Apache-AuthCookie
view release on metacpan or search on metacpan
credential_1 => 'Hero'
]);
is($r->code, 302, 'UTF-8 username works');
is($r->header('Location'), '/docs/authany/get_me.html',
'redirect header exists, and contains expected url');
like $r->header('Set-Cookie'),
qr#Sample::AuthCookieHandler_WhatEver=%E7%A8%8B%E5%BA%8F%E5%91%98:Hero;#,
'response contains the session key cookie';
$r = GET('/docs/authany/get_me.html',
Cookie => 'Sample::AuthCookieHandler_WhatEver=%E7%A8%8B%E5%BA%8F%E5%91%98:Hero;'
);
is $r->code, 200;
like($r->content, qr/Congratulations, you got past AuthCookie/s,
'check protected document content');
};
# Should succeed and cookie should have HttpOnly attribute
subtest 'HttpOnly cookie attribute' => sub {
plan tests => 3;
my $r = POST('/LOGIN-HTTPONLY', [
destination => '/docs/protected/get_me.html',
credential_0 => 'programmer',
credential_1 => 'Heroo'
]);
is($r->header('Location'), '/docs/protected/get_me.html',
'HttpOnly location header');
is($r->header('Set-Cookie'),
'Sample::AuthCookieHandler_WhatEver=programmer:Heroo; path=/; HttpOnly',
'cookie contains HttpOnly attribute');
is($r->code, 302, 'check redirect response code');
};
# Should succeed and cookie should have SameSite attribute
subtest 'SameSite cookie attribute' => sub {
plan tests => 3;
my $r = POST('/LOGIN-SAMESITE', [
destination => '/docs/protected/get_me.html',
credential_0 => 'programmer',
credential_1 => 'Heroo'
]);
is($r->header('Location'), '/docs/protected/get_me.html',
'SameSite location header');
is($r->header('Set-Cookie'),
'Sample::AuthCookieHandler_WhatEver=programmer:Heroo; path=/; SameSite=strict',
'cookie contains SameSite attribute');
is($r->code, 302, 'check redirect response code');
};
# test SessionTimeout
subtest 'session timeout' => sub {
plan tests => 1;
my $r = GET(
'/docs/stimeout/get_me.html',
Cookie => 'Sample::AuthCookieHandler_WhatEver=programmer:Hero'
);
like($r->header('Set-Cookie'),
qr/^Sample::AuthCookieHandler_WhatEver=.*expires=.+/,
'Set-Cookie contains expires property');
};
# should return bad credentials page, and credentials should be in a comment.
# We are checking here that $r->prev->pnotes('WhatEverCreds') works.
subtest 'creds are in pnotes' => sub {
plan tests => 1;
my $r = POST('/LOGIN', [
destination => '/docs/protected/get_me.html',
credential_0 => 'fail',
credential_1 => 'Hero'
]);
like($r->content, qr/creds: fail Hero/s, 'WhatEverCreds pnotes works');
};
# regression - Apache2::URI::unescape_url() does not handle '+' to ' '
# conversion.
subtest 'unescape URL with spaces' => sub {
plan tests => 1;
my $r = POST('/LOGIN', [
destination => '/docs/protected/get_me.html',
credential_0 => 'fail',
credential_1 => 'one two'
]);
like($r->content, qr/creds: fail one two/,
'read form data handles "+" conversion');
};
# variation of '+' to ' ' regression. Make sure we do not remove encoded
# '+'
subtest 'do not remove encoded +' => sub {
plan tests => 1;
my $r = POST('/LOGIN', [
destination => '/docs/protected/get_me.html',
credential_0 => 'fail',
credential_1 => 'one+two'
]);
like($r->content, qr/creds: fail one\+two/,
'read form data handles "+" conversion with encoded +');
};
# XSS attack prevention. make sure embedded \r, \n, \t is escaped in the destination.
subtest 'XSS: no newlines in destination' => sub {
plan tests => 4;
( run in 1.949 second using v1.01-cache-2.11-cpan-d8267643d1d )