t/Token.t

   1 #!/usr/bin/perl
   2
   3 # tests for Koha::Token
   4
   5 # Copyright 2016 Rijksmuseum
   6 #
   7 # This file is part of Koha.
   8 #
   9 # Koha is free software; you can redistribute it and/or modify it under the
  10 # terms of the GNU General Public License as published by the Free Software
  11 # Foundation; either version 3 of the License, or (at your option) any later
  12 # version.
  13 #
  14 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
  15 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
  16 # A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
  17 #
  18 # You should have received a copy of the GNU General Public License along
  19 # with Koha; if not, write to the Free Software Foundation, Inc.,
  20 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21
  22 use Modern::Perl;
  23 use Test::More tests => 10;
  24 use Time::HiRes qw|usleep|;
  25 use C4::Context;
  26 use Koha::Token;
  27
  28 C4::Context->_new_userenv('DUMMY SESSION');
  29 C4::Context->set_userenv(0,42,0,'firstname','surname', 'CPL', 'Library 1', 0, ', ');
  30
  31 my $tokenizer = Koha::Token->new;
  32 is( length( $tokenizer->generate ), 1, "Generate without parameters" );
  33 my $token = $tokenizer->generate({ length => 20 });
  34 is( length($token), 20, "Token $token has 20 chars" );
  35
  36 my $id = $tokenizer->generate({ length => 8 });
  37 my $csrftoken = $tokenizer->generate_csrf({ session_id => $id });
  38 isnt( length($csrftoken), 0, "Token $csrftoken should not be empty" );
  39
  40 is( $tokenizer->check, undef, "Check without any parameters" );
  41 my $result = $tokenizer->check_csrf({
  42     session_id => $id, token => $csrftoken,
  43 });
  44 is( $result, 1, "CSRF token verified" );
  45
  46 $result = $tokenizer->check({
  47     type => 'CSRF', id => $id, token => $token,
  48 });
  49 isnt( $result, 1, "This token is no CSRF token" );
  50
  51 # Test MaxAge parameter
  52 my $age = 1; # 1 second
  53 $result = $tokenizer->check_csrf({
  54     session_id => $id, token => $csrftoken, MaxAge => $age,
  55 });
  56 is( $result, 1, "CSRF token still valid within one second" );
  57 usleep $age * 1000000 * 2; # micro (millionth) seconds + 100%
  58 $result = $tokenizer->check_csrf({
  59     session_id => $id, token => $csrftoken, MaxAge => $age,
  60 });
  61 isnt( $result, 1, "CSRF token expired after one second" );
  62
  63 subtest 'Same id (cookie CGISESSID) with an other logged in user' => sub {
  64     plan tests => 2;
  65     $csrftoken = $tokenizer->generate_csrf({ session_id => $id });
  66     $result = $tokenizer->check_csrf({
  67         session_id => $id, token => $csrftoken,
  68     });
  69     is( $result, 1, "CSRF token verified" );
  70     C4::Context->set_userenv(0,43,0,'firstname','surname', 'CPL', 'Library 1', 0, ', ');
  71     $result = $tokenizer->check_csrf({
  72         session_id => $id, token => $csrftoken,
  73     });
  74     is( $result, '', "CSRF token is not verified if another logged in user is using the same id" );
  75 };
  76
  77 subtest 'Same logged in user with another session (cookie CGISESSID)' => sub {
  78     plan tests => 2;
  79     C4::Context->set_userenv(0,42,0,'firstname','surname', 'CPL', 'Library 1', 0, ', ');
  80     $csrftoken = $tokenizer->generate_csrf({ session_id => $id });
  81     $result = $tokenizer->check_csrf({
  82         session_id => $id, token => $csrftoken,
  83     });
  84     is( $result, 1, "CSRF token verified" );
  85     # Get another session id
  86     $id = $tokenizer->generate({ length => 8 });
  87     $result = $tokenizer->check_csrf({
  88         session_id => $id, token => $csrftoken,
  89     });
  90     is( $result, '', "CSRF token is not verified if another session is used" );
  91 };