Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-27 09:06:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

test: add failing guest csrf test (#10169)

Browse Source 
* test: add failing guest csrf test

* test: use correct var

* fix: use applyCsrf for guests as well
This commit is contained in:
Barış Soner Uşaklı
2022-01-20 18:22:10 -05:00
committed by GitHub
parent f090de3688
commit 10949184ca
2 changed files with 42 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/middleware/user.js
View File

@@ -42,12 +42,12 @@ module.exports = function (middleware) {
return true; return true;
} }
if (req.loggedIn) { if (res.locals.isAPI && (req.loggedIn || !req.headers.hasOwnProperty('authorization'))) {
// If authenticated via cookie (express-session), protect routes with CSRF checking // If authenticated via cookie (express-session), protect routes with CSRF checking
if (res.locals.isAPI) { await middleware.applyCSRFasync(req, res);
await middleware.applyCSRFasync(req, res); }
}
if (req.loggedIn) {
return true; return true;
} else if (req.headers.hasOwnProperty('authorization')) { } else if (req.headers.hasOwnProperty('authorization')) {
const user = await passportAuthenticateAsync(req, res); const user = await passportAuthenticateAsync(req, res);

44
test/topics.js
View File

@@ -130,17 +130,41 @@ describe('Topic\'s', () => {
}); });
}); });
it('should fail to post a topic as guest if no privileges', async () => { it('should fail to post a topic as guest with invalid csrf_token', async () => {
const categoryObj = await categories.create({ const categoryObj = await categories.create({
name: 'Test Category', name: 'Test Category',
description: 'Test category created by testing script', description: 'Test category created by testing script',
}); });
await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests');
await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, { const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, {
form: { form: {
title: 'just a title', title: 'just a title',
cid: categoryObj.cid, cid: categoryObj.cid,
content: 'content for the main post', content: 'content for the main post',
}, },
headers: {
'x-csrf-token': 'invalid',
},
json: true,
});
assert.strictEqual(result.res.statusCode, 403);
assert.strictEqual(result.body, 'Forbidden');
});
it('should fail to post a topic as guest if no privileges', async () => {
const categoryObj = await categories.create({
name: 'Test Category',
description: 'Test category created by testing script',
});
const jar = request.jar();
const result = await helpers.request('post', `/api/v3/topics`, {
form: {
title: 'just a title',
cid: categoryObj.cid,
content: 'content for the main post',
},
jar: jar,
json: true, json: true,
}); });
assert.strictEqual(result.body.status.message, 'You do not have enough privileges for this action.'); assert.strictEqual(result.body.status.message, 'You do not have enough privileges for this action.');
@@ -154,12 +178,14 @@ describe('Topic\'s', () => {
await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests'); await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests');
await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests'); await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, { const jar = request.jar();
const result = await helpers.request('post', `/api/v3/topics`, {
form: { form: {
title: 'just a title', title: 'just a title',
cid: categoryObj.cid, cid: categoryObj.cid,
content: 'content for the main post', content: 'content for the main post',
}, },
jar: jar,
json: true, json: true,
}); });
@@ -167,10 +193,11 @@ describe('Topic\'s', () => {
assert.strictEqual(result.body.response.title, 'just a title'); assert.strictEqual(result.body.response.title, 'just a title');
assert.strictEqual(result.body.response.user.username, '[[global:guest]]'); assert.strictEqual(result.body.response.user.username, '[[global:guest]]');
const replyResult = await requestType('post', `${nconf.get('url')}/api/v3/topics/${result.body.response.tid}`, { const replyResult = await helpers.request('post', `/api/v3/topics/${result.body.response.tid}`, {
form: { form: {
content: 'a reply by guest', content: 'a reply by guest',
}, },
jar: jar,
json: true, json: true,
}); });
assert.strictEqual(replyResult.body.response.content, 'a reply by guest'); assert.strictEqual(replyResult.body.response.content, 'a reply by guest');
@@ -186,13 +213,14 @@ describe('Topic\'s', () => {
await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests'); await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
const oldValue = meta.config.allowGuestHandles; const oldValue = meta.config.allowGuestHandles;
meta.config.allowGuestHandles = 1; meta.config.allowGuestHandles = 1;
const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, { const result = await helpers.request('post', `/api/v3/topics`, {
form: { form: {
title: 'just a title', title: 'just a title',
cid: categoryObj.cid, cid: categoryObj.cid,
content: 'content for the main post', content: 'content for the main post',
handle: 'guest123', handle: 'guest123',
}, },
jar: request.jar(),
json: true, json: true,
}); });
@@ -201,11 +229,12 @@ describe('Topic\'s', () => {
assert.strictEqual(result.body.response.user.username, 'guest123'); assert.strictEqual(result.body.response.user.username, 'guest123');
assert.strictEqual(result.body.response.user.displayname, 'guest123'); assert.strictEqual(result.body.response.user.displayname, 'guest123');
const replyResult = await requestType('post', `${nconf.get('url')}/api/v3/topics/${result.body.response.tid}`, { const replyResult = await helpers.request('post', `/api/v3/topics/${result.body.response.tid}`, {
form: { form: {
content: 'a reply by guest', content: 'a reply by guest',
handle: 'guest124', handle: 'guest124',
}, },
jar: request.jar(),
json: true, json: true,
}); });
assert.strictEqual(replyResult.body.response.content, 'a reply by guest'); assert.strictEqual(replyResult.body.response.content, 'a reply by guest');
@@ -2715,7 +2744,10 @@ describe('Topic\'s', () => {
it('should allow guests to reply if privilege is given', async () => { it('should allow guests to reply if privilege is given', async () => {
await privileges.categories.give(['groups:topics:schedule'], categoryObj.cid, 'guests'); await privileges.categories.give(['groups:topics:schedule'], categoryObj.cid, 'guests');
const response = await requestType('post', `${nconf.get('url')}/api/v3/topics/${topicData.tid}`, replyData); const response = await helpers.request('post', `/api/v3/topics/${topicData.tid}`, {
...replyData,
jar: request.jar(),
});
assert.strictEqual(response.body.response.content, 'a reply by guest'); assert.strictEqual(response.body.response.content, 'a reply by guest');
assert.strictEqual(response.body.response.user.username, '[[global:guest]]'); assert.strictEqual(response.body.response.user.username, '[[global:guest]]');
}); });