.spec.js | 24 |
2 files changed, 33 insertions, 3 deletions
diff --git a/web-ui/test/spec/helpers/browser.spec.js b/web-ui/test/spec/helpers/browser.spec.js new file mode 100644 index 00000000..5b740da8 --- /dev/null +++ b/web-ui/test/spec/helpers/browser.spec.js @@ -0,0 +1,12 @@ +define(['helpers/browser'], function (browser) { + 'use strict'; + + describe('browser ', function() { + it('gets cookie', function() { + document.cookie = 'TWISTED_SESSION=ff895ffc45a4ce140bfc5dda6c61d232; i18next=en-us'; + expect(browser.getCookie('TWISTED_SESSION')).toEqual('ff895ffc45a4ce140bfc5dda6c61d232'); + expect(browser.getCookie('i18next')).toEqual('en-us'); + }); + + }); +}); diff --git a/web-ui/test/spec/helpers/monitored_ajax_call.spec.js b/web-ui/test/spec/helpers/monitored_ajax_call.spec.js index 972ca3ae..c0d55198 100644 --- a/web-ui/test/spec/helpers/monitored_ajax_call.spec.js +++ b/web-ui/test/spec/helpers/monitored_ajax_call.spec.js @@ -1,6 +1,24 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { 'use strict'; describe('monitoredAjaxCall', function () { + + describe('default configs', function () { + + it('should always attach the xsrf token in the header', function () { + var component = { trigger: function () {}}; + var d = $.Deferred(); + spyOn($, 'ajax').and.returnValue(d); + document.cookie = 'XSRF-TOKEN=ff895ffc45a4ce140bfc5dda6c61d232; i18next=en-us'; + var anyUrl = '/'; + + monitoredAjax(component, anyUrl, {}); + + expect($.ajax.calls.mostRecent().args[1].headers).toEqual({ 'X-XSRF-TOKEN' : 'ff895ffc45a4ce140bfc5dda6c61d232' }); + + }); + + }); + describe('when dealing with errors', function () { _.each( @@ -19,7 +37,7 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { d.reject({ responseJSON: {}}, errorType, ''); expect(component.trigger).toHaveBeenCalledWith(document, Pixelated.events.ui.userAlerts.displayMessage, - { message: errorMessage }); + { message: errorMessage, class: 'error' }); }); }); 
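Review bot: The single assignment `document.cookie = 'TWISTED_SESSION=ff895ffc45a4ce140bfc5dda6c61d232; i18next=en-us';` in the new 'gets cookie' case stores only TWISTED_SESSION, because a browser treats everything after the first `;` in a document.cookie assignment as cookie attributes, so `i18next=en-us` is discarded and the second expectation only passes if an i18next cookie already exists in the test browser. Set each cookie in its own statement, `document.cookie = 'TWISTED_SESSION=ff895ffc45a4ce140bfc5dda6c61d232'; document.cookie = 'i18next=en-us';`. Neither this spec nor the new 'default configs' case in monitored_ajax_call.spec.js removes what it wrote, so the session and XSRF-TOKEN values leak into every later spec of the same run; an `afterEach` that expires them, e.g. `document.cookie = 'TWISTED_SESSION=; expires=Thu, 01 Jan 1970 00:00:00 GMT';`, keeps the cases independent of each other.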
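Review bot: The new 'should always attach the xsrf token in the header' case only pins the happy path in which an XSRF-TOKEN cookie exists; it says nothing about what `monitoredAjax` sends when the cookie is absent (no header at all versus `'X-XSRF-TOKEN': undefined`) or whether headers supplied by the caller in the third argument survive the merge, and those are presumably the requests the server-side token check will reject. Add a case that expires the cookie before the call and asserts on `$.ajax.calls.mostRecent().args[1].headers`, and one that passes `{ headers: { 'X-Custom': 'x' } }` and expects both keys in the resulting headers. Since `toEqual` compares the whole headers object, the current assertion will also start failing as soon as any other default header is added; a comment stating that the exact-match is intentional would save the next maintainer a guess.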
@@ -33,7 +51,7 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { d.reject({ responseJSON: { message: 'Server Message'}}, 'error', ''); expect(component.trigger).toHaveBeenCalledWith(document, Pixelated.events.ui.userAlerts.displayMessage, - { message: 'Server Message' }); + { message: 'Server Message', class: 'error' }); }); }); @@ -76,4 +94,4 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { }); }); -});
\ No newline at end of file +}); |