[Task] #50 csrf tests added to login

src/app.ts

@@ -44,8 +44,8 @@ app.use(compression())
 app.use(hpp());
 app.use(baseRateLimiter);
 app.use((req, res, next) => { // limit body for specific http methods
-  if(['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
-   return express.urlencoded({ limit: '0.5kb', extended: true })(req, res, next);
+  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
+    return express.urlencoded({ limit: '0.5kb', extended: true })(req, res, next);
   }
   next();
 });

src/tests/login.test.ts

@@ -6,14 +6,21 @@ const userDataLarge = qs.stringify({
   password: "pass",
   kilobyte: 'BPSwVu5vcvhWB17HcfIdyQK83mHJZKChv7zDihBJoifWK9EJFzK7VYf3kUgIqkc0io8DnSdewzc9U0GpzodQUFz0KLMaogsJruEbNSKvxnzUxS5UqSR64lLOmGumoPcn2InC0Ebpqfdiw90HFVZVlE3AY6Lhgbx8ILHi55RvpuGefDjBsePgow8Jh9sc8uVMCDglLmHQ0zk3PumMj0KlOszbMmX9fG0pPUsvLLc40biPBv9t97K3BFjYd3fGriRAQ3bFhGHBz2wzGbNQfHjKFDHuSvXOw8KReM7Wwd4Cl02QQ3RnDJVwH6cayh4BqFRXlP3i6uXw0l9qxdTv0q1CtV9rJho6zwo04gkGLvsS3AoYJQtHnOtUDdHPExu7l3nMKnPoRUwl7K2ePfHRuppFGqa43Q49bI04VjEhrB9k5S2uZJoxZdm63rIUrydmkZWdvBLVVZUIXwwIRnwLmoa26htKOz9FPKwWIPOM0NZj4jAoPhKqLDJwziNZn5UupzxBXoUM3BIyEk3K8GXs7eBduH9GCK2z2HPF0fJNtGiHASe7jCOC2mhSC5zGf9k0Yu1Ey63oQQZUtT7L57lp7UzPE2p6wzKDlbJZOn0Ho5OUfq3hE2C8fQRO1M6jDvRTiUIKhhxSHYd75Pvh4SG9lD8w5OHASusLDxmzKBUuG4GrGrQYpd0awJkqnKp5lk7psLD22YTtjTuDgI500tQLXSslxI1kIuB8RnN1LsxHyRQMVtXmNFOKKZV2U2frWpImIz2wSHCYrwRGygwDtiFfwtVwTapjhQqUMyb1vrWWi3EL1Y50fDCjDDHlvLI4N2tr2DULFf3a9m2SYWSoE6CYP4og5YyqjhqFQFm9urREInyZi9L0iQoMYxEqxTjGiVJfKmaSChSd0kQz6z2OdsxFbkMWJ2CAHOL1XNK8iFFSp93fIspaNMIonRVDCj4ZIP1LaPHDmIYcYTNU4k3Uz6VBHSIc1VjiG3sc2MZpKw9An0tJVlWbtVSk2RGYWIANAYyr5pQS'
 });
-const userData = qs.stringify({
+const userDataWithoutToken = qs.stringify({
   user: "user",
   password: "pass"
 });
 
+let csrfToken = "-";
+const userDataWithToken = {
+  user: "user",
+  password: "pass",
+  csrfToken: ""
+};
+
 describe('Login', () => {
   it('form available', async () => {
-    let serverStatus = {};
+    let serverStatus;
     let response = { data: "", status: "" };
     try {
       response = await axios.get('http://localhost:80/login');
@@ -24,6 +31,10 @@ describe('Login', () => {
 
     expect(serverStatus).toBe(200);
     expect(response.data).toContain('<form');
+    const regex = /name="csrfToken" value="([^"]*)"/;
+    const match = response.data.match(regex);
+    csrfToken = match ? match[1] : '';
+    expect(csrfToken.length).toBeGreaterThan(4);
   })
 
   it('server is blocking requests with large body', async () => {
@@ -39,13 +50,38 @@ describe('Login', () => {
     }
   })
 
-  it('invalid login verification test', async () => {
+  it('invalid csrf shows correct error', async () => {
+    try {
+      await axios.post('http://localhost:80/login', userDataWithoutToken);
+    } catch (error) {
+      const axiosError = error as AxiosError;
+      if (axiosError.response) {
+        expect(axiosError.response.status).toBe(403);
+        if (axiosError.response.data) {
+          expect(JSON.stringify(axiosError.response.data)).toContain('Invalid CSRF');
+        } else {
+          throw Error("fail");
+        }
+      } else {
+        console.error(axiosError);
+      }
+    }
+  })
+
+
+  it('test invalid credentials to return error', async () => {
     try {
-      await axios.post('http://localhost:80/login', userData);
+      userDataWithToken.csrfToken = csrfToken;
+      await axios.post('http://localhost:80/login', qs.stringify(userDataWithToken));
     } catch (error) {
       const axiosError = error as AxiosError;
       if (axiosError.response) {
         expect(axiosError.response.status).toBe(403);
+        if (axiosError.response.data) {
+          expect(JSON.stringify(axiosError.response.data)).toContain('Invalid credentials');
+        } else {
+          throw Error("fail");
+        }
       } else {
         console.error(axiosError);
       }