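/// <summary>
/// Ajax GET for a server-mode tag that carries no "xtags-token": the pipeline must
/// answer with a plain-text renewal envelope <c>{"xtags-renew-token":"…"}</c> whose
/// token equals the value stored in the session under the tag id, so the client can
/// retry with a token the server will recognise.
/// </summary>
public void CheckIfRestRequest_Session_WhenAjaxSentWithoutCSRFToken_ThenTokenShouldBeSentFirst()
{
    // Protocol literals of the renewal envelope; kept in one place so the
    // StartsWith/EndsWith checks and the token extraction cannot drift apart.
    const string renewPrefix = "{\"xtags-renew-token\":\"";
    const string renewSuffix = "\"}";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    // Ajax GET for tag 'a' — deliberately no "xtags-token" parameter.
    var httpContextInfo = new HttpContextInfo();
    httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
    httpContextInfo.QueryString.Add("xtags-http-method", "GET");
    httpContextInfo.QueryString.Add("xtags-id", "a");

    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(onGet: EmptyGetHandler),
            new RenderHtml());

    var responseText = result.ResponseText.ToString();

    // Ordinal comparison: the envelope is a wire-format literal, not user-facing text.
    Assert.IsTrue(responseText.StartsWith(renewPrefix, StringComparison.Ordinal));
    Assert.IsTrue(responseText.EndsWith(renewSuffix, StringComparison.Ordinal));
    Assert.AreEqual("text/plain", result.ContentType);

    // The token handed to the client must be the one recorded server-side for this
    // tag; otherwise the follow-up request could never validate.
    var issuedToken = responseText
        .Replace(renewPrefix, string.Empty)
        .Replace(renewSuffix, string.Empty);
    Assert.AreEqual(httpContextInfo.Session("a"), issuedToken);
}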
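/// <summary>
/// With <c>csrfProtectionEnabled: false</c> an Ajax GET without a token is handled
/// as an ordinary Ajax request: the GET handler runs with <c>isAjax == true</c>,
/// the response is plain text, and no token is minted (nothing in the session and
/// no response cookie for the tag id).
/// </summary>
public void CheckIfRestRequest_WhenAjaxSentWithoutCSRFTokenWhenCSRFIsDisabled_ThenNormalAjaxRequest()
{
    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='b' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo();
    httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
    httpContextInfo.QueryString.Add("xtags-http-method", "GET");
    httpContextInfo.QueryString.Add("xtags-id", "b");

    // Track invocation explicitly: assertions placed inside the handler pass
    // vacuously if the pipeline never calls it.
    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(
                onGet: (context, isAjax) =>
                {
                    isMethodCalled = true;
                    Assert.IsTrue(isAjax);
                    Assert.AreEqual("b", context.xTag.Id);
                },
                csrfProtectionEnabled: false),
            new RenderHtml());

    Assert.IsTrue(isMethodCalled);
    Assert.AreEqual("text/plain", result.ContentType);

    // Protection is off, so no renewal token should have been issued anywhere.
    Assert.IsNull(httpContextInfo.Session("b"));
    Assert.IsNull(result.ResponseCookies["b"]);
}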
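/// <summary>
/// Ajax GET with a token matching the session entry for the tag and the
/// "xtags-values-only" flag: the GET handler runs as Ajax and the plain-text
/// response body must be parseable JSON.
/// </summary>
public void CheckIfRestRequest_Session_WhenAjaxIsValidValuesOnlyRequest_ThenJsonResponseRendered()
{
    const string validToken = "valid-token";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo();
    httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
    httpContextInfo.QueryString.Add("xtags-http-method", "GET");
    httpContextInfo.QueryString.Add("xtags-id", "a");
    httpContextInfo.QueryString.Add("xtags-token", validToken);
    httpContextInfo.QueryString.Add("callback", "callbackMethod");
    httpContextInfo.QueryString.Add("xtags-values-only", "xtags-values-only");
    // Server-side token the request must match, keyed by tag id.
    httpContextInfo.Session("a", validToken);

    // Track invocation explicitly: assertions placed inside the handler pass
    // vacuously if the pipeline never calls it.
    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(
                onGet: (context, isAjax) =>
                {
                    isMethodCalled = true;
                    Assert.IsTrue(isAjax);
                    Assert.AreEqual("a", context.xTag.Id);
                }),
            new RenderHtml());

    var responseText = result.ResponseText.ToString();

    // Deserialisation throws on malformed JSON; asserting the result makes the
    // "JSON rendered" expectation explicit rather than incidental.
    var json = JsonConvert.DeserializeObject(responseText);
    Assert.IsNotNull(json);

    Assert.IsTrue(isMethodCalled);
    Assert.AreEqual("text/plain", result.ContentType);
}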
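/// <summary>
/// Ajax GET with a valid session token and a "callback" parameter: after
/// <see cref="RenderJsonpIfRequested"/> the body is a JSONP call
/// <c>callbackMethod("(function(){…})();")</c> served as text/javascript, and the
/// script references the tag id and the page URI.
/// </summary>
public void CheckIfRestRequest_Session_WhenAjaxHasCallback_ThenJsonpResponseRendered()
{
    const string validToken = "valid-token";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo();
    httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
    httpContextInfo.QueryString.Add("xtags-http-method", "GET");
    httpContextInfo.QueryString.Add("xtags-id", "a");
    httpContextInfo.QueryString.Add("xtags-token", validToken);
    httpContextInfo.QueryString.Add("callback", "callbackMethod");
    // Server-side token the request must match, keyed by tag id.
    httpContextInfo.Session("a", validToken);

    // Track invocation explicitly: assertions placed inside the handler pass
    // vacuously if the pipeline never calls it.
    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(
                onGet: (context, isAjax) =>
                {
                    isMethodCalled = true;
                    Assert.IsTrue(isAjax);
                    Assert.AreEqual("a", context.xTag.Id);
                }),
            new RenderHtml())
        .Do(new RenderJsonpIfRequested());

    var responseText = result.ResponseText.ToString();

    Assert.IsTrue(isMethodCalled);
    // Ordinal comparisons: the JSONP wrapper is a wire-format literal.
    Assert.IsTrue(responseText.StartsWith("callbackMethod(\"(function(){", StringComparison.Ordinal));
    Assert.IsTrue(responseText.Contains("'a'"));
    Assert.IsTrue(responseText.Contains("'" + httpContextInfo.PageUri() + "'"));
    Assert.IsTrue(responseText.EndsWith("})();\");", StringComparison.Ordinal));
    Assert.AreEqual("text/javascript", result.ContentType);
}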
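/// <summary>
/// POST where the tag id travels in the query string but the CSRF token in the form
/// body. Even though the token value matches the session, the POST handler must not
/// run and the page is rendered as plain HTML — the request is treated as not a
/// valid REST call when its parameters are split across sources.
/// </summary>
public void CheckIfRestRequest_FormPost_WhenCSRFTokenIsValidButValuesAreMixedBetweenFormAndQuerystring_ThenTheHandlerShouldNotBeExecuted()
{
    const string validToken = "valid-token";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo(httpMethod: "POST");
    // Mixed sources on purpose: id via query string, token via form body.
    httpContextInfo.QueryString.Add("xtags-id", "a");
    httpContextInfo.Form.Add("xtags-token", validToken);
    httpContextInfo.Session("a", validToken);

    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(onPost: (tag, isAjax) => { isMethodCalled = true; }),
            new RenderHtml());

    var responseText = result.ResponseText.ToString();

    // Fallback path: ordinary HTML render, handler untouched.
    Assert.AreEqual("<div id='a'></div>", responseText);
    Assert.AreEqual("text/html", result.ContentType);
    Assert.IsFalse(isMethodCalled);
}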
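/// <summary>
/// POST with the tag id in the query string and a form token matching the session:
/// the POST handler runs for tag 'a' with <c>isAjax == false</c> (no "xtags-xajax"
/// parameter is sent) and the page is still rendered as HTML.
/// </summary>
/// <remarks>
/// NOTE(review): the method name says "ShouldBeAjax", but the body asserts
/// <c>isAjax</c> is false and the request carries no Ajax marker. The assertion
/// matches the request that is built; the name looks stale — confirm before relying
/// on it in reports.
/// </remarks>
public void CheckIfRestRequest_FormPost_WhenAjaxCSRFTokenIsValid_ThenGetRequestShouldBeAjax()
{
    const string validToken = "valid-token";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo(httpMethod: "POST");
    httpContextInfo.QueryString.Add("xtags-id", "a");
    httpContextInfo.Form.Add("xtags-token", validToken);
    // Server-side token the form value must match, keyed by tag id.
    httpContextInfo.Session("a", validToken);

    // Track invocation explicitly: assertions placed inside the handler pass
    // vacuously if the pipeline never calls it.
    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(
                onPost: (context, isAjax) =>
                {
                    isMethodCalled = true;
                    Assert.IsFalse(isAjax);
                    Assert.AreEqual("a", context.xTag.Id);
                }),
            new RenderHtml());

    var responseText = result.ResponseText.ToString();

    Assert.IsTrue(isMethodCalled);
    Assert.AreEqual("<div id='a'></div>", responseText);
    Assert.AreEqual("text/html", result.ContentType);
}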
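/// <summary>
/// GET whose "xtags-token" does not match the value stored in the session for the
/// tag: the GET handler must not run and the page falls back to a plain HTML render.
/// This is the negative case that guards the token comparison itself.
/// </summary>
public void CheckIfRestRequest_FormGet_WhenAjaxCSRFTokenInvalid_ThenServerGetIsNotRequestedAndJustRenderResponse()
{
    const string validToken = "valid-token";

    var doc = new XmlDocument();
    doc.LoadXml("<r><template id='a' mode='Server' /></r>");

    var httpContextInfo = new HttpContextInfo();
    httpContextInfo.QueryString.Add("xtags-http-method", "GET");
    httpContextInfo.QueryString.Add("xtags-id", "a");
    httpContextInfo.QueryString.Add("xtags-token", validToken);
    // Session holds a different token than the request, so validation must fail.
    httpContextInfo.Session("a", "invalid-token");

    var isMethodCalled = false;
    var result = new xContext(httpContextInfo)
        .Do(new LoadLibrary(doc))
        .Do(new CreateTag("template"))
        .DoFirst(x => x != null,
            new CheckIfRestRequest(onGet: (tag, isAjax) => { isMethodCalled = true; }),
            new RenderHtml());

    var responseText = result.ResponseText.ToString();

    // Fallback path: ordinary HTML render, handler untouched.
    Assert.AreEqual("<div id='a'></div>", responseText);
    Assert.AreEqual("text/html", result.ContentType);
    Assert.IsFalse(isMethodCalled);
}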