Make sure we can do a GET with a CSRF token cookie and still obtain t…

…he token This is only a test to make sure we never regress on such a common use-case. This was already fixed in quarkusio#37725 (cherry picked from commit 511b0c7)
gsmet · Jan 23, 2024 · 87859df · 87859df
1 parent 8bc6ddb
commit 87859df
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/integration-tests/csrf-reactive/src/main/java/io/quarkus/it/csrf/TestResource.java b/integration-tests/csrf-reactive/src/main/java/io/quarkus/it/csrf/TestResource.java
@@ -17,6 +17,7 @@
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.jboss.resteasy.reactive.RestForm;
 
+import io.quarkus.csrf.reactive.runtime.CsrfTokenParameterProvider;
 import io.quarkus.csrf.reactive.runtime.CsrfTokenUtils;
 import io.quarkus.qute.Template;
 import io.quarkus.qute.TemplateInstance;
@@ -47,6 +48,9 @@ public class TestResource {
     @Inject
     RoutingContext routingContext;
 
+    @Inject
+    CsrfTokenParameterProvider parameterProvider;
+
     @GET
     @Path("/csrfTokenForm")
     @Produces(MediaType.TEXT_HTML)
@@ -153,6 +157,13 @@ public String getSimpleGet() {
         return "hello";
     }
 
+    @GET
+    @Path("/token")
+    @Produces(MediaType.TEXT_PLAIN)
+    public String getToken() {
+        return this.parameterProvider.getToken();
+    }
+
     public static class MultiPart {
         @RestForm
         File file;

diff --git a/integration-tests/csrf-reactive/src/main/resources/application.properties b/integration-tests/csrf-reactive/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 quarkus.csrf-reactive.cookie-name=csrftoken
-quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm,/service/csrfTokenFirstForm,/service/csrfTokenSecondForm,/service/csrfTokenWithFormRead,/service/csrfTokenMultipart,/service/csrfTokenWithHeader
+quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm,/service/csrfTokenFirstForm,/service/csrfTokenSecondForm,/service/csrfTokenWithFormRead,/service/csrfTokenMultipart,/service/csrfTokenWithHeader,/service/token
 quarkus.csrf-reactive.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
 
 quarkus.http.auth.basic=true

diff --git a/integration-tests/csrf-reactive/src/test/java/io/quarkus/it/csrf/CsrfReactiveTest.java b/integration-tests/csrf-reactive/src/test/java/io/quarkus/it/csrf/CsrfReactiveTest.java
@@ -349,6 +349,31 @@ public void testWrongCsrfTokenWithFormRead() throws Exception {
         }
     }
 
+    @Test
+    public void testGetWithCsrfToken() throws Exception {
+        try (final WebClient webClient = createWebClient()) {
+
+            assertNull(webClient.getCookieManager().getCookie("csrftoken"));
+
+            TextPage htmlPage = webClient.getPage("http://localhost:8081/service/token");
+
+            assertNotNull(webClient.getCookieManager().getCookie("csrftoken"));
+
+            // Can't check that it matches the cookie because it's signed
+            assertNotNull(htmlPage.getContent());
+
+            // get it again
+            htmlPage = webClient.getPage("http://localhost:8081/service/token");
+
+            assertNotNull(webClient.getCookieManager().getCookie("csrftoken"));
+
+            // Can't check that it matches the cookie because it's signed
+            assertNotNull(htmlPage.getContent());
+
+            webClient.getCookieManager().clearCookies();
+        }
+    }
+
     private WebClient createWebClient() {
         WebClient webClient = new WebClient();
         webClient.setCssErrorHandler(new SilentCssErrorHandler());