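def test_validate_request_calls_handler_when_from_endpoints(self):
    """Reject a plain request, then accept it on the heartbeat service path.

    With ON_GAE forced on and a signed-in user stubbed, the fixture request
    must fail validation. After service_path is pointed at the Endpoints
    ChromeApi.heartbeat method, the same request must pass.
    """
    # Restore the module-level flag afterwards so this override cannot leak
    # into tests that depend on its previous value.
    self.addCleanup(setattr, xsrf.constants, 'ON_GAE', xsrf.constants.ON_GAE)
    xsrf.constants.ON_GAE = True
    self.get_user_stub.return_value = 'test@{}'.format(loanertest.USER_DOMAIN)

    # Presumably the fixture request carries no XSRF token at this point --
    # TODO confirm against setUp.
    self.assertFalse(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))

    # Calls Handler when coming from endpoints.
    # NOTE(review): only this one service path is exercised. Whether the
    # exemption is specific to the heartbeat method or covers every
    # /_ah/api/ path is not visible here; confirm the exempt set is as
    # narrow as intended and add a negative case for a non-exempt path.
    self.request_webapp.service_path = '/_ah/api/ChromeApi.heartbeat'
    self.assertTrue(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))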
def test_validate_request_returns_true_when_method_is_safe(self):
    """A GET request from a signed-in user must pass validation."""
    # NOTE(review): ON_GAE is not pinned in this test. Another test on this
    # page shows validate_request returning True whenever that flag is
    # False, so if it is False when this runs the assertion holds without
    # the safe-method branch being exercised -- confirm the fixture sets it.
    user_email = 'test@{}'.format(loanertest.USER_DOMAIN)
    self.get_user_stub.return_value = user_email
    self.request_webapp.method = 'GET'

    is_valid = xsrf.validate_request(
        request=self.request_webapp, response=self.response)
    self.assertTrue(is_valid)
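def test_validate_request_returns_false_when_token_is_missing(self):
    """A signed-in user's request without an XSRF token must be rejected."""
    # Restore the module-level flag afterwards so this override cannot leak
    # into tests that depend on its previous value.
    self.addCleanup(setattr, xsrf.constants, 'ON_GAE', xsrf.constants.ON_GAE)
    xsrf.constants.ON_GAE = True
    self.get_user_stub.return_value = 'test@{}'.format(loanertest.USER_DOMAIN)

    # No token is added to headers or params here; the fixture request is
    # presumably token-free -- TODO confirm against setUp.
    self.assertFalse(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))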
def test_validate_request_returns_true_when_valid_token_in_params(self):
    """A freshly generated token supplied as a request param must validate."""
    # NOTE(review): ON_GAE is not pinned in this test. Another test on this
    # page shows validate_request returning True whenever that flag is
    # False, so if it is False when this runs the assertion holds without
    # the token ever being checked -- confirm the fixture sets it to True.
    user_email = 'test2@{}'.format(loanertest.USER_DOMAIN)
    self.get_user_stub.return_value = user_email

    # The token is generated after the user stub is configured, so it is
    # issued while the stub reports the same user that validation will see.
    token = xsrf._generate_token()
    self.request_webapp.params[constants.XSRF_PARAM] = token

    is_valid = xsrf.validate_request(
        request=self.request_webapp, response=self.response)
    self.assertTrue(is_valid)
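def test_validate_request_returns_false_when_users_differ(self):
    """A token issued under one user must not validate for another user.

    The token is generated while the user stub reports test@, then the stub
    is switched to test2@ before validation. The request must be rejected
    and the XSRF cookie deleted from the response exactly once.
    """
    # Restore the module-level flag afterwards so this override cannot leak
    # into tests that depend on its previous value.
    self.addCleanup(setattr, xsrf.constants, 'ON_GAE', xsrf.constants.ON_GAE)
    xsrf.constants.ON_GAE = True

    # Issue the token under the first identity.
    self.get_user_stub.return_value = 'test@{}'.format(loanertest.USER_DOMAIN)
    self.request_webapp.headers[constants.XSRF_HEADER] = (
        xsrf._generate_token())

    # Present it under a different identity.
    self.get_user_stub.return_value = 'test2@{}'.format(
        loanertest.USER_DOMAIN)
    self.assertFalse(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))

    # A rejected token must also clear the stale cookie.
    self.response.delete_cookie.assert_called_once_with(
        constants.XSRF_COOKIE_NAME)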
def check_xsrf_token(self, request_state):
    """Reject an Endpoints API request whose XSRF token does not validate.

    Only the request state is handed to xsrf.validate_request; no response
    object is supplied. Any falsy result raises, so the check fails closed.

    NOTE(review): test_validate_request_returns_true_when_not_on_gae on this
    page shows validate_request returning True when constants.ON_GAE is
    False, which would make this check a no-op -- confirm that flag cannot
    be False in a deployed instance.

    Args:
      request_state: a protorpc.remote.HttpRequestState object from Endpoints
        API request.

    Raises:
      endpoints.ForbiddenException: if the call to xsrf.validate_request
        returns False.
    """
    token_is_valid = xsrf.validate_request(request_state)
    if token_is_valid:
        return
    raise endpoints.ForbiddenException(
        'Refresh page to obtain a valid XSRF token.')
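def test_validate_request_returns_false_when_user_not_logged_in(self):
    """A request with no signed-in user must be rejected."""
    # Restore the module-level flag afterwards so this override cannot leak
    # into tests that depend on its previous value.
    self.addCleanup(setattr, xsrf.constants, 'ON_GAE', xsrf.constants.ON_GAE)
    xsrf.constants.ON_GAE = True

    # The user stub returning None stands in for an anonymous caller.
    self.get_user_stub.return_value = None
    self.assertFalse(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))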
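def test_validate_request_returns_true_when_not_on_gae(self):
    """validate_request must return True when ON_GAE is False.

    NOTE(review): no user or token is configured here, so this pins a full
    bypass of XSRF validation whenever the flag is off. Confirm how
    constants.ON_GAE is derived and that it cannot be False in a deployed
    instance.
    """
    # Restore the module-level flag afterwards. Left at False, it would make
    # later tests that never set the flag pass without validating anything.
    self.addCleanup(setattr, xsrf.constants, 'ON_GAE', xsrf.constants.ON_GAE)
    xsrf.constants.ON_GAE = False
    self.assertTrue(
        xsrf.validate_request(
            request=self.request_webapp, response=self.response))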
def test_validate_request_returns_true_when_valid_token_in_headers(self):
    """A freshly generated token supplied in the XSRF header must validate.

    validate_request is called with the request only; no response is passed.
    """
    # NOTE(review): ON_GAE is not pinned in this test. Another test on this
    # page shows validate_request returning True whenever that flag is
    # False, so if it is False when this runs the assertion holds without
    # the token ever being checked -- confirm the fixture sets it to True.
    user_email = 'test@{}'.format(loanertest.USER_DOMAIN)
    self.get_user_stub.return_value = user_email

    # The token is generated after the user stub is configured, so it is
    # issued while the stub reports the same user that validation will see.
    token = xsrf._generate_token()
    self.request_webapp.headers[constants.XSRF_HEADER] = token

    is_valid = xsrf.validate_request(request=self.request_webapp)
    self.assertTrue(is_valid)