// Copyright 2017 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/models/unittest"
	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

// TestCsrfProtection checks that an authenticated session cannot POST to
// /user/settings with a bogus CSRF token. Both places a token may be
// carried are probed — the `_csrf` form field and the X-Csrf-Token
// header — and in each case the server must answer 400 Bad Request and
// name the reason ("Invalid CSRF token") in the response body.
func TestCsrfProtection(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	const (
		bogusToken      = "fake_csrf"
		invalidTokenMsg = "Invalid CSRF token"
	)

	// The request must come from a logged-in session: a CSRF rejection is
	// only meaningful on a caller that would otherwise be allowed to change
	// its own settings.
	account := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	sess := loginUser(t, account.Name)

	// assertRejected verifies that the CSRF middleware, not the settings
	// handler, produced the response body.
	assertRejected := func(body string) {
		assert.Contains(t, body, invalidTokenMsg)
	}

	// Case 1: bogus token delivered as the `_csrf` form field.
	formReq := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
		"_csrf": bogusToken,
	})
	formResp := sess.MakeRequest(t, formReq, http.StatusBadRequest)
	assertRejected(formResp.Body.String())

	// Case 2: bogus token delivered in the X-Csrf-Token header.
	// TODO: this should exercise a UI API endpoint rather than the settings form.
	headerReq := NewRequest(t, "POST", "/user/settings")
	headerReq.Header.Add("X-Csrf-Token", bogusToken)
	headerResp := sess.MakeRequest(t, headerReq, http.StatusBadRequest)
	assertRejected(headerResp.Body.String())
}