diff options
Diffstat (limited to 'spec/initializers/actionpack_generate_old_csrf_token_spec.rb')
| -rw-r--r-- | spec/initializers/actionpack_generate_old_csrf_token_spec.rb | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/spec/initializers/actionpack_generate_old_csrf_token_spec.rb b/spec/initializers/actionpack_generate_old_csrf_token_spec.rb new file mode 100644 index 00000000000..036f52398bb --- /dev/null +++ b/spec/initializers/actionpack_generate_old_csrf_token_spec.rb @@ -0,0 +1,47 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath + let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) } + + context 'global_csrf_token feature flag is enabled' do + it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do + generated_token = controller.send(:form_authenticity_token) + + expect(valid_authenticity_token?(generated_token)).to be_truthy + expect(compare_with_real_token(generated_token)).to be_falsey + expect(compare_with_global_token(generated_token)).to be_truthy + end + end + + context 'global_csrf_token feature flag is disabled' do + before do + stub_feature_flags(global_csrf_token: false) + end + + it 'generates 6.0.3 style CSRF token', :aggregate_failures do + generated_token = controller.send(:form_authenticity_token) + + expect(valid_authenticity_token?(generated_token)).to be_truthy + expect(compare_with_real_token(generated_token)).to be_truthy + expect(compare_with_global_token(generated_token)).to be_falsey + end + end + + def compare_with_global_token(token) + unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token) + + controller.send(:compare_with_global_token, unmasked_token, session) + end + + def compare_with_real_token(token) + unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token) + + controller.send(:compare_with_real_token, unmasked_token, session) + end + + def valid_authenticity_token?(token) + controller.send(:valid_authenticity_token?, session, token) + end +end |