1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 from nose
.tools
import assert_equal
22 from mediagoblin
.tests
.tools
import setup_fresh_app
23 from mediagoblin
import mg_globals
27 def test_csrf_cookie_set(test_app
):
29 cookie_name
= mg_globals
.app_config
['csrf_cookie_name']
32 response
= test_app
.get('/auth/login/')
34 # assert that the mediagoblin nonce cookie has been set
35 assert 'Set-Cookie' in response
.headers
36 assert cookie_name
in response
.cookies_set
38 # assert that we're also sending a vary header
39 assert response
.headers
.get('Vary', False) == 'Cookie'
43 def test_csrf_token_must_match(test_app
):
45 # construct a request with no cookie or form token
46 assert test_app
.post('/auth/login/',
47 extra_environ
={'gmg.verify_csrf': True},
48 expect_errors
=True).status_int
== 403
50 # construct a request with a cookie, but no form token
51 assert test_app
.post('/auth/login/',
52 headers
={'Cookie': str('%s=foo; ' %
53 mg_globals
.app_config
['csrf_cookie_name'])},
54 extra_environ
={'gmg.verify_csrf': True},
55 expect_errors
=True).status_int
== 403
57 # if both the cookie and form token are provided, they must match
58 assert test_app
.post('/auth/login/',
59 {'csrf_token': 'blarf'},
60 headers
={'Cookie': str('%s=foo; ' %
61 mg_globals
.app_config
['csrf_cookie_name'])},
62 extra_environ
={'gmg.verify_csrf': True},
66 assert test_app
.post('/auth/login/',
67 {'csrf_token': 'foo'},
68 headers
={'Cookie': str('%s=foo; ' %
69 mg_globals
.app_config
['csrf_cookie_name'])},
70 extra_environ
={'gmg.verify_csrf': True}).\
74 def test_csrf_exempt(test_app
):
76 # monkey with the views to decorate a known endpoint
77 import mediagoblin
.auth
.views
78 from mediagoblin
.meddleware
.csrf
import csrf_exempt
80 mediagoblin
.auth
.views
.login
= csrf_exempt(
81 mediagoblin
.auth
.views
.login
84 # construct a request with no cookie or form token
85 assert test_app
.post('/auth/login/',
86 extra_environ
={'gmg.verify_csrf': True},
87 expect_errors
=False).status_int
== 200
89 # restore the CSRF protection in case other tests expect it
90 mediagoblin
.auth
.views
.login
.csrf_enabled
= True