From 283e8e54d3873b9862b06e4b263d0a7b4e94418f Mon Sep 17 00:00:00 2001 From: Type-Style Date: Tue, 26 Mar 2024 00:58:54 +0100 Subject: [PATCH] [Task] #50 csrf tests added to login --- src/app.ts | 4 ++-- src/tests/login.test.ts | 44 +++++++++++++++++++++++++++++++++++++---- 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/src/app.ts b/src/app.ts index ff7a87e..b11cfdb 100644 --- a/src/app.ts +++ b/src/app.ts @@ -44,8 +44,8 @@ app.use(compression()) app.use(hpp()); app.use(baseRateLimiter); app.use((req, res, next) => { // limit body for specific http methods - if(['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) { - return express.urlencoded({ limit: '0.5kb', extended: true })(req, res, next); + if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) { + return express.urlencoded({ limit: '0.5kb', extended: true })(req, res, next); } next(); }); diff --git a/src/tests/login.test.ts b/src/tests/login.test.ts index 6fbc340..957a73f 100644 --- a/src/tests/login.test.ts +++ b/src/tests/login.test.ts @@ -6,14 +6,21 @@ const userDataLarge = qs.stringify({ password: "pass", kilobyte: 'BPSwVu5vcvhWB17HcfIdyQK83mHJZKChv7zDihBJoifWK9EJFzK7VYf3kUgIqkc0io8DnSdewzc9U0GpzodQUFz0KLMaogsJruEbNSKvxnzUxS5UqSR64lLOmGumoPcn2InC0Ebpqfdiw90HFVZVlE3AY6Lhgbx8ILHi55RvpuGefDjBsePgow8Jh9sc8uVMCDglLmHQ0zk3PumMj0KlOszbMmX9fG0pPUsvLLc40biPBv9t97K3BFjYd3fGriRAQ3bFhGHBz2wzGbNQfHjKFDHuSvXOw8KReM7Wwd4Cl02QQ3RnDJVwH6cayh4BqFRXlP3i6uXw0l9qxdTv0q1CtV9rJho6zwo04gkGLvsS3AoYJQtHnOtUDdHPExu7l3nMKnPoRUwl7K2ePfHRuppFGqa43Q49bI04VjEhrB9k5S2uZJoxZdm63rIUrydmkZWdvBLVVZUIXwwIRnwLmoa26htKOz9FPKwWIPOM0NZj4jAoPhKqLDJwziNZn5UupzxBXoUM3BIyEk3K8GXs7eBduH9GCK2z2HPF0fJNtGiHASe7jCOC2mhSC5zGf9k0Yu1Ey63oQQZUtT7L57lp7UzPE2p6wzKDlbJZOn0Ho5OUfq3hE2C8fQRO1M6jDvRTiUIKhhxSHYd75Pvh4SG9lD8w5OHASusLDxmzKBUuG4GrGrQYpd0awJkqnKp5lk7psLD22YTtjTuDgI500tQLXSslxI1kIuB8RnN1LsxHyRQMVtXmNFOKKZV2U2frWpImIz2wSHCYrwRGygwDtiFfwtVwTapjhQqUMyb1vrWWi3EL1Y50fDCjDDHlvLI4N2tr2DULFf3a9m2SYWSoE6CYP4og5YyqjhqFQFm9urREInyZi9L0iQoMYxEqxTjGiVJfKmaSChSd0kQz6z2OdsxFbkMWJ2CAHOL1XNK8iFFSp93fIspaNMIonRVDCj4ZIP1LaPHDmIYcYTNU4k3Uz6VBHSIc1VjiG3sc2MZpKw9An0tJVlWbtVSk2RGYWIANAYyr5pQS' }); -const userData = qs.stringify({ +const userDataWithoutToken = qs.stringify({ user: "user", password: "pass" }); +let csrfToken = "-"; +const userDataWithToken = { + user: "user", + password: "pass", + csrfToken: "" +}; + describe('Login', () => { it('form available', async () => { - let serverStatus = {}; + let serverStatus; let response = { data: "", status: "" }; try { response = await axios.get('http://localhost:80/login'); @@ -24,6 +31,10 @@ describe('Login', () => { expect(serverStatus).toBe(200); expect(response.data).toContain(' { @@ -39,13 +50,38 @@ describe('Login', () => { } }) - it('invalid login verification test', async () => { + it('invalid csrf shows correct error', async () => { + try { + await axios.post('http://localhost:80/login', userDataWithoutToken); + } catch (error) { + const axiosError = error as AxiosError; + if (axiosError.response) { + expect(axiosError.response.status).toBe(403); + if (axiosError.response.data) { + expect(JSON.stringify(axiosError.response.data)).toContain('Invalid CSRF'); + } else { + throw Error("fail"); + } + } else { + console.error(axiosError); + } + } + }) + + + it('test invalid credentials to return error', async () => { try { - await axios.post('http://localhost:80/login', userData); + userDataWithToken.csrfToken = csrfToken; + await axios.post('http://localhost:80/login', qs.stringify(userDataWithToken)); } catch (error) { const axiosError = error as AxiosError; if (axiosError.response) { expect(axiosError.response.status).toBe(403); + if (axiosError.response.data) { + expect(JSON.stringify(axiosError.response.data)).toContain('Invalid credentials'); + } else { + throw Error("fail"); + } } else { console.error(axiosError); }