Make sure we can do a GET with a CSRF token cookie and still obtain t…
…he token

This is only a test to make sure we never regress on such a common
use-case. This was already fixed in #37725
FroMage committed Jan 9, 2024
1 parent 02471b8 commit 5f827b6
Showing 3 changed files with 37 additions and 1 deletion.
@@ -17,6 +17,7 @@
import org.eclipse.microprofile.config.ConfigProvider;
import org.jboss.resteasy.reactive.RestForm;

import io.quarkus.csrf.reactive.runtime.CsrfTokenParameterProvider;
import io.quarkus.csrf.reactive.runtime.CsrfTokenUtils;
import io.quarkus.qute.Template;
import io.quarkus.qute.TemplateInstance;
@@ -47,6 +48,9 @@ public class TestResource {
@Inject
RoutingContext routingContext;

@Inject
CsrfTokenParameterProvider parameterProvider;

@GET
@Path("/csrfTokenForm")
@Produces(MediaType.TEXT_HTML)
@@ -153,6 +157,13 @@ public String getSimpleGet() {
return "hello";
}

@GET
@Path("/token")
@Produces(MediaType.TEXT_PLAIN)
public String getToken() {
return this.parameterProvider.getToken();
}

public static class MultiPart {
@RestForm
File file;
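Review bot: The new `getToken()` resource method carries no comment saying it is a test-only endpoint, even though it returns the CSRF token in a `text/plain` body to any GET on `/token`. I would add a short comment above its `@GET`, for example `// Test-only: echoes the CSRF token so the test can check that a GET carrying the cookie still gets one; not a pattern for application endpoints`. In application code an endpoint like this makes the token readable by anything that can read the response, so it would depend on the same-origin policy and must not sit behind a permissive CORS configuration. It is also not visible in this section what `parameterProvider.getToken()` returns when no token is available for the request; if that can be null the response would have no body, and the test should treat that as a failure.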
@@ -1,5 +1,5 @@
quarkus.csrf-reactive.cookie-name=csrftoken
quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm,/service/csrfTokenFirstForm,/service/csrfTokenSecondForm,/service/csrfTokenWithFormRead,/service/csrfTokenMultipart,/service/csrfTokenWithHeader
quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm,/service/csrfTokenFirstForm,/service/csrfTokenSecondForm,/service/csrfTokenWithFormRead,/service/csrfTokenMultipart,/service/csrfTokenWithHeader,/service/token
quarkus.csrf-reactive.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow

quarkus.http.auth.basic=true
@@ -341,6 +341,31 @@ public void testWrongCsrfTokenWithFormRead() throws Exception {
}
}

@Test
public void testGetWithCsrfToken() throws Exception {
try (final WebClient webClient = createWebClient()) {

assertNull(webClient.getCookieManager().getCookie("csrftoken"));

TextPage htmlPage = webClient.getPage("http://localhost:8081/service/token");

assertNotNull(webClient.getCookieManager().getCookie("csrftoken"));

// Can't check that it matches the cookie because it's signed
assertNotNull(htmlPage.getContent());

// get it again
htmlPage = webClient.getPage("http://localhost:8081/service/token");

assertNotNull(webClient.getCookieManager().getCookie("csrftoken"));

// Can't check that it matches the cookie because it's signed
assertNotNull(htmlPage.getContent());

webClient.getCookieManager().clearCookies();
}
}

private WebClient createWebClient() {
WebClient webClient = new WebClient();
webClient.setCssErrorHandler(new SilentCssErrorHandler());
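Review bot: Both `assertNotNull(htmlPage.getContent())` checks in `testGetWithCsrfToken` would probably still pass if `/service/token` answered with an empty body, so the test does not really pin "still obtain the token". Asserting a non-empty body after each request, e.g. `assertFalse(htmlPage.getContent().isEmpty());`, would make the regression guard meaningful. The second request also only checks that a `csrftoken` cookie exists. If the intended behaviour is that an existing cookie is reused rather than reissued, capture its value after the first request and compare it after the second with `assertEquals(firstCookieValue, webClient.getCookieManager().getCookie("csrftoken").getValue());`. That expectation is an assumption about the filter, which is not shown on this page, so confirm it before adding the check.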