Exemplo n.º 1
0
func TestCSRFTokenBackend(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)

	// Create the form
	form := url.Values{}

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/", bytes.NewBufferString(form.Encode()))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Run the page
	h.ServeHTTP(w, req)

	if w.Code == 200 {
		t.Errorf("The request should have failed, but it didn't. Instead, the code was %d",
			w.Code)
	}
}
Exemplo n.º 2
0
func main() {
	// Create cookie store
	Store = sessions.NewCookieStore([]byte("This is super screen..."))
	Store.Options = &sessions.Options{
		//Domain:   "localhost", // Chrome doesn't work with localhost domain
		Path:     "/",
		MaxAge:   3600 * 8, // 8 hours
		HttpOnly: true,
	}

	// Default handler
	h := http.HandlerFunc(routeLogin)

	// Prevents CSRF
	cs := csrfbanana.New(h, Store, SessionName)

	// Set error page for CSRF
	cs.FailureHandler(http.HandlerFunc(routeInvalidToken))

	// Generate a new token after each check (also prevents double submits)
	cs.ClearAfterUsage(true)

	// Exclude /static/ from tokens (even though we don't have a static file handler...)
	cs.ExcludeRegexPaths([]string{"/static(.*)"})

	// Optional - set the token length
	csrfbanana.TokenLength = 32

	// Optional - set the token name used in the forms
	csrfbanana.TokenName = "token"

	fmt.Println("Listening on http://localhost:80/")
	http.ListenAndServe(":80", cs)
}
Exemplo n.º 3
0
func TestClear(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the request
	r := fakeGet()

	// Get the session
	sess, err := store.Get(r, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Generate a token
	Token(w, r, sess)

	// Clear the token
	Clear(w, r, sess)

	if _, ok := sess.Values[TokenName]; ok {
		t.Errorf("StringMap should not exist: expected %v, got %v", nil, reflect.TypeOf(sess.Values[TokenName]))
	}
}
Exemplo n.º 4
0
func TestTokenWithPathMaxTokens(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the request
	r := fakeGet()

	// Get the session
	sess, err := store.Get(r, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	for i := 0; i < MaxTokens; i++ {
		TokenWithPath(w, r, sess, "/monkey"+fmt.Sprintf("%v", i))
	}

	token := TokenWithPath(w, r, sess, "/monkey")

	if token != sess.Values[TokenName].(StringMap)["/monkey"] {
		t.Errorf("Tokens do not match: expected %v, got %v", token, sess.Values[TokenName])
	}
}
Exemplo n.º 5
0
func TestToken(t *testing.T) {
	var cookieName = "test"
	TokenName = "foo"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the request
	r := fakeGet()

	// Get the session
	sess, err := store.Get(r, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	token := Token(w, r, sess)

	if token != sess.Values[TokenName].(StringMap)["/"] {
		t.Errorf("Tokens do not match: expected %v, got %v", sess.Values[TokenName], token)
	}

	// Reset the token name
	TokenName = "token"
}
Exemplo n.º 6
0
func TestMatchRefererFail(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the form
	token := "123456"
	form := url.Values{}
	form.Set(TokenName, token)

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/login", bytes.NewBufferString(form.Encode()))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Pretend the page URL is /loginform, but the referrer is not set
	//req.Header.Set("Referer", "http://localhost/loginform")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)
	sess.Values[TokenName].(StringMap)["/loginform"] = "123456"

	if ok := match(req, sess, true); ok {
		t.Error("Tokens should not match")
	}
}
Exemplo n.º 7
0
func TestMatchUniqueToken(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)

	// Use unique token per page
	SingleToken = false

	// Create the form
	token := "123456"
	form := url.Values{}
	form.Set(TokenName, token)

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/test", bytes.NewBufferString(form.Encode()))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)
	sess.Values[TokenName].(StringMap)["/"] = "123456"

