platform/test/csrf_token_test.dart

import 'package:angel_framework/angel_framework.dart';
import 'package:angel_security/angel_security.dart';
import 'package:angel_test/angel_test.dart';
import 'package:http/http.dart' as http;
import 'package:test/test.dart';

final RegExp _sessId = new RegExp(r'DARTSESSID=([^;]+);');

main() async {
  Angel app;
  TestClient client;

  setUp(() async {
    app = new Angel()..responseFinalizers.add(setCsrfToken());

    app.chain(verifyCsrfToken()).get('/valid', 'Valid!');

    client = await connectTo(app);
  });

  tearDown(() => client.close());

  test('need pre-existing token', () async {
    var response = await client.get('/valid?csrf_token=evil');
    print(response.body);
    expect(response, hasStatus(400));
    expect(response.body, contains('Missing'));
  });

  test('fake token', () async {
    // Get a valid CSRF, but ignore it.
    var response = await client.get('/');
    var sessionId = getCookie(response);
    response = await client.get('/valid?csrf_token=evil',
        headers: {'cookie': 'DARTSESSID=$sessionId'});
    print(response.body);
    expect(response, hasStatus(400));
    expect(response.body.contains('Valid'), isFalse);
    expect(response.body, contains('Invalid CSRF token'));
  });
}

String getCookie(http.Response response) {
  if (response.headers.containsKey('set-cookie')) {
    var header = response.headers['set-cookie'];
    var match = _sessId.firstMatch(header);
    return match?.group(1);
  } else
    return null;
}
+1 2017-01-13 03:11:55 +00:00			`import 'package:angel_framework/angel_framework.dart';`
			`import 'package:angel_security/angel_security.dart';`
			`import 'package:angel_test/angel_test.dart';`
			`import 'package:http/http.dart' as http;`
			`import 'package:test/test.dart';`

			`final RegExp _sessId = new RegExp(r'DARTSESSID=([^;]+);');`

			`main() async {`
			`Angel app;`
			`TestClient client;`

			`setUp(() async {`
			`app = new Angel()..responseFinalizers.add(setCsrfToken());`

			`app.chain(verifyCsrfToken()).get('/valid', 'Valid!');`

			`client = await connectTo(app);`
			`});`

			`tearDown(() => client.close());`

			`test('need pre-existing token', () async {`
			`var response = await client.get('/valid?csrf_token=evil');`
			`print(response.body);`
			`expect(response, hasStatus(400));`
			`expect(response.body, contains('Missing'));`
			`});`

			`test('fake token', () async {`
			`// Get a valid CSRF, but ignore it.`
			`var response = await client.get('/');`
			`var sessionId = getCookie(response);`
			`response = await client.get('/valid?csrf_token=evil',`
			`headers: {'cookie': 'DARTSESSID=$sessionId'});`
			`print(response.body);`
			`expect(response, hasStatus(400));`
			`expect(response.body.contains('Valid'), isFalse);`
			`expect(response.body, contains('Invalid CSRF token'));`
			`});`
			`}`

			`String getCookie(http.Response response) {`
			`if (response.headers.containsKey('set-cookie')) {`
			`var header = response.headers['set-cookie'];`
			`var match = _sessId.firstMatch(header);`
			`return match?.group(1);`
			`} else`
			`return null;`
			`}`