stackoom
  简体   繁体   中英

NodeJS Express Application Testing - How to submit CSRF token when testing with Mocha and Chai?

 原文  2016-09-30 09:00:10       node.js/ express/ testing/ mocha/ chai

Question

I'm trying to write a test for a POST route in my Express application using Mocha, Chai and ChaiHttp, but I can't get it to work due to the fact that I keep getting an HTTP 403 response whenever submitting my CSRF token. Below is the code that I have up until now:

express.js configuration file 

...
  app.use(session(config.SESSION));
  // csrf is the 'csurf' module
  app.use(csrf());

  app.use((req, res, next) => {
    res.cookie('XSRF-TOKEN', req.csrfToken());
    return next();
  });
...

User.test.js 

'use strict';
process.env.NODE_ENV = 'test';

const User = require('../server/models/User');
const chai = require('chai');
const chaiHttp = require('chai-http');
const server = require('../index');
const utils = require('../utils');

chai.use(chaiHttp);

describe('Users', () => {
  beforeEach((done) => {
    User.remove({}, (err) => {
      done();
    });
  });

  after((done) => {
    server.close();
    done();
  });
...
 /*
   * [POST] /user
   */
  describe('[POST] /user', () => {
    it('should return a JSON object with a "success" property equal to "true" when creating a new user', (done) => {
      const userObj = utils.generateUserObject();

      chai.request(server)
          .get('/api')
          .end((error, response) => {

            userObj._csrf = utils.extractCsrfToken(response.headers['set-cookie']);


            /*
             * Accurately logs the _csrf property with the correct CSRF token that was retrieved via the initial GET request
             * 
             * Example output:
             * 
             * { 
             * username: 'Stacey89',
             * first_name: 'Gregg',
             * last_name: 'King',
             * ...
             * _csrf: 'vBhDfXUq-jE86hOHadDyjgpQOu-uE8FyUp_M' 
             * }
             *
             */ 


            console.log(userObj);

            chai.request(server)
                .post('/api/user')
                .set('content-type', 'application/x-www-form-urlencoded')
                .send(userObj)
                .end((err, res) => {
                  res.should.have.status(200);
                  res.body.should.be.a('object');
                  res.body.should.have.property('success').eql('true');
                  done();
                });
          });
    });
...

utils.js 

...
  extractCsrfToken(cookiesObj) {
    const cookiesArray = Array.prototype.join.call(cookiesObj, '').split(';');
    let csrfToken = 'NOT FOUND';

    cookiesArray.forEach((cookie) => {
      if (cookie.includes('XSRF-TOKEN')) {
        csrfToken = cookie.split('=').splice(1, 1).join('');
      }
    });

    return csrfToken;
  }
...

When I run the above test, I get the following error: 

ForbiddenError: invalid csrf token
...
POST /api/user 403

The strange thing is that if I do a POST request from Postman with the exact same configuration as the one previously described, I successfully get the response I am looking for and the form submission succeeds.

It appears to not be working only when submitting the userObj from my test suite.

UPDATE #1 I finally managed to find a working solution for my issue.

I've updated the middleware that was previously setting the XSRF-TOKEN cookie to the following: 

  app.use((err, req, res, next) => {
    res.locals._csrf = req.csrfToken();
    return next();
  });

Now the unit test runs successfully.

Moreover, I noticed that the first [GET] request issued to the server returns the Set-Cookie header: 

Status Code: 200 OK
Content-Length: 264
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Oct 2016 12:10:09 GMT
Etag: W/"108-NSQ2HIdRqiuMIf0F+7qwjw"
Set-Cookie: connect.sid=s%3Ap5io8_3iD7Wy0X0K77qWZLoYj-fD1ZbA.6uvcBiB%2B%2BSi1KOVOmJgvWe%2B5Mqpuc1rs9yUYxH0uNPY; Path=/; HttpOnly
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN

Any subsequent [GET] request does not return that header: 

Status Code: 200 OK
Content-Length: 264
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Oct 2016 12:11:19 GMT
Etag: W/"108-NSQ2HIdRqiuMIf0F+7qwjw"
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN

Is this ok in terms of application security? Is it a good practice to simply set the _csrf token on the res.locals object?

1 answers

solution1
 0  2016-10-06 23:19:22

The send() method of chai-http is for sending json (which normally requires the use of the json body parser). So, you shouldn't also be setting the content-type to application/x-www-form-urlencoded .

If you are not using the json body parser and you really do want to send it as form data, the field() method should work: 

chai.request(server)
    .post('/api/user')
    .field('_csrf', _csrf)
    .end((err, res) => {
        res.should.have.status(200);
        res.body.should.be.a('object');
        res.body.should.have.property('success').eql('true');
        done();
    });

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question express middleware testing mocha chai Testing that express loads with mocha & chai mocha, chai testing for post in nodejs How to write code for unit testing header in mocha and chai for Node.js express framework application? Testing Node/Express API with Mocha/Chai Testing Express and Passport OAuth2 with Mocha and Chai Testing Express Js Server using mocha and chai testing services in nodejs with sinon chai & mocha Nodejs - Mocha, Chai multiple async testing Functional Site Testing using Mocha and Chai for Nodejs
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM