2024-04-29 00:17:15 +02:00
|
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2021-10-26 11:44:53 +02:00
|
|
|
|
describe 'Protecting against request forgeries:', :allow_forgery_protection, :show_exception_pages do
|
2021-06-22 16:58:24 +02:00
|
|
|
|
let(:user) { create(:user, password: password) }
|
|
|
|
|
let(:password) { 'ThisIsTheUserPassword' }
|
|
|
|
|
|
2021-07-06 16:29:23 +02:00
|
|
|
|
before do
|
2021-06-22 16:58:24 +02:00
|
|
|
|
visit new_user_session_path
|
2021-07-06 16:29:23 +02:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when the browser send a request after the session cookie expired' do
|
|
|
|
|
before do
|
|
|
|
|
delete_session_cookie
|
|
|
|
|
end
|
2021-06-22 16:58:24 +02:00
|
|
|
|
|
2021-07-06 16:29:23 +02:00
|
|
|
|
context 'when the long-lived CSRF cookie is still present' do
|
|
|
|
|
scenario 'the change is allowed' do
|
|
|
|
|
fill_sign_in_form
|
|
|
|
|
click_on 'Se connecter'
|
|
|
|
|
expect(page).to have_content('Connecté')
|
|
|
|
|
end
|
|
|
|
|
end
|
2021-06-22 16:58:24 +02:00
|
|
|
|
|
2021-07-06 16:29:23 +02:00
|
|
|
|
context 'when the long-lived CSRF cookie is invalid or missing' do
|
|
|
|
|
before do
|
|
|
|
|
delete_long_lived_csrf_cookie
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
scenario 'the user sees an error page' do
|
|
|
|
|
fill_sign_in_form
|
|
|
|
|
click_on 'Se connecter'
|
|
|
|
|
expect(page).to have_text('L’action demandée a été rejetée')
|
|
|
|
|
end
|
|
|
|
|
end
|
2021-06-22 16:58:24 +02:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def fill_sign_in_form
|
|
|
|
|
fill_in :user_email, with: user.email
|
|
|
|
|
fill_in :user_password, with: password
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def delete_session_cookie
|
|
|
|
|
session_cookie_name = Rails.application.config.session_options[:key]
|
2021-07-06 16:29:23 +02:00
|
|
|
|
delete_cookie(session_cookie_name)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def delete_long_lived_csrf_cookie
|
|
|
|
|
csrf_cookie_name = ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME
|
|
|
|
|
delete_cookie(csrf_cookie_name)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def delete_cookie(cookie_name)
|
|
|
|
|
raise 'The cookie to be deleted can’t be nil' if cookie_name.nil?
|
|
|
|
|
page.driver.browser.set_cookie("#{cookie_name}=''")
|
2021-06-22 16:58:24 +02:00
|
|
|
|
end
|
|
|
|
|
end
|