mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-30 14:22:07 +03:00
a701ee7023
no-issue * Added default for getting origin of request This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in. Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application. This will make dealing with magic links simpler as you can not always guaruntee the existence of these headers when visiting via a hyperlink * Removed init fns and getters from session service This simplifies the code here, making it easier to read and maintain * Moved express-session initialisation to own file This is complex enough that it deserves its own module * Added createSessionFromToken to session service * Wired up the createSessionFromToken middleware
128 lines
4.0 KiB
JavaScript
128 lines
4.0 KiB
JavaScript
const sessionMiddleware = require('../../../../../core/server/services/auth').session;
|
|
const models = require('../../../../../core/server/models');
|
|
const sinon = require('sinon');
|
|
const should = require('should');
|
|
|
|
describe('Session Service', function () {
|
|
before(function () {
|
|
models.init();
|
|
});
|
|
|
|
afterEach(function () {
|
|
sinon.restore();
|
|
});
|
|
|
|
const fakeReq = function fakeReq() {
|
|
return {
|
|
session: {
|
|
destroy() {}
|
|
},
|
|
user: null,
|
|
body: {},
|
|
get() {}
|
|
};
|
|
};
|
|
|
|
const fakeRes = function fakeRes() {
|
|
return {
|
|
sendStatus() {}
|
|
};
|
|
};
|
|
|
|
describe('createSession', function () {
|
|
it('sets req.session.origin from the Referer header', function (done) {
|
|
const req = fakeReq();
|
|
const res = fakeRes();
|
|
|
|
sinon.stub(req, 'get')
|
|
.withArgs('user-agent').returns('')
|
|
.withArgs('origin').returns('')
|
|
.withArgs('referrer').returns('http://ghost.org/path');
|
|
|
|
req.ip = '127.0.0.1';
|
|
req.user = models.User.forge({id: 23});
|
|
|
|
sinon.stub(res, 'sendStatus')
|
|
.callsFake(function () {
|
|
should.equal(req.session.origin, 'http://ghost.org');
|
|
done();
|
|
});
|
|
|
|
sessionMiddleware.createSession(req, res);
|
|
});
|
|
|
|
it('sets req.session.user_id,origin,user_agent,ip and calls sendStatus with 201 if the check succeeds', function (done) {
|
|
const req = fakeReq();
|
|
const res = fakeRes();
|
|
|
|
sinon.stub(req, 'get')
|
|
.withArgs('origin').returns('http://host.tld')
|
|
.withArgs('user-agent').returns('bububang');
|
|
|
|
req.ip = '127.0.0.1';
|
|
req.user = models.User.forge({id: 23});
|
|
|
|
sinon.stub(res, 'sendStatus')
|
|
.callsFake(function (statusCode) {
|
|
should.equal(req.session.user_id, 23);
|
|
should.equal(req.session.origin, 'http://host.tld');
|
|
should.equal(req.session.user_agent, 'bububang');
|
|
should.equal(req.session.ip, '127.0.0.1');
|
|
should.equal(statusCode, 201);
|
|
done();
|
|
});
|
|
|
|
sessionMiddleware.createSession(req, res);
|
|
});
|
|
});
|
|
|
|
describe('destroySession', function () {
|
|
it('calls req.session.destroy', function (done) {
|
|
const req = fakeReq();
|
|
const res = fakeRes();
|
|
const destroyStub = sinon.stub(req.session, 'destroy')
|
|
.callsFake(function (fn) {
|
|
fn();
|
|
});
|
|
|
|
sinon.stub(res, 'sendStatus')
|
|
.callsFake(function () {
|
|
should.equal(destroyStub.callCount, 1);
|
|
done();
|
|
});
|
|
|
|
sessionMiddleware.destroySession(req, res);
|
|
});
|
|
|
|
it('calls next with InternalServerError if destroy errors', function (done) {
|
|
const req = fakeReq();
|
|
const res = fakeRes();
|
|
sinon.stub(req.session, 'destroy')
|
|
.callsFake(function (fn) {
|
|
fn(new Error('oops'));
|
|
});
|
|
|
|
sessionMiddleware.destroySession(req, res, function next(err) {
|
|
should.equal(err.errorType, 'InternalServerError');
|
|
done();
|
|
});
|
|
});
|
|
|
|
it('calls sendStatus with 204 if destroy does not error', function (done) {
|
|
const req = fakeReq();
|
|
const res = fakeRes();
|
|
sinon.stub(req.session, 'destroy')
|
|
.callsFake(function (fn) {
|
|
fn();
|
|
});
|
|
sinon.stub(res, 'sendStatus')
|
|
.callsFake(function (status) {
|
|
should.equal(status, 204);
|
|
done();
|
|
});
|
|
|
|
sessionMiddleware.destroySession(req, res);
|
|
});
|
|
});
|
|
});
|