Remove <br/> from safe string indicating that CSRF cooking is missing.
[larjonas-mediagoblin.git] / mediagoblin / tests / test_csrf_middleware.py
blob4452112beb2cb45ac0fae35c3c791be1ec09fa80
1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from mediagoblin import mg_globals
20 def test_csrf_cookie_set(test_app):
21 cookie_name = mg_globals.app_config['csrf_cookie_name']
23 # get login page
24 response = test_app.get('/auth/login/')
26 # assert that the mediagoblin nonce cookie has been set
27 assert 'Set-Cookie' in response.headers
28 assert cookie_name in test_app.cookies
30 # assert that we're also sending a vary header
31 assert response.headers.get('Vary', False) == 'Cookie'
34 # We need a fresh app for this test on webtest < 1.3.6.
35 # We do not understand why, but it fixes the tests.
36 # If we require webtest >= 1.3.6, we can switch to a non fresh app here.
38 # ... this comment might be irrelevant post-pytest-fixtures, but I'm not
39 # removing it yet in case we move to module-level tests :)
40 # -- cwebber
41 def test_csrf_token_must_match(test_app):
43 # construct a request with no cookie or form token
44 assert test_app.post('/auth/login/',
45 extra_environ={'gmg.verify_csrf': True},
46 expect_errors=True).status_int == 403
48 # construct a request with a cookie, but no form token
49 assert test_app.post('/auth/login/',
50 headers={'Cookie': str('%s=foo' %
51 mg_globals.app_config['csrf_cookie_name'])},
52 extra_environ={'gmg.verify_csrf': True},
53 expect_errors=True).status_int == 403
55 # if both the cookie and form token are provided, they must match
56 assert test_app.post('/auth/login/',
57 {'csrf_token': 'blarf'},
58 headers={'Cookie': str('%s=foo' %
59 mg_globals.app_config['csrf_cookie_name'])},
60 extra_environ={'gmg.verify_csrf': True},
61 expect_errors=True).\
62 status_int == 403
64 assert test_app.post('/auth/login/',
65 {'csrf_token': 'foo'},
66 headers={'Cookie': str('%s=foo' %
67 mg_globals.app_config['csrf_cookie_name'])},
68 extra_environ={'gmg.verify_csrf': True}).\
69 status_int == 200
71 def test_csrf_exempt(test_app):
72 # monkey with the views to decorate a known endpoint
73 import mediagoblin.auth.views
74 from mediagoblin.meddleware.csrf import csrf_exempt
76 mediagoblin.auth.views.login = csrf_exempt(
77 mediagoblin.auth.views.login
80 # construct a request with no cookie or form token
81 assert test_app.post('/auth/login/',
82 extra_environ={'gmg.verify_csrf': True},
83 expect_errors=False).status_int == 200
85 # restore the CSRF protection in case other tests expect it
86 mediagoblin.auth.views.login.csrf_enabled = True