-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Testing #13
Comments
YMMV, but yes, I would test at least the routes which are supposed to be protected with rack-test, just to avoid "surprises" down the road. |
Ok, rack_csrf is breaking my rspec tests, so I'm going to go ahead and be that 'noob' How do you configure it to work in a test environment? It's there. It's throwing Rack::Csrf::InvalidCsrfToken, but I can't seem to change its behavior either in spec_helper or within tests |
ATM I am disabling CSRF in testing like that in a sinatra configure block: use Rack::Csrf, { :raise => false, :skip => ['POST:.*', 'PUT:.*', 'DELETE:.*', 'PATCH:.*'] } Did not have the time to make it work in testing. But my ultimate goal sometime in the future would be to enable it again for rack-test like @baldowl suggested... |
@IanBurry: if everything is behind Rack::Csrf, skipping it in test environment is a no brainer. However, if you wan to test it, you can follow a couple of different routes. Rack::Test provides an it 'responds correctly' do
env 'rack.session', Rack::Csrf.key => 'super-fake-token'
post '/protected_form', :a_field => 'a value', Rack::Csrf.field => 'super-fake-token'
expect(last_response).to be_ok
end Alternatively (and don't tell anyone I told you to do it 😜) you can mess with Rack::Test's internals: it 'responds correctly' do
env_object = current_session.instance_variable_get :@env
env_object['rack.session'] = {}
token = Rack::Csrf.token env_object
post '/protected_form', :a_field => 'a value', Rack::Csrf.field => token
expect(last_response).to be_ok
end Whatever you choose, of course you can/should extract and polish the code which injects the token (the fake, static, one or the real token) or your specs will smell bad pretty soon. |
Hi all,
I am trying to test a Sinatra app which has rack_csrf enabled for forms and most routes.
Some routes do not have csrf enabled, as they belong to the apps API.
Does it make any sense to test csrf protection (with minitest and rack-test) for all routes, to check that forms are correctly csrf-protected and API routes are not? What would be the best practice for this? Or would it be best to just ignore this and disable/skip rack_csrf completely in test mode?
Thanks and best regards
Christian
The text was updated successfully, but these errors were encountered: