Improved header handling.

This commit is contained in:
Thorsten Eckel 2019-01-21 11:36:41 +01:00 committed by Martin Edenhofer
parent de15ce2cdf
commit f106ad0ef0
2 changed files with 16 additions and 2 deletions


@ -2,7 +2,7 @@
class SessionsController < ApplicationController class SessionsController < ApplicationController
prepend_before_action :authentication_check, only: %i[switch_to_user list delete] prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth failure_omniauth create_sso] skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth create_sso]
# "Create" a login, aka "log the user in" # "Create" a login, aka "log the user in"
def create def create
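Review bot: On the new side of line 14 `destroy` and `create_sso` remain in the `skip_before_action :verify_csrf_token` list, so while a login through `create` now needs a CSRF token, the logout path (if `destroy` is what ends the session) can still be triggered cross-origin, and an SSO-initiated login stays token-free. If the client already sends `X-CSRF-Token` for signin it can send it for signout too, shrinking the exemption to `skip_before_action :verify_csrf_token, only: %i[show create_omniauth failure_omniauth create_sso]`; the omniauth/SSO callbacks presumably rely on their own state/nonce check instead, which this hunk does not show. A negative request spec asserting that `POST /api/v1/signin` without the header is rejected would also guard this, since a positive-only case would not catch `create` being re-added to the list. The `create` method starting at line 16 continues outside the hunk.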


@ -2,6 +2,17 @@ require 'rails_helper'
RSpec.describe 'Api Auth', type: :request do RSpec.describe 'Api Auth', type: :request do
around(:each) do |example|
orig = ActionController::Base.allow_forgery_protection
begin
ActionController::Base.allow_forgery_protection = true
example.run
ensure
ActionController::Base.allow_forgery_protection = orig
end
end
let(:admin_user) do let(:admin_user) do
create(:admin_user) create(:admin_user)
end end
@ -369,7 +380,10 @@ RSpec.describe 'Api Auth', type: :request do
it 'does session auth - admin' do it 'does session auth - admin' do
create(:admin_user, login: 'api-admin@example.com', password: 'adminpw') create(:admin_user, login: 'api-admin@example.com', password: 'adminpw')
post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' } get '/'
token = response.headers['CSRF-TOKEN']
post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey
expect(response).to have_http_status(201) expect(response).to have_http_status(201)