specs: add a feature test for forgery protection

2021-06-22 16:58:24 +02:00 · 2021-06-22 16:58:24 +02:00 · 446c57ed63
commit 446c57ed63
parent a03d8d0705
2 changed files with 56 additions and 0 deletions
--- a/spec/features/forgery_spec.rb
+++ b/spec/features/forgery_spec.rb
@ -0,0 +1,26 @@
+feature 'Protecting against request forgeries:', :allow_forgery_protection, :show_exception_pages do
+  let(:user) { create(:user, password: password) }
+  let(:password) { 'ThisIsTheUserPassword' }
+
+  scenario 'a form without a matching CSRF token is rejected' do
+    visit new_user_session_path
+
+    delete_session_cookie
+    fill_sign_in_form
+
+    click_on 'Se connecter'
+    expect(page).to have_text('L’action demandée a été rejetée')
+  end
+
+  private
+
+  def fill_sign_in_form
+    fill_in :user_email, with: user.email
+    fill_in :user_password, with: password
+  end
+
+  def delete_session_cookie
+    session_cookie_name = Rails.application.config.session_options[:key]
+    page.driver.browser.set_cookie("#{session_cookie_name}=''")
+  end
+end
--- a/spec/rails_helper.rb
+++ b/spec/rails_helper.rb
@ -93,6 +93,36 @@ RSpec.configure do |config|
    Flipper.enable(:instructeur_bypass_email_login_token)
  end

+  # By default, forgery protection is disabled in the test environment.
+  # (See `config.action_controller.allow_forgery_protection` in `config/test.rb`)
+  #
+  # Examples tagged with the :allow_forgery_protection have the forgery protection enabled anyway.
+  config.around(:each, :allow_forgery_protection) do |example|
+    previous_allow_forgery_protection = ActionController::Base.allow_forgery_protection
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      example.call
+    ensure
+      ActionController::Base.allow_forgery_protection = previous_allow_forgery_protection
+    end
+  end
+
+  # By default, the default HTML templates for exceptions are not rendered in the test environment.
+  # (See `config.action_dispatch.show_exceptions` in `config/test.rb`)
+  #
+  # Examples tagged with the :show_exception_pages render the exception HTML page anyway.
+  config.around(:each, :show_exception_pages) do |example|
+    app = Rails.application
+    previous_show_exceptions = app.env_config['action_dispatch.show_exceptions'] || app.config.action_dispatch.show_exceptions
+
+    begin
+      app.env_config['action_dispatch.show_exceptions'] = true
+      example.call
+    ensure
+      app.env_config['action_dispatch.show_exceptions'] = previous_show_exceptions
+    end
+  end
+
  config.include Shoulda::Matchers::ActiveRecord, type: :model
  config.include Shoulda::Matchers::ActiveModel, type: :model
  config.include Devise::Test::ControllerHelpers, type: :controller