blob: 036f52398bb579a9e4189c34a9482c33d96397e0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# frozen_string_literal: true
require 'spec_helper'
describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
context 'global_csrf_token feature flag is enabled' do
it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_falsey
expect(compare_with_global_token(generated_token)).to be_truthy
end
end
context 'global_csrf_token feature flag is disabled' do
before do
stub_feature_flags(global_csrf_token: false)
end
it 'generates 6.0.3 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_truthy
expect(compare_with_global_token(generated_token)).to be_falsey
end
end
def compare_with_global_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_global_token, unmasked_token, session)
end
def compare_with_real_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_real_token, unmasked_token, session)
end
def valid_authenticity_token?(token)
controller.send(:valid_authenticity_token?, session, token)
end
end
|