1 files changed, 44 insertions, 6 deletions

diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb
index 25ec44fa036..7a1bd76af7a 100644
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -10,8 +10,16 @@ describe API::Helpers do
   let(:key) { create(:key, user: user) }
 
   let(:params) { {} }
-  let(:env) { { 'REQUEST_METHOD' => 'GET' } }
-  let(:request) { Rack::Request.new(env) }
+  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'rack.session' => {
+        _csrf_token: csrf_token
+      },
+      'REQUEST_METHOD' => 'GET'
+    }
+  end
   let(:header) { }
 
   before do
@@ -58,7 +66,7 @@ describe API::Helpers do
   describe ".current_user" do
     subject { current_user }
 
-    describe "Warden authentication" do
+    describe "Warden authentication", :allow_forgery_protection do
       before do
         doorkeeper_guard_returns false
       end
@@ -99,7 +107,17 @@ describe API::Helpers do
             env['REQUEST_METHOD'] = 'PUT'
           end
 
-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
         end
 
         context "POST request" do
@@ -107,7 +125,17 @@ describe API::Helpers do
             env['REQUEST_METHOD'] = 'POST'
           end
 
-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
         end
 
         context "DELETE request" do
@@ -115,7 +143,17 @@ describe API::Helpers do
             env['REQUEST_METHOD'] = 'DELETE'
           end
 
-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
         end
       end
     end