refactor: move CSRF code into plugin (#56447)

2026-03-10 01:01:16 -04:00 · 2024-10-04 14:56:04 +02:00
parent 86527f448c
commit ced457fed5
8 changed files with 167 additions and 104 deletions
--- a/api/src/plugins/csrf.test.ts
+++ b/api/src/plugins/csrf.test.ts
@@ -0,0 +1,107 @@
+import Fastify, { type FastifyInstance } from 'fastify';
+
+import { COOKIE_DOMAIN } from '../utils/env';
+import cookies from './cookies';
+import csrf, { CSRF_COOKIE, CSRF_SECRET_COOKIE } from './csrf';
+
+// eslint-disable-next-line @typescript-eslint/no-unsafe-return
+jest.mock('../utils/env', () => ({
+  ...jest.requireActual('../utils/env'),
+  COOKIE_DOMAIN: 'www.example.com',
+  FREECODECAMP_NODE_ENV: 'production'
+}));
+
+async function setupServer() {
+  const fastify = Fastify();
+  await fastify.register(cookies);
+  await fastify.register(csrf);
+  // @ts-expect-error - @fastify/csrf-protection needs to update their types
+  // eslint-disable-next-line @typescript-eslint/unbound-method
+  fastify.addHook('onRequest', fastify.csrfProtection);
+
+  fastify.get('/', (_req, reply) => {
+    void reply.send({ foo: 'bar' });
+  });
+  return fastify;
+}
+
+describe('CSRF protection', () => {
+  let fastify: FastifyInstance;
+  beforeEach(async () => {
+    fastify = await setupServer();
+  });
+  it('should receive a new CSRF token with the expected properties', async () => {
+    const response = await fastify.inject({
+      method: 'GET',
+      url: '/'
+    });
+    const newCookies = response.cookies;
+    const csrfTokenCookie = newCookies.find(
+      cookie => cookie.name === CSRF_COOKIE
+    );
+
+    const { value, ...rest } = csrfTokenCookie!;
+
+    // The value is a random string - it's enough to check that it's not empty
+    expect(value).toHaveLength(52);
+
+    expect(rest).toStrictEqual({
+      name: CSRF_COOKIE,
+      path: '/',
+      sameSite: 'Strict',
+      domain: COOKIE_DOMAIN,
+      secure: true
+    });
+  });
+
+  it('should return 403 if the _csrf secret is missing', async () => {
+    const response = await fastify.inject({
+      method: 'GET',
+      url: '/'
+    });
+
+    expect(response.statusCode).toEqual(403);
+    // The response body is determined by the error-handling plugin, so we don't
+    // check it here.
+  });
+
+  it('should return 403 if the csrf_token is invalid', async () => {
+    const response = await fastify.inject({
+      method: 'GET',
+      url: '/',
+      cookies: {
+        _csrf: 'foo',
+        csrf_token: 'bar'
+      }
+    });
+    expect(response.statusCode).toEqual(403);
+  });
+
+  it('should allow the request if the csrf_token is valid', async () => {
+    const csrfResponse = await fastify.inject({
+      method: 'GET',
+      url: '/'
+    });
+
+    const csrfTokenCookie = csrfResponse.cookies.find(
+      cookie => cookie.name === CSRF_COOKIE
+    );
+    const csrfSecretCookie = csrfResponse.cookies.find(
+      cookie => cookie.name === CSRF_SECRET_COOKIE
+    );
+
+    const res = await fastify.inject({
+      method: 'GET',
+      url: '/',
+      cookies: {
+        _csrf: csrfSecretCookie!.value
+      },
+      headers: {
+        'csrf-token': csrfTokenCookie!.value
+      }
+    });
+
+    expect(res.json()).toEqual({ foo: 'bar' });
+    expect(res.statusCode).toEqual(200);
+  });
+});