test: few more ways to get misconfigured csrf

tinyhttp · Jul 7, 2021 · 88b3634 · 88b3634
1 parent e57a564
commit 88b3634
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/tests/failing.spec.ts b/tests/failing.spec.ts
@@ -1,5 +1,6 @@
 import { makeFetch } from 'supertest-fetch'
 import { App, Request } from '@tinyhttp/app'
+import { cookieParser } from '@tinyhttp/cookie-parser'
 import { urlencoded } from 'milliparsec'
 import { suite } from 'uvu'
 import * as assert from 'uvu/assert'
@@ -25,4 +26,39 @@ failing('without a cookie parser', async () => {
   assert.is(body, 'misconfigured csrf')
 })
 
+failing('signed but without a secret', async () => {
+  const app = new App<any, Request & CSRFRequest>()
+  app.use(cookieParser())
+  const csrfProtection = csrf({ cookie: { signed: true } })
+  app.use('/', urlencoded(), csrfProtection, (req, res) => {
+    res.status(200).json({ token: req.csrfToken() })
+  })
+  const server = app.listen()
+
+  const fetch = makeFetch(server)
+
+  const response = await fetch('/')
+  const body = await response.text()
+
+  assert.is(response.status, 500)
+  assert.is(body, 'misconfigured csrf')
+})
+
+failing('session without the session middleware', async () => {
+  const app = new App<any, Request & CSRFRequest>()
+  const csrfProtection = csrf({ middleware: 'session' })
+  app.use('/', urlencoded(), csrfProtection, (req, res) => {
+    res.status(200).json({ token: req.csrfToken() })
+  })
+  const server = app.listen()
+
+  const fetch = makeFetch(server)
+
+  const response = await fetch('/')
+  const body = await response.text()
+
+  assert.is(response.status, 500)
+  assert.is(body, 'misconfigured csrf')
+})
+
 failing.run()