Tests for CSRF
This commit is contained in:
parent
e590fe26e5
commit
b29a95d0cb
17
t/admin.t
17
t/admin.t
|
@ -10,6 +10,11 @@ my %valid_login = (
|
||||||
);
|
);
|
||||||
|
|
||||||
subtest Login => sub {
|
subtest Login => sub {
|
||||||
|
$t->get_ok('/login');
|
||||||
|
|
||||||
|
$valid_login{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok('/login', form => \%valid_login)
|
$t->post_ok('/login', form => \%valid_login)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{moderator/flagged});
|
->header_like(Location => qr{moderator/flagged});
|
||||||
|
@ -31,9 +36,10 @@ subtest Login => sub {
|
||||||
$t->get_ok('/moderator/admin/create')
|
$t->get_ok('/moderator/admin/create')
|
||||||
->status_is(200)
|
->status_is(200)
|
||||||
->text_like(h2 => qr/Create Moderator/)
|
->text_like(h2 => qr/Create Moderator/)
|
||||||
->element_exists('form input[name="name"]' )
|
->element_exists('form input[name="name"]' )
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
->element_exists('form input[name="password"]')
|
->element_exists('form input[name="password"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]')
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest Reset => sub {
|
subtest Reset => sub {
|
||||||
|
@ -43,6 +49,7 @@ subtest Login => sub {
|
||||||
->element_exists('a[href*="/moderator/admin/reset"]')
|
->element_exists('a[href*="/moderator/admin/reset"]')
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
->element_exists('form input[name="password"]' )
|
->element_exists('form input[name="password"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]' )
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest Lock => sub {
|
subtest Lock => sub {
|
||||||
|
@ -51,6 +58,7 @@ subtest Login => sub {
|
||||||
->text_like(h2 => qr/Lock Account/)
|
->text_like(h2 => qr/Lock Account/)
|
||||||
->element_exists('a[href*="/moderator/admin/lock"]')
|
->element_exists('a[href*="/moderator/admin/lock"]')
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]' )
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest Unlock => sub {
|
subtest Unlock => sub {
|
||||||
|
@ -59,6 +67,7 @@ subtest Login => sub {
|
||||||
->text_like(h2 => qr/Unlock Account/)
|
->text_like(h2 => qr/Unlock Account/)
|
||||||
->element_exists('a[href*="/moderator/admin/unlock"]')
|
->element_exists('a[href*="/moderator/admin/unlock"]')
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]' )
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest Promote => sub {
|
subtest Promote => sub {
|
||||||
|
@ -67,6 +76,7 @@ subtest Login => sub {
|
||||||
->text_like(h2 => qr/Promote Moderator/)
|
->text_like(h2 => qr/Promote Moderator/)
|
||||||
->element_exists('a[href*="/moderator/admin/promote"]')
|
->element_exists('a[href*="/moderator/admin/promote"]')
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]' )
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest Demote => sub {
|
subtest Demote => sub {
|
||||||
|
@ -75,6 +85,7 @@ subtest Login => sub {
|
||||||
->text_like(h2 => qr/Demote Admin/)
|
->text_like(h2 => qr/Demote Admin/)
|
||||||
->element_exists('a[href*="/moderator/admin/demote"]')
|
->element_exists('a[href*="/moderator/admin/demote"]')
|
||||||
->element_exists('form input[name="email"]' )
|
->element_exists('form input[name="email"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]' )
|
||||||
};
|
};
|
||||||
|
|
||||||
# Admin session ends
|
# Admin session ends
|
||||||
|
|
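Review bot: The Create/Reset/Lock/Unlock/Promote/Demote hunks only assert that a `csrf_token` input is rendered (`->element_exists('form input[name="csrf_token"]' )`); none of them posts one of those forms without a token and checks for the 403 that the "Bad CSRF" steps elsewhere in this commit expect, so a regression that keeps the hidden field but stops validating it would pass these tests. One negative-path post per admin form would close that gap, e.g. after the create assertions `$t->post_ok('/moderator/admin/create', form => {})->status_is(403);` (assuming the CSRF check runs before field validation, which is not visible here). In the Login hunk, `$t->tx->res->dom->at('input[name="csrf_token"]')->val` dies with a method-on-undef error if the input is missing, which aborts the whole file instead of reporting a failed assertion; chaining `->status_is(200)->element_exists('input[name="csrf_token"]')` onto the preceding `$t->get_ok('/login')` gives a readable failure first. The enclosing `subtest Login` block starts and ends outside the first hunk.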
55
t/human.t
55
t/human.t
|
@ -25,18 +25,39 @@ subtest 'Bumping thread', sub {
|
||||||
$t->get_ok('/human/thread/bump/1')->status_is(302)
|
$t->get_ok('/human/thread/bump/1')->status_is(302)
|
||||||
->header_like(Location => qr/captcha/);
|
->header_like(Location => qr/captcha/);
|
||||||
|
|
||||||
|
$t->get_ok($bump_thread_url)
|
||||||
|
->status_is(200)
|
||||||
|
->element_exists('input[name="answer"]' )
|
||||||
|
->element_exists('input[name="number"]' )
|
||||||
|
->element_exists('input[name="csrf_token"]');
|
||||||
|
|
||||||
|
# Bad CSRF
|
||||||
|
$t->post_ok($bump_thread_url, form => \%bad_bot)
|
||||||
|
->status_is(403)
|
||||||
|
->element_exists('p[class="stash-with-error"]')
|
||||||
|
->text_like(p => qr/Something went wrong/);
|
||||||
|
|
||||||
# Bad CAPTCHA
|
# Bad CAPTCHA
|
||||||
|
$bad_bot{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($bump_thread_url, form => \%bad_bot)
|
$t->post_ok($bump_thread_url, form => \%bad_bot)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="stash-with-error"]')
|
->element_exists('p[class="stash-with-error"]')
|
||||||
->text_like(p => qr/Sounds like something a robot would say/);
|
->text_like(p => qr/Sounds like something a robot would say/);
|
||||||
|
|
||||||
|
$invalid_captcha{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($bump_thread_url, form => \%invalid_captcha)
|
$t->post_ok($bump_thread_url, form => \%invalid_captcha)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="field-with-error"]')
|
->element_exists('p[class="field-with-error"]')
|
||||||
->text_like(p => qr/Should be a single number/);
|
->text_like(p => qr/Should be a single number/);
|
||||||
|
|
||||||
# Solved CAPTCHA
|
# Solved CAPTCHA
|
||||||
|
$good_human{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($bump_thread_url, form => \%good_human)
|
$t->post_ok($bump_thread_url, form => \%good_human)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{human/thread/bump/1});
|
->header_like(Location => qr{human/thread/bump/1});
|
||||||
|
@ -56,18 +77,35 @@ subtest 'Flagging thread', sub {
|
||||||
$t->get_ok('/human/thread/flag/1')->status_is(302)
|
$t->get_ok('/human/thread/flag/1')->status_is(302)
|
||||||
->header_like(Location => qr/captcha/);
|
->header_like(Location => qr/captcha/);
|
||||||
|
|
||||||
|
# Bad CSRF
|
||||||
|
$t->get_ok($flag_thread_url);
|
||||||
|
|
||||||
|
$t->post_ok($flag_thread_url, form => \%bad_bot)
|
||||||
|
->status_is(403)
|
||||||
|
->element_exists('p[class="stash-with-error"]')
|
||||||
|
->text_like(p => qr/Something went wrong/);
|
||||||
|
|
||||||
# Bad CAPTCHA
|
# Bad CAPTCHA
|
||||||
|
$bad_bot{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_thread_url, form => \%bad_bot)
|
$t->post_ok($flag_thread_url, form => \%bad_bot)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="stash-with-error"]')
|
->element_exists('p[class="stash-with-error"]')
|
||||||
->text_like(p => qr/Sounds like something a robot would say/);
|
->text_like(p => qr/Sounds like something a robot would say/);
|
||||||
|
|
||||||
|
$invalid_captcha{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_thread_url, form => \%invalid_captcha)
|
$t->post_ok($flag_thread_url, form => \%invalid_captcha)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="field-with-error"]')
|
->element_exists('p[class="field-with-error"]')
|
||||||
->text_like(p => qr/Should be a single number/);
|
->text_like(p => qr/Should be a single number/);
|
||||||
|
|
||||||
# Solved CAPTCHA
|
# Solved CAPTCHA
|
||||||
|
$good_human{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_thread_url, form => \%good_human)
|
$t->post_ok($flag_thread_url, form => \%good_human)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{human/thread/flag/1});
|
->header_like(Location => qr{human/thread/flag/1});
|
||||||
|
@ -83,18 +121,35 @@ subtest 'Flagging remark', sub {
|
||||||
$t->get_ok('/human/remark/flag/1')->status_is(302)
|
$t->get_ok('/human/remark/flag/1')->status_is(302)
|
||||||
->header_like(Location => qr/captcha/);
|
->header_like(Location => qr/captcha/);
|
||||||
|
|
||||||
|
# Bad CSRF
|
||||||
|
$t->get_ok($flag_remark_url);
|
||||||
|
|
||||||
|
$t->post_ok($flag_remark_url, form => \%bad_bot)
|
||||||
|
->status_is(403)
|
||||||
|
->element_exists('p[class="stash-with-error"]')
|
||||||
|
->text_like(p => qr/Something went wrong/);
|
||||||
|
|
||||||
# Bad CAPTCHA
|
# Bad CAPTCHA
|
||||||
|
$bad_bot{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_remark_url, form => \%bad_bot)
|
$t->post_ok($flag_remark_url, form => \%bad_bot)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="stash-with-error"]')
|
->element_exists('p[class="stash-with-error"]')
|
||||||
->text_like(p => qr/Sounds like something a robot would say/);
|
->text_like(p => qr/Sounds like something a robot would say/);
|
||||||
|
|
||||||
|
$invalid_captcha{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_remark_url, form => \%invalid_captcha)
|
$t->post_ok($flag_remark_url, form => \%invalid_captcha)
|
||||||
->status_is(400)
|
->status_is(400)
|
||||||
->element_exists('p[class="field-with-error"]')
|
->element_exists('p[class="field-with-error"]')
|
||||||
->text_like(p => qr/Should be a single number/);
|
->text_like(p => qr/Should be a single number/);
|
||||||
|
|
||||||
# Solved CAPTCHA
|
# Solved CAPTCHA
|
||||||
|
$good_human{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($flag_remark_url, form => \%good_human)
|
$t->post_ok($flag_remark_url, form => \%good_human)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{human/remark/flag/1});
|
->header_like(Location => qr{human/remark/flag/1});
|
||||||
|
|
|
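Review bot: In the "Flagging thread" and "Flagging remark" hunks the `# Bad CSRF` post sends `\%bad_bot` after the "Bumping thread" subtest has already stored a token in it via `$bad_bot{'csrf_token'} = ...`, so the request is only token-less if that hash is reset between subtests, which the hunks do not show. Mojolicious' stock `csrf_token` helper keeps one token per session, so unless the application rotates it per request this post carries a currently valid token and the `->status_is(403)` either fails or passes for a reason other than a missing token; adding `delete $bad_bot{'csrf_token'};` directly under each `# Bad CSRF` comment makes the step test what its name says. Separately, the bare `$t->get_ok($flag_thread_url);` / `$t->get_ok($flag_remark_url);` lines do not assert the captcha form is present, so the later `->at('input[name="csrf_token"]')->val` dies on undef rather than reporting a failure; chaining `->status_is(200)->element_exists('input[name="csrf_token"]')` as the bump subtest already does keeps the failure readable.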
@ -17,16 +17,28 @@ my %invalid_login = (
|
||||||
subtest Login => sub {
|
subtest Login => sub {
|
||||||
$t->get_ok('/login')
|
$t->get_ok('/login')
|
||||||
->status_is(200)
|
->status_is(200)
|
||||||
->element_exists('form input[name="email"]')
|
->element_exists('form input[name="email"]' )
|
||||||
->element_exists('form input[name="password"]')
|
->element_exists('form input[name="password"]' )
|
||||||
|
->element_exists('form input[name="csrf_token"]')
|
||||||
->text_like(h2 => qr/Moderator Login/);
|
->text_like(h2 => qr/Moderator Login/);
|
||||||
|
|
||||||
|
# Bad CSRF token
|
||||||
|
$t->post_ok('/login', form => \%valid_login)
|
||||||
|
->status_is(403)
|
||||||
|
->text_like(p => qr/Something went wrong/);
|
||||||
|
|
||||||
|
$invalid_login{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok('/login', form => \%invalid_login)
|
$t->post_ok('/login', form => \%invalid_login)
|
||||||
->status_is(403)
|
->status_is(403)
|
||||||
->element_exists('form input[name="email"]')
|
->element_exists('form input[name="email"]')
|
||||||
->element_exists('form input[name="password"]')
|
->element_exists('form input[name="password"]')
|
||||||
->text_like(p => qr/Invalid login/);
|
->text_like(p => qr/Invalid login/);
|
||||||
|
|
||||||
|
$valid_login{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok('/login', form => \%valid_login)
|
$t->post_ok('/login', form => \%valid_login)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{moderator/flagged});
|
->header_like(Location => qr{moderator/flagged});
|
||||||
|
|
|
@ -14,6 +14,11 @@ subtest 'Search before CAPTCHA', sub {
|
||||||
};
|
};
|
||||||
|
|
||||||
subtest 'Search after CAPTCHA', sub {
|
subtest 'Search after CAPTCHA', sub {
|
||||||
|
$t->get_ok($search_url);
|
||||||
|
|
||||||
|
$good_human{'csrf_token'} =
|
||||||
|
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
|
||||||
|
|
||||||
$t->post_ok($search_url, form => \%good_human)
|
$t->post_ok($search_url, form => \%good_human)
|
||||||
->status_is(302)
|
->status_is(302)
|
||||||
->header_like(Location => qr{human/search});
|
->header_like(Location => qr{human/search});
|
||||||
|
|