1 # -*- coding: utf-8 -*-
2 # This file is part of django-ssify, licensed under GNU Affero GPLv3 or later.
3 # Copyright © Fundacja Nowoczesna Polska. See README.md for more information.
5 from __future__ import unicode_literals
8 from django.conf import settings
9 from django.test import Client, TestCase
12 from django.middleware.csrf import _compare_salted_tokens
# Fallback when Django's private helper _compare_salted_tokens (imported above)
# is unavailable: compare the form token and the cookie token by plain equality.
# Newer Django releases mask each rendered token with a per-request salt, so the
# cookie value and the form value differ and only the helper can compare them;
# the equality fallback is only adequate on releases that render the cookie
# value verbatim. NOTE(review): the try/except ImportError that presumably
# guards this assignment is not visible in this listing — confirm in the source.
15 _compare_salted_tokens = lambda t1, t2: t1 == t2
18 class CsrfTestCase(TestCase):
# Use a client that enforces CSRF checks: Django's test client skips them by
# default, and this test case exercises the protection itself.
20 self.client = Client(enforce_csrf_checks=True)
22 def assertCsrfTokenOk(self, response):
"""Assert that ``response`` carries a usable CSRF token and return it.

Reads the token from the CSRF cookie, asserts that the rendered body is
exactly the SSI directive pair that stores the token in an SSI variable and
echoes it into the hidden ``csrfmiddlewaretoken`` field, and asserts that the
value captured from the directive matches the cookie token.

NOTE(review): some lines of this method are missing from the listing — the
call that binds ``match`` and, presumably, a final ``return token`` (the
callers below use the return value as the token). Confirm in the source.
"""
23 token = response.cookies[settings.CSRF_COOKIE_NAME].value
24 self.assertTrue(token)
# Expected rendered body: the SSI "set" directive carries the token value
# (captured by the regex group) and the "echo" directive writes it, with
# encoding='none', into the hidden form field.
26 r"<!--#set var='vd07f6920655622adc90dd591c545bb2a' value='([A-Za-z0-9]*)'-->\n\n"
27 r"<input type='hidden' name='csrfmiddlewaretoken' value='"
28 r"<!--#echo var='vd07f6920655622adc90dd591c545bb2a' "
29 r"encoding='none'-->' />",
30 response.content.strip().decode('ascii'),
# The form token may be a salted (masked) form of the cookie token, so compare
# with Django's helper rather than with plain equality.
33 self.assertTrue(_compare_salted_tokens(match.group(1), token))
36 def test_csrf_token(self):
"""Verify CSRF protection end to end with the CSRF-enforcing client.

Fetches ``/csrf`` to obtain a token, then checks that a POST to
``/csrf_check`` without a valid token is rejected with 403 and that a POST
carrying the token is accepted with the expected body.

NOTE(review): the payload dict literals of both POSTs are truncated in this
listing; only the ``csrfmiddlewaretoken`` entry of the second one is visible.
"""
37 response = self.client.get('/csrf')
38 token = self.assertCsrfTokenOk(response)
40 # Make a bad request to see that CSRF protection works.
41 response = self.client.post('/csrf_check', {
44 self.assertEqual(response.status_code, 403)
46 # Make a good request.
# The same client instance is reused, so the CSRF cookie set by the GET above
# accompanies this POST and is matched against the submitted token.
47 response = self.client.post('/csrf_check', {
49 'csrfmiddlewaretoken': token,
51 self.assertEqual(response.status_code, 200)
52 self.assertEqual(response.content, b'some data')
54 def test_new_csrf_token_in_cached_response(self):
56 response = Client().get('/csrf')
57 token = self.assertCsrfTokenOk(response)