1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from mediagoblin
.tests
.tools
import setup_fresh_app
18 from mediagoblin
import mg_globals
22 def test_csrf_cookie_set(test_app
):
24 cookie_name
= mg_globals
.app_config
['csrf_cookie_name']
27 response
= test_app
.get('/auth/login/')
29 # assert that the mediagoblin nonce cookie has been set
30 assert 'Set-Cookie' in response
.headers
31 assert cookie_name
in response
.cookies_set
33 # assert that we're also sending a vary header
34 assert response
.headers
.get('Vary', False) == 'Cookie'
38 def test_csrf_token_must_match(test_app
):
40 # construct a request with no cookie or form token
41 assert test_app
.post('/auth/login/',
42 extra_environ
={'gmg.verify_csrf': True},
43 expect_errors
=True).status_int
== 403
45 # construct a request with a cookie, but no form token
46 assert test_app
.post('/auth/login/',
47 headers
={'Cookie': str('%s=foo; ' %
48 mg_globals
.app_config
['csrf_cookie_name'])},
49 extra_environ
={'gmg.verify_csrf': True},
50 expect_errors
=True).status_int
== 403
52 # if both the cookie and form token are provided, they must match
53 assert test_app
.post('/auth/login/',
54 {'csrf_token': 'blarf'},
55 headers
={'Cookie': str('%s=foo; ' %
56 mg_globals
.app_config
['csrf_cookie_name'])},
57 extra_environ
={'gmg.verify_csrf': True},
61 assert test_app
.post('/auth/login/',
62 {'csrf_token': 'foo'},
63 headers
={'Cookie': str('%s=foo; ' %
64 mg_globals
.app_config
['csrf_cookie_name'])},
65 extra_environ
={'gmg.verify_csrf': True}).\
69 def test_csrf_exempt(test_app
):
71 # monkey with the views to decorate a known endpoint
72 import mediagoblin
.auth
.views
73 from mediagoblin
.meddleware
.csrf
import csrf_exempt
75 mediagoblin
.auth
.views
.login
= csrf_exempt(
76 mediagoblin
.auth
.views
.login
79 # construct a request with no cookie or form token
80 assert test_app
.post('/auth/login/',
81 extra_environ
={'gmg.verify_csrf': True},
82 expect_errors
=False).status_int
== 200
84 # restore the CSRF protection in case other tests expect it
85 mediagoblin
.auth
.views
.login
.csrf_enabled
= True