From: kxepal@apache.org To: commits@couchdb.apache.org Date: Mon, 28 Sep 2015 14:49:50 -0000 Message-Id: <8b896b1083ed487185553c89f1907452@git.apache.org> In-Reply-To: <2c04290cd2ee4b26a9fb7f584a913a91@git.apache.org> References: <2c04290cd2ee4b26a9fb7f584a913a91@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [21/39] couchdb commit: updated refs/heads/developer-preview-2.0 to 3ac3db6 Adapt csrf test to hit form data endpoint COUCHDB-2797 Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/315832d4 Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/315832d4 Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/315832d4 Branch: refs/heads/developer-preview-2.0 Commit: 315832d4dbc402347e4154eaf17b20587bbb6ea0 Parents: 93cc067 Author: Robert Newson Authored: Thu Sep 3 22:06:58 2015 +0100 Committer: Robert Newson Committed: Thu Sep 3 22:06:58 2015 +0100 ---------------------------------------------------------------------- test/javascript/tests/csrf.js | 43 ++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/315832d4/test/javascript/tests/csrf.js ---------------------------------------------------------------------- diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js index 9799d6f..e16e78b 100644 --- a/test/javascript/tests/csrf.js +++ b/test/javascript/tests/csrf.js 
@@ -19,21 +19,26 @@ couchTests.csrf = function(debug) {
   // Handy function to cause CouchDB to delete the CSRF cookie
   var deleteCsrf = function() {
-    var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
-      body: '{"keys": []}',
-      headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+    var xhr = CouchDB.request("POST", "/_session", {
+      body: 'name=foo&password=bar',
+      headers: {'X-CouchDB-CSRF': 'foo',
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Cookie': 'CouchDB-CSRF=foo'}});
     TEquals(403, xhr.status);
   };
+  var testFun = function () {
   // Shouldn't receive header if we didn't ask for it
   var xhr = CouchDB.request("GET", "/");
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
   TEquals(200, xhr.status);
   // Matching but invalid cookie/header should 403
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
-    body: '{"keys": []}',
-    headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+  xhr = CouchDB.request("POST", "/_session", {
+    body: 'name=foo&password=bar',
+    headers: {'X-CouchDB-CSRF': 'foo',
+              'Content-Type': 'application/x-www-form-urlencoded',
+              'Cookie': 'CouchDB-CSRF=foo'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
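Review bot: The move from a JSON POST to `_all_docs` to a form-encoded POST to `/_session` is the whole point of the test, but nothing in the hunk says why, so a later reader cannot tell the JSON variant was the weaker check. I would put a comment above the `/_session` request in `deleteCsrf`: `// A cross-site HTML form can POST application/x-www-form-urlencoded to /_session with no CORS preflight, so this is the request shape the CSRF check must reject; a JSON body to _all_docs is presumably not a "simple" cross-origin request and did not exercise it.` It is also worth noting at `deleteCsrf` that `name=foo&password=bar` are the real admin credentials configured at the end of the file, not junk — the 403 is meant to come from the CSRF mismatch alone, and the function is defined before `testFun` so it reads as if any body would do. The body of `testFun` opened here continues into the next hunk.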
@@ -43,21 +48,37 @@ couchTests.csrf = function(debug) {
   T(cookie, "Should receive cookie");
   // If I have a cookie, do I get a 403 if I don't send the header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+                                              headers: {'Content-Type':
+                                                        'application/x-www-form-urlencoded'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
   // If I have a cookie, do I get a 200 if I send a matching header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
-    headers: {"X-CouchDB-CSRF": cookie[1]}});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+    headers: {"X-CouchDB-CSRF": cookie[1],
+              'Content-Type': 'application/x-www-form-urlencoded'}});
   TEquals(200, xhr.status);
   TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
   // How about the wrong header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
-    headers: {'X-CouchDB-CSRF': 'foo'}});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+    headers: {'X-CouchDB-CSRF': 'foo',
+              'Content-Type': 'application/x-www-form-urlencoded'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
   deleteCsrf();
+  };
+
+  run_on_modified_server(
+    [
+      {section: "couch_httpd_auth",
+       key: "iterations", value: "1"},
+      {section: "admins",
+       key: "foo", value: "bar"}
+    ],
+    testFun
+  );
+
 };
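Review bot: The matching-header request now performs a real admin login (`name=foo&password=bar` to `/_session`, asserted 200) and nothing ends that session — `deleteCsrf()` only clears the CSRF cookie. If the harness behind `CouchDB.request` keeps the `AuthSession` cookie across requests (I cannot see it from here), the "wrong header" case and whatever runs after `run_on_modified_server` restores the config execute as admin, which can mask authorization failures in later tests. I would add `CouchDB.logout();` (or an explicit `DELETE /_session` request) immediately before `deleteCsrf();`, assuming the harness provides it. The 200 also only proves the CSRF check passed, not that the login happened; if `Set-Cookie` is visible to the harness, `T(/AuthSession=/.test(xhr.getResponseHeader("Set-Cookie") || ""), "login should set a session");` would pin that. `testFun` and `cookie` are defined in the previous hunk, outside this one.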