Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing CSRF token makes params invalid in test #228

Open
kukicola opened this issue Dec 27, 2022 · 6 comments
Open

Missing CSRF token makes params invalid in test #228

kukicola opened this issue Dec 27, 2022 · 6 comments
Assignees
Labels
Milestone

Comments

@kukicola
Copy link

Hello
In tests, CSRF token isn't set (and it's expected behavior) but calling request.params.valid? will return false because param is blank (even if my params validation rules don't include _csrf_token field):

> request.params.valid?
=> false
> request.params.errors
=> {:_csrf_token=>["must be filled"]}

I believe it's caused by:
https://github.com/hanami/controller/blob/main/lib/hanami/action/params.rb#L116
or
https://github.com/hanami/validations/blob/main/lib/hanami/validations/form.rb#L14

To fix it, I could remove input with CSRF token in views in test env or include middleware:

class RemoveCsrfParamMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if env["CONTENT_TYPE"]&.start_with?("multipart")

    params = Rack::Utils.parse_query(env["rack.input"].read, "&")
    params.delete("_csrf_token")
    env["rack.input"] = StringIO.new(Rack::Utils.build_query(params))
    @app.call(env)
  end
end

I think that in test env this default param validation should be removed

@jodosha jodosha self-assigned this Jan 25, 2023
@jodosha
Copy link
Member

jodosha commented Jan 25, 2023

@kukicola Hey, thanks for reporting.

Are you using hanami-controller as a standalone library, or are you using it in a Hanami app?

@kukicola
Copy link
Author

@jodosha in Hanami app

@jodosha
Copy link
Member

jodosha commented Jan 25, 2023

@kukicola, can you paste here the parameters that you're receiving?
Could you let me know if you are using views? Can you share the action code?

@kukicola
Copy link
Author

I created a sample app https://github.com/kukicola/hanami-csrf-example with two simple forms (/test1 and /test2). The only difference between them is that in test2 I have params validation (without any rules specified for csrf_token param). If you run specs, you'll see that it fails for test2 since request.params.valid? validates _csrf_token as well.

So that's a bit confusing to me that hanami validates csrf param by default.

@jodosha
Copy link
Member

jodosha commented Feb 8, 2023

@kukicola

So that's a bit confusing to me that hanami validates csrf param by default.

It allows to let that param always be accepted.

The alternative would be that each form will need the validation param counterpart. We wanted to avoid this friction.

@jodosha
Copy link
Member

jodosha commented Feb 8, 2023

@kukicola I had a look at this problem. It's a regression from 1.0. Hanami shouldn't validate CSRF Token in test env.

@jodosha jodosha transferred this issue from hanami/controller Feb 8, 2023
@jodosha jodosha added this to the v2.0.2 milestone Feb 8, 2023
@jodosha jodosha added the bug label Feb 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants