yoinkkk/ExcaliDash
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sign CSRF with cookie, Login rate-limit key hardened against identifier-only lockout

Browse Source
This commit is contained in:
Zimeng Xiong
2026-02-07 18:52:00 -08:00
parent fd013de325
commit 70103e18fb
6 changed files with 104 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/server/csrf.test.ts
+41
View File
@@ -0,0 +1,41 @@
import express from "express";
import request from "supertest";
import { describe, expect, it } from "vitest";
import { registerCsrfProtection } from "./csrf";
describe("CSRF token issuance", () => {
it("binds first-issued tokens to cookie client identity", async () => {
const app = express();
app.use(express.json());
registerCsrfProtection({
app,
isAllowedOrigin: () => true,
maxRequestsPerWindow: 100,
});
app.post("/drawings", (_req, res) => {
res.status(200).json({ ok: true });
});
const agent = request.agent(app);
const csrfRes = await agent
.get("/csrf-token")
.set("User-Agent", "csrf-test-agent-a");
expect(csrfRes.status).toBe(200);
const headerName = csrfRes.body.header as string;
const token = csrfRes.body.token as string;
expect(typeof headerName).toBe("string");
expect(typeof token).toBe("string");
const postRes = await agent
.post("/drawings")
.set("User-Agent", "csrf-test-agent-b")
.set(headerName, token)
.send({ name: "test" });
expect(postRes.status).toBe(200);
expect(postRes.body.ok).toBe(true);
});
});