如何在功能测试中获得CSRF令牌

时间:2013-04-29 15:20:52

标签: playframework-2.1

如何在功能测试中获得CSRF令牌?它无法在会话中保存令牌并在URL中提交。

"The `send` action" should {
  "return status code 400 if subject is invalid" in new WithApp with Context {
    val token = CSRF.Token(42.toString)
    val Some(result) = route(FakeRequest(POST, helper.CSRF(routes.ContactUs.send())(token).toString())
      .withFormUrlEncodedBody(
        ("subject" -> "invalid"),
        ("name" -> "Lucky Luke"),
        ("email" -> "test@test.com"),
        ("message" -> "test")
      )
      .withSession(TOKEN_NAME -> token.toString)
    )

    status(result) must equalTo(BAD_REQUEST)
    contentType(result) must beSome("application/json")
    charset(result) must beSome("utf-8")
}

修改

token.toString不会将标记返回为字符串。访问者token.value返回一个可以在会话中发送的正确令牌。一个有效的例子是:

"The `send` action" should {
  "return status code 400 if subject is invalid" in new WithApp with Context {
    val token = CSRF.Token(42.toString)
    val Some(result) = route(FakeRequest(POST, helper.CSRF(routes.ContactUs.send())(token).toString())
      .withFormUrlEncodedBody(
        ("subject" -> "invalid"),
        ("name" -> "Lucky Luke"),
        ("email" -> "test@test.com"),
        ("message" -> "test")
      )
      .withSession(TOKEN_NAME -> token.value)
    )

    status(result) must equalTo(BAD_REQUEST)
    contentType(result) must beSome("application/json")
    charset(result) must beSome("utf-8")
}

1 个答案:

答案 0 :(得分:1)

您的解决方案有效,但为了不对每个请求执行此操作并进行更清晰的测试,您可以使用自定义GlobalSettings。这样做有两件事:删除csrf检查过滤器但仍在会话中提供csrf令牌,因此csrf帮助程序不会阻塞。

object TestGlobal extends WithFilters(FakeCSRF)
object FakeCSRF extends Filter{
  def apply(next: (RequestHeader) => Result)(request: RequestHeader) = {
    next(CSRF.addRequestToken(request,CSRF.generate))
  }
}

然后为测试定义自定义范围:

trait testApp extends Scope with Around{
  def around[T](t: => T)(implicit evidence$1: AsResult[T]) = {
    Helpers.running(FakeApplication(withGlobal = Some(TestGlobal)))(AsResult(t))
  }
}

现在,在你的测试中,你可以做到:

"The `send` action" should {
  "return status code 400 if subject is invalid" in new testApp {
    val Some(result) = route(FakeRequest(POST, routes.ContactUs.send())
     .withFormUrlEncodedBody(...)
  }
}

请注意,测试代码中没有提及CSRF。

警告:如果您没有路由您的虚假请求,而是直接调用控制器,则此功能无效。不会使用TestGlobal,因此您需要使用更详细的解决方案。