author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-01-07 13:43:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-07 13:43:46 +0100 |
commit | 52e4ecd66e2269dd47f2fa7b9e99babc96308713 (patch) | |
tree | d394124c609511f9667dd9157d952a1a316d84a2 /tests | |
parent | 33039a4c97a6deb7b0a2c1e38111e4eaa50a2818 (diff) | |
parent | da81b71f9337621a60def04c304cb301321163b7 (diff) | |
download | nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.tar.gz nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.zip |
Merge pull request #18644 from nextcloud/harden/csrf_endpoint
Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Core/Controller/CSRFTokenControllerTest.php | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/tests/Core/Controller/CSRFTokenControllerTest.php b/tests/Core/Controller/CSRFTokenControllerTest.php
index 74eebf61749..a02f84832e5 100644
--- a/tests/Core/Controller/CSRFTokenControllerTest.php
+++ b/tests/Core/Controller/CSRFTokenControllerTest.php
@@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
 			$this->tokenManager);
 	}
 
-	public function testGetToken() {
+	public function testGetToken(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(true);
+
 		$token = $this->createMock(CsrfToken::class);
 		$this->tokenManager->method('getToken')->willReturn($token);
 		$token->method('getEncryptedValue')->willReturn('toktok123');
@@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
 		], $response->getData());
 	}
 
+	public function testGetTokenNoStrictSameSiteCookie(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(false);
+
+		$response = $this->controller->index();
+
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
 }
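Review bot: testGetTokenNoStrictSameSiteCookie in the second hunk only pins the 403 status and the response type; it does not assert that no token is minted or returned when the strict-cookie check fails, which is the property this hardening exists to guarantee. A regression that still calls the token manager but happens to set a 403 status would pass this test as written. Adding `$this->tokenManager->expects($this->never())->method('getToken');` before the `index()` call, and `$this->assertSame([], $response->getData());` after the status assertion, would tie the test to the actual security contract rather than the status code alone. The first hunk's testGetToken body continues past the hunk, so whether it verifies that passesStrictCookieCheck is actually consulted (e.g. via `expects($this->once())`) cannot be seen here.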