Broken

README.md

@@ -1,5 +1,5 @@
 # security
-[![version 1.0.0](https://img.shields.io/badge/pub-v1.0.0-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
+[![version 1.0.1](https://img.shields.io/badge/pub-v1.0.1-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
 [![build status](https://travis-ci.org/angel-dart/security.svg)](https://travis-ci.org/angel-dart/security)
 
 Angel middleware designed to enhance application security by patching common Web security

lib/src/csrf.dart

@@ -12,9 +12,9 @@ RequestMiddleware verifyCsrfToken(
   return (RequestContext req, res) async {
     String csrfToken;
 
-    if (allowQuery && req.query.containsKey(name))
+    if (allowQuery && (await req.lazyQuery()).containsKey(name))
       csrfToken = req.query[name];
-    else if (req.body.containsKey(name))
+    else if ((await req.lazyBody()).containsKey(name))
       csrfToken = req.body[name];
     else if (allowCookie) {
       var cookie =

lib/src/sanitize.dart

@@ -10,6 +10,8 @@ final Map<Pattern, String> DEFAULT_SANITIZERS = {
 /// Mitigates XSS risk by sanitizing user HTML input.
 ///
 /// You can also provide a Map of patterns to [replace].
+/// 
+/// You can sanitize the [body] or [query] (both `true` by default).
 RequestMiddleware sanitizeHtmlInput(
     {bool body: true,
     bool query: true,
@@ -17,8 +19,8 @@ RequestMiddleware sanitizeHtmlInput(
   var sanitizers = {}..addAll(DEFAULT_SANITIZERS)..addAll(replace ?? {});
 
   return (RequestContext req, res) async {
-    if (body) _sanitizeMap(req.body, sanitizers);
+    if (body) _sanitizeMap(await req.lazyBody(), sanitizers);
-    if (query) _sanitizeMap(req.query, sanitizers);
+    if (query) _sanitizeMap(await req.lazyQuery(), sanitizers);
     return true;
   };
 }

pubspec.yaml

@@ -1,5 +1,5 @@
 name: angel_security
-version: 1.0.0
+version: 1.0.1
 description: Angel middleware designed to enhance application security by patching common Web security holes.
 author: Tobe O <thosakwe@gmail.com>
 environment:

test/hooks_test.dart

@@ -11,6 +11,7 @@ main() {
 
   setUp(() async {
     app = new Angel()
+      ..lazyParseBodies = true
       ..before.add((RequestContext req, res) async {
         var xUser = req.headers.value('X-User');
         if (xUser != null)
@@ -65,7 +66,8 @@ main() {
       var response = await client
           .post('/artists', headers: {'X-User': 'John'}, body: {'foo': 'bar'});
       print('Response: ${response.body}');
-      expect(response, allOf(hasStatus(200), isJson({'foo': 'bar'})));
+      print('Status: ${response.statusCode}');
+      expect(response, allOf(hasStatus(201), isJson({'foo': 'bar'})));
     });
   });
 

test/throttle_test.dart

@@ -27,35 +27,35 @@ main() {
     // First request within the hour is fine
     var response = await client.get('/once-per-hour');
     print(response.body);
-    expect(response.body, contains('OK'));
+    expect(response, hasBody('OK'));
 
     // Second request within an hour? No no no!
     response = await client.get('/once-per-hour');
     print(response.body);
-    expect(response, hasStatus(429));
+    expect(response, isAngelHttpException(statusCode: 429));
   });
 
   test('thrice per minute', () async {
     // First request within the minute is fine
     var response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response.body, contains('OK'));
+    expect(response, hasBody('OK'));
 
 
     // Second request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response.body, contains('OK'));
+    expect(response.body, hasBody('OK'));
 
 
     // Third request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response.body, contains('OK'));
+    expect(response, hasBody('OK'));
 
     // Fourth request within a minute? No no no!
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response, hasStatus(429));
+    expect(response, isAngelHttpException(statusCode: 429));
   });
 }