Ejemplo n.º 1
 def testExpiredTokenDoesNotVerify(self):
     """Check that a token older than the default timeout is rejected.

     The same token is then validated with twice the default timeout and
     is expected to pass, which ties the first rejection to the token's
     age rather than to the key, user or action.
     """
     # Back-date the timestamp to one second beyond the default lifetime.
     # NOTE(review): the 4th GenerateToken argument is presumably the
     # issue time -- confirm against xsrf.GenerateToken.
     issued_at = int(time.time()) - (xsrf.DEFAULT_TIMEOUT_ + 1)
     stale_token = xsrf.GenerateToken(self.key, 'user', '*', issued_at)

     # No explicit timeout passed: validation must fail.
     verified_by_default = xsrf.ValidateToken(self.key, 'user', stale_token)
     self.assertFalse(verified_by_default)

     # Doubled timeout passed explicitly: the same token must now pass.
     verified_with_longer_timeout = xsrf.ValidateToken(
         self.key, 'user', stale_token, '*', xsrf.DEFAULT_TIMEOUT_ * 2)
     self.assertTrue(verified_with_longer_timeout)
    def testXsrfProtectionSucceedsWithValidToken(self):
        """Check that a POST carrying a freshly generated token is accepted.

        The token is generated with the handlers' own XSRF key and sent in
        the 'xsrf' POST field; the response body must be 'post_succeeded'.
        """
        self._FakeLogin()

        xsrf_key = handlers._GetXsrfKey()
        # NOTE(review): the e-mail literal looks masked by the hosting page;
        # presumably it has to match the identity set up by _FakeLogin().
        valid_token = xsrf.GenerateToken(xsrf_key, '*****@*****.**')
        post_fields = {'xsrf': valid_token}
        response = self.app.get_response('/', method='POST', POST=post_fields)
        self.assertEqual('post_succeeded', response.body)
 def __init__(self, request, response):
   """Initialise the handler: cookie defaults, XSRF token and write hook.

   The XSRF token is generated from _GetXsrfKey() and the current user's
   e-mail address. When there is no current user the token is None.
   """
   self.initialize(request, response)

   # Presumably rewrites set_cookie's keyword defaults so that cookies are
   # Secure (except on the dev appserver) and HttpOnly unless a caller opts
   # out -- api_fixer is not visible here, confirm. The patch is applied to
   # the underlying function (im_func), so it is presumably shared by every
   # response of that class rather than limited to this instance.
   set_cookie_func = response.set_cookie.im_func
   api_fixer.ReplaceDefaultArgument(set_cookie_func, 'secure',
                                    not constants.IS_DEV_APPSERVER)
   api_fixer.ReplaceDefaultArgument(set_cookie_func, 'httponly', True)

   if not self.current_user:
     self._xsrf_token = None
   else:
     xsrf_key = _GetXsrfKey()
     user_email = self.current_user.email()
     self._xsrf_token = xsrf.GenerateToken(xsrf_key, user_email)
     angular_enabled = self.app.config.get('using_angular',
                                           constants.DEFAULT_ANGULAR)
     if angular_enabled:
       # Deliberate exception to the HttpOnly default: AngularJS reads the
       # XSRF-TOKEN cookie from script and sends it back in AJAX requests.
       # Any script running on this origin can read it as well, so the
       # token only protects as long as the pages are free of XSS.
       self.response.set_cookie('XSRF-TOKEN', self._xsrf_token,
                                httponly=False)

   # Keep the original writer, then route all output through
   # _ReplacementWrite.
   self._RawWrite = self.response.out.write
   self.response.out.write = self._ReplacementWrite
Ejemplo n.º 4
 def testTokenWithDifferentUsersFail(self):
     """Check that a token generated for 'user' is rejected for 'otheruser'.

     Key and (default) action are identical on both sides, so only the
     user identity differs between generation and validation.
     """
     token_for_user = xsrf.GenerateToken(self.key, 'user')
     accepted_for_other = xsrf.ValidateToken(
         self.key, 'otheruser', token_for_user)
     self.assertFalse(accepted_for_other)
Ejemplo n.º 5
 def testTokenWithDifferentActionsFail(self):
     """Check that a token generated for action 'a' is rejected for 'b'.

     Key and user are identical on both sides, so only the action differs
     between generation and validation.
     """
     token_for_a = xsrf.GenerateToken(self.key, 'user', 'a')
     accepted_for_b = xsrf.ValidateToken(self.key, 'user', token_for_a, 'b')
     self.assertFalse(accepted_for_b)
Ejemplo n.º 6
 def testTokenWithNoActionVerifies(self):
     """Check that a token round-trips when no action is given.

     Both GenerateToken and ValidateToken are called without an action
     argument, with the same key and user.
     """
     token = xsrf.GenerateToken(self.key, 'user')
     accepted = xsrf.ValidateToken(self.key, 'user', token)
     self.assertTrue(accepted)