Only allow requesting new CSRF tokens if it passes the SameSite Cookie test

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2020-01-03 15:08:37 +0300
committer: Roeland Jago Douma <roeland@famdouma.nl> 2020-01-03 15:12:03 +0300
commit: da81b71f9337621a60def04c304cb301321163b7 (patch)
tree: 516138a4646d0cfd69e634a15aa21395517c0eb3 /tests
parent: 7976cb7e94d2d73173d1774534c1ae636dc4e17f (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/tests/Core/Controller/CSRFTokenControllerTest.php b/tests/Core/Controller/CSRFTokenControllerTest.php
index 74eebf61749..a02f84832e5 100644
--- a/tests/Core/Controller/CSRFTokenControllerTest.php
+++ b/tests/Core/Controller/CSRFTokenControllerTest.php
@@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
 			$this->tokenManager);
 	}
 
-	public function testGetToken() {
+	public function testGetToken(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(true);
+
 		$token = $this->createMock(CsrfToken::class);
 		$this->tokenManager->method('getToken')->willReturn($token);
 		$token->method('getEncryptedValue')->willReturn('toktok123');
@@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
 			], $response->getData());
 	}
 
+	public function testGetTokenNoStrictSameSiteCookie(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(false);
+
+		$response = $this->controller->index();
+
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
 }
author	Roeland Jago Douma <roeland@famdouma.nl>	2020-01-03 15:08:37 +0300
committer	Roeland Jago Douma <roeland@famdouma.nl>	2020-01-03 15:12:03 +0300
commit	da81b71f9337621a60def04c304cb301321163b7 (patch)
tree	516138a4646d0cfd69e634a15aa21395517c0eb3 /tests
parent	7976cb7e94d2d73173d1774534c1ae636dc4e17f (diff)