Add XSRF protection to legacy authentication mechanism

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=148689952
2025-05-20 03:09:33 +02:00 · 2017-02-27 13:53:10 -08:00 · 2017-02-27 13:53:10 -08:00 · c7a62e9b98
commit c7a62e9b98
parent a5932c0fc3
12 changed files with 227 additions and 56 deletions
--- a/javatests/google/registry/security/XsrfTokenManagerTest.java
+++ b/javatests/google/registry/security/XsrfTokenManagerTest.java
@ -54,7 +54,9 @@ public class XsrfTokenManagerTest {

  @Test
  public void testSuccess() {
-    assertThat(xsrfTokenManager.validateToken(xsrfTokenManager.generateToken("console"), "console"))
+    assertThat(
+            xsrfTokenManager.validateToken(
+                xsrfTokenManager.generateTokenWithCurrentUser("console"), "console"))
        .isTrue();
  }

@ -70,7 +72,7 @@ public class XsrfTokenManagerTest {

  @Test
  public void testExpired() {
-    String token = xsrfTokenManager.generateToken("console");
+    String token = xsrfTokenManager.generateTokenWithCurrentUser("console");
    clock.setTo(START_OF_TIME.plusDays(2));
    assertThat(xsrfTokenManager.validateToken(token, "console")).isFalse();
  }
@ -78,7 +80,9 @@ public class XsrfTokenManagerTest {
  @Test
  public void testTimestampTamperedWith() {
    String encodedPart =
-        Splitter.on(':').splitToList(xsrfTokenManager.generateToken("console")).get(0);
+        Splitter.on(':')
+            .splitToList(xsrfTokenManager.generateTokenWithCurrentUser("console"))
+            .get(0);
    long tamperedTimestamp = clock.nowUtc().plusMillis(1).getMillis();
    assertThat(xsrfTokenManager.validateToken(encodedPart + ":" + tamperedTimestamp, "console"))
        .isFalse();
@ -93,7 +97,26 @@ public class XsrfTokenManagerTest {

  @Test
  public void testDifferentScope() {
-    assertThat(xsrfTokenManager.validateToken(xsrfTokenManager.generateToken("console"), "foobar"))
+    assertThat(
+            xsrfTokenManager.validateToken(
+                xsrfTokenManager.generateTokenWithCurrentUser("console"), "foobar"))
        .isFalse();
  }
+
+  @Test
+  public void testNullScope() {
+    assertThat(
+            xsrfTokenManager.validateToken(
+                xsrfTokenManager.generateTokenWithCurrentUser(null), null))
+        .isTrue();
+  }
+
+  // This test checks that the server side will pass when we switch the client to use a null scope.
+  @Test
+  public void testNullScopePassesWhenTestedWithNonNullScope() {
+    assertThat(
+            xsrfTokenManager.validateToken(
+                xsrfTokenManager.generateTokenWithCurrentUser(null), "console"))
+        .isTrue();
+  }
 }