	// Run the page
	h.ServeHTTP(w, req)

	if w.Code == 200 {
		t.Errorf("The request should have failed, but it didn't. Instead, the code was %d",
			w.Code)
	}
}
Exemplo n.º 8
0
func TestCSRFJSON(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)

	// Create the form
	token := "123456"
	form := url.Values{}
	form.Set(TokenName, token)

	jsonValue := `{"token": "` + token + `"}`

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/", bytes.NewBufferString(jsonValue))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/json")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)
	sess.Values[TokenName].(StringMap)["/"] = "123456"

	// Run the page
	h.ServeHTTP(w, req)

	if w.Code != 200 {
		t.Errorf("The request should have succeeded, but it didn't. Instead, the code was %d",
			w.Code)
	}
}
Exemplo n.º 9
0
func TestIsExempt(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)
	h.ExcludeRegexPaths([]string{"/skip(.*)"})

	// Create the form
	token := "123456"
	form := url.Values{}
	form.Set(TokenName, token)

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/skip", bytes.NewBufferString(form.Encode()))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)
	sess.Values[TokenName].(StringMap)["/"] = "123456ffffff"

	// Run the page
	h.ServeHTTP(w, req)

	if w.Code != 200 {
		t.Errorf("The request should have been successful, but it wasn't. Instead, the code was %d",
			w.Code)
	}
}
Exemplo n.º 10
0
func TestDontClearAfterUsage(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)
	h.ClearAfterUsage(false)

	// Create the form
	token := "123456"
	form := url.Values{}
	form.Set(TokenName, token)

	// Create the POST request
	req, err := http.NewRequest("POST", "http://localhost/", bytes.NewBufferString(form.Encode()))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)
	sess.Values[TokenName].(StringMap)["/"] = "123456ffffff"

	// Run the page
	h.ServeHTTP(w, req)

	if _, ok := sess.Values[TokenName].(StringMap)["/"]; !ok {
		t.Error("The token should not have been deleted.")
	}
}
Exemplo n.º 11
0
func TestUniqueTokenPerPage(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Use unique token per page
	SingleToken = false

	// Create the GET request
	req, err := http.NewRequest("GET", "http://localhost/test1", nil)
	if err != nil {
		panic(err)
	}

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	token1 := Token(w, req, sess)

	// Create the GET request
	req2, err := http.NewRequest("GET", "http://localhost/test2", nil)
	if err != nil {
		panic(err)
	}

	token2 := Token(w, req2, sess)

	if token1 == token2 {
		t.Error("Tokens should not match")
	}
}
Exemplo n.º 12
0
func TestSingleTokenPerSession(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Use single token
	SingleToken = true

	// Create the GET request
	req, err := http.NewRequest("GET", "http://localhost/test1", nil)
	if err != nil {
		panic(err)
	}

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	token1 := Token(w, req, sess)

	// Create the GET request
	req2, err := http.NewRequest("GET", "http://localhost/test2", nil)
	if err != nil {
		panic(err)
	}

	token2 := Token(w, req2, sess)

	if token1 != token2 {
		t.Errorf("Tokens should match: expected %v, got %v", token1, token2)
	}
}
Exemplo n.º 13
0
func TestCSRFMissingTokenJSONNoPayload(t *testing.T) {
	var cookieName = "test"

	// Create a cookiestore
	store := sessions.NewCookieStore([]byte("secret-key"))

	// Create the recorder
	w := httptest.NewRecorder()

	// Create the handler
	h := New(http.HandlerFunc(successHandler), store, cookieName)

	// Create the POST request with no token
	req, err := http.NewRequest("POST", "http://localhost/", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/json")

	// Get the session
	sess, err := store.Get(req, cookieName)
	if err != nil {
		t.Fatalf("Error getting session: %v", err)
	}

	// Set the values in the session manually
	sess.Values[TokenName] = make(StringMap)

	// Run the page
	h.ServeHTTP(w, req)

	if w.Code == 200 {
		t.Errorf("The request should have failed, but it didn't. Instead, the code was %d",
			w.Code)
	}
}