const should = require('should');
const sinon = require('sinon');
const express = require('express');
const SessionService = require('../');
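describe('SessionService', function () {
    // Fake for the `getSession` dependency: hands back the session already
    // attached to the request, or attaches a fresh copy of `initialSession`.
    // Each test passes its own literal so nothing is shared between cases.
    const createGetSession = initialSession => async (req) => {
        if (req.session) {
            return req.session;
        }
        req.session = {...initialSession};
        return req.session;
    };

    // Fake for the `findUserById` dependency: echoes the looked-up id back as
    // a user object. Wrapped in a spy so tests can assert on the call.
    const createFindUserById = () => sinon.spy(async ({id}) => ({id}));

    // Minimal request built on express.request's prototype. These are the
    // only request fields the fixtures provide (ip, a cookie header, and
    // `req.get()`), so the service must not need anything else from a request.
    const createRequest = () => Object.create(express.request, {
        ip: {
            value: '0.0.0.0'
        },
        headers: {
            value: {
                cookie: 'thing'
            }
        },
        get: {
            value: () => 'Fake'
        }
    });

    // Bare response built on express.response's prototype; tests that need
    // `res.locals` set it themselves.
    const createResponse = () => Object.create(express.response);

    it('Returns the user for the id stored on the session', async function () {
        const getSession = createGetSession({
            destroy: sinon.spy(cb => cb())
        });
        const findUserById = createFindUserById();
        // Request origin matches whatever origin the service records on the
        // session, so the origin check is not what this case exercises.
        const getOriginOfRequest = sinon.stub().returns('origin');

        const sessionService = SessionService({
            getSession,
            findUserById,
            getOriginOfRequest
        });

        const req = createRequest();
        const res = createResponse();
        const user = {id: 'egg'};

        await sessionService.createSessionForUser(req, res, user);

        // The service persists the user id, not the user object, on the session.
        should.equal(req.session.user_id, 'egg');

        const actualUser = await sessionService.getUserForSession(req, res);
        should.ok(findUserById.calledWith(sinon.match({id: 'egg'})));

        // The user returned must be the one the lookup produced, by identity.
        const expectedUser = await findUserById.returnValues[0];
        should.equal(actualUser, expectedUser);

        // Destroying the current session must go through the session's own
        // destroy callback exactly once.
        await sessionService.destroyCurrentSession(req, res);
        should.ok(req.session.destroy.calledOnce);
    });

    it('Throws an error when the csrf verification fails', async function () {
        // The session was created from 'origin'; the request now claims
        // 'other-origin'. The service treats the mismatch as a CSRF attempt
        // and must reject rather than resolve a user.
        const getSession = createGetSession({
            origin: 'origin'
        });
        const findUserById = createFindUserById();
        const getOriginOfRequest = sinon.stub().returns('other-origin');

        const sessionService = SessionService({
            getSession,
            findUserById,
            getOriginOfRequest
        });

        const req = createRequest();
        const res = createResponse();

        const error = `Request made from incorrect origin. Expected 'origin' received 'other-origin'.`;

        await sessionService.getUserForSession(req, res).should.be.rejectedWith(error);
    });

    it('Doesn\'t throw an error when the csrf verification fails when bypassed', async function () {
        // Same origin mismatch as the previous case, but with the bypass flag
        // set on `res.locals`, which is where the service reads it from.
        const getSession = createGetSession({
            origin: 'origin'
        });
        const findUserById = createFindUserById();
        const getOriginOfRequest = sinon.stub().returns('other-origin');

        const sessionService = SessionService({
            getSession,
            findUserById,
            getOriginOfRequest
        });

        const req = createRequest();
        const res = createResponse();
        res.locals = {
            bypassCsrfProtection: true
        };

        // Only the absence of a rejection is asserted here; the session has no
        // user_id, so this case says nothing about which user is returned.
        await sessionService.getUserForSession(req, res).should.be.fulfilled();
    });
});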