mirror of
https://github.com/strapi/strapi.git
synced 2026-01-01 01:33:50 +00:00
177 lines
5.7 KiB
JavaScript
177 lines
5.7 KiB
JavaScript
'use strict';
|
|
|
|
const { createStrapiInstance } = require('api-tests/strapi');
|
|
const { createRequest } = require('api-tests/request');
|
|
const { createAuthenticatedUser } = require('../utils');
|
|
|
|
/**
|
|
* Tests for users-permissions cookie security configuration
|
|
* Focus: Verify that plugin::users-permissions.sessions.cookie.secure config is respected with proper defaults
|
|
*/
|
|
describe('Users-Permissions Cookie Security', () => {
|
|
const cookieName = 'strapi_up_refresh';
|
|
|
|
const testUser = {
|
|
username: 'test-cookie-security',
|
|
email: 'test-cookie-security@strapi.io',
|
|
password: 'TestSecure1234!',
|
|
confirmed: true,
|
|
provider: 'local',
|
|
};
|
|
|
|
const getCookie = (res, name) => {
|
|
const setCookies = res.headers['set-cookie'] || [];
|
|
return setCookies.find((c) => c.startsWith(`${name}=`));
|
|
};
|
|
|
|
describe('Default behavior based on NODE_ENV', () => {
|
|
let strapi;
|
|
let originalEnv;
|
|
|
|
afterEach(async () => {
|
|
if (strapi) {
|
|
await strapi.db.query('plugin::users-permissions.user').deleteMany();
|
|
await strapi.destroy();
|
|
strapi = null;
|
|
}
|
|
if (originalEnv !== undefined) {
|
|
process.env.NODE_ENV = originalEnv;
|
|
}
|
|
});
|
|
|
|
test('should set secure=true cookie in production by default (with httpOnly enabled)', async () => {
|
|
originalEnv = process.env.NODE_ENV;
|
|
process.env.NODE_ENV = 'production';
|
|
|
|
strapi = await createStrapiInstance({
|
|
bypassAuth: false,
|
|
async bootstrap({ strapi: s }) {
|
|
s.config.set('plugin::users-permissions.jwtManagement', 'refresh');
|
|
s.config.set('plugin::users-permissions.sessions.httpOnly', true);
|
|
},
|
|
});
|
|
|
|
await createAuthenticatedUser({ strapi, userInfo: testUser });
|
|
const rq = createRequest({ strapi }).setURLPrefix('/api/auth').asHTTPS();
|
|
|
|
const res = await rq({
|
|
method: 'POST',
|
|
url: '/local',
|
|
body: { identifier: testUser.email, password: testUser.password },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body.jwt).toEqual(expect.any(String));
|
|
|
|
const cookie = getCookie(res, cookieName);
|
|
expect(cookie).toBeDefined();
|
|
expect(cookie.toLowerCase()).toMatch(/secure/);
|
|
expect(cookie.toLowerCase()).toMatch(/httponly/);
|
|
});
|
|
|
|
test('should set secure=false cookie in development by default (with httpOnly enabled)', async () => {
|
|
originalEnv = process.env.NODE_ENV;
|
|
process.env.NODE_ENV = 'development';
|
|
|
|
strapi = await createStrapiInstance({
|
|
bypassAuth: false,
|
|
async bootstrap({ strapi: s }) {
|
|
s.config.set('plugin::users-permissions.jwtManagement', 'refresh');
|
|
s.config.set('plugin::users-permissions.sessions.httpOnly', true);
|
|
},
|
|
});
|
|
|
|
await createAuthenticatedUser({ strapi, userInfo: testUser });
|
|
const rq = createRequest({ strapi }).setURLPrefix('/api/auth').asHTTPS();
|
|
|
|
const res = await rq({
|
|
method: 'POST',
|
|
url: '/local',
|
|
body: { identifier: testUser.email, password: testUser.password },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.body.jwt).toEqual(expect.any(String));
|
|
|
|
const cookie = getCookie(res, cookieName);
|
|
expect(cookie).toBeDefined();
|
|
expect(cookie.toLowerCase()).not.toMatch(/secure/);
|
|
expect(cookie.toLowerCase()).toMatch(/httponly/);
|
|
});
|
|
});
|
|
|
|
describe('Explicit config overrides', () => {
|
|
let strapi;
|
|
let originalEnv;
|
|
|
|
afterEach(async () => {
|
|
if (strapi) {
|
|
await strapi.db.query('plugin::users-permissions.user').deleteMany();
|
|
await strapi.destroy();
|
|
strapi = null;
|
|
}
|
|
if (originalEnv !== undefined) {
|
|
process.env.NODE_ENV = originalEnv;
|
|
}
|
|
});
|
|
|
|
test('should respect sessions.cookie.secure: true in development', async () => {
|
|
originalEnv = process.env.NODE_ENV;
|
|
process.env.NODE_ENV = 'development';
|
|
|
|
strapi = await createStrapiInstance({
|
|
bypassAuth: false,
|
|
async bootstrap({ strapi: s }) {
|
|
s.config.set('plugin::users-permissions.jwtManagement', 'refresh');
|
|
s.config.set('plugin::users-permissions.sessions.httpOnly', true);
|
|
s.config.set('plugin::users-permissions.sessions.cookie.secure', true);
|
|
},
|
|
});
|
|
|
|
await createAuthenticatedUser({ strapi, userInfo: testUser });
|
|
const rq = createRequest({ strapi }).setURLPrefix('/api/auth').asHTTPS();
|
|
|
|
const res = await rq({
|
|
method: 'POST',
|
|
url: '/local',
|
|
body: { identifier: testUser.email, password: testUser.password },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
|
|
const cookie = getCookie(res, cookieName);
|
|
expect(cookie).toBeDefined();
|
|
expect(cookie.toLowerCase()).toMatch(/secure/);
|
|
});
|
|
|
|
test('should respect sessions.cookie.secure: false in production', async () => {
|
|
originalEnv = process.env.NODE_ENV;
|
|
process.env.NODE_ENV = 'production';
|
|
|
|
strapi = await createStrapiInstance({
|
|
bypassAuth: false,
|
|
async bootstrap({ strapi: s }) {
|
|
s.config.set('plugin::users-permissions.jwtManagement', 'refresh');
|
|
s.config.set('plugin::users-permissions.sessions.httpOnly', true);
|
|
s.config.set('plugin::users-permissions.sessions.cookie.secure', false);
|
|
},
|
|
});
|
|
|
|
await createAuthenticatedUser({ strapi, userInfo: testUser });
|
|
const rq = createRequest({ strapi }).setURLPrefix('/api/auth').asHTTPS();
|
|
|
|
const res = await rq({
|
|
method: 'POST',
|
|
url: '/local',
|
|
body: { identifier: testUser.email, password: testUser.password },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
|
|
const cookie = getCookie(res, cookieName);
|
|
expect(cookie).toBeDefined();
|
|
expect(cookie.toLowerCase()).not.toMatch(/secure/);
|
|
});
|
|
});
|
|
});
|