def testExpiredTokenDoesNotVerify(self):
    """A token minted past DEFAULT_TIMEOUT_ ago fails with the default window.

    The same token is then accepted when the verifier is given a window twice
    as long, which shows the expiry is decided by the validator's timeout
    argument rather than by anything baked into the token itself.
    """
    # Back-date the token by one second more than the default validity window.
    issued_at = int(time.time()) - (xsrf.DEFAULT_TIMEOUT_ + 1)
    stale_token = xsrf.GenerateToken(self.key, 'user', '*', issued_at)

    rejected_by_default = xsrf.ValidateToken(self.key, 'user', stale_token)
    self.assertFalse(rejected_by_default)

    # Widening the validator's window makes the same token acceptable again.
    accepted_with_wide_window = xsrf.ValidateToken(
        self.key, 'user', stale_token, '*', xsrf.DEFAULT_TIMEOUT_ * 2)
    self.assertTrue(accepted_with_wide_window)
def testXsrfProtectionSucceedsWithValidToken(self):
    """A POST carrying a token minted for the logged-in user is let through.

    The token is generated with the handler module's own key and the same
    user string the fake login provides, so the request body must come back
    as 'post_succeeded'.
    """
    self._FakeLogin()
    xsrf_key = handlers._GetXsrfKey()
    valid_token = xsrf.GenerateToken(xsrf_key, '*****@*****.**')

    # The token travels in the 'xsrf' form field of the POST body.
    post_response = self.app.get_response(
        '/', method='POST', POST={'xsrf': valid_token})
    self.assertEqual('post_succeeded', post_response.body)
def __init__(self, request, response):
    """Set up the handler with hardened cookie defaults and a per-user XSRF token.

    Args:
        request: the incoming request, passed to initialize().
        response: the outgoing response, passed to initialize(); its
            set_cookie defaults are patched so cookies are 'secure' (except on
            the dev appserver) and 'httponly' unless a caller overrides them.

    Side effects:
        Patches set_cookie's default arguments on the underlying function
        object, so the change applies beyond this instance. When a user is
        logged in, an XSRF token is minted and, if the app is configured for
        AngularJS, exposed as a JS-readable XSRF-TOKEN cookie. The response's
        out.write is replaced by self._ReplacementWrite, with the original
        kept in self._RawWrite.
    """
    self.initialize(request, response)

    # Patch the cookie defaults before any cookie is set below so the
    # XSRF-TOKEN cookie inherits the 'secure' default as well.
    hardened_cookie_defaults = (
        ('secure', not constants.IS_DEV_APPSERVER),
        ('httponly', True),
    )
    for argument_name, default_value in hardened_cookie_defaults:
        api_fixer.ReplaceDefaultArgument(
            response.set_cookie.im_func, argument_name, default_value)

    if not self.current_user:
        self._xsrf_token = None
    else:
        self._xsrf_token = xsrf.GenerateToken(
            _GetXsrfKey(), self.current_user.email())
        angular_enabled = self.app.config.get(
            'using_angular', constants.DEFAULT_ANGULAR)
        if angular_enabled:
            # AngularJS reads the XSRF-TOKEN cookie from JS and echoes it in
            # AJAX requests, so this one cookie must not be httponly.
            self.response.set_cookie(
                'XSRF-TOKEN', self._xsrf_token, httponly=False)

    # Keep the original writer so _ReplacementWrite can delegate to it.
    self._RawWrite = self.response.out.write
    self.response.out.write = self._ReplacementWrite
def testTokenWithDifferentUsersFail(self):
    """A token minted for one user must not validate for another user."""
    token_for_user = xsrf.GenerateToken(self.key, 'user')
    # Same key and token, different user string: must be rejected.
    verified = xsrf.ValidateToken(self.key, 'otheruser', token_for_user)
    self.assertFalse(verified)
def testTokenWithDifferentActionsFail(self):
    """A token bound to action 'a' must not validate for action 'b'."""
    token_for_action_a = xsrf.GenerateToken(self.key, 'user', 'a')
    # Same key, user and token, different action: must be rejected.
    verified = xsrf.ValidateToken(self.key, 'user', token_for_action_a, 'b')
    self.assertFalse(verified)
def testTokenWithNoActionVerifies(self):
    """A token minted without an action validates when no action is checked."""
    actionless_token = xsrf.GenerateToken(self.key, 'user')
    verified = xsrf.ValidateToken(self.key, 'user', actionless_token)
    self.assertTrue(verified)