48 lines
1.6 KiB
Ruby
48 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
|
|
let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
|
|
|
|
context 'global_csrf_token feature flag is enabled' do
|
|
it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
|
|
generated_token = controller.send(:form_authenticity_token)
|
|
|
|
expect(valid_authenticity_token?(generated_token)).to be_truthy
|
|
expect(compare_with_real_token(generated_token)).to be_falsey
|
|
expect(compare_with_global_token(generated_token)).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'global_csrf_token feature flag is disabled' do
|
|
before do
|
|
stub_feature_flags(global_csrf_token: false)
|
|
end
|
|
|
|
it 'generates 6.0.3 style CSRF token', :aggregate_failures do
|
|
generated_token = controller.send(:form_authenticity_token)
|
|
|
|
expect(valid_authenticity_token?(generated_token)).to be_truthy
|
|
expect(compare_with_real_token(generated_token)).to be_truthy
|
|
expect(compare_with_global_token(generated_token)).to be_falsey
|
|
end
|
|
end
|
|
|
|
def compare_with_global_token(token)
|
|
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
|
|
|
|
controller.send(:compare_with_global_token, unmasked_token, session)
|
|
end
|
|
|
|
def compare_with_real_token(token)
|
|
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
|
|
|
|
controller.send(:compare_with_real_token, unmasked_token, session)
|
|
end
|
|
|
|
def valid_authenticity_token?(token)
|
|
controller.send(:valid_authenticity_token?, session, token)
|
|
end
|
|
end
|