Fix CSRF bugs

2026-01-05 17:45:54 +01:00
parent 0ebfc390c5
commit 929a0f2217
4 changed files with 18 additions and 4 deletions


@@ -1,6 +1,7 @@
package dev.kruhlmann.imgfloat;
import static org.hamcrest.Matchers.hasSize;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -48,6 +49,7 @@ class ChannelApiIntegrationTest {
.contentType(MediaType.APPLICATION_JSON)
.content("{\"username\":\"helper\"}")
.with(oauth2Login().attributes((attrs) -> attrs.put("preferred_username", broadcaster)))
.with(csrf())
)
.andExpect(status().isOk());
@@ -70,6 +72,7 @@ class ChannelApiIntegrationTest {
multipart("/api/channels/{broadcaster}/assets", broadcaster)
.file(file)
.with(oauth2Login().attributes((attrs) -> attrs.put("preferred_username", broadcaster)))
.with(csrf())
)
.andExpect(status().isOk())
.andReturn()
@@ -96,6 +99,7 @@ class ChannelApiIntegrationTest {
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(visibilityRequest))
.with(oauth2Login().attributes((attrs) -> attrs.put("preferred_username", broadcaster)))
.with(csrf())
)
.andExpect(status().isOk())
.andExpect(jsonPath("$.hidden").value(false));
@@ -113,7 +117,7 @@ class ChannelApiIntegrationTest {
.perform(
delete("/api/channels/{broadcaster}/assets/{id}", broadcaster, assetId).with(
oauth2Login().attributes((attrs) -> attrs.put("preferred_username", broadcaster))
)
).with(csrf())
)
.andExpect(status().isOk());
}
@@ -126,6 +130,7 @@ class ChannelApiIntegrationTest {
.contentType(MediaType.APPLICATION_JSON)
.content("{\"username\":\"helper\"}")
.with(oauth2Login().attributes((attrs) -> attrs.put("preferred_username", "intruder")))
.with(csrf())
)
.andExpect(status().isForbidden());
}
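Review bot: No hunk adds the negative case — a mutating request sent without `csrf()` that asserts a rejection — so a regression that disables CSRF protection in the security configuration would leave this suite green while every test here still passes. The intruder test in the last hunk does benefit from the change: with the token supplied, its 403 must now come from the authorization check rather than from the missing token, which is the assertion the test name implies. The upload request in the third hunk is a natural template for the missing check, shown below; the expected status for a rejected token (403 is what Spring Security returns by default, as far as I can tell) should be confirmed against the project's configured access-denied handling. Separately, the `oauth2Login().attributes(...)` plus `csrf()` pair is repeated in every hunk and could be folded into a small helper such as `asBroadcaster(String)` returning a `RequestPostProcessor`, so the next endpoint test cannot forget one of them.
```java
@Test
void uploadAssetWithoutCsrfTokenIsRejected() throws Exception {
    // … unchanged: same `file` fixture as the upload test …
    mvc // placeholder: the MockMvc field the other tests call .perform() on
        .perform(
            multipart("/api/channels/{broadcaster}/assets", broadcaster)
                .file(file)
                .with(oauth2Login().attributes((attrs) -> attrs.put("preferred_username", broadcaster)))
                // deliberately no .with(csrf()) — the request must be rejected
        )
        .andExpect(status().isForbidden());
}
```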