demarches-normaliennes/spec/system/forgery_spec.rb

describe 'Protecting against request forgeries:', :allow_forgery_protection, :show_exception_pages do
  let(:user) { create(:user, password: password) }
  let(:password) { 'ThisIsTheUserPassword' }

  before do
    visit new_user_session_path
  end

  context 'when the browser send a request after the session cookie expired' do
    before do
      delete_session_cookie
    end

    context 'when the long-lived CSRF cookie is still present' do
      scenario 'the change is allowed' do
        fill_sign_in_form
        click_on 'Se connecter'
        expect(page).to have_content('Connecté')
      end
    end

    context 'when the long-lived CSRF cookie is invalid or missing' do
      before do
        delete_long_lived_csrf_cookie
      end

      scenario 'the user sees an error page' do
        fill_sign_in_form
        click_on 'Se connecter'
        expect(page).to have_text('L’action demandée a été rejetée')
      end
    end
  end

  private

  def fill_sign_in_form
    fill_in :user_email, with: user.email
    fill_in :user_password, with: password
  end

  def delete_session_cookie
    session_cookie_name = Rails.application.config.session_options[:key]
    delete_cookie(session_cookie_name)
  end

  def delete_long_lived_csrf_cookie
    csrf_cookie_name = ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME
    delete_cookie(csrf_cookie_name)
  end

  def delete_cookie(cookie_name)
    raise 'The cookie to be deleted can’t be nil' if cookie_name.nil?
    page.driver.browser.set_cookie("#{cookie_name}=''")
  end
end
-												specs: migrate from features to system specs

System specs have been available since Rails 5.1, and are better
integrated with the Rails framework.

- Rename `spec/features` to `spec/system`
- Rename `feature do` to `describe do`
- Configure Capybara for system specs

Steps mostly taken from https://medium.com/table-xi/a-quick-guide-to-rails-system-tests-in-rspec-b6e9e8a8b5f6

											
										
										
											2021-10-26 11:44:53 +02:00
+								describe 'Protecting against request forgeries:', :allow_forgery_protection, :show_exception_pages do
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
+								  let(:user) { create(:user, password: password) }
 								  let(:password) { 'ThisIsTheUserPassword' }
-												app: use a long-lived cookie for CSRF token

See the ADR document for rationale.

											
										
										
											2021-07-06 16:29:23 +02:00
+								  before do
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
+								    visit new_user_session_path
-												app: use a long-lived cookie for CSRF token

See the ADR document for rationale.

											
										
										
											2021-07-06 16:29:23 +02:00
+								  end
 								  context 'when the browser send a request after the session cookie expired' do
 								    before do
 								      delete_session_cookie
 								    end
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
-												app: use a long-lived cookie for CSRF token

See the ADR document for rationale.

											
										
										
											2021-07-06 16:29:23 +02:00
+								    context 'when the long-lived CSRF cookie is still present' do
 								      scenario 'the change is allowed' do
 								        fill_sign_in_form
 								        click_on 'Se connecter'
 								        expect(page).to have_content('Connecté')
 								      end
 								    end
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
-												app: use a long-lived cookie for CSRF token

See the ADR document for rationale.

											
										
										
											2021-07-06 16:29:23 +02:00
+								    context 'when the long-lived CSRF cookie is invalid or missing' do
 								      before do
 								        delete_long_lived_csrf_cookie
 								      end
 								      scenario 'the user sees an error page' do
 								        fill_sign_in_form
 								        click_on 'Se connecter'
 								        expect(page).to have_text('L’action demandée a été rejetée')
 								      end
 								    end
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
+								  end
 								  private
 								  def fill_sign_in_form
 								    fill_in :user_email, with: user.email
 								    fill_in :user_password, with: password
 								  end
 								  def delete_session_cookie
 								    session_cookie_name = Rails.application.config.session_options[:key]
-												app: use a long-lived cookie for CSRF token

See the ADR document for rationale.

											
										
										
											2021-07-06 16:29:23 +02:00
+								    delete_cookie(session_cookie_name)
 								  end
 								  def delete_long_lived_csrf_cookie
 								    csrf_cookie_name = ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME
 								    delete_cookie(csrf_cookie_name)
 								  end
 								  def delete_cookie(cookie_name)
 								    raise 'The cookie to be deleted can’t be nil' if cookie_name.nil?
 								    page.driver.browser.set_cookie("#{cookie_name}=''")
-												specs: add a feature test for forgery protection

											
										
										
											2021-06-22 16:58:24 +02:00
+								  end
 								end