csrf-tok
Test case for showing csrf/anti-forgery with double-submit cookies returns a 404 Not Found rather than a 403 Forbidden if the request does not include a valid CSRF token.
The :leave
function of the anti-forgery
interceptor returns nil
(in
particular assoc-double-submit-cookie
if there is no session set when using
cookie tokens.
To reproduce
The pedestal service includes routes using csrf with (/csrf-cookie
) and
without (/csrf
) cookie tokens. The tests POST against these routes showing
/csrf
responds with the expected 403 and /csrf-cookie
responds with a 404.
lein test
lein test csrf-tok.service-test
INFO io.pedestal.http - {:msg "POST /csrf-cookie", :line 78}
lein test :only csrf-tok.service-test/csrf-cookie-test
FAIL in (csrf-cookie-test) (service_test.clj:20)
expected: (= 403 status)
actual: (not (= 403 404))
INFO io.pedestal.http - {:msg "POST /csrf", :line 78}
Ran 2 tests containing 2 assertions.
1 failures, 0 errors.
Tests failed.