studio/drive
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-27. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
58237d9e44286f2714271bdd3a4fae225c57a4ad
drive/tests/server/csrf_test.ts

209 lines
6.3 KiB
TypeScript
Raw Normal View History

Initial commit — Drive, an S3 file browser with WOPI editing Lightweight replacement for the upstream La Suite Numérique drive (Django/Celery/Next.js) built as a single Deno binary. Server (Deno + Hono): - S3 file operations via AWS SigV4 (no SDK) with pre-signed URLs - WOPI host for Collabora Online (CheckFileInfo, GetFile, PutFile, locks) - Ory Kratos session auth + CSRF protection - Ory Keto permission model (OPL namespaces, not yet wired to routes) - PostgreSQL metadata with recursive folder sizes - S3 backfill API for registering files uploaded outside the UI - OpenTelemetry tracing + metrics (opt-in via OTEL_ENABLED) Frontend (React 19 + Cunningham v4 + react-aria): - File browser with GridList, keyboard nav, multi-select - Collabora editor iframe (full-screen, form POST, postMessage) - Profile menu, waffle menu, drag-drop upload, asset type badges - La Suite integration service theming (runtime CSS) Testing (549 tests): - 235 server unit tests (Deno) — 90%+ coverage - 278 UI unit tests (Vitest) — 90%+ coverage - 11 E2E tests (Playwright) - 12 integration service tests (Playwright) - 13 WOPI integration tests (Playwright + Docker Compose + Collabora) MIT licensed.
2026-03-25 18:28:37 +00:00
import {
assertEquals,
assertStringIncludes,
} from "https://deno.land/std@0.224.0/assert/mod.ts";
import { Hono } from "hono";
import { csrfMiddleware, generateCsrfToken, CSRF_COOKIE_NAME } from "../../server/csrf.ts";
Deno.test("CSRF - generateCsrfToken returns token and cookie", async () => {
const { token, cookie } = await generateCsrfToken();
assertEquals(typeof token, "string");
assertEquals(token.includes("."), true);
assertEquals(cookie.includes(CSRF_COOKIE_NAME), true);
});
Deno.test("CSRF - token has UUID.signature format", async () => {
const { token } = await generateCsrfToken();
const parts = token.split(".");
assertEquals(parts.length, 2);
// UUID is 36 chars
assertEquals(parts[0].length, 36);
// Signature is a hex string (64 chars for SHA-256)
assertEquals(parts[1].length, 64);
});
Deno.test("CSRF - cookie contains correct attributes", async () => {
const { cookie } = await generateCsrfToken();
assertStringIncludes(cookie, "Path=/");
assertStringIncludes(cookie, "HttpOnly");
assertStringIncludes(cookie, "SameSite=Strict");
});
Deno.test("CSRF - GET requests bypass CSRF check", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.get("/api/files", (c) => c.json({ ok: true }));
const res = await app.request("/api/files");
assertEquals(res.status, 200);
});
Deno.test("CSRF - HEAD requests bypass CSRF check", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.get("/api/files", (c) => c.json({ ok: true }));
const res = await app.request("/api/files", { method: "HEAD" });
// HEAD on a GET route should pass
assertEquals(res.status >= 200 && res.status < 400, true);
});
Deno.test("CSRF - POST without token returns 403", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const res = await app.request("/api/files", { method: "POST" });
assertEquals(res.status, 403);
});
Deno.test("CSRF - PUT without token returns 403", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.put("/api/files/abc", (c) => c.json({ ok: true }));
const res = await app.request("/api/files/abc", { method: "PUT" });
assertEquals(res.status, 403);
});
Deno.test("CSRF - PATCH without token returns 403", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.patch("/api/files/abc", (c) => c.json({ ok: true }));
const res = await app.request("/api/files/abc", { method: "PATCH" });
assertEquals(res.status, 403);
});
Deno.test("CSRF - DELETE without token returns 403", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.delete("/api/files/abc", (c) => c.json({ ok: true }));
const res = await app.request("/api/files/abc", { method: "DELETE" });
assertEquals(res.status, 403);
});
Deno.test("CSRF - POST with valid token succeeds", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const { token } = await generateCsrfToken();
const res = await app.request("/api/files", {
method: "POST",
headers: {
"x-csrf-token": token,
cookie: `${CSRF_COOKIE_NAME}=${token}`,
},
});
assertEquals(res.status, 200);
});
Deno.test("CSRF - WOPI POST bypasses CSRF", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/wopi/files/abc", (c) => c.json({ ok: true }));
const res = await app.request("/wopi/files/abc", { method: "POST" });
assertEquals(res.status, 200);
});
Deno.test("CSRF - mismatched token rejected", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const { token } = await generateCsrfToken();
const { token: otherToken } = await generateCsrfToken();
const res = await app.request("/api/files", {
method: "POST",
headers: {
"x-csrf-token": token,
cookie: `${CSRF_COOKIE_NAME}=${otherToken}`,
},
});
assertEquals(res.status, 403);
});
Deno.test("CSRF - POST to non-api path bypasses CSRF", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/login", (c) => c.json({ ok: true }));
const res = await app.request("/login", { method: "POST" });
assertEquals(res.status, 200);
});
Deno.test("CSRF - token without cookie header rejected", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const { token } = await generateCsrfToken();
const res = await app.request("/api/files", {
method: "POST",
headers: {
"x-csrf-token": token,
// no cookie
},
});
assertEquals(res.status, 403);
});
Deno.test("CSRF - cookie without header token rejected", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const { token } = await generateCsrfToken();
const res = await app.request("/api/files", {
method: "POST",
headers: {
// no x-csrf-token header
cookie: `${CSRF_COOKIE_NAME}=${token}`,
},
});
assertEquals(res.status, 403);
});
Deno.test("CSRF - malformed token (no dot) rejected", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const badToken = "no-dot-in-this-token";
const res = await app.request("/api/files", {
method: "POST",
headers: {
"x-csrf-token": badToken,
cookie: `${CSRF_COOKIE_NAME}=${badToken}`,
},
});
assertEquals(res.status, 403);
});
Deno.test("CSRF - token with wrong signature rejected", async () => {
const app = new Hono();
app.use("/*", csrfMiddleware);
app.post("/api/files", (c) => c.json({ ok: true }));
const { token } = await generateCsrfToken();
const parts = token.split(".");
const tamperedToken = `${parts[0]}.${"a".repeat(64)}`;
const res = await app.request("/api/files", {
method: "POST",
headers: {
"x-csrf-token": tamperedToken,
cookie: `${CSRF_COOKIE_NAME}=${tamperedToken}`,
},
});
assertEquals(res.status, 403);
});
Deno.test("CSRF - two generated tokens are different", async () => {
const { token: t1 } = await generateCsrfToken();
const { token: t2 } = await generateCsrfToken();
assertEquals(t1 !== t2, true);
});
Reference in New Issue Copy Permalink