haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #917 from MaxGabriel/yesodTest-deprecateNonces

Browse Source 
Move yesod-test to using the term "token" instead of nonce.
This commit is contained in:
Michael Snoyman 2015-01-28 08:37:30 -08:00
commit 5d431fbdb5
3 changed files with 35 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
yesod-test/README.md
View File

@ -50,7 +50,7 @@ This is the helloworld and kitchen sink. In this case for testing a yesod app.
-- Performs the post using the current page to extract field values:
post "url/to/post/to" $ do
addNonce -- Add the _nonce field with the currently shown value
addToken -- Add the CSRF _token field with the currently shown value
-- Lookup field by the text on the labels pointing to them.
byLabel "Email:" "gustavo@cerati.com"

49
yesod-test/Yesod/Test.hs
View File

@ -18,7 +18,7 @@ using CSS selectors to explore the document more easily.
You can also easily build requests using forms present in the current page.
This is very useful for testing web applications built in yesod, for example,
where your forms may have field names generated by the framework or a randomly
generated nonce value.
generated CSRF token input.
Your database is also directly available so you can use 'runDB' to set up
backend pre-conditions, or to assert that your session is having the desired effect.
@ -40,7 +40,7 @@ module Yesod.Test
-- * Making requests
-- | You can construct requests with the 'RequestBuilder' monad, which lets you
-- set the URL and add parameters, headers, and files. Helper functions are provided to
-- lookup fields by label and to add the current nonce value from your forms.
-- lookup fields by label and to add the current CSRF token from your forms.
-- Once built, the request can be executed with the 'request' method.
--
-- Convenience functions like 'get' and 'post' build and execute common requests.
@ -66,13 +66,15 @@ module Yesod.Test
, byLabel
, fileByLabel
-- *** Nonces
-- *** CSRF Tokens
-- | In order to prevent CSRF exploits, yesod-form adds a hidden input
-- to your forms with the name "_token". This token is a randomly generated,
-- per-session value called a /nonce/.
-- per-session value.
--
-- In order to prevent your forms from being rejected in tests, use one of
-- these functions to add the nonce to your request.
-- these functions to add the token to your request.
, addToken
, addToken_
, addNonce
, addNonce_
@ -553,24 +555,39 @@ fileByLabel label path mime = do
name <- nameFromLabel label
addFile name path mime
-- | Lookup a _token form field and add its value to the params.
-- Receives a CSS selector that should resolve to the form element containing the nonce.
-- | An alias for 'addToken_'.
addNonce_ :: Query -> RequestBuilder site ()
addNonce_ = addToken_
{-# DEPRECATED addNonce_ "Use 'addToken_' instead; 'addNonce_' will be removed in the next major version. Reasoning: Yesod's CSRF tokens are not actually nonces (one-time values), so yesod-form moved to calling them tokens instead. yesod-test is now using the word token as well. See https://github.com/yesodweb/yesod/issues/914 for details." #-}
-- | An alias for 'addToken'.
addNonce :: RequestBuilder site ()
addNonce = addToken
{-# DEPRECATED addNonce "Use 'addToken' instead; 'addNonce' will be removed in the next major version. Reasoning: Yesod's CSRF tokens are not actually nonces (one-time values), so yesod-form moved to calling them tokens instead. yesod-test is now using the word token as well. See https://github.com/yesodweb/yesod/issues/914 for details." #-}
-- | Lookups the hidden input named "_token" and adds its value to the params.
-- Receives a CSS selector that should resolve to the form element containing the token.
--
-- ==== __Examples__
--
-- > request $ do
-- > addNonce_ "#formID"
addNonce_ :: Query -> RequestBuilder site ()
addNonce_ scope = do
-- > addToken_ "#formID"
addToken_ :: Query -> RequestBuilder site ()
addToken_ scope = do
matches <- htmlQuery' rbdResponse $ scope <> "input[name=_token][type=hidden][value]"
case matches of
[] -> failure $ "No nonce found in the current page"
[] -> failure $ "No CSRF token found in the current page"
element:[] -> addPostParam "_token" $ head $ attribute "value" $ parseHTML element
_ -> failure $ "More than one nonce found in the page"
_ -> failure $ "More than one CSRF token found in the page"
-- | For responses that display a single form, just lookup the only nonce available.
addNonce :: RequestBuilder site ()
addNonce = addNonce_ ""
-- | For responses that display a single form, just lookup the only CSRF token available.
--
-- ==== __Examples__
--
-- > request $ do
-- > addToken
addToken :: RequestBuilder site ()
addToken = addToken_ ""
-- | Perform a POST request to @url@.
--
@ -694,7 +711,7 @@ addRequestHeader header = ST.modify $ \rbd -> rbd
-- ==== __Examples__
--
-- > request $ do
-- > addNonce
-- > addToken
-- > byLabel "First Name" "Felipe"
-- > setMethod "PUT"
-- > setUrl NameR

2
yesod-test/test/main.hs
View File

@ -122,7 +122,7 @@ main = hspec $ do
setUrl ("/form" :: Text)
byLabel "Some Label" "12345"
fileByLabel "Some File" "test/main.hs" "text/plain"
addNonce
addToken
statusIs 200
bodyEquals "12345"
yit "finding html" $ do