koajs / csrf

CSRF tokens for koa
MIT License

tests randomly fail #22

Closed stephenmathieson closed 7 years ago

stephenmathieson commented 8 years ago

fresh clone/fork and:

~/dev/src/github.com/stephenmathieson/koa-csrf on master ∴ npm install
npm WARN deprecated istanbul-harmony@0.3.16: Please use istanbul@>=0.4.0 instead
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
should@9.0.0 node_modules/should
├── should-type@1.0.1
├── should-equal@1.0.0
└── should-format@1.0.0

koa-session@3.3.1 node_modules/koa-session
├── deep-equal@1.0.1
└── debug@2.2.0 (ms@0.7.1)

csrf@3.0.3 node_modules/csrf
├── rndm@1.2.0
├── base64-url@1.2.2
├── tsscmp@1.0.5
└── uid-safe@2.1.1 (random-bytes@1.0.0)

co-body@4.2.0 node_modules/co-body
├── inflation@2.0.0
├── qs@4.0.0
├── raw-body@2.1.6 (unpipe@1.0.0, bytes@2.3.0, iconv-lite@0.4.13)
└── type-is@1.6.13 (media-typer@0.3.0, mime-types@2.1.11)

koa@0.21.0 node_modules/koa
├── error-inject@1.0.0
├── koa-compose@2.4.0
├── escape-html@1.0.3
├── destroy@1.0.4
├── koa-is-json@1.0.0
├── content-type@1.0.2
├── parseurl@1.3.1
├── vary@1.1.0
├── fresh@0.3.0
├── content-disposition@0.5.1
├── co@4.6.0
├── only@0.0.2
├── statuses@1.3.0
├── delegates@0.1.0
├── type-is@1.6.13 (media-typer@0.3.0)
├── debug@2.2.0 (ms@0.7.1)
├── http-errors@1.5.0 (setprototypeof@1.0.1, inherits@2.0.1)
├── accepts@1.3.3 (negotiator@0.6.1)
├── cookies@0.5.1 (keygrip@1.0.1)
├── http-assert@1.2.0 (deep-equal@1.0.1, http-errors@1.4.0)
├── on-finished@2.3.0 (ee-first@1.1.1)
├── mime-types@2.1.11 (mime-db@1.23.0)
└── composition@2.3.0 (any-promise@1.3.0)

mocha@2.5.3 node_modules/mocha
├── escape-string-regexp@1.0.2
├── commander@2.3.0
├── diff@1.4.0
├── supports-color@1.2.0
├── growl@1.9.2
├── to-iso-string@0.0.2
├── debug@2.2.0 (ms@0.7.1)
├── mkdirp@0.5.1 (minimist@0.0.8)
├── jade@0.26.3 (commander@0.6.1, mkdirp@0.3.0)
└── glob@3.2.11 (inherits@2.0.1, minimatch@0.3.0)

supertest@1.2.0 node_modules/supertest
├── methods@1.1.2
└── superagent@1.8.3 (component-emitter@1.2.1, cookiejar@2.0.6, reduce-component@1.0.1, extend@3.0.0, mime@1.3.4, formidable@1.0.17, qs@2.3.3, debug@2.2.0, readable-stream@1.0.27-1, form-data@1.0.0-rc3)

istanbul-harmony@0.3.16 node_modules/istanbul-harmony
├── which@1.0.9
├── supports-color@1.3.1
├── abbrev@1.0.7
├── async@0.9.2
├── wordwrap@0.0.3
├── nopt@3.0.6
├── once@1.3.3 (wrappy@1.0.2)
├── esprima-fb@15001.1001.0-dev-harmony-fb
├── mkdirp@0.5.1 (minimist@0.0.8)
├── resolve@1.1.7
├── fileset@0.2.1 (glob@5.0.15, minimatch@2.0.10)
├── escodegen@1.6.1 (estraverse@1.9.3, esutils@1.1.6, esprima@1.2.5, optionator@0.5.0, source-map@0.1.43)
├── js-yaml@3.6.1 (esprima@2.7.2, argparse@1.0.7)
└── handlebars@3.0.0 (source-map@0.1.43, optimist@0.6.1, uglify-js@2.3.6)

~/dev/src/github.com/stephenmathieson/koa-csrf on master ∴ npm test

> koa-csrf@2.4.0 test /Users/stephenmathieson/dev/src/github.com/stephenmathieson/koa-csrf
> NODE_ENV=test mocha --harmony --reporter spec --require should

  CSRF Token
    should create
      ✓ a token
      ✓ a single token per request
      ✓ a new token per request
    should assert
      ✓ when no token is supplied
      ✓ when no secret is supplied
      ✓ when invalid csrf token
    should not assert when the token is supplied via
      ✓ json body
      ✓ querystring
      ✓ x-csrf-token
      ✓ x-xsrf-token
    .assertCSRF()
      ✓ should support a string value

  CSRF Token Middleware
    should create
      ✓ a token
      ✓ a single token per request
      1) a new token per request
      ✓ a null token when session is invalid
    should assert
      ✓ when no token is supplied
    should not assert when the token is supplied via
      ✓ json body
      ✓ querystring
      ✓ querystring with body
      ✓ x-csrf-token
      ✓ x-xsrf-token

  20 passing (111ms)
  1 failing

  1) CSRF Token Middleware should create a new token per request:
     Error: expected body 'fjn6oL6A--KQnQ2JliJVRlVMRL8atRinZV0M' to match /^\w+-[\w+\/]+/
      at error (node_modules/supertest/lib/test.js:265:13)
      at Test._assertBody (node_modules/supertest/lib/test.js:188:18)
      at Test._assertFunction (node_modules/supertest/lib/test.js:247:11)
      at Test.assert (node_modules/supertest/lib/test.js:148:18)
      at assert (node_modules/supertest/lib/test.js:127:12)
      at node_modules/supertest/lib/test.js:124:5
      at Test.Request.callback (node_modules/supertest/node_modules/superagent/lib/node/index.js:691:12)
      at IncomingMessage.<anonymous> (node_modules/supertest/node_modules/superagent/lib/node/index.js:922:12)
      at endReadableNT (_stream_readable.js:905:12)

npm ERR! Test failed.  See above for more details.

maybe we shouldn't use a regex?

jonathanong commented 8 years ago

i don't remember adding that. i believe the tokens are base64 escaped via https://www.npmjs.com/package/base64-url so that regexp is invalid

stephenmathieson commented 7 years ago

The tests are a little flaky, but this hasn't come up since opening this issue. Closing for now.

Should address this some day, but it's by no means urgent, as we've released a major version since.