Testing

[chriso0710]

Hi all,

I am trying to test a Sinatra app which has rack_csrf enabled for forms and most routes.
Some routes do not have csrf enabled, as they belong to the apps API.

Does it make any sense to test csrf protection (with minitest and rack-test) for all routes, to check that forms are correctly csrf-protected and API routes are not? What would be the best practice for this? Or would it be best to just ignore this and disable/skip rack_csrf completely in test mode?

Thanks and best regards
Christian

[baldowl]

YMMV, but yes, I would test at least the routes which are supposed to be protected with rack-test, just to avoid "surprises" down the road.

[IanBurry]

Ok, rack_csrf is breaking my rspec tests, so I'm going to go ahead and be that 'noob'

How do you configure it to work in a test environment? It's there. It's throwing Rack::Csrf::InvalidCsrfToken, but I can't seem to change its behavior either in spec_helper or within tests

[chriso0710]

ATM I am disabling CSRF in testing like that in a sinatra configure block:

use Rack::Csrf, { :raise => false, :skip => ['POST:.*', 'PUT:.*', 'DELETE:.*', 'PATCH:.*'] }

Did not have the time to make it work in testing. But my ultimate goal sometime in the future would be to enable it again for rack-test like @baldowl suggested...

[baldowl]

@IanBurry: if everything is behind Rack::Csrf, skipping it in test environment is a no brainer. However, if you wan to test it, you can follow a couple of different routes.

Rack::Test provides an env method which can be used to insert whatever you want in the fake env used by post & co.; however, that env method does not expose the object and thus you cannot use the fake env with Rack::Csrf.token and the only solution I can think of is using a static, fake, token, like this:

it 'responds correctly' do
  env 'rack.session', Rack::Csrf.key => 'super-fake-token'
  post '/protected_form', :a_field => 'a value', Rack::Csrf.field => 'super-fake-token'
  expect(last_response).to be_ok
end

Alternatively (and don't tell anyone I told you to do it 😜) you can mess with Rack::Test's internals:

it 'responds correctly' do
  env_object = current_session.instance_variable_get :@env
  env_object['rack.session'] = {}
  token = Rack::Csrf.token env_object
  post '/protected_form', :a_field => 'a value', Rack::Csrf.field => token
  expect(last_response).to be_ok
end

Whatever you choose, of course you can/should extract and polish the code which injects the token (the fake, static, one or the real token) or your specs will smell bad pretty soon.