Play Framework/Scala example source code file (CSRFFilterSpec.scala)
The CSRFFilterSpec.scala Play Framework example source code/*
* Copyright (C) 2009-2013 Typesafe Inc. <http://www.typesafe.com>
*/
package play.filters.csrf
import scala.concurrent.Future
import play.api.libs.ws._
import play.api.mvc._
import play.api.libs.json.Json
import play.api.test._
import scala.util.Random
import play.api.libs.Crypto
/**
* Specs for the global CSRF filter
*/
object CSRFFilterSpec extends CSRFCommonSpecs {
sequential
import CSRFConf._
"a CSRF filter also" should {
// conditions for adding a token
"not add a token to non GET requests" in {
buildCsrfAddToken()(_.put(""))(_.status must_== NOT_FOUND)
}
"not add a token to GET requests that don't accept HTML" in {
buildCsrfAddToken()(_.withHeaders(ACCEPT -> "application/json").get())(_.status must_== NOT_FOUND)
}
"add a token to GET requests that accept HTML" in {
buildCsrfAddToken()(_.withHeaders(ACCEPT -> "text/html").get())(_.status must_== OK)
}
"not add a token to HEAD requests that don't accept HTML" in {
buildCsrfAddToken()(_.withHeaders(ACCEPT -> "application/json").head())(_.status must_== NOT_FOUND)
}
"add a token to HEAD requests that accept HTML" in {
buildCsrfAddToken()(_.withHeaders(ACCEPT -> "text/html").head())(_.status must_== OK)
}
// extra conditions for not doing a check
"not check non form bodies" in {
buildCsrfCheckRequest(false)(_.post(Json.obj("foo" -> "bar")))(_.status must_== OK)
}
"not check safe methods" in {
buildCsrfCheckRequest(false)(_.put(Map("foo" -> "bar")))(_.status must_== OK)
}
// other
"feed the body once a check has been done and passes" in {
withServer(Nil) {
case _ => CSRFFilter()(Action(
_.body.asFormUrlEncoded
.flatMap(_.get("foo"))
.flatMap(_.headOption)
.map(Results.Ok(_))
.getOrElse(Results.NotFound)))
} {
val token = Crypto.generateSignedToken
import play.api.Play.current
await(WS.url("http://localhost:" + testServerPort).withSession(TokenName -> token)
.post(Map("foo" -> "bar", TokenName -> token))).body must_== "bar"
}
}
val notBufferedFakeApp = FakeApplication(
additionalConfiguration = Map("application.secret" -> "foobar", "csrf.body.bufferSize" -> "200"),
withRoutes = {
case _ => CSRFFilter()(Action(
_.body.asFormUrlEncoded
.flatMap(_.get("foo"))
.flatMap(_.headOption)
.map(Results.Ok(_))
.getOrElse(Results.NotFound)))
}
)
"feed a not fully buffered body once a check has been done and passes" in new WithServer(notBufferedFakeApp, testServerPort) {
val token = Crypto.generateSignedToken
val response = await(WS.url("http://localhost:" + port).withSession(TokenName -> token)
.withHeaders(CONTENT_TYPE -> "application/x-www-form-urlencoded")
.post(
Seq(
// Ensure token is first so that it makes it into the buffered part
TokenName -> token,
// This value must go over the edge of csrf.body.bufferSize
"longvalue" -> Random.alphanumeric.take(1024).mkString(""),
"foo" -> "bar"
).map(f => f._1 + "=" + f._2).mkString("&")
)
)
response.status must_== OK
response.body must_== "bar"
}
"be possible to instantiate when there is no running application" in {
CSRFFilter() must beAnInstanceOf[AnyRef]
}
"work with a Java error handler" in {
def csrfCheckRequest = buildCsrfCheckRequestWithJavaHandler()
def csrfAddToken = buildCsrfAddToken("csrf.cookie.name" -> "csrf")
def generate = Crypto.generateSignedToken
def addToken(req: WSRequestHolder, token: String) = req.withCookies("csrf" -> token)
def getToken(response: WSResponse) = response.cookies.find(_.name.exists(_ == "csrf")).flatMap(_.value)
def compareTokens(a: String, b: String) = Crypto.compareSignedTokens(a, b) must beTrue
sharedTests(csrfCheckRequest, csrfAddToken, generate, addToken, getToken, compareTokens, UNAUTHORIZED)
}
}
def buildCsrfCheckRequest(sendUnauthorizedResult: Boolean, configuration: (String, String)*) = new CsrfTester {
def apply[T](makeRequest: (WSRequestHolder) => Future[WSResponse])(handleResponse: (WSResponse) => T) = withServer(configuration) {
case _ => if (sendUnauthorizedResult) {
CSRFFilter(errorHandler = new CustomErrorHandler())(Action(Results.Ok))
} else {
CSRFFilter()(Action(Results.Ok))
}
} {
import play.api.Play.current
handleResponse(await(makeRequest(WS.url("http://localhost:" + testServerPort))))
}
}
def buildCsrfCheckRequestWithJavaHandler() = new CsrfTester {
def apply[T](makeRequest: (WSRequestHolder) => Future[WSResponse])(handleResponse: (WSResponse) => T) = {
withServer(Seq(
"csrf.cookie.name" -> "csrf",
"csrf.error.handler" -> "play.filters.csrf.JavaErrorHandler"
)) {
case _ => new CSRFFilter().apply(Action(Results.Ok))
} {
import play.api.Play.current
handleResponse(await(makeRequest(WS.url("http://localhost:" + testServerPort))))
}
}
}
def buildCsrfAddToken(configuration: (String, String)*) = new CsrfTester {
def apply[T](makeRequest: (WSRequestHolder) => Future[WSResponse])(handleResponse: (WSResponse) => T) = withServer(configuration) {
case _ => CSRFFilter()(Action { implicit req =>
CSRF.getToken(req).map { token =>
Results.Ok(token.value)
} getOrElse Results.NotFound
})
} {
import play.api.Play.current
handleResponse(await(makeRequest(WS.url("http://localhost:" + testServerPort))))
}
}
class CustomErrorHandler extends CSRF.ErrorHandler {
import play.api.mvc.Results.Unauthorized
def handle(req: RequestHeader, msg: String) = Unauthorized(msg)
}
}
class JavaErrorHandler extends CSRFErrorHandler {
def handle(msg: String) = play.mvc.Results.unauthorized()
}
Other Play Framework source code examplesHere is a short list of links related to this Play Framework CSRFFilterSpec.scala source code file: |
The search page
Other Play Framework source code examples at this package level
Click here to learn more about this project
