demarches-normaliennes/spec/system/forgery_spec.rb
# frozen_string_literal: true
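# System spec for the request-forgery protection on the sign-in form once the
# session cookie is gone while the long-lived authenticity-token cookie may or
# may not still be present.
#
# Two paths are exercised:
# - session cookie expired, long-lived CSRF cookie present  -> the POST is accepted;
# - session cookie expired, long-lived CSRF cookie deleted  -> the POST is rejected,
#   the error page is shown and the user must NOT end up signed in.
describe 'Protecting against request forgeries:', :allow_forgery_protection, :show_exception_pages do
  let(:user) { create(:user, password: password) }
  let(:password) { SECURE_PASSWORD }

  before do
    visit new_user_session_path
  end

  context 'when the browser send a request after the session cookie expired' do
    before do
      delete_session_cookie
    end

    context 'when the long-lived CSRF cookie is still present' do
      scenario 'the change is allowed' do
        fill_sign_in_form
        click_on 'Se connecter'
        expect(page).to have_content('Connecté')
      end
    end

    context 'when the long-lived CSRF cookie is invalid or missing' do
      before do
        delete_long_lived_csrf_cookie
      end

      scenario 'the user sees an error page' do
        fill_sign_in_form
        click_on 'Se connecter'
        # NOTE(review): the apostrophe of "L'action" appears to be missing in this
        # copy of the file — confirm against the text rendered by the error page.
        expect(page).to have_text('Laction demandée a été rejetée')
        # Showing the error page is not enough on its own: the forged request must
        # also have been prevented from performing the sign-in.
        expect(page).not_to have_content('Connecté')
      end
    end
  end

  private

  # Fills the sign-in form with the credentials of the `user` fixture.
  def fill_sign_in_form
    fill_in :user_email, with: user.email
    fill_in :user_password, with: password
  end

  # Simulates an expired session by blanking the cookie named in the Rails
  # session options.
  def delete_session_cookie
    session_cookie_name = Rails.application.config.session_options[:key]
    delete_cookie(session_cookie_name)
  end

  # Blanks the long-lived CSRF cookie so its authenticity token can no longer
  # be presented with the request.
  def delete_long_lived_csrf_cookie
    csrf_cookie_name = ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME
    delete_cookie(csrf_cookie_name)
  end

  # Overwrites the named cookie with an empty value through the browser driver.
  # Interpolating a nil name would yield the meaningless cookie string "=''",
  # so a nil name fails loudly instead of silently deleting nothing.
  #
  # @param cookie_name [String] name of the cookie to blank
  # @raise [RuntimeError] when cookie_name is nil
  def delete_cookie(cookie_name)
    raise 'The cookie to be deleted cant be nil' if cookie_name.nil?

    page.driver.browser.set_cookie("#{cookie_name}=''")
  end
end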