
clear csrf cookie on successful leave
Greg Guthe committed Sep 5, 2017
1 parent efe3921 commit 0e7bc51
Showing 2 changed files with 25 additions and 0 deletions.
3 changes: 3 additions & 0 deletions server/src/pages/leave-screenshots/server.js
Expand Up @@ -9,6 +9,9 @@ let app = express();
exports.app = app;

app.get("/", csrfProtection, function(req, res) {
if (req.query && req.query.complete !== undefined) {
res.clearCookie("_csrf");
}
if (!req.deviceId) {
res.status(403).send(req.getText("leavePageErrorAddonRequired"));
return;
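Review bot: The `res.clearCookie("_csrf")` added at the top of the GET handler runs before the `req.deviceId` guard, so a request that is about to be rejected with 403 (no add-on, possibly unauthenticated, possibly triggered cross-site via a plain GET with `?complete`) still discards the visitor's CSRF secret; placing the `complete` check after `if (!req.deviceId) { ... return; }` keeps the commit's intent without that side effect. Browsers only drop a cookie when the clearing Set-Cookie matches the original name, domain and path, so if the csurf cookie is configured with a non-default `path` or `domain` (its options are not visible in this hunk) the same options must be passed, e.g. `res.clearCookie("_csrf", csrfCookieOptions)`. Because `csrfProtection` runs on this same GET, it may itself emit a `_csrf` Set-Cookie on the response when no secret is present, leaving two conflicting `_csrf` headers; worth confirming which one the browser keeps. The handler body continues past the end of the hunk.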
22 changes: 22 additions & 0 deletions test/server/test_csrf.py
Expand Up @@ -91,6 +91,27 @@ def test_leave_screenshots_with_duplicate_csrf_cookies_fails():
assert resp.status_code == 400


def test_leave_screenshots_clears_csrf_cookie():
user = ScreenshotsClient()
user.login()

leave_resp = user.session.get(user.backend + "/leave-screenshots/")
assert leave_resp.status_code == 200
assert_httponly_csrf_cookie(user.session)

page = leave_resp.text
csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
csrf = csrf_match.group(1)

first_csrf_cookie = user.session.cookies.get('_csrf')

resp = user.session.post(
urljoin(user.backend, "/leave-screenshots/leave"),
json={"_csrf": csrf})
assert resp.status_code == 200
assert first_csrf_cookie != user.session.cookies.get('_csrf')


def test_get_settings_does_not_set_csrf_cookie():
with screenshots_session() as user:
resp = user.get_settings() # GET /settings/
Expand Down Expand Up @@ -326,6 +347,7 @@ def test_register_with_invalid_headers():
test_leave_screenshots_without_csrftoken_fails()
test_leave_screenshots_with_get_fails()
test_leave_screenshots_with_duplicate_csrf_cookies_fails()
test_leave_screenshots_clears_csrf_cookie()
test_get_settings_does_not_set_csrf_cookie()
test_get_shot_sets_csrf_cookie()
test_get_my_shots_sets_csrf_cookie()
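Review bot: The closing assertion of `test_leave_screenshots_clears_csrf_cookie`, `assert first_csrf_cookie != user.session.cookies.get('_csrf')`, also passes if the server merely rotates the token instead of removing it, so it does not pin the behavior named in the commit title; assert absence instead: `assert user.session.cookies.get('_csrf') is None`. The test never requests `/leave-screenshots/?complete`, which is the only path the server-side change hooks, so it exercises the new code only if the POST to `/leave-screenshots/leave` redirects there and `requests` follows that redirect, neither of which is visible in this diff; a comment such as `# POST /leave is expected to redirect to /leave-screenshots/?complete, which clears the cookie` or an explicit follow-up GET would make that dependency explicit. `csrf_match.group(1)` raises AttributeError rather than a readable failure when the regex does not match; an `assert csrf_match is not None` before it gives a clearer diagnostic.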
