chore: add csrf token handling
Aleksandrova authored and tsaleksandrova committed Feb 22, 2021
1 parent 7d71b05 commit 3619230
Showing 7 changed files with 345 additions and 4 deletions.
3 changes: 3 additions & 0 deletions docs/usage/api.md
Expand Up @@ -58,6 +58,9 @@ request.get(restServiceMockUrl +'/usersWithAuth')
.auth('<user>','<password>').do();
```

## CSRF Tokens
// ---todo

# OData Helpers
Full OData ORM is out of scope but the following samples can simplify basic OData scenarios. For better oData support, please use [TBD]().

22 changes: 21 additions & 1 deletion e2e/scenario/fixture/api.spec.js
Expand Up @@ -77,5 +77,25 @@ describe('api', function() {
var res = request.get(restServiceMockUrl +'/usersWithAuth').auth('testUser','testPass');
expect(res).toHaveHTTPBody({status: 'Authenticated'});
});


it('Should set csrf token', function () {
request.post(restServiceMockUrl + '/form').send({
field: 'value'
}).do().catch(function (err) {
expect(err.status).toBe(403);
});

request.csrf({
url: restServiceMockUrl + '/form'
}).then(function () {
request.post(restServiceMockUrl + '/form').send({
field: 'value'
}).do().then(function (res) {
expect(res.status).toBe(200);
}).catch(function (err) {
expect(true).toBeFalsy();
});
});
});

});
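Review bot: The new `it('Should set csrf token', …)` case neither returns its promise chain nor accepts a `done` callback, so the test function finishes before any `expect` inside the `.then`/`.catch` callbacks runs, and a failing assertion there cannot fail the test (assuming the runner follows the usual convention of awaiting a returned promise). The first POST is only checked in `.catch`, so if the mock unexpectedly accepts the request without a token the case passes without asserting anything. Return the chain, e.g. `return request.csrf({ url: restServiceMockUrl + '/form' }).then(function () { … });`, and give the first POST a `.then(function () { throw new Error('expected 403'); })` so an accepted request is reported. The `expect(true).toBeFalsy()` in the final catch also discards the rejection reason; rethrowing `err` would surface it. The enclosing `describe('api', …)` block starts outside the hunk.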
33 changes: 32 additions & 1 deletion e2e/scenario/fixture/mock/apiServiceMock.js
@@ -1,8 +1,13 @@
var express = require('express');
var bodyParser = require('body-parser')
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var csrf = require('csurf');

module.exports = function() {
var app = express();
var csrfProtection = csrf({
cookie: true
});

var response = 1;
app.get('/user/', function(req, res) {
Expand Down Expand Up @@ -68,5 +73,31 @@ module.exports = function() {
res.send({deleted: req.params.user});
});

app.use(cookieParser());
app.use(function (err, req, res, next) {
if (err.code === 'EBADCSRFTOKEN') {
// CSRF token error
res.status(403);
res.send('form tampered with');
} else {
return next();
}
});

app.get('/form', csrfProtection, function (req, res) {
if (req.headers['x-csrf-token'].toLowerCase() === 'fetch') {
res.set('x-csrf-token', req.csrfToken());
res.send({
csrfToken: req.csrfToken()
});
} else {
res.sendStatus(200);
}
});

app.post('/form', csrfProtection, function (req, res) {
res.send('data is being processed')
});

return app;
};
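Review bot: `req.headers['x-csrf-token'].toLowerCase()` in the GET /form handler throws a TypeError when the request carries no x-csrf-token header, so a plain GET is answered with a 500 instead of reaching the `res.sendStatus(200)` branch; read it as `var tokenHeader = req.headers['x-csrf-token'] || '';` and compare `tokenHeader.toLowerCase() === 'fetch'`. The error middleware above the routes has two further problems: it is registered with `app.use` before the two /form routes, and Express only passes an error to error handlers that sit later in the stack, so a csurf failure on /form most likely goes to the default handler rather than to the 'form tampered with' response; and its `else` branch calls `next()` instead of `next(err)`, which tells Express the error is handled and silently drops every non-CSRF error. Move the handler below the /form routes and change the fallthrough to `return next(err);`. The `module.exports` function begins in the first hunk, so the ordering point spans both hunks.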
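--- a/e2e/scenario/fixture/mock/mockServer.js
+++ b/e2e/scenario/fixture/mock/mockServer.js
@@ -0,0 +1,4 @@
+var Runner = require('../../../Runner');
+var restServiceMock = require('./apiServiceMock');
+
+Runner.startApp(restServiceMock);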

0 comments on commit 3619230
