            return $c->redirect('/finished');
        } elsif ($c->req->path_info eq '/finished') {
            return $c->create_response(200, [], ['OK']);
        } elsif ($c->req->path_info eq '/get_csrf_defender_token') {
            return $c->create_response(200, [], [$c->get_csrf_defender_token]);
        } else {
            return $c->create_response(404, [], []);
        }
    }
    # NOTE(review): $session is declared but not referenced anywhere in this
    # view; it looks like a leftover and may be removable -- confirm.
    my $session = HTTP::Session::Store::OnMemory->new;

    # The base app loads only the CSRF plugin, with default options.
    __PACKAGE__->load_plugins('Web::CSRFDefender' => {});

    # Subclass that additionally loads the Plack session plugin.
    package MyApp::Web::PlackSession;
    our @ISA = ('MyApp::Web');

    __PACKAGE__->load_plugins('Web::PlackSession' => {});
}

# PSGI app under test: Plack's session middleware (default in-memory store)
# wrapped around the subclass that inherits the CSRF plugin from MyApp::Web.
my $app = builder {
    enable 'Session';
    return MyApp::Web::PlackSession->to_app;
};
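subtest 'MyApp::Web::PlackSession' => sub {
    # Shape of a token as rendered into the form and as returned by the
    # /get_csrf_defender_token endpoint: 40 URL-safe characters.
    my $token_re        = qr{[a-zA-Z0-9_-]{40}};
    my $hidden_input_re = qr{<input type="hidden" name="csrf_token" value="($token_re)" />};

    # A POST carrying the token the form rendered must reach the handler
    # (which sets $COMMIT) and be redirected to /finished.
    $COMMIT = 0;
    subtest 'success case' => sub {
        my $mech = Test::WWW::Mechanize::PSGI->new(app => $app);
        $mech->get_ok('http://localhost/form', 'GET /form');
        $mech->content_like($hidden_input_re, 'form carries a hidden csrf_token');
        $mech->submit_form(form_number => 1, fields => { body => 'yay' });
        is $mech->base, 'http://localhost/finished', 'redirected to /finished';
        is $COMMIT, 1, 'handler ran';
    };

    # The same token is also accepted from the X-CSRF-Token request header.
    $COMMIT = 0;
    subtest 'success case with header' => sub {
        my $mech = Test::WWW::Mechanize::PSGI->new(app => $app);
        $mech->max_redirect(0);
        $mech->get_ok('http://localhost/form', 'GET /form');
        # Capture straight into a lexical instead of relying on $1 surviving
        # until the next statement.
        my ($csrf_token) = $mech->content() =~ $hidden_input_re;
        ok defined $csrf_token, 'token extracted from form';
        $mech->default_headers->push_header('X-CSRF-Token' => $csrf_token);
        $mech->post('/do', { body => 'yay' });
        is $mech->response->code, 302, 'POST with header token redirects';
        is $COMMIT, 1, 'handler ran';
    };

    # No token at all: the plugin must answer 403 before the handler runs.
    $COMMIT = 0;
    subtest 'deny' => sub {
        test_psgi
            app    => $app,
            client => sub {
                my $cb  = shift;
                my $res = $cb->(HTTP::Request->new(POST => 'http://localhost/do'));
                is $res->code, '403', 'POST without token is forbidden';
                is $COMMIT, 0, 'handler did not run';
            };
    };

    # A token of the right shape but not the value held in the session must
    # be rejected as well; the 'deny' case above only covers a missing token.
    $COMMIT = 0;
    subtest 'deny with mismatched token' => sub {
        my $mech = Test::WWW::Mechanize::PSGI->new(app => $app);
        $mech->max_redirect(0);
        $mech->get_ok('http://localhost/form', 'GET /form establishes a session');
        # Constructed fixture: well-formed, but never issued by the plugin.
        my $bogus_token = 'A' x 40;
        $mech->default_headers->push_header('X-CSRF-Token' => $bogus_token);
        $mech->post('/do', { body => 'yay' });
        is $mech->response->code, '403', 'POST with mismatched token is forbidden';
        is $COMMIT, 0, 'handler did not run';
    };

    # The token endpoint returns a bare token with nothing around it.
    subtest 'get_csrf_defender_token' => sub {
        test_psgi
            app    => $app,
            client => sub {
                my $cb  = shift;
                my $res = $cb->(HTTP::Request->new(GET => 'http://localhost/get_csrf_defender_token'));
                is $res->code, '200', 'token endpoint responds';
                like $res->content(), qr{\A$token_re\z}, 'body is exactly one 40-char token';
            };
    };
};

done_testing;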


