gds-sso icon indicating copy to clipboard operation
gds-sso copied to clipboard
verified publisher icon alphagov

Impossible to test CSRF protection in automated tests

Open heathd opened this issue 12 years ago • 8 comments

In spite of a javascript-enabled cucumber scenario in our tests in specialist publisher, we failed to spot that we were failing to pass the CSRF token in an Ajax request for previewing documents in the specialist publisher.

In other words, the cucumber scenario worked fine, but the preview button actually failed due to the lack of CSRF.

We tracked this down to the the interaction between the CSRF forgery protection and the 'mock' authentication strategy in gds-sso.

If CSRF verification fails, the default behaviour is to clear the session.

However, in test-mode gds-sso does not pay attention to the session it always treats the user as authenticated, by just loading the first user from the database.

It would be good to figure out a general-purpose fix for this issue so that everyone can rely on cucumber-style tests to verify CSRF behaviour.

We should review the design of the mock_gds_sso strategy to see if there's a way to achieve this.

heathd avatar Mar 05 '14 14:03 heathd

I agree that the current mock strategies are sub-optimal. For test mode, we could look at moving to use the omniauth test helpers - I took this approach in errbit (I couldn't use gds-sso becuase it doesn't play nicely with devise, so I had to just use omniauth-gds directly).

alext avatar Mar 05 '14 14:03 alext

In dev mode, maybe we should move towards not mocking out auth at all, and just make apps auth against signon properly.

alext avatar Mar 05 '14 14:03 alext

Thanks Alex, have you got a pointer to how you used the omniauth test helpers on errbit?

heathd avatar Mar 05 '14 14:03 heathd

In dev mode, maybe we should move towards not mocking out auth at all, and just make apps auth against signon properly.

My concern is that this change will require more faffing to get from a blank slate to ~~passing tests~~ a working setup. ~~Also, since almost all user models are DB-backed, won't this make tests slower?~~

benilovj avatar Mar 05 '14 14:03 benilovj

Unless I'm missing something, dev mode != test mode.

bradwright avatar Mar 05 '14 14:03 bradwright

@bradleywright oops sorry, my brain did a thing there, you're right (fixed my comment). But at least the faffing part is still a valid question IMHO.

benilovj avatar Mar 05 '14 15:03 benilovj

@heathd The acceptance spec for gds-sso auth is https://github.com/alphagov/errbit/blob/master/spec/acceptance/auth_with_gds_sso_spec.rb. It uses test helpers defined in https://github.com/alphagov/errbit/blob/master/spec/acceptance/acceptance_helper.rb and https://github.com/alphagov/errbit/blob/master/spec/support/gds_auth_stubs.rb

alext avatar Mar 05 '14 15:03 alext

Alex thanks for the pointers I'll take a look

heathd avatar Mar 05 '14 18:03 heathd