Replace CSRF cookie with CrossOriginProtection (#36183)
Removes the CSRF cookie in favor of [`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection) which relies purely on HTTP headers. Fixes: https://github.com/go-gitea/gitea/issues/11188 Fixes: https://github.com/go-gitea/gitea/issues/30333 Helps: https://github.com/go-gitea/gitea/issues/35107 TODOs: - [x] Fix tests - [ ] Ideally add tests to validates the protection --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
silverwind
@@ -129,13 +129,7 @@ func TestUserSettingsUpdatePassword(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/account")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
req = NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
req := NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
|
||||
"old_password": "password",
|
||||
"password": "password",
|
||||
"retype": "password",
|
||||
@@ -147,16 +141,8 @@ func TestUserSettingsUpdatePassword(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/account")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
req = NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
})
|
||||
req := NewRequest(t, "POST", "/user/settings/account")
|
||||
session.MakeRequest(t, req, http.StatusNotFound)
|
||||
})
|
||||
}
|
||||
@@ -168,16 +154,8 @@ func TestUserSettingsUpdateEmail(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/account")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
req = NewRequestWithValues(t, "POST", "/user/settings/account/email", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
})
|
||||
req := NewRequest(t, "POST", "/user/settings/account/email")
|
||||
session.MakeRequest(t, req, http.StatusNotFound)
|
||||
})
|
||||
}
|
||||
@@ -189,16 +167,8 @@ func TestUserSettingsDeleteEmail(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/account")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
req = NewRequestWithValues(t, "POST", "/user/settings/account/email/delete", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
})
|
||||
req := NewRequest(t, "POST", "/user/settings/account/email/delete")
|
||||
session.MakeRequest(t, req, http.StatusNotFound)
|
||||
})
|
||||
}
|
||||
@@ -212,14 +182,7 @@ func TestUserSettingsDelete(t *testing.T) {
|
||||
WithDisabledFeatures(t, setting.UserFeatureDeletion)
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/account")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
req = NewRequestWithValues(t, "POST", "/user/settings/account/delete", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
})
|
||||
req := NewRequest(t, "POST", "/user/settings/account/delete")
|
||||
session.MakeRequest(t, req, http.StatusNotFound)
|
||||
})
|
||||
}
|
||||
@@ -308,15 +271,10 @@ func TestUserSettingsApplications(t *testing.T) {
|
||||
t.Run("OAuthApplicationsEdit", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequest(t, "GET", "/user/settings/applications/oauth2/2")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
doc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
t.Run("Invalid URL", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
"application_name": "Test native app",
|
||||
"redirect_uris": "ftp://127.0.0.1",
|
||||
"confidential_client": "false",
|
||||
@@ -332,7 +290,6 @@ func TestUserSettingsApplications(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
|
||||
"_csrf": doc.GetCSRF(),
|
||||
"application_name": "Test native app",
|
||||
"redirect_uris": "http://127.0.0.1",
|
||||
"confidential_client": "false",
|
||||
|
||||
Reference in New Issue
Block a